Silently configure sshd fails via system account

Silently configure sshd fails via system account

[Paul Griffith]

Hi,

I am using a software package called WPKG (wpkg.org) to silently deploy Cygwin and then configure SSHD. The Cygwin installation works like a charm. Configuring sshd is another story. If I run my script from a admin command prompt, I am to setup sshd. If I run that same script from WPKG, it fails. The only difference is that the WPKG agent runs as the SYSTEM user. I assume SCCM (Microsoft System Center Configuration Manager) users would have the same issue since their agent also run as SYSTEM.

Any ideas other than pulling apart /usr/bin/ssh-host-config  and trying to do this manually myself ??

Here is some of the debugging I captured. Notice how the permissions at [0] and [1] don't match, I can't explain that one. Updating Cygwin doesn't solve my problem.

Windows 7 Enterprise x64 SP 1
2GB RAM
VirtualBox 4.3.6

======
before running ssh-host-config (wpkg)
touch /var/log/sshd.log
chmod 700 /var/empty
chown SYSTEM /var/empty
ls -lad /var/empty
[0] drwx------+ 1 SYSTEM Administrators 0 Feb 21 13:07 /var/empty

/usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd blah

^[[1;32m*** Info:^[[0;0m Generating /etc/ssh_host_key
^[[1;32m*** Info:^[[0;0m Generating /etc/ssh_host_rsa_key
^[[1;32m*** Info:^[[0;0m Generating /etc/ssh_host_dsa_key
^[[1;32m*** Info:^[[0;0m Generating /etc/ssh_host_ecdsa_key
^[[1;32m*** Info:^[[0;0m Creating default /etc/ssh_config file
^[[1;32m*** Info:^[[0;0m Creating default /etc/sshd_config file
^[[1;32m*** Info:^[[0;0m Privilege separation is set to yes by default since OpenSSH 3.3.
^[[1;32m*** Info:^[[0;0m However, this requires a non-privileged account called 'sshd'.
^[[1;32m*** Info:^[[0;0m For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
^[[1;35m*** Query:^[[0;0m Should privilege separation be used? (yes/no) yes
^[[1;33m*** Warning:^[[0;0m The owner and the Administrators need
^[[1;33m*** Warning:^[[0;0m to have r.x permission to /var/empty.
^[[1;33m*** Warning:^[[0;0m Here are the current permissions and ACLS:
[1] ^[[1;33m*** Warning:^[[0;0m     drwxr-xr-x+ 1 SYSTEM Administrators 0 Feb 21 13:07 /var/empty
^[[1;33m*** Warning:^[[0;0m     # file: /var/empty
^[[1;33m*** Warning:^[[0;0m     # owner: SYSTEM
^[[1;33m*** Warning:^[[0;0m     # group: Administrators
^[[1;33m*** Warning:^[[0;0m     user::rwx
^[[1;33m*** Warning:^[[0;0m     group::r-x
^[[1;33m*** Warning:^[[0;0m     mask:rwx
^[[1;33m*** Warning:^[[0;0m     other:r-x
^[[1;33m*** Warning:^[[0;0m     default:user::rwx
^[[1;33m*** Warning:^[[0;0m     default:group::r-x
^[[1;33m*** Warning:^[[0;0m     default:other:r-x
^[[1;33m*** Warning:^[[0;0m     ^[[1;33m*** Warning:^[[0;0m Please change the user and/or group ownership, ^[[1;33m*** Warning:^[[0;0m permissions, or ACLs of /var/empty.

^[[1;31m*** ERROR:^[[0;0m Problem with /var/empty directory. Exiting.
----

I call my script like the following:
start /wait %CYGWIN_ROOT%\bin\bash.exe --login -i /cygdrive/c/windows/temp/config-sshd-win7.sh "%cyg_server_passwd%" 


config-sshd-win7.sh script:
------snip------
#/bin/sh

echo running ssh-host-config

if [ -f /cygdrive/c/netinst/logs/ssh-host-config.log ]; then 
	rm -f /cygdrive/c/netinst/logs/ssh-host-config.log 
fi


echo before ssh-host-config > /cygdrive/c/netinst/logs/ssh-host-config.log

#setup permissions and owership of files
echo setting up permissions

echo touch /var/log/sshd.log >> /cygdrive/c/netinst/logs/ssh-host-config.log
touch /var/log/sshd.log >> /cygdrive/c/netinst/logs/ssh-host-config.log

if [ ! -d /var/empty ]; then  
   mkdir /var/empty
fi

#echo chown system /var/log/sshd.log /var/empty /etc/ssh_h* >> /cygdrive/c/netinst/logs/ssh-host-config.log
chown system /var/log/sshd.log /var/empty /etc/ssh_h* >> /cygdrive/c/netinst/logs/ssh-host-config.log

#echo chmod 700 /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 700 /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log

echo /usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd   >> /cygdrive/c/netinst/logs/ssh-host-config.log
/usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd "$1" >> /cygdrive/c/netinst/logs/ssh-host-config.log

echo after ssh-host-config >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo ls -lad /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log
ls -lad /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log

#Prohibits a user or group from logging on locally at the keyboard.
editrights -a SeDenyRemoteInteractiveLogonRight -u cyg_server

echo listing services: cygrunsrv -L >> /cygdrive/c/netinst/logs/ssh-host-config.log
cygrunsrv -L >> /cygdrive/c/netinst/logs/ssh-host-config.log

echo starting sshd: cygrunsrv -S sshd >> /cygdrive/c/netinst/logs/ssh-host-config.log
cygrunsrv -S sshd


echo cd "/home/Administrator" >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 750 /home/Administrator
cd /home/Administrator

echo mkdir .ssh >> /cygdrive/c/netinst/logs/ssh-host-config.log
mkdir .ssh

echo chmod 700 .ssh >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 700 .ssh
ls -lad .ssh >> /cygdrive/c/netinst/logs/ssh-host-config.log

echo cp //xxxxx/xxx/site/ssh/authorized_keys .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
cp //xxxx/xxxx/site/ssh/authorized_keys .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log

echo ls -l .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
ls -l .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log

echo chmod 644 .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 644 .ssh/authorized_keys 
ls -l .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log

mkpasswd -l >> /etc/passwd
mkgroup -l >> /etc/group
-------snip------

Thank You
Paul



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Larry Hall (Cygwin)]

On 2/21/2014 3:48 PM, Paul Griffith wrote:
> Hi,
>
> I am using a software package called WPKG (wpkg.org) to silently deploy
> Cygwin and then configure SSHD. The Cygwin installation works like a
> charm. Configuring sshd is another story. If I run my script from a admin
> command prompt, I am to setup sshd. If I run that same script from WPKG,
> it fails. The only difference is that the WPKG agent runs as the SYSTEM
> user. I assume SCCM (Microsoft System Center Configuration Manager) users
> would have the same issue since their agent also run as SYSTEM.
>
> Any ideas other than pulling apart /usr/bin/ssh-host-config  and trying
> to do this manually myself ??

Configuring sshd can be tricky.  There are plenty of failure paths so it's
best not to step off known paths to success unless you're willing to blaze
a new successful trail.  With that in mind, why not run WPKG under an
account that is known to successfully install Cygwin in the normal way?
This may be close enough to a known successful path to just work.

-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Paul Griffith]

On 02/21/2014 03:58 PM, Larry Hall (Cygwin) wrote:
> On 2/21/2014 3:48 PM, Paul Griffith wrote:
>> Hi,
>>
>> I am using a software package called WPKG (wpkg.org) to silently deploy
>> Cygwin and then configure SSHD. The Cygwin installation works like a
>> charm. Configuring sshd is another story. If I run my script from a admin
>> command prompt, I am to setup sshd. If I run that same script from WPKG,
>> it fails. The only difference is that the WPKG agent runs as the SYSTEM
>> user. I assume SCCM (Microsoft System Center Configuration Manager) users
>> would have the same issue since their agent also run as SYSTEM.
>>
>> Any ideas other than pulling apart /usr/bin/ssh-host-config  and trying
>> to do this manually myself ??
> 
> Configuring sshd can be tricky.  There are plenty of failure paths so it's
> best not to step off known paths to success unless you're willing to blaze
> a new successful trail.  With that in mind, why not run WPKG under an
> account that is known to successfully install Cygwin in the normal way?
> This may be close enough to a known successful path to just work.
> 

Thanks Larry,

   I have a few options to try. I post them to help others, if I achieve some measure of success.

Best Regards,
Paul


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Lord Laraby]

I am also having serious issues with sshd-host-config. I ran it right
from the command line, from the built-in administrator account. It
failed to start with no message in the Event Log. But, the
/var/log/sshd.log said none of the keys were properly secured and
refused them all. I chmod'ed them all, tried again, failed again. This
time  it was that /var/empty was wrong. I had just gotten done
installing cygserver, so it was no surprise that cygserver (who had
permission to /var/empty before sshd-host-config) no longer had any
permissions. It was already started, however. So, I check and it was
owned by 'sshd' and group 'Administrator'.

The problem was that the config program never set the required
permissions. The message was "/var/empty must be owned by root and not
group or world-writable." Nice, there is no 'root', so I renamed
Administrator to root. Still no go. So, I changed the permissions to
be very strict (700). You'd think that would fix it?

Nope. So, I thought maybe it wants group 'root', too. So, I renamed
Administrator in /etc/groups to root. Still, not working and same
message.

I then was getting all kinds of weird messages from 'ls' about
group-id conflicts. It's getting worse, I thought. Short of removing
everything and starting over, I rebuilt /etc/passd and /etc/group with
mkpasswd and mkgroup. Then, I changed the owners to sshd again and
group Administrators with mode 600. It fails again.

I thought, "maybe I need to use elevated cygwin, rather than
Administrator account." So, I tried all those steps with that account.
Locked myself out of the /var/empty directory so I had to take
ownership and start all over.

I cannot understand how to do what it wants in order to start. Any
help would be appreciated. I can send cygcheck.out if desired. This is
Windows 8.1 ver 6.3 -- 64-bit. Cygwin (64-bit) is installed in a USB
hard drive K:\cygwin and I recently did an update by running setup and
not selecting anything new. I have run sshd successfully on Win7
computers and older. This is a new one for me.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Henry S. Thompson]

Lord Laraby writes:

> I cannot understand how to do what it wants in order to start. Any
> help would be appreciated. I can send cygcheck.out if desired. This is
> Windows 8.1 ver 6.3 -- 64-bit. Cygwin (64-bit) is installed in a USB
> hard drive K:\cygwin and I recently did an update by running setup and
> not selecting anything new. I have run sshd successfully on Win7
> computers and older. This is a new one for me.

Same platform as you.  Here are my (possibly relevant) data for
comparison:

> ls -ld /var/empty
drwxr-xr-x+ 1 cyg_server root 0 Jan  3 11:36 /var/empty/
> egrep cyg_server /etc/passwd
cyg_server:unused:1003:513:Privileged
server,U-luther\cyg_server,S-1-5-21-3264347833-3381411623-2398912269-1003:/var/empty:/bin/bash
> egrep root /etc/group
root:S-1-5-32-544:0:
> egrep S-1-5-32-544 /etc/passwd
Administrators:*:544:544:,S-1-5-32-544::

ht
-- 
       Henry S. Thompson, School of Informatics, University of Edinburgh
      10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
                Fax: (44) 131 650-4587, e-mail: ht@inf.ed.ac.uk
                       URL: http://www.ltg.ed.ac.uk/~ht/
 [mail from me _always_ has a .sig like this -- mail without it is forged spam]

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Lord Laraby]

That's interesting. sshd-host-config gave me only sshd as a privileged
user name, cyg_server is already taken by a non-prvileged user
connected to the cygserver service.
Also, at no time does mkgroup create a group called root. I tried
that, but it screwed everything up. Of course, I used Administrators
actual group 513, not 544. I will fiddle with /etc/group and see what
I can come up with.
Ad far as the user name, if it requires cyg_server (not sshd), then I
have a serious issue with the other cygwin install as a service tool,
"cygserver."
The permissions on /var/empty failed everytime. I tried 755, 744, 711,
700, 655, 644, 611. and even 600. No dice.
This is the var/empty listing:
master@primaryserver ~
$ ls -ld /var/empty
drw-------+ 1 Administrators None 0 Mar 17 13:52 /var/empty

I also tried this:
master@primaryserver ~
$ ls -ld /var/empty
drw-------+ 1 sshd None 0 Mar 17 13:52 /var/empty
master@primaryserver ~
$ cygrunsrv -S sshd
cygrunsrv: Error starting a service: QueryServiceStatus:  Win32 error 1062:
The service has not been started.


On Mon, Mar 17, 2014 at 5:56 PM, Henry S. Thompson <ht@inf.ed.ac.uk> wrote:
> Lord Laraby writes:
>
>> I cannot understand how to do what it wants in order to start. Any
>> help would be appreciated. I can send cygcheck.out if desired. This is
>> Windows 8.1 ver 6.3 -- 64-bit. Cygwin (64-bit) is installed in a USB
>> hard drive K:\cygwin and I recently did an update by running setup and
>> not selecting anything new. I have run sshd successfully on Win7
>> computers and older. This is a new one for me.
>
> Same platform as you.  Here are my (possibly relevant) data for
> comparison:
>
>> ls -ld /var/empty
> drwxr-xr-x+ 1 cyg_server root 0 Jan  3 11:36 /var/empty/
>> egrep cyg_server /etc/passwd
> cyg_server:unused:1003:513:Privileged
> server,U-luther\cyg_server,S-1-5-21-3264347833-3381411623-2398912269-1003:/var/empty:/bin/bash
>> egrep root /etc/group
> root:S-1-5-32-544:0:
>> egrep S-1-5-32-544 /etc/passwd
> Administrators:*:544:544:,S-1-5-32-544::
>
> ht
> --
>        Henry S. Thompson, School of Informatics, University of Edinburgh
>       10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
>                 Fax: (44) 131 650-4587, e-mail: ht@inf.ed.ac.uk
>                        URL: http://www.ltg.ed.ac.uk/~ht/
>  [mail from me _always_ has a .sig like this -- mail without it is forged spam]
>
> --
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Lord Laraby]

Oh, and sshd's entry is etc/passwd:
sshd:unused:1008:513:sshd
privsep,U-primaryserver\sshd,S-1-5-21-3985440655-1503118989-471546470-1008:/cygdrive/k/Cygwin/var/empty:/bin/bash
The service control manager says sshd is the user and the password is
the one I gave it. There error in sshd.log is:

/var/empty must be owned by root and not group or world-writable.
/var/empty must be owned by root and not group or world-writable.
... about 12 more lines like this ...
/var/empty must be owned by root and not group or world-writable.
/var/empty must be owned by root and not group or world-writable.

The above represents the many attempts to give /var/empy the proper
permissions. Believe me, I've linux for years and I'm a software
engineer. If this has me stumped, then I need to turn in my keys and
quit the computer world.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Lord Laraby]

Followup. I changed everything permissions on /var/empty, group name,
everything now matches your setup (except user name and RID). Still
fails with the same message.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Lord Laraby]

Okay, I figured out the whole issue. The script suggested
non-privleged user sshd as the service user. I allowed that and the
user was created. However the issues the script messed up are:
1) The account was never activated - "net user sshd /active:yes" had
to be run at the command line.
2) All of the keys had permissions given to user cyg_server (which is
actually another service with different needs).
3) the /var/empty file ownership was changed to sshd (stolen from
cyg_server which also had that assigned home directory.) So, that was
correct but wrong.
4) The /var/log/sshd.log ownership was given to cyg_server (who does
not write to that log.) the cygserver.log is owned by SYSTEM!!! I do
not know why.
5) Permission modes were wrong on every file.

These were all setup by the cygwin script, all I did was answer 'yes'
to each question and provide sshd a password (twice).

This might warrant a check by the maintainer.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Henry S. Thompson]

Lord Laraby writes:

> That's interesting. sshd-host-config gave me only sshd as a privileged
> user name, cyg_server is already taken by a non-prvileged user
> connected to the cygserver service.
> Also, at no time does mkgroup create a group called root. 

That suggests an earlier (Cygwin-install-time) error, doesn't it?

I should have said I did exactly _no_ group/permission by-hand
fiddling to get the setup I sent.  All happened auto-magically as a
result of basic install.  Looking at my download area, I see I
installed cygwin, cygrunsrv and openssh all as part of my initial
install.  I can't immediately detect any sign of what initialisations
ran in what order -- /etc/sshd_config was built about an hour after
the downloads. . .

ht
-- 
       Henry S. Thompson, School of Informatics, University of Edinburgh
      10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
                Fax: (44) 131 650-4587, e-mail: ht@inf.ed.ac.uk
                       URL: http://www.ltg.ed.ac.uk/~ht/
 [mail from me _always_ has a .sig like this -- mail without it is forged spam]

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Lord Laraby]

Oh and I forgot the most intriguing gotcha. After creating the sshd
user for me (I went to service manager and discovered this) the user
assigned to the sshd server was actually cyg_server (not sshd)!!!!!
After changing all of those things the service started.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Lord Laraby]

On Mon, Mar 17, 2014 at 7:22 PM, Henry S. Thompson  wrote:
> I should have said I did exactly _no_ group/permission by-hand
> fiddling to get the setup I sent.  All happened auto-magically as a
> result of basic install.  Looking at my download area, I see I
> installed cygwin, cygrunsrv and openssh all as part of my initial
> install.  I can't immediately detect any sign of what initialisations
> ran in what order -- /etc/sshd_config was built about an hour after
> the downloads. . .
>
> ht

I should have said, I've had those tools installed with my original
install of cygwin, but I just never activated them until today. As far
as creating a group "root", I have never seen cygwin do that
automagically. New thing?

By the way, see my previous post about what I had to do to fix the
setup the script made for me.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Larry Hall (Cygwin)]

On 3/17/2014 7:22 PM, Henry S. Thompson wrote:
> Lord Laraby writes:
>
>> That's interesting. sshd-host-config gave me only sshd as a privileged
>> user name, cyg_server is already taken by a non-prvileged user
>> connected to the cygserver service.
>> Also, at no time does mkgroup create a group called root.
>
> That suggests an earlier (Cygwin-install-time) error, doesn't it?
>
> I should have said I did exactly _no_ group/permission by-hand
> fiddling to get the setup I sent.  All happened auto-magically as a
> result of basic install.  Looking at my download area, I see I
> installed cygwin, cygrunsrv and openssh all as part of my initial
> install.  I can't immediately detect any sign of what initialisations
> ran in what order -- /etc/sshd_config was built about an hour after
> the downloads. . .

Right.  '/etc/sshd_config' is built by 'ssh-host-config'.  It will create
the 'sshd' user for those requesting privilege separation and 'cyg-server'
as the privileged user to run the 'sshd' service under.  All this is done
as part of the 'ssh-host-config' script.  If this script isn't run, then
obviously the 'sshd' service won't start.  That's not say that it will
always just start when 'ssh-host-config' is run.  But that's the intent
and the blueprint for debugging problems.



-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Larry Hall (Cygwin)]

On 3/17/2014 7:28 PM, Lord Laraby wrote:
> On Mon, Mar 17, 2014 at 7:22 PM, Henry S. Thompson  wrote:
>> I should have said I did exactly _no_ group/permission by-hand
>> fiddling to get the setup I sent.  All happened auto-magically as a
>> result of basic install.  Looking at my download area, I see I
>> installed cygwin, cygrunsrv and openssh all as part of my initial
>> install.  I can't immediately detect any sign of what initialisations
>> ran in what order -- /etc/sshd_config was built about an hour after
>> the downloads. . .
>>
>> ht
>
> I should have said, I've had those tools installed with my original
> install of cygwin, but I just never activated them until today. As far
> as creating a group "root", I have never seen cygwin do that
> automagically. New thing?

No.  That's a message from the OpenSSH source that really isn't right
for Cygwin.  When you see 'root', think the user the 'sshd' server
runs under (i.e. 'cyg-server' if the default is used) for Cygwin.

-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Andrey Repin]

Greetings, Lord Laraby!

> Oh and I forgot the most intriguing gotcha. After creating the sshd
> user for me (I went to service manager and discovered this) the user
> assigned to the sshd server was actually cyg_server (not sshd)!!!!!
> After changing all of those things the service started.

That's because service is running as cyg_server, while sshd user is used to
invoke login shells of connecting users.
You just messed it all.


--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 18.03.2014, <03:42>

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Lord Laraby]

On Mon, Mar 17, 2014 at 7:43 PM, Andrey Repin <> wrote:
> Greetings, Lord Laraby!
>
>> Oh and I forgot the most intriguing gotcha. After creating the sshd
>> user for me (I went to service manager and discovered this) the user
>> assigned to the sshd server was actually cyg_server (not sshd)!!!!!
>> After changing all of those things the service started.
>
> That's because service is running as cyg_server, while sshd user is used to
> invoke login shells of connecting users.
> You just messed it all.
>
>
> --
> WBR,
> Andrey Repin (anrdaemon@yandex.ru) 18.03.2014, <03:42>
>
> Sorry for my terrible english...
>
I did not change anything. As I said originally, after running
ssh-host-config, no changes on my part, I had a slew of errors. See my
original message. I do not change things on a whim. Service failed to
start, means just what it says!
Here is my original convo with cygwin:
$ ssh-host-config
[ ssh host config asks questions about did I want to install as a
service and privilege separation, and user account to be used.]
Host configuration finished. Have fun!
$ cygrunsrv -S sshd
[cygrunsrv: Error starting a service: OpenService:  Win32 error 1068:]
[message to the effect that something went wrong trying to start
(guessing because the scroll is now long gone)]

I immediately was concerned, as this script normally works.
I checked Event Log, and found this:

"The description for Event ID 0 from source sshd cannot be found.
Either the component that raises this event is not installed on your
local computer or the installation is corrupted. You can install or
repair the component on the local computer."

After googling I discovered there might still be a log. I read it.That
log is here:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_rsa_key
Could not load host key: /etc/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_dsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_dsa_key
Could not load host key: /etc/ssh_host_dsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_ecdsa_key
Could not load host key: /etc/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_ed25519_key
Could not load host key: /etc/ssh_host_ed25519_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_rsa_key
Could not load host key: /etc/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_dsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_dsa_key
Could not load host key: /etc/ssh_host_dsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_ecdsa_key
Could not load host key: /etc/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_ed25519_key
Could not load host key: /etc/ssh_host_ed25519_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_rsa_key
Could not load host key: /etc/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_dsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_dsa_key
Could not load host key: /etc/ssh_host_dsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_ecdsa_key
Could not load host key: /etc/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_ed25519_key
Could not load host key: /etc/ssh_host_ed25519_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_rsa_key
Could not load host key: /etc/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_dsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_dsa_key
Could not load host key: /etc/ssh_host_dsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_ecdsa_key
Could not load host key: /etc/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_ed25519_key
Could not load host key: /etc/ssh_host_ed25519_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_rsa_key
Could not load host key: /etc/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_dsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_dsa_key
Could not load host key: /etc/ssh_host_dsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_ecdsa_key
Could not load host key: /etc/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_ed25519_key
Could not load host key: /etc/ssh_host_ed25519_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.
/var/empty must be owned by root and not group or world-writable.
/var/empty must be owned by root and not group or world-writable.
/var/empty must be owned by root and not group or world-writable.
/var/empty must be owned by root and not group or world-writable.
/var/empty must be owned by root and not group or world-writable.
/var/empty must be owned by root and not group or world-writable.
/var/empty must be owned by root and not group or world-writable.
/var/empty must be owned by root and not group or world-writable.
/var/empty must be owned by root and not group or world-writable.

Not exactly working as intended. Now, I don't know a lot about
internals of SSHD, but this seems like a cause of concern! I messed it
up? Show me where?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 2993 bytes --]

On Mar 17 21:54, Lord Laraby wrote:
> On Mon, Mar 17, 2014 at 7:43 PM, Andrey Repin <> wrote:
> > Greetings, Lord Laraby!
> >
> >> Oh and I forgot the most intriguing gotcha. After creating the sshd
> >> user for me (I went to service manager and discovered this) the user
> >> assigned to the sshd server was actually cyg_server (not sshd)!!!!!
> >> After changing all of those things the service started.
> >
> > That's because service is running as cyg_server, while sshd user is used to
> > invoke login shells of connecting users.
> > You just messed it all.
> >
> >
> > --
> > WBR,
> > Andrey Repin (anrdaemon@yandex.ru) 18.03.2014, <03:42>
> >
> > Sorry for my terrible english...
> >
> I did not change anything. As I said originally, after running
> ssh-host-config, no changes on my part, I had a slew of errors. See my
> original message. I do not change things on a whim. Service failed to
> start, means just what it says!

Nevertheless Andrey is right.  The sshd account is not meant to run the
service.  It's an unprivileged account used only in conjunction with
privilege separation.  The account you're supposed to run this under is
cyg_server, which is supposed to be a special account with more
privileges as a normal admin.  If you already have a cyg_server account,
it's utilized by default.  If the cyg_server account doesn't have the
required permissions, sshd is bound to fail.

The /etc/ssh* files as well as /var/empty are supposed to be owned by
the user account running sshd, which is cyg_server.  ssh-host-config
usually sets the permissions on these files accordingly.  The message
"/var/empty must be owned by root and not group or world-writable." is
generated by sshd and it's the right message for all other POSIX
systems, except Cygwin.  For Cygwin "root" here denotes the user running
sshd.  The reason the message doesn't reflect that is the unwillingness
of the upstream developers to change that just for the sake of Cygwin.
I'm asking for 10 years or so to convert certain checks for uid 0 into
platform-independent privilege tests.  I even sent patches to that
effect, but to no avail.

My suggestion: Remove all files related to ssh from /etc.  Remove
/var/empty.  Remove the ssh logs from /var/log.  Remove the sshd
and cyg_server accounts from your SAM.  Drop both from /etc/passwd.
Remove the sshd service.  Start over.

In another mail you wrote:

> cyg_server is already taken by a non-prvileged user
> connected to the cygserver service.

Why?  The cygserver service *can* run under a non-prvileged account,
but it's not supposed to.  It's not even supposed to run under the
cyg_server account, but under SYSTEM (or LocalSystem) because it
usually needs certain privileges.  The cygserver-config script does
exactly that.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: Silently configure sshd fails via system account

[PolarStorm]

Paul Griffith wrote
> ...
> /usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd blah
> ...

Just a few things...

1) Don't do that (manually). 
First of all, "ntsec" is deprecated. Second, there are a lot of strange
issues when 
using "--yes", just answer the questions manually, especially since you
don't need 
all those keys just to have ssh work. 

2) Make sure you run the ssh-host-config from an "administrator: cygwin
shell.

3) Check your /etc/sshd-config for: "UsePrivilegeSeparation sandbox" which
is 
the new default. The ssh-host-config script has a bug on line 169 that
attempts 
to set this to "no", but where the regex fails. (I told people in  THIS
<http://cygwin.1069669.n5.nabble.com/CSIH-SSH-setup-script-problems-on-W81-64-tp106953.html>  
nabble post, but I 
don't think it ever reached the main mailing list.)

4) The sshd user pas-wor-d is set to expire by default after 42 days, in
Windows 8.1. 
Fix it if you're using that.






--
View this message in context: http://cygwin.1069669.n5.nabble.com/Silently-configure-sshd-fails-via-system-account-tp106607p107203.html
Sent from the Cygwin list mailing list archive at Nabble.com.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 715 bytes --]

On Mar 18 18:24, PolarStorm wrote:
> 3) Check your /etc/sshd-config for: "UsePrivilegeSeparation sandbox" which
> is 
> the new default. The ssh-host-config script has a bug on line 169 that
> attempts 
> to set this to "no", but where the regex fails. (I told people in  THIS
> <http://cygwin.1069669.n5.nabble.com/CSIH-SSH-setup-script-problems-on-W81-64-tp106953.html>  
> nabble post, but I 
> don't think it ever reached the main mailing list.)

No, it didn't.  Thanks for the hint, I'll look into updating the
ssh-host-config script.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: Silently configure sshd fails via system account

[Paul Griffith]

On 03/18/2014 09:24 PM, PolarStorm wrote:
> Paul Griffith wrote
>> ...
>> /usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd blah
>> ...
> 
> Just a few things...
> 
> 1) Don't do that (manually).
> First of all, "ntsec" is deprecated. Second, there are a lot of strange
> issues when
> using "--yes", just answer the questions manually, especially since you
> don't need
> all those keys just to have ssh work.
> 
> 2) Make sure you run the ssh-host-config from an "administrator: cygwin
> shell.
> 
> 3) Check your /etc/sshd-config for: "UsePrivilegeSeparation sandbox" which
> is
> the new default. The ssh-host-config script has a bug on line 169 that
> attempts
> to set this to "no", but where the regex fails. (I told people in  THIS
> <http://cygwin.1069669.n5.nabble.com/CSIH-SSH-setup-script-problems-on-W81-64-tp106953.html>
> nabble post, but I
> don't think it ever reached the main mailing list.)
> 
> 4) The sshd user pas-wor-d is set to expire by default after 42 days, in
> Windows 8.1.
> Fix it if you're using that.
> 


Thanks Gene for the heads up, it will help me fine tune my setup!  I need to use the "--yes" option because I am building a automated installation for Windows 7.

Cheers,
Paul


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Corinna Vinschen]

[-- Attachment #1.1: Type: text/plain, Size: 2614 bytes --]

On Mar 19 11:54, Paul Griffith wrote:
> On 03/18/2014 09:24 PM, PolarStorm wrote:
> > Paul Griffith wrote
> >> ...
> >> /usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd blah
> >> ...
> > 
> > Just a few things...
> > 
> > 1) Don't do that (manually).
> > First of all, "ntsec" is deprecated. Second, there are a lot of strange
> > issues when
> > using "--yes", just answer the questions manually, especially since you
> > don't need
> > all those keys just to have ssh work.
> > 
> > 2) Make sure you run the ssh-host-config from an "administrator: cygwin
> > shell.
> > 
> > 3) Check your /etc/sshd-config for: "UsePrivilegeSeparation sandbox" which
> > is
> > the new default. The ssh-host-config script has a bug on line 169 that
> > attempts
> > to set this to "no", but where the regex fails. (I told people in  THIS
> > <http://cygwin.1069669.n5.nabble.com/CSIH-SSH-setup-script-problems-on-W81-64-tp106953.html>
> > nabble post, but I
> > don't think it ever reached the main mailing list.)
> > 
> > 4) The sshd user pas-wor-d is set to expire by default after 42 days, in
> > Windows 8.1.
> > Fix it if you're using that.
> > 
> 
> 
> Thanks Gene for the heads up, it will help me fine tune my setup!  I need to use the "--yes" option because I am building a automated installation for Windows 7.

I attached a new incarnation of the ssh-host-config script to this
mail.

Would interested parties be so kind to test this new script?

Changes compared to the released version from the openssh package:

- The "StrictModes" setting in /etc/sshd_config is now asked for, rather than
  setting it always to "no".
  
  The background is that "StrictModes yes" is the more secure setting.
  "StrictModes no" is only required for users with home directories on a
  "noacl" mount or on FAT/FAT32 partitions, so I think the administrator
  should have a choice here.

- The "UsePrivilegeSeparation" setting in /etc/sshd_config now takes into
  account that the default setting is "sandbox", which doesn't make
  sense on Cygwin.

- Changes to /etc/sshd_config are now only written to the file, if the file
  has been just generated or if the question

    "Overwrite existing /etc/sshd_config file?"

  has been answered with "yes".

I also tweaked the script slightly to support the new passwd/group code
I'm working on, but that's not yet finished.


Thanks a lot,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #1.2: ssh-host-config --]
[-- Type: text/plain, Size: 25172 bytes --]

#!/bin/bash
#
# ssh-host-config, Copyright 2000-2011 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS  
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF               
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.   
# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,   
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR    
# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR    
# THE USE OR OTHER DEALINGS IN THE SOFTWARE.                               

# ======================================================================
# Initialization
# ======================================================================

CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh

# List of apps used.  This is checkad for existance in csih_sanity_check
# Don't use *any* transient commands before sourcing the csih helper script,
# otherwise the sanity checks are short-circuited.
declare -a csih_required_commands=(
  /usr/bin/basename coreutils
  /usr/bin/cat coreutils
  /usr/bin/chmod coreutils
  /usr/bin/dirname coreutils
  /usr/bin/id coreutils
  /usr/bin/mv coreutils
  /usr/bin/rm coreutils
  /usr/bin/cygpath cygwin
  /usr/bin/mkpasswd cygwin
  /usr/bin/mount cygwin
  /usr/bin/ps cygwin
  /usr/bin/setfacl cygwin
  /usr/bin/umount cygwin
  /usr/bin/cmp diffutils
  /usr/bin/grep grep
  /usr/bin/awk gawk
  /usr/bin/ssh-keygen openssh
  /usr/sbin/sshd openssh
  /usr/bin/sed sed
)
csih_sanity_check_server=yes
source ${CSIH_SCRIPT}

PROGNAME=$(/usr/bin/basename $0)
_tdir=$(/usr/bin/dirname $0)
PROGDIR=$(cd $_tdir && pwd)

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var

ssdh_config_configured=no
port_number=22
strictmodes=yes
privsep_used=yes
cygwin_value=""
user_account=
password_value=
opt_force=no

# ======================================================================
# Routine: update_services_file
# ======================================================================
update_services_file() {
  local _my_etcdir="/ssh-host-config.$$"
  local _win_etcdir
  local _services
  local _spaces
  local _serv_tmp
  local _wservices
  local ret=0

  _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
  _services="${_my_etcdir}/services"
  _spaces="                           #"
  _serv_tmp="${_my_etcdir}/srv.out.$$"

  /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"

  # Depends on the above mount
  _wservices=`cygpath -w "${_services}"`

  # Add ssh 22/tcp  and ssh 22/udp to services
  if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ]
  then
    if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh                22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
    then
      if /usr/bin/mv "${_serv_tmp}" "${_services}"
      then
	csih_inform "Added ssh to ${_wservices}"
      else
	csih_warning "Adding ssh to ${_wservices} failed!"
	let ++ret
      fi
      /usr/bin/rm -f "${_serv_tmp}"
    else
      csih_warning "Adding ssh to ${_wservices} failed!"
      let ++ret
    fi
  fi
  /usr/bin/umount "${_my_etcdir}"
  return $ret
} # --- End of update_services_file --- #

# ======================================================================
# Routine: sshd_strictmodes
#  MODIFIES: strictmodes
# ======================================================================
sshd_strictmodes() {
  if [ "${ssdh_config_configured}" != "yes" ]
  then
    echo
    csih_inform "StrictModes is set to 'yes' by default."
    csih_inform "This is the recommended setting, but it requires that the POSIX"
    csih_inform "permissions of the user's home directory, the user's .ssh"
    csih_inform "directory, and the user's ssh key files are tight so that"
    csih_inform "only the user has write permissions."
    csih_inform "On the other hand, StrictModes don't work well with default"
    csih_inform "Windows permissions of a home directory mounted with the"
    csih_inform "'noacl' option, and they don't work at all if the home"
    csih_inform "directory is on a FAT or FAT32 partition."
    if ! csih_request "Should StrictModes be used?"
    then
      strictmodes=no
    fi
  fi
  return 0
}

# ======================================================================
# Routine: sshd_privsep
#  MODIFIES: privsep_used
# ======================================================================
sshd_privsep() {
  local ret=0

  if [ "${ssdh_config_configured}" != "yes" ]
  then
    echo
    csih_inform "Privilege separation is set to 'sandbox' by default since"
    csih_inform "OpenSSH 6.1.  This is unsupported by Cygwin and has to be set"
    csih_inform "to 'yes' or 'no'."
    csih_inform "However, using privilege separation requires a non-privileged account"
    csih_inform "called 'sshd'."
    csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
    if csih_request "Should privilege separation be used?"
    then
      privsep_used=yes
      if ! csih_create_unprivileged_user sshd
      then
	csih_error_recoverable "Couldn't create user 'sshd'!"
	csih_error_recoverable "Privilege separation set to 'no' again!"
	csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!"
	let ++ret
	privsep_used=no
      fi
    else
      privsep_used=no
    fi
  fi
  return $ret
} # --- End of sshd_privsep --- #

# ======================================================================
# Routine: sshd_config_tweak
# ======================================================================
sshd_config_tweak() {
  local ret=0

  # Modify sshd_config
  csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
  if [ "${port_number}" -ne 22 ]
  then
    /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \
      ${SYSCONFDIR}/sshd_config
    if [ $? -ne 0 ]
    then
      csih_warning "Setting listening port to ${port_number} failed!"
      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
      let ++ret
    fi
  fi
  if [ "${strictmodes}" = "no" ]
  then
    /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
      ${SYSCONFDIR}/sshd_config
    if [ $? -ne 0 ]
    then
      csih_warning "Setting StrictModes to 'no' failed!"
      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
      let ++ret
    fi
  fi
  if [ "${ssdh_config_configured}" != "yes" ]
  then
    /usr/bin/sed -i -e "
      s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \
      ${SYSCONFDIR}/sshd_config
    if [ $? -ne 0 ]
    then
      csih_warning "Setting privilege separation failed!"
      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
      let ++ret
    fi
  fi
  return $ret
} # --- End of sshd_config_tweak --- #

# ======================================================================
# Routine: update_inetd_conf
# ======================================================================
update_inetd_conf() {
  local _inetcnf="${SYSCONFDIR}/inetd.conf"
  local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
  local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
  local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
  local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
  local _with_comment=1
  local ret=0

  if [ -d "${_inetcnf_dir}" ]
  then
    # we have inetutils-1.5 inetd.d support
    if [ -f "${_inetcnf}" ]
    then
      /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0

      # check for sshd OR ssh in top-level inetd.conf file, and remove
      # will be replaced by a file in inetd.d/
      if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]
      then
	/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
	if [ -f "${_inetcnf_tmp}" ]
	then
	  if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
	  then
  	    csih_inform "Removed ssh[d] from ${_inetcnf}"
	  else
  	    csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
	    let ++ret
	  fi
	  /usr/bin/rm -f "${_inetcnf_tmp}"
	else
	  csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
	  let ++ret
	fi
      fi
    fi

    csih_install_config "${_sshd_inetd_conf}"   "${SYSCONFDIR}/defaults"
    if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
    then
      if [ "${_with_comment}" -eq 0 ]
      then
	/usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
      else
	/usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
      fi
      if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
      then
	csih_inform "Updated ${_sshd_inetd_conf}"
      else
	csih_warning "Updating ${_sshd_inetd_conf} failed!"
	let ++ret
      fi
    fi

  elif [ -f "${_inetcnf}" ]
  then
    /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0

    # check for sshd in top-level inetd.conf file, and remove
    # will be replaced by a file in inetd.d/
    if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
    then
      /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
      if [ -f "${_inetcnf_tmp}" ]
      then
	if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
	then
	    csih_inform "Removed sshd from ${_inetcnf}"
	else
	    csih_warning "Removing sshd from ${_inetcnf} failed!"
	    let ++ret
	fi
	/usr/bin/rm -f "${_inetcnf_tmp}"
      else
	csih_warning "Removing sshd from ${_inetcnf} failed!"
	let ++ret
      fi
    fi

    # Add ssh line to inetd.conf
    if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
    then
      if [ "${_with_comment}" -eq 0 ]
      then
	echo 'ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
      else
	echo '# ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
      fi
      if [ $? -eq 0 ]
      then
	csih_inform "Added ssh to ${_inetcnf}"
      else
	csih_warning "Adding ssh to ${_inetcnf} failed!"
	let ++ret
      fi
    fi
  fi
  return $ret
} # --- End of update_inetd_conf --- #

# ======================================================================
# Routine: check_service_files_ownership
#   Checks that the files in /etc and /var belong to the right owner
# ======================================================================
check_service_files_ownership() {
  local run_service_as=$1
  local ret=0

  if [ -z "${run_service_as}" ]
  then
    accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
    		 /usr/bin/sed -ne 's/^Account *: *//gp')
    if [ "${accnt_name}" = "LocalSystem" ]
    then
      # Convert "LocalSystem" to "SYSTEM" as is the correct account name
      run_service_as="SYSTEM"
    else
      dom="${accnt_name%%\\*}"
      accnt_name="${accnt_name#*\\}"
      if [ "${dom}" = '.' ]
      then
	# Check local account
	run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
			 /usr/bin/awk -F: '{print $1;}')
      else
      	# Check domain
	run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
			 /usr/bin/awk -F: '{print $1;}')
      fi
    fi
    if [ -z "${run_service_as}" ]
    then
      csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
      csih_warning "As a result, this script cannot make sure that the files used"
      csih_warning "by the sshd service belong to the user running the service."
      csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd"
      csih_warning "file is in a good shape."
      return 1
    fi
  fi
  for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
  do
    if [ -f "$i" ]
    then
      if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1
      then
	csih_warning "Couldn't change owner of $i!"
	let ++ret
      fi
    fi
  done
  if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1
  then
    csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!"
    let ++ret
  fi
  if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
  then
    csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!"
    let ++ret
  fi
  if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
  then
    if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1
    then
      csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!"
      let ++ret
    fi
  fi
  if [ $ret -ne 0 ]
  then
    csih_warning "Couldn't change owner of important files to ${run_service_as}!"
    csih_warning "This may cause the sshd service to fail!  Please make sure that"
    csih_warning "you have suufficient permissions to change the ownership of files"
    csih_warning "and try to run the ssh-host-config script again."
  fi
  return $ret
} # --- End of check_service_files_ownership --- #

# ======================================================================
# Routine: install_service
#   Install sshd as a service
# ======================================================================
install_service() {
  local run_service_as
  local password
  local ret=0

  echo
  if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
  then
    csih_inform "Sshd service is already installed."
    check_service_files_ownership "" || let ret+=$?
  else
    echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
    if csih_request "(Say \"no\" if it is already installed as a service)"
    then
      csih_get_cygenv "${cygwin_value}"

      if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
      then
	csih_inform "On Windows Server 2003, Windows Vista, and above, the"
	csih_inform "SYSTEM account cannot setuid to other users -- a capability"
	csih_inform "sshd requires.  You need to have or to create a privileged"
	csih_inform "account.  This script will help you do so."
	echo

	[ "${opt_force}" = "yes" ] && opt_f=-f
	[ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
	csih_select_privileged_username ${opt_f} ${opt_u} sshd

	if ! csih_create_privileged_user "${password_value}"
	then
	  csih_error_recoverable "There was a serious problem creating a privileged user."
	  csih_request "Do you want to proceed anyway?" || exit 1
	  let ++ret
	fi
      fi

      # Never returns empty if NT or above
      run_service_as=$(csih_service_should_run_as)

      if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
      then
	password="${csih_PRIVILEGED_PASSWORD}"
	if [ -z "${password}" ]
	then
	  csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
	  password="${csih_value}"
	fi
      fi

      # At this point, we either have $run_service_as = "system" and
      # $password is empty, or $run_service_as is some privileged user and
      # (hopefully) $password contains the correct password.  So, from here
      # out, we use '-z "${password}"' to discriminate the two cases.

      csih_check_user "${run_service_as}"

      if [ -n "${csih_cygenv}" ]
      then
	cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
      fi
      if [ -z "${password}" ]
      then
	if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
			      -a "-D" -y tcpip "${cygwin_env[@]}"
	then
	  echo
	  csih_inform "The sshd service has been installed under the LocalSystem"
	  csih_inform "account (also known as SYSTEM). To start the service now, call"
	  csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'.  Otherwise, it"
	  csih_inform "will start automatically after the next reboot."
	fi
      else
	if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
			      -a "-D" -y tcpip "${cygwin_env[@]}" \
			      -u "${run_service_as}" -w "${password}"
	then
	  /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
	  echo
	  csih_inform "The sshd service has been installed under the '${run_service_as}'"
	  csih_inform "account.  To start the service now, call \`net start sshd' or"
	  csih_inform "\`cygrunsrv -S sshd'.  Otherwise, it will start automatically"
	  csih_inform "after the next reboot."
	fi
      fi

      if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
      then
	check_service_files_ownership "${run_service_as}" || let ret+=$?
      else
	csih_error_recoverable "Installing sshd as a service failed!"
	let ++ret
      fi
    fi # user allowed us to install as service
  fi # service not yet installed
  return $ret
} # --- End of install_service --- #

# ======================================================================
# Main Entry Point
# ======================================================================

# Check how the script has been started.  If
#   (1) it has been started by giving the full path and
#       that path is /etc/postinstall, OR
#   (2) Otherwise, if the environment variable
#       SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
# then set auto_answer to "no".  This allows automatic
# creation of the config files in /etc w/o overwriting
# them if they already exist.  In both cases, color
# escape sequences are suppressed, so as to prevent
# cluttering setup's logfiles.
if [ "$PROGDIR" = "/etc/postinstall" ]
then
  csih_auto_answer="no"
  csih_disable_color
  opt_force=yes
fi
if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
then
  csih_auto_answer="no"
  csih_disable_color
  opt_force=yes
fi

# ======================================================================
# Parse options
# ======================================================================
while :
do
  case $# in
  0)
    break
    ;;
  esac

  option=$1
  shift

  case "${option}" in
  -d | --debug )
    set -x
    csih_trace_on
    ;;

  -y | --yes )
    csih_auto_answer=yes
    opt_force=yes
    ;;

  -n | --no )
    csih_auto_answer=no
    opt_force=yes
    ;;

  -c | --cygwin )
    cygwin_value="$1"
    shift
    ;;

  -p | --port )
    port_number=$1
    shift
    ;;

  -u | --user )
    user_account="$1"
    shift
    ;;
    
  -w | --pwd )
    password_value="$1"
    shift
    ;;

  --privileged )
    csih_FORCE_PRIVILEGED_USER=yes
    ;;

  *)
    echo "usage: ${progname} [OPTION]..."
    echo
    echo "This script creates an OpenSSH host configuration."
    echo
    echo "Options:"
    echo "  --debug  -d            Enable shell's debug output."
    echo "  --yes    -y            Answer all questions with \"yes\" automatically."
    echo "  --no     -n            Answer all questions with \"no\" automatically."
    echo "  --cygwin -c <options>  Use \"options\" as value for CYGWIN environment var."
    echo "  --port   -p <n>        sshd listens on port n."
    echo "  --user   -u <account>  privileged user for service, default 'cyg_server'."
    echo "  --pwd    -w <passwd>   Use \"pwd\" as password for privileged user."
    echo "  --privileged           On Windows XP, require privileged user"
    echo "                         instead of LocalSystem for sshd service."
    echo
    exit 1
    ;;

  esac
done

# ======================================================================
# Action!
# ======================================================================

# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running
if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
then
  echo
  csih_error "There are still ssh processes running. Please shut them down first."
fi

# Make sure the user is running in an administrative context
admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)
if [ "${admin}" != "yes" ]
then
  echo
  csih_warning "Running this script typically requires administrator privileges!"
  csih_warning "However, it seems your account does not have these privileges."
  csih_warning "Here's the list of groups in your user token:"
  echo
  for i in $(/usr/bin/id -G)
  do
    /usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \"    \" \$1; }" /etc/group
  done
  echo
  csih_warning "This usually means you're running this script from a non-admin"
  csih_warning "desktop session, or in a non-elevated shell under UAC control."
  echo
  csih_warning "Make sure you have the appropriate privileges right now,"
  csih_warning "otherwise parts of this script will probably fail!"
  echo
  echo -e "${_csih_QUERY_STR} Are you sure you want to continue?  (Say \"no\" if you're not sure"
  if ! csih_request "you have the required privileges)"
  then
    echo
    csih_inform "Ok.  Exiting.  Make sure to switch to an administrative account"
    csih_inform "or to start this script from an elevated shell."
    exit 1
  fi
fi

echo

warning_cnt=0

# Check for ${SYSCONFDIR} directory
csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
then
  csih_warning "Can't set permissions on ${SYSCONFDIR}!"
  let ++warning_cnt
fi
if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
then
  csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
  let ++warning_cnt
fi

# Check for /var/log directory
csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
then
  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
  let ++warning_cnt
fi
if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
then
  csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
  let ++warning_cnt
fi

# Create /var/log/lastlog if not already exists
if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
then
  echo
  csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
		   "Cannot create ssh host configuration."
fi
if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
then
  /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
  if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
  then
    csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
    let ++warning_cnt
  fi
fi

# Create /var/empty file used as chroot jail for privilege separation
csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
then
  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
  let ++warning_cnt
fi
if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
then
  csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
  let ++warning_cnt
fi

# generate missing host keys
csih_inform "Generating missing SSH host keys"
/usr/bin/ssh-keygen -A || let warning_cnt+=$?

# handle ssh_config
csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
then
  if [ "${port_number}" != "22" ]
  then
    csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
    echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
    echo "    Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
  fi
fi

# handle sshd_config (and privsep)
csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
then
  ssdh_config_configured=yes
fi
sshd_strictmodes || let warning_cnt+=$?
sshd_privsep || let warning_cnt+=$?
sshd_config_tweak || let warning_cnt+=$?
update_services_file || let warning_cnt+=$?
update_inetd_conf || let warning_cnt+=$?
install_service || let warning_cnt+=$?

echo
if [ $warning_cnt -eq 0 ]
then
  csih_inform "Host configuration finished. Have fun!"
else
  csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
  csih_warning "Make sure that all problems reported are fixed,"
  csih_warning "then re-run ssh-host-config."
fi
exit $warning_cnt

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: Silently configure sshd fails via system account

[PolarStorm]

Corinna Vinschen-2 wrote
> I attached a new incarnation of the ssh-host-config script to this
> mail.
> ...
> - The "UsePrivilegeSeparation" setting in /etc/sshd_config now takes into
>   account that the default setting is "sandbox", which doesn't make
>   sense on Cygwin.
> ...
> I also tweaked the script slightly to support the new passwd/group code
> I'm working on, but that's not yet finished.

Great! Did you also have a chance to look at the "sshd" user's pas-wor-d 
expiration that isn't set properly in the
cygwin-service-installation-helper.sh 
script? (~ line 2932).

BTW. How come and why does this account/user even have a pas-wor-d? 
(And what is it? I certainly didn't set it...)





--
View this message in context: http://cygwin.1069669.n5.nabble.com/Silently-configure-sshd-fails-via-system-account-tp106607p107220.html
Sent from the Cygwin list mailing list archive at Nabble.com.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 1232 bytes --]

On Mar 19 12:35, PolarStorm wrote:
> Corinna Vinschen-2 wrote
> > I attached a new incarnation of the ssh-host-config script to this
> > mail.
> > ...
> > - The "UsePrivilegeSeparation" setting in /etc/sshd_config now takes into
> >   account that the default setting is "sandbox", which doesn't make
> >   sense on Cygwin.
> > ...
> > I also tweaked the script slightly to support the new passwd/group code
> > I'm working on, but that's not yet finished.
> 
> Great! Did you also have a chance to look at the "sshd" user's pas-wor-d 
> expiration that isn't set properly in the
> cygwin-service-installation-helper.sh 
> script? (~ line 2932).

No, csih isn't my package.  I just looked into ssh-host-config.
But /usr/share/csih/cygwin-service-installation-helper.sh is just
a shell script so you can take a look yourself.

> BTW. How come and why does this account/user even have a pas-wor-d? 
> (And what is it? I certainly didn't set it...)

No idea.  The account gets created as inactive account anyway so the
password shouldn't matter.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: Silently configure sshd fails via system account

[Andrey Repin]

Greetings, PolarStorm!

>> I attached a new incarnation of the ssh-host-config script to this
>> mail.
>> ...
>> - The "UsePrivilegeSeparation" setting in /etc/sshd_config now takes into
>>   account that the default setting is "sandbox", which doesn't make
>>   sense on Cygwin.
>> ...
>> I also tweaked the script slightly to support the new passwd/group code
>> I'm working on, but that's not yet finished.

> Great! Did you also have a chance to look at the "sshd" user's pas-wor-d 
> expiration that isn't set properly in the
> cygwin-service-installation-helper.sh 
> script? (~ line 2932).

> BTW. How come and why does this account/user even have a pas-wor-d? 
> (And what is it? I certainly didn't set it...)

Account must have a password in order to be eligible for certain API calls,
but the password itself isn't quite relevant to the question.


--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 20.03.2014, <02:11>

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Lord Laraby]

Thanks for all the responses. I appreciate the attention given to
ssh-host-config since this problem. One of my problems was that I was
semi-braindead when I ran it and selected yes to privsep when I meant
no. It would have been simpler, I think. Really, it it had at least
done chmod on the files that sshd complained about, I would had had
few problems.

Again, thanks everyone.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Silently configure sshd fails via system account

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 909 bytes --]

On Mar 20 20:37, Lord Laraby wrote:
> Thanks for all the responses. I appreciate the attention given to
> ssh-host-config since this problem. One of my problems was that I was
> semi-braindead when I ran it and selected yes to privsep when I meant
> no. It would have been simpler, I think. Really, it it had at least
> done chmod on the files that sshd complained about, I would had had
> few problems.

It does.  Look into the code, it's just a shell script.  As for the key
files, ssh-keygen -A creates them with correct permissions, the script
just chown's them.

Apart from that, I asked for testing the new script attached to
http://cygwin.com/ml/cygwin/2014-03/msg00341.html

Without anybody testing, this will go nowhere.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: Silently configure sshd fails via system account

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 2794 bytes --]

On Mar 19 17:57, Corinna Vinschen wrote:
> On Mar 19 11:54, Paul Griffith wrote:
> > On 03/18/2014 09:24 PM, PolarStorm wrote:
> > > Paul Griffith wrote
> > >> ...
> > >> /usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd blah
> > >> ...
> > > 
> > > Just a few things...
> > > 
> > > 1) Don't do that (manually).
> > > First of all, "ntsec" is deprecated. Second, there are a lot of strange
> > > issues when
> > > using "--yes", just answer the questions manually, especially since you
> > > don't need
> > > all those keys just to have ssh work.
> > > 
> > > 2) Make sure you run the ssh-host-config from an "administrator: cygwin
> > > shell.
> > > 
> > > 3) Check your /etc/sshd-config for: "UsePrivilegeSeparation sandbox" which
> > > is
> > > the new default. The ssh-host-config script has a bug on line 169 that
> > > attempts
> > > to set this to "no", but where the regex fails. (I told people in  THIS
> > > <http://cygwin.1069669.n5.nabble.com/CSIH-SSH-setup-script-problems-on-W81-64-tp106953.html>
> > > nabble post, but I
> > > don't think it ever reached the main mailing list.)
> > > 
> > > 4) The sshd user pas-wor-d is set to expire by default after 42 days, in
> > > Windows 8.1.
> > > Fix it if you're using that.
> > > 
> > 
> > 
> > Thanks Gene for the heads up, it will help me fine tune my setup!  I need to use the "--yes" option because I am building a automated installation for Windows 7.
> 
> I attached a new incarnation of the ssh-host-config script to this
> mail.

Anybody?


> Would interested parties be so kind to test this new script?
> 
> Changes compared to the released version from the openssh package:
> 
> - The "StrictModes" setting in /etc/sshd_config is now asked for, rather than
>   setting it always to "no".
>   
>   The background is that "StrictModes yes" is the more secure setting.
>   "StrictModes no" is only required for users with home directories on a
>   "noacl" mount or on FAT/FAT32 partitions, so I think the administrator
>   should have a choice here.
> 
> - The "UsePrivilegeSeparation" setting in /etc/sshd_config now takes into
>   account that the default setting is "sandbox", which doesn't make
>   sense on Cygwin.
> 
> - Changes to /etc/sshd_config are now only written to the file, if the file
>   has been just generated or if the question
> 
>     "Overwrite existing /etc/sshd_config file?"
> 
>   has been answered with "yes".
> 
> I also tweaked the script slightly to support the new passwd/group code
> I'm working on, but that's not yet finished.
> 
> 
Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]