public inbox for cygwin@cygwin.com
* Getting sshd Configured on Win2k Platform
@ 2002-07-11 13:55 David Highley
  0 siblings, 0 replies; 4+ messages in thread
From: David Highley @ 2002-07-11 13:55 UTC (permalink / raw)
  To: cygwin

We have researched all the sources of information we can find on setting
up sshd as a service, but still I'm not quite able to get it to function
properly. We have read the openssh README file by Corinna Vinschen and
the cygrunsrv.README file. We also did a search of the FAQ and the
mailing list archives.

The goal of this effort is to have remote VPN access for a Windows user.
Using sshd for the encrypted link and TightVNC for the application
interface.

We are using openssh rev 3.4p1 on system, openssh rev 3.4p1-3 on the
Win2k Advanced Server system. Cygrunsrv is rev 0.95-1. All versions are
the latest available. We ran the ssh-host-config script taking the
defaults. We have checked the file permissions with a bash shell and the
security ACLs via the windows explorer. The service installs, but will
not run and the application event view shows:
    The description for Event ID (0) in Source (sshd) cannot be found.
    The local computer may not have the necessary registry information
    or message DLL files to display messages from a remote computer. The
    following information is part of the event sshd: Win32 Process id =
    0x590: Cygwin Process id = 0x590: starting service 'sshd' failed:
    execv: 255, error 255.

The pop up dialog box error is:
    Could not start the CYGWIN sshd service on Local Computer.
    The service did not return an error. This could be an internal
    Windows error or an internal service error. If the problem persists,
    contact your system administrator.

If we install the service per the openssh README instructions as:
    cygrunsrv --install sshd -f "Secure Shell Daemon" -t auto \
	--path /usr/sbin/sshd --args -D

Then we are able to start the service and a:
    ssh sysname -l Administrator - successful 
    ssh sysname                  - returns the following:
    Last login: Thu Jul 11 09:28:06 2002 from
    hemlock.highley-recommended.com
    Fanfare!!!
    You are successfully logged in to this server!!!
    setgid: Invalid argument
    Connection to redwood closed.

We have tried both discussed /etc/sshd_config file settings in the
openssh README file:
     RSAAuthentication yes
     RhostsAuthentication yes
     RhostsRSAAuthentication yes

     or

     PasswordAuthentication yes
     RhostsAuthentication no
     RhostsRSAAuthentication no
     RSAAuthentication no           or  RSAAuthentication yes

In reading the openssh README file it talks about having the service run
as a user and to modify the Local Security Settings. We see that the
ssh-host-config added a user sshd to the /etc/passwd file, but did not
add user flags nor modify the Local Security Settings.

Sorry for the length of this message, but we are trying to understand
what the recipe is for getting this to work. Has someone set this up and
defined the process for installing it? Another question is if we use the
second sshd_config file settings with "PasswordAuthentication yes" will
we have an encrypted VPN link?



-- 


Regards,

David Highley		      Phone: (206) 669-0081
Highley Recommended, Inc.	FAX: (253) 838-8509
2927 SW 339th Street	      Email: dhighley@highley-recommended.com
Federal Way, WA 98023-7732	WEB: http://www.highley-recommended.com

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


* Re: Getting sshd Configured on Win2k Platform
  2002-07-12  4:57 David Highley
@ 2002-07-12  5:06 ` Corinna Vinschen
  0 siblings, 0 replies; 4+ messages in thread
From: Corinna Vinschen @ 2002-07-12  5:06 UTC (permalink / raw)
  To: cygwin

On Thu, Jul 11, 2002 at 11:54:37PM -0700, David Highley wrote:
> We think there are missing single quotes in the ssh-host-config script.
> When the environment parameter is done as in the script:
>     -e "CYGWIN=binmode ntsec tty" variables expanded here
> the service will not start. If we do the following:
>     -e '"CYGWIN=binmode ntsec tty"'
> the service will start and different users can login. We also found that
> a /etc/group entry was missing which was causing the setgid problem.

Works here w/o single quotes.  They aren't needed.

> We also ran snoop to verify that we have the communication link
> encrypted and no information is leaking. For /etc/sshd_config we ended up
> with:
>      RSAAuthentication yes
>      RhostsAuthentication yes
>      RhostsRSAAuthentication yes
>      PasswordAuthentication yes

Rhosts authentication is BAD!  Set to no.

> We did add ssh to the ${SYSTEMROOT}/system32/drivers/etc/services file.

Which should have been added already by ssh-host-config.

> We did not make any modifications to the Local Security Settings as
> discussed in the openssh README file.

Which is good since the README explicitly says:

===========================================================================
The following restrictions only apply to Cygwin versions up to 1.3.1
===========================================================================

[...]

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
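
Added example (not part of the thread or of the openssh README): a check for the rhosts-based settings Corinna says to turn off, run against an sshd_config. It relies on sshd using the first value it reads for a keyword; covering both RhostsAuthentication and RhostsRSAAuthentication is this example's reading of her reply, and the function names are made up here.

```shell
#!/bin/sh
# audit_rhosts [FILE]: report whether rhosts-based authentication is enabled.
# Reads FILE, or standard input when no file is given.
# Returns 1 if either keyword is effectively "yes", 0 otherwise.
audit_rhosts() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        n = match(line, /[ \t=]+/)             # keyword ends at whitespace or "="
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1))  # keywords are case-insensitive
        split(substr(line, n + RLENGTH), words, /[ \t]+/)
        # sshd keeps the first value it sees for a keyword, so later
        # duplicates must not override an earlier setting.
        if (!(key in seen)) seen[key] = tolower(words[1])
    }
    END {
        bad = 0
        nk = split("rhostsauthentication rhostsrsaauthentication", keys, " ")
        for (i = 1; i <= nk; i++) {
            k = keys[i]
            if (!(k in seen)) print "unset " k
            else if (seen[k] == "yes") { print "FAIL " k "=yes"; bad = 1 }
            else print "ok " k "=" seen[k]
        }
        exit bad
    }' "$@"
}

# The four sshd_config lines quoted in the thread, reproduced as sample input.
thread_config() {
    printf '%s\n' 'RSAAuthentication yes' 'RhostsAuthentication yes' \
                  'RhostsRSAAuthentication yes' 'PasswordAuthentication yes'
}

thread_config | audit_rhosts || echo "=> rhosts-based authentication is enabled"
```

An "unset" result means the keyword is absent and the build's default applies, which the script does not try to guess.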


* Re: Getting sshd Configured on Win2k Platform
@ 2002-07-12  4:57 David Highley
  2002-07-12  5:06 ` Corinna Vinschen
  0 siblings, 1 reply; 4+ messages in thread
From: David Highley @ 2002-07-12  4:57 UTC (permalink / raw)
  To: cygwin

"dhighley wrote:"
From dhighley Thu Jul 11 15:58:18 2002
Subject: Re: Getting sshd Configured on Win2k Platform
To: maharig@idirect.net (Harig, Mark A.)
Date: Thu, 11 Jul 2002 15:58:18 -0700 (PDT)
In-Reply-To: <BADF3C947A1BD54FBA75C70C241B0B9E40F0E6@ex02.idirect.net> from "Harig, Mark A." at Jul 11, 2002 04:18:31 PM
X-Mailer: ELM [version 2.5 PL6]
Content-Length: 1619      


It is working now and from the replies we found two things to fix.

"Harig, Mark A. wrote:"
> 
> 1. Which filesystem are you running on your disk(s): FAT32 or NTFS?
> 
> 2. If you are running NTFS, then you need to specify '-e "CYGWIN=ntsec"'
> to cygrunsrv.

We think there are missing single quotes in the ssh-host-config script.
When the environment parameter is done as in the script:
    -e "CYGWIN=binmode ntsec tty" variables expanded here
the service will not start. If we do the following:
    -e '"CYGWIN=binmode ntsec tty"'
the service will start and different users can login. We also found that
a /etc/group entry was missing which was causing the setgid problem.

> 
> 3. What are the permissions of the directory /home/Administrator?
> 
> 4. Once you get the sshd running, before attempting to ssh to the sshd
> remotely, you should try to ssh locally (i.e., run the ssh client on the
> machine that is running sshd).

We also ran snoop to verify that we have the communication link
encrypted and no information is leaking. For /etc/sshd_config we ended up
with:
     RSAAuthentication yes
     RhostsAuthentication yes
     RhostsRSAAuthentication yes
     PasswordAuthentication yes

We did add ssh to the ${SYSTEMROOT}/system32/drivers/etc/services file.
We did not make any modifications to the Local Security Settings as
discussed in the openssh README file.


-- 


Regards,

David Highley		      Phone: (206) 669-0081
Highley Recommended, Inc.	FAX: (253) 838-8509
2927 SW 339th Street	      Email: dhighley@highley-recommended.com
Federal Way, WA 98023-7732	WEB: http://www.highley-recommended.com
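
Added example (not from the thread or from any Cygwin script): a consistency check for the condition David reports, an account whose primary group has no /etc/group entry. The function names, user names, IDs and SIDs in the sample files are constructed for illustration.

```shell
#!/bin/sh
# missing_groups PASSWD_FILE GROUP_FILE
# Prints "user:gid" for every account whose primary GID (passwd field 4)
# is not defined in the group file (group field 3).
# Returns 1 if any such account is found, 0 otherwise.
missing_groups() {
    awk -F: -v grp="$2" '
    BEGIN {
        # Load every GID defined in the group file.
        while ((getline l < grp) > 0) {
            if (l ~ /^#/ || split(l, f, ":") < 3) continue
            gid[f[3]] = 1
        }
        close(grp)
    }
    /^#/ || NF < 4 { next }                 # skip comments and malformed lines
    !($4 in gid) { print $1 ":" $4; n++ }
    END { exit (n > 0) }
    ' "$1"
}

# Constructed sample files: one account whose group exists, one whose
# primary group (513) is missing from the group file.
make_sample() {
    printf '%s\n' \
        'Administrator:unused:500:544:,S-1-5-21-1-2-3-500:/home/Administrator:/bin/bash' \
        'remoteuser:unused:1001:513:,S-1-5-21-1-2-3-1001:/home/remoteuser:/bin/bash' \
        > "$1/passwd"
    printf '%s\n' 'Administrators:S-1-5-32-544:544:' > "$1/group"
}

tmp=$(mktemp -d)
make_sample "$tmp"
missing_groups "$tmp/passwd" "$tmp/group" ||
    echo "=> the accounts listed above have no matching group entry"
rm -rf "$tmp"
```

On a real system the call would be `missing_groups /etc/passwd /etc/group`.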


* RE: Getting sshd Configured on Win2k Platform
@ 2002-07-11 14:39 Harig, Mark A.
  0 siblings, 0 replies; 4+ messages in thread
From: Harig, Mark A. @ 2002-07-11 14:39 UTC (permalink / raw)
  To: David Highley, cygwin

1. Which filesystem are you running on your disk(s): FAT32 or NTFS?

2. If you are running NTFS, then you need to specify '-e "CYGWIN=ntsec"'
to cygrunsrv.

3. What are the permissions of the directory /home/Administrator?

4. Once you get the sshd running, before attempting to ssh to the sshd
remotely, you should try to ssh locally (i.e., run the ssh client on the
machine that is running sshd).



> -----Original Message-----
> From: David Highley [mailto:dhighley@highley-recommended.com]
> Sent: Thursday, July 11, 2002 4:02 PM
> To: cygwin@cygwin.com
> Subject: Getting sshd Configured on Win2k Platform
> 
> 
> We have researched all the sources of information we can find on setting
> up sshd as a service, but still I'm not quite able to get it to function
> properly. We have read the openssh README file by Corinna Vinschen and
> the cygrunsrv.README file. We also did a search of the FAQ and the
> mailing list archives.
> 
> The goal of this effort is to have remote VPN access for a Windows user.
> Using sshd for the encrypted link and TightVNC for the application
> interface.
> 
> We are using openssh rev 3.4p1 on system, openssh rev 3.4p1-3 on the
> Win2k Advanced Server system. Cygrunsrv is rev 0.95-1. All versions are
> the latest available. We ran the ssh-host-config script taking the
> defaults. We have checked the file permissions with a bash shell and the
> security ACLs via the windows explorer. The service installs, but will
> not run and the application event view shows:
>     The description for Event ID (0) in Source (sshd) cannot be found.
>     The local computer may not have the necessary registry information
>     or message DLL files to display messages from a remote computer. The
>     following information is part of the event sshd: Win32 Process id =
>     0x590: Cygwin Process id = 0x590: starting service 'sshd' failed:
>     execv: 255, error 255.
> 
> The pop up dialog box error is:
>     Could not start the CYGWIN sshd service on Local Computer.
>     The service did not return an error. This could be an internal
>     Windows error or an internal service error. If the problem persists,
>     contact your system administrator.
> 
> If we install the service per the openssh README instructions as:
>     cygrunsrv --install sshd -f "Secure Shell Daemon" -t auto \
> 	--path /usr/sbin/sshd --args -D
> 
> Then we are able to start the service and a:
>     ssh sysname -l Administrator - successful 
>     ssh sysname                  - returns the following:
>     Last login: Thu Jul 11 09:28:06 2002 from
>     hemlock.highley-recommended.com
>     Fanfare!!!
>     You are successfully logged in to this server!!!
>     setgid: Invalid argument
>     Connection to redwood closed.
> 
> We have tried both discussed /etc/sshd_config file settings in the
> openssh README file:
>      RSAAuthentication yes
>      RhostsAuthentication yes
>      RhostsRSAAuthentication yes
> 
>      or
> 
>      PasswordAuthentication yes
>      RhostsAuthentication no
>      RhostsRSAAuthentication no
>      RSAAuthentication no           or  RSAAuthentication yes
> 
> In reading the openssh README file it talks about having the service run
> as a user and to modify the Local Security Settings. We see that the
> ssh-host-config added a user sshd to the /etc/passwd file, but did not
> add user flags nor modify the Local Security Settings.
> 
> Sorry for the length of this message, but we are trying to understand
> what the recipe is for getting this to work. Has someone set this up and
> defined the process for installing it? Another question is if we use the
> second sshd_config file settings with "PasswordAuthentication yes" will
> we have an encrypted VPN link?
