public inbox for cygwin@cygwin.com
* sshd - ssh-host-config uses incorrect username for setup
@ 2015-12-29  7:08 Brian Mc George
  2016-01-04  7:00 ` Brian Mc George
  2016-01-07 17:34 ` Corinna Vinschen
  0 siblings, 2 replies; 3+ messages in thread
From: Brian Mc George @ 2015-12-29  7:08 UTC
  To: cygwin

Hi,

I am using EC2 and need to automate the configuration of sshd
at instance launch. If I manually rdp into the machine and execute:
ssh-host-config --yes --privileged --user cyg_server --pwd ${PASSWORD}

it will work correctly.

However, if I use user data (lets you execute powershell commands on instance
start) it will fail. It will also fail if I try to execute the command
using winrm (the windows equivalent of ssh).

If I rdp into the machine and execute it manually then the cygwin name will be 'cyg_server'.
If I try to automate it the cygwin name is <machine_name>+'cyg_server'.
It then cannot find the cyg_server account and fails.

How can I work around this? Even if it just uses SYSTEM as the account I just need it to work.

Here is the log when I try to use the aforementioned method:

*** Info: Generating missing SSH host keys
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
*** Info: Creating default /etc/ssh_config file
*** Info: Creating default /etc/sshd_config file
*** Info: StrictModes is set to 'yes' by default.
*** Info: This is the recommended setting, but it requires that the POSIX
*** Info: permissions of the user's home directory, the user's .ssh
*** Info: directory, and the user's ssh key files are tight so that
*** Info: only the user has write permissions.
*** Info: On the other hand, StrictModes don't work well with default
*** Info: Windows permissions of a home directory mounted with the
*** Info: 'noacl' option, and they don't work at all if the home
*** Info: directory is on a FAT or FAT32 partition.
*** Query: Should StrictModes be used? (yes/no) yes
*** Info: Privilege separation is set to 'sandbox' by default since
*** Info: OpenSSH 6.1. This is unsupported by Cygwin and has to be set
*** Info: to 'yes' or 'no'.
*** Info: However, using privilege separation requires a non-privileged account
*** Info: called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges. Should this script attempt to create a
*** Query: new local account 'sshd'? (yes/no) yes
*** Info: Updating /etc/sshd_config file
*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Query: Enter the value of CYGWIN for the daemon: []
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires. You need to have or to create a privileged
*** Info: account. This script will help you do so.
*** Info: It's not possible to use the LocalSystem account for services
*** Info: that can change the user id without an explicit password
*** Info: (such as passwordless logins [e.g. public key authentication]
*** Info: via sshd) when having to create the user token from scratch.
*** Info: For more information on this requirement, see
*** Info: https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless such an account
*** Info: already exists). This account is then used to run these special
*** Info: servers.
*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.
*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Create new privileged user account 'WIN-FII6OQ85EQF\cyg_server' (Cygwin name: 'win-fii6oq85eqf+cyg_server')? (yes/no) yes
*** Info: User 'win-fii6oq85eqf+cyg_server' has been created with password 'XXX'.
*** Info: If you change the password, please remember also to change the
*** Info: password for the installed services which use (or will soon use)
*** Info: the 'win-fii6oq85eqf+cyg_server' account.
passwd: unknown user win-fii6oq85eqf+cyg_server
*** Warning: Setting password expiry for user 'win-fii6oq85eqf+cyg_server' failed!
*** Warning: Please check that password never expires or set it to your needs.
No user or group 'win-fii6oq85eqf+cyg_server' known.
*** Warning: Assigning the appropriate privileges to user 'win-fii6oq85eqf+cyg_server' failed!
*** ERROR: There was a serious problem creating a privileged user.
*** Query: Do you want to proceed anyway? (yes/no) yes
*** Warning: Expected privileged user 'win-fii6oq85eqf+cyg_server' does not exist.
*** Warning: Defaulting to 'SYSTEM'
*** Info: The sshd service has been installed under the LocalSystem
*** Info: account (also known as SYSTEM). To start the service now, call
*** Info: `net start sshd' or `cygrunsrv -S sshd'. Otherwise, it
*** Info: will start automatically after the next reboot.
*** Warning: Host configuration exited with 1 errors or warnings!
*** Warning: Make sure that all problems reported are fixed,
*** Warning: then re-run ssh-host-config.

Thanks,
Brian Mc George

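An added pre-flight check, written for this archive and not taken from the thread or from the Cygwin project's ssh-host-config script. The log above shows the script looking for the account under the "host+user" Cygwin name ('win-fii6oq85eqf+cyg_server') while the lookup only knows the bare name. Before automation calls ssh-host-config, this snippet resolves the intended service account with `getent passwd` (available in Cygwin) and classifies what comes back as the bare name, the prefixed form, or no account at all, so the launch script can stop instead of silently falling back to SYSTEM. Assumptions: the service account is `cyg_server` unless another name is passed, and the passwd lines shown in the comments are constructed samples, not output from the reporter's machine.

```shell
#!/bin/bash
# Added example: classify how Cygwin resolves a service account name before
# running ssh-host-config. Not part of the Cygwin project or the thread.

# Print only the account-name field of a passwd(5)-style line, e.g. the
# constructed line 'cyg_server:*:1001:513::/home/cyg_server:/bin/bash'
# yields 'cyg_server'.
passwd_name() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Succeed (exit 0) when the name carries Cygwin's "host+user" or
# "domain+user" prefix, as in 'win-fii6oq85eqf+cyg_server'.
is_prefixed_name() {
    case "$1" in
        *+*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Given the wanted account name and the passwd line the system returned for
# it (empty when nothing was found), print exactly one word:
#   ok        - the bare name resolved, ssh-host-config can find it
#   prefixed  - the name resolved only in host+user form (the thread's case)
#   missing   - no account of that name is known yet
#   mismatch  - some other account came back
classify_account() {
    local wanted="$1" line="$2" got
    if [ -z "$line" ]; then
        echo missing
        return 0
    fi
    got=$(passwd_name "$line")
    if [ "$got" = "$wanted" ]; then
        echo ok
    elif is_prefixed_name "$got" && [ "${got##*+}" = "$wanted" ]; then
        echo prefixed
    else
        echo mismatch
    fi
}

# Live check, meant to run inside Cygwin bash in the same context (user data,
# winrm, or an interactive session) that will later run ssh-host-config.
# Returns 0 only when the bare name resolves; other codes let the caller abort.
check_service_account() {
    local name="${1:-cyg_server}" line
    # getent exits non-zero when the name is unknown; an empty line is fine here.
    line=$(getent passwd "$name" 2>/dev/null | head -n 1)
    case "$(classify_account "$name" "$line")" in
        ok)
            echo "account '$name' resolves under its bare name"
            return 0 ;;
        prefixed)
            echo "account '$name' resolves as '$(passwd_name "$line")': host+user form, ssh-host-config will not find it" >&2
            return 1 ;;
        missing)
            echo "account '$name' does not exist in this context" >&2
            return 2 ;;
        *)
            echo "unexpected account returned for '$name'" >&2
            return 3 ;;
    esac
}
```

Source the file and call `check_service_account cyg_server` from the launch script; a non-zero return is the signal to stop before the service gets installed under SYSTEM, and the message names which form Cygwin actually returned, which is the information Corinna asks for in the thread.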

* RE: sshd - ssh-host-config uses incorrect username for setup
  2015-12-29  7:08 sshd - ssh-host-config uses incorrect username for setup Brian Mc George
@ 2016-01-04  7:00 ` Brian Mc George
  2016-01-07 17:34 ` Corinna Vinschen
  1 sibling, 0 replies; 3+ messages in thread
From: Brian Mc George @ 2016-01-04  7:00 UTC
  To: cygwin

I haven't gotten any reply for this issue. It would seem there is no way I can fix this issue directly?
Therefore, does anyone have a guide on what permissions and tweaks are required to run sshd as the SYSTEM user instead, as a workaround?

Thanks,
Brian Mc George


* Re: sshd - ssh-host-config uses incorrect username for setup
  2015-12-29  7:08 sshd - ssh-host-config uses incorrect username for setup Brian Mc George
  2016-01-04  7:00 ` Brian Mc George
@ 2016-01-07 17:34 ` Corinna Vinschen
  1 sibling, 0 replies; 3+ messages in thread
From: Corinna Vinschen @ 2016-01-07 17:34 UTC
  To: cygwin


On Dec 29 09:08, Brian Mc George wrote:
> Hi,
> 
> I am using EC2 and need to automate the configuration of sshd
>  at instance launch. If I manually rdp into the machine and execute:
> ssh-host-config --yes --privileged --user cyg_server --pwd ${PASSWORD}
> 
> it will work correctly.
> 
> However, if I use user data (lets you execute powershell commands on instance
> start) it will fail. It will also fail if I try execute the command
> using winrm (the windows equivalent of ssh).
> 
> If I rdp into the machine and execute it manually then the cygwin name will be 'cyg_server'
> If I try automate it the cygwin name is <machine_name>+'cyg_server'
> It then cannot find the cyg_server account and fails.

I can't reproduce your scenario, so I'd be grateful if you (or anybody else
having this problem) could inspect the ssh-host-config script and try to
find out how to recognize and work around the scenario.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


