Need information on creating service user to connect from the Agent server to Windows hosts for installing agents on remote

Need information on creating service user to connect from the Agent server to Windows hosts for installing agents on remote

[Subramanya Narayanaswamy]

Hi Team,

 

I'm Trying to setup Cygwin installation on windows server 2012 and 2016. I'm installing latest Cygwin version with packages openssh,openssl,zip,unzip.

 

When I run Cygwin.bat file and try to configure SSH host service to connect from Agent server on this windows host, I don't get a prompt to create CYGWIN user at all. By default it is taking the SYSTEM default user for authentication.

 

But I want create a new Cygwin(let's say agentuser user) using the command ssh-host-config by running the Cygwin.bat file.

 

Could you please help on how to setup separate user with right SSH permission please? It would be great help. 

 

Subramanya

 

Re: Need information on creating service user to connect from the Agent server to Windows hosts for installing agents on remote

[Andrey Repin]

Greetings, Subramanya Narayanaswamy!

> I'm Trying to setup Cygwin installation on windows server 2012 and 2016.
> I'm installing latest Cygwin version with packages openssh,openssl,zip,unzip.

> When I run Cygwin.bat file and try to configure SSH host service to connect
> from Agent server on this windows host, I don't get a prompt to create
> CYGWIN user at all. By default it is taking the SYSTEM default user for authentication.

That's how it's done.

> But I want create a new Cygwin(let's say agentuser user) using the command
> ssh-host-config by running the Cygwin.bat file.

Why?

> Could you please help on how to setup separate user with right SSH
> permission please? It would be great help. 

What you want to use that user for? If you want to use it for maintenance,
just create a user and `passwd -R` it. Then you can use SSH key to login as
that user.


-- 
With best regards,
Andrey Repin
Tuesday, August 11, 2020 1:37:01

Sorry for my terrible english...

Re: Need information on creating service user to connect from the Agent server to Windows hosts for installing agents on remote

[Bill Stewart]

On Mon, Aug 10, 2020 at 12:21 PM Subramanya Narayanaswamy via Cygwin wrote:

When I run Cygwin.bat file and try to configure SSH host service to connect
> from Agent server on this windows host, I don't get a prompt to create
> CYGWIN user at all. By default it is taking the SYSTEM default user for
> authentication.
>

The service now runs as SYSTEM by default and this is a good thing because
you don't have to manage its password or configure special user rights for
it.

Why doesn't this work for your scenario?

Bill

RE: Need information on creating service user to connect from the Agent server to Windows hosts for installing agents on remote

[Subramanya Narayanaswamy]

Hi Andrey,

Thanks for the response.

Basically I have an Cloud control Agent server on LINUX host and Cloud control would like connect to Windows hosts over an SSH protocol. So for that I have installed CYGWIN on my client windows machine and tried to configure ssh-host-config. It is taking default SYSTEM user ( example: if my local account is SUBBU) and generating the profile files. Now I can user the below command to connect to windows host over SSH using username and password that is SYSTEM default.

ssh user1@IP

But here I want to create a separate user to authenticate from Cloud controller to target client with ssh setup and password based authentication.

Hope I answered your question?

Subramanya
-- 

Subramanya Narayanswamy, Staff Consultant, Infrastructure
Mobile: +919900036638
Oracle Consulting | IaaS

Oracle India 

-----Original Message-----
From: Andrey Repin [mailto:anrdaemon@yandex.ru] 
Sent: Tuesday, August 11, 2020 4:08 AM
To: Subramanya Narayanaswamy <subramanya.narayanswamy@oracle.com>; cygwin@cygwin.com
Subject: Re: Need information on creating service user to connect from the Agent server to Windows hosts for installing agents on remote

Greetings, Subramanya Narayanaswamy!

> I'm Trying to setup Cygwin installation on windows server 2012 and 2016.
> I'm installing latest Cygwin version with packages openssh,openssl,zip,unzip.

> When I run Cygwin.bat file and try to configure SSH host service to 
> connect from Agent server on this windows host, I don't get a prompt 
> to create CYGWIN user at all. By default it is taking the SYSTEM default user for authentication.

That's how it's done.

> But I want create a new Cygwin(let's say agentuser user) using the 
> command ssh-host-config by running the Cygwin.bat file.

Why?

> Could you please help on how to setup separate user with right SSH 
> permission please? It would be great help.

What you want to use that user for? If you want to use it for maintenance, just create a user and `passwd -R` it. Then you can use SSH key to login as that user.


--
With best regards,
Andrey Repin
Tuesday, August 11, 2020 1:37:01

Sorry for my terrible english...

Re: Need information on creating service user to connect from the Agent server to Windows hosts for installing agents on remote

[Marco Atzeri]

On 11.08.2020 08:35, Subramanya Narayanaswamy via Cygwin wrote:
> Hi Andrey,
> 
> Thanks for the response.
> 
> Basically I have an Cloud control Agent server on LINUX host and Cloud control would like connect to Windows hosts over an SSH protocol. So for that I have installed CYGWIN on my client windows machine and tried to configure ssh-host-config. It is taking default SYSTEM user ( example: if my local account is SUBBU) and generating the profile files. Now I can user the below command to connect to windows host over SSH using username and password that is SYSTEM default.
> 
> ssh user1@IP
> 
> But here I want to create a separate user to authenticate from Cloud controller to target client with ssh setup and password based authentication.
> 
> Hope I answered your question?
> 
> Subramanya
> 

you are confusing the user that runs the sshd services (SYSTEM) with the
user that uses the sshd service and connects through ssh


/usr/bin/ssh-host-config sets the first
/usr/bin/ssh-user-config sets the second


$ cygcheck -l openssh |grep -- -config
/usr/bin/ssh-host-config
/usr/bin/ssh-user-config

Re: Need information on creating service user to connect from the Agent server to Windows hosts for installing agents on remote

[Andrey Repin]

Greetings, Subramanya Narayanaswamy!

Please bottom post in this list.

> Thanks for the response.

> Basically I have an Cloud control Agent server on LINUX host and Cloud
> control would like connect to Windows hosts over an SSH protocol.

For that, you need a REGULAR user, for which you need to use a strong password
and prepare it for key-based login.
See the documentation and the other reply from Marco.

> ssh user1@IP

> But here I want to create a separate user to authenticate from Cloud
> controller to target client with ssh setup and password based authentication.

Yes. Do it.


-- 
With best regards,
Andrey Repin
Wednesday, August 12, 2020 2:22:48

Sorry for my terrible english...

RE: Need information on creating service user to connect from the Agent server to Windows hosts for installing agents on remote

[Subramanya Narayanaswamy]

Do you have any steps to follow to create an admin user using ssh-user-config command? Because when I run ssh-user-config it is taking SYSTEM user as default user name and doesn't prompt to create new user for the purpose of connecting remotely to the target windows host which runs CYGWIN.

Subramanya
-- 

Subramanya Narayanswamy, Staff Consultant, Infrastructure
Mobile: +919900036638
Oracle Consulting | IaaS

Oracle India 


-----Original Message-----
From: Andrey Repin [mailto:anrdaemon@yandex.ru] 
Sent: Wednesday, August 12, 2020 4:55 AM
To: Subramanya Narayanaswamy <subramanya.narayanswamy@oracle.com>; cygwin@cygwin.com
Subject: Re: Need information on creating service user to connect from the Agent server to Windows hosts for installing agents on remote

Greetings, Subramanya Narayanaswamy!

Please bottom post in this list.

> Thanks for the response.

> Basically I have an Cloud control Agent server on LINUX host and Cloud 
> control would like connect to Windows hosts over an SSH protocol.

For that, you need a REGULAR user, for which you need to use a strong password and prepare it for key-based login.
See the documentation and the other reply from Marco.

> ssh user1@IP

> But here I want to create a separate user to authenticate from Cloud 
> controller to target client with ssh setup and password based authentication.

Yes. Do it.


--
With best regards,
Andrey Repin
Wednesday, August 12, 2020 2:22:48

Sorry for my terrible english...

Re: Need information on creating service user to connect from the Agent server to Windows hosts for installing agents on remote

[Andrey Repin]

Greetings, Subramanya Narayanaswamy!

> Do you have any steps to follow to create an admin user using
> ssh-user-config command? Because when I run ssh-user-config it is taking
> SYSTEM user as default user name and doesn't prompt to create new user for
> the purpose of connecting remotely to the target windows host which runs CYGWIN.

Creating a new user is outside the scope of Cygwin.
ssh-user-config prepares CURRENT user to use SSH.


-- 
With best regards,
Andrey Repin
Wednesday, August 12, 2020 17:41:18

Sorry for my terrible english...

Re: Need information on creating service user to connect from the Agent server to Windows hosts for installing agents on remote

[Stephen Carrier]

On Wed, Aug 12, 2020 at 01:43:30PM +0000, Subramanya Narayanaswamy via Cygwin wrote:
> Do you have any steps to follow to create an admin user using ssh-user-config command? Because when I run ssh-user-config it is taking SYSTEM user as default user name and doesn't prompt to create new user for the purpose of connecting remotely to the target windows host which runs CYGWIN.

I think you just need to create a regular windows users, or use one that
already exists.  I use ssh extensively to connect to various windows
accounts and have never touched ssh-user-config.  Just ssh and use the
windows login and password.  It can be an Administrator account.

Stephen

Re[2]: Need information on creating service user to connect from the Agent server to Windows hosts for installing agents on remote

[Subramanya Narayanswamy]

Thanks Stephen 
--
Thanks,
Subbu Wednesday, 12 August 2020, 09:29PM +05:30 from Stephen Carrier  carrier@berkeley.edu :

>On Wed, Aug 12, 2020 at 01:43:30PM +0000, Subramanya Narayanaswamy via Cygwin wrote:
> Do you have any steps to follow to create an admin user using ssh-user-config command? Because when I run ssh-user-config it is taking SYSTEM user as default user name and doesn't prompt to create new user for the purpose of connecting remotely to the target windows host which runs CYGWIN.
>
>I think you just need to create a regular windows users, or use one that
>already exists.  I use ssh extensively to connect to various windows
>accounts and have never touched ssh-user-config.  Just ssh and use the
>windows login and password.  It can be an Administrator account.
>
>Stephen

RE: Need information on creating service user to connect from the Agent server to Windows hosts for installing agents on remote

[Subramanya Narayanaswamy]

Hi Team,

I'm facing below issue while trying to start CYGSSHD server. I'm running the below command as an Administrator but not sure why cygsshd is not starting. Any help?
--------------------------------------------------------------
$ net start cygsshd
The CYGWIN cygsshd service is starting.
The CYGWIN cygsshd service could not be started.

The service did not report an error.

More help is available by typing NET HELPMSG 3534.

Subramanya
-- 

Subramanya Narayanswamy, Staff Consultant, Infrastructure
Mobile: +919900036638
Oracle Consulting | IaaS

Oracle India 

-----Original Message-----
From: Stephen Carrier [mailto:carrier@berkeley.edu] 
Sent: Wednesday, August 12, 2020 9:29 PM
To: Subramanya Narayanaswamy <subramanya.narayanswamy@oracle.com>
Cc: cygwin@cygwin.com
Subject: Re: Need information on creating service user to connect from the Agent server to Windows hosts for installing agents on remote

On Wed, Aug 12, 2020 at 01:43:30PM +0000, Subramanya Narayanaswamy via Cygwin wrote:
> Do you have any steps to follow to create an admin user using ssh-user-config command? Because when I run ssh-user-config it is taking SYSTEM user as default user name and doesn't prompt to create new user for the purpose of connecting remotely to the target windows host which runs CYGWIN.

I think you just need to create a regular windows users, or use one that already exists.  I use ssh extensively to connect to various windows accounts and have never touched ssh-user-config.  Just ssh and use the windows login and password.  It can be an Administrator account.

Stephen

Re: Need information on creating service user to connect from the Agent server to Windows hosts for installing agents on remote

[Marco Atzeri]

On 16.08.2020 10:17, Subramanya Narayanaswamy via Cygwin wrote:
> Hi Team,
> 
> I'm facing below issue while trying to start CYGSSHD server. I'm running the below command as an Administrator but not sure why cygsshd is not starting. Any help?
> --------------------------------------------------------------
> $ net start cygsshd
> The CYGWIN cygsshd service is starting.
> The CYGWIN cygsshd service could not be started.
> 
> The service did not report an error.
> 
> More help is available by typing NET HELPMSG 3534.
> 
> Subramanya
> 

I saw the same problem.
The /var/log/sshd.log gave me the hint:
-----------------------------------------------
Permissions 0640 for '/etc/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
..
Permissions 0640 for '/etc/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
..
Permissions 0640 for '/etc/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
sshd: no hostkeys available -- exiting.
------------------------------------------------


from the Admin account

  $ cd /etc
  $ chmod 600 ssh*

solved the problem

  $ cygrunsrv -S cygsshd

  $ cygrunsrv -Q cygsshd
Service             : cygsshd
Display name        : CYGWIN cygsshd
Current State       : Running
Controls Accepted   : Stop
Command             : /usr/sbin/sshd -D

Re: Need information on creating service user to connect from the Agent server to Windows hosts for installing agents on remote

[ASSI]

Subramanya Narayanaswamy via Cygwin writes:
> Hi Team,
>
> I'm facing below issue while trying to start CYGSSHD server. I'm running the below command as an Administrator but not sure why cygsshd is not starting. Any help?
> --------------------------------------------------------------
> $ net start cygsshd
> The CYGWIN cygsshd service is starting.
> The CYGWIN cygsshd service could not be started.
>
> The service did not report an error.
>
> More help is available by typing NET HELPMSG 3534.

Most likely you didn't ensure the SSH private key files are only
readable by the SYSTEM user.  There should be a complaint about the
permissions being too open in /var/log/sshd.log in that case.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds

Re: Need information on creating service user to connect from the Agent server to Windows hosts for installing agents on remote

[Stephen Carrier]

On Sun, Aug 16, 2020 at 11:36:10AM +0200, Marco Atzeri via Cygwin wrote:
> On 16.08.2020 10:17, Subramanya Narayanaswamy via Cygwin wrote:
> > Hi Team,
> > 
> > I'm facing below issue while trying to start CYGSSHD server. I'm running the below command as an Administrator but not sure why cygsshd is not starting. Any help?
> > --------------------------------------------------------------
> > $ net start cygsshd
> > The CYGWIN cygsshd service is starting.
> > The CYGWIN cygsshd service could not be started.
> > 
> > The service did not report an error.
> > 
> > More help is available by typing NET HELPMSG 3534.
> > 
> > Subramanya
> > 
> 
> I saw the same problem.
> The /var/log/sshd.log gave me the hint:
> -----------------------------------------------
> Permissions 0640 for '/etc/ssh_host_rsa_key' are too open.
> It is required that your private key files are NOT accessible by others.
> This private key will be ignored.
> ..
> Permissions 0640 for '/etc/ssh_host_ecdsa_key' are too open.
> It is required that your private key files are NOT accessible by others.
> This private key will be ignored.
> ..
> Permissions 0640 for '/etc/ssh_host_ed25519_key' are too open.
> It is required that your private key files are NOT accessible by others.
> This private key will be ignored.
> sshd: no hostkeys available -- exiting.
> ------------------------------------------------

/var/log/sshd.config may provide helpful clues even if the issue is
different from loose permissions on the private keys.  Let us know what
you find there if you are still having trouble.

> from the Admin account
> 
>  $ cd /etc
>  $ chmod 600 ssh*
> 
> solved the problem

It may have but ... There is no need to restrict permissions on the
public keys and restricting permissions on /etc/ssh_config may interfere
with ssh client use by non-Administrator users.  Moreover, I don't think
/etc/sshd_config needs to be restricted though that could be a judgement
call.

Perhaps

$ chmod 600 ssh_host_*_key

is enough to fix the private key permissions, if in fact that is the problem.

>  $ cygrunsrv -Q cygsshd
....

"cygrunsrv -V -Q cygsshd" will reveal even more information.

--Stephen

Re[2]: Need information on creating service user to connect from the Agent server to Windows hosts for installing agents on remote

[Subramanya Narayanswamy]

Hi Stephan,
Thanks for the information. Issue is fixed and it was IBM ssh service which was blocking way for cygwin to bind address 0.0.0.0/22 on my windows machine. I disabled that service and cygwin worked smoothly.
--
Thanks,
Subbu Wednesday, 19 August 2020, 10:03PM +05:30 from Stephen Carrier  carrier@berkeley.edu :

>On Sun, Aug 16, 2020 at 11:36:10AM +0200, Marco Atzeri via Cygwin wrote:
> On 16.08.2020 10:17, Subramanya Narayanaswamy via Cygwin wrote:
>> Hi Team,
>>
>> I'm facing below issue while trying to start CYGSSHD server. I'm running the below command as an Administrator but not sure why cygsshd is not starting. Any help?
>> --------------------------------------------------------------
>> $ net start cygsshd
>> The CYGWIN cygsshd service is starting.
>> The CYGWIN cygsshd service could not be started.
>>
>> The service did not report an error.
>>
>> More help is available by typing NET HELPMSG 3534.
>>
>> Subramanya
>>
>
> I saw the same problem.
> The /var/log/sshd.log gave me the hint:
> -----------------------------------------------
> Permissions 0640 for '/etc/ssh_host_rsa_key' are too open.
> It is required that your private key files are NOT accessible by others.
> This private key will be ignored.
> ..
> Permissions 0640 for '/etc/ssh_host_ecdsa_key' are too open.
> It is required that your private key files are NOT accessible by others.
> This private key will be ignored.
> ..
> Permissions 0640 for '/etc/ssh_host_ed25519_key' are too open.
> It is required that your private key files are NOT accessible by others.
> This private key will be ignored.
> sshd: no hostkeys available -- exiting.
> ------------------------------------------------
>/var/log/sshd.config may provide helpful clues even if the issue is
>different from loose permissions on the private keys.  Let us know what
>you find there if you are still having trouble.
>
> from the Admin account
>
> $ cd /etc
> $ chmod 600 ssh*
>
> solved the problem
>
>It may have but ... There is no need to restrict permissions on the
>public keys and restricting permissions on /etc/ssh_config may interfere
>with ssh client use by non-Administrator users.  Moreover, I don't think
>/etc/sshd_config needs to be restricted though that could be a judgement
>call.
>
>Perhaps
>
>$ chmod 600 ssh_host_*_key
>
>is enough to fix the private key permissions, if in fact that is the problem.
>
> $ cygrunsrv -Q cygsshd
>....
>
>"cygrunsrv -V -Q cygsshd" will reveal even more information.
>
>--Stephen