public inbox for cygwin@cygwin.com
* cygsshd fails due to bad ownership or modes of /cygdrive/c/Users
@ 2024-02-04 23:53 Frank-Ulrich Sommer
  2024-02-06  1:28 ` Frank-Ulrich Sommer
  2024-02-07 19:23 ` ASSI
  0 siblings, 2 replies; 12+ messages in thread
From: Frank-Ulrich Sommer @ 2024-02-04 23:53 UTC (permalink / raw)
  To: cygwin

Hi,

I'm trying to run cygsshd on my PC with Windows 11 and connect from a Linux machine. I have added the public key to /cygdrive/c/Users/xxx/.ssh/authorized_keys and created a symbolic link from /cygdrive/c/Users/xxx/.ssh to /home/xxx/.ssh. As usual I checked the access rights and mode of the .ssh directory (700 and belongs to user xxx) and the authorized_keys file (600 and also belongs to user xxx) and also of the home directory (had to change ownership).

Now I get the following strange messages:

[...]
Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: temporarily_use_uid: 197609/197121 (e=18/18)
Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: trying public key file /home/xxx/.ssh/authorized_keys
Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: fd 5 clearing O_NONBLOCK
Feb  5 00:35:50 XXXXX sshd: PID 2798: Authentication refused: bad ownership or modes for directory /cygdrive/c/Users
Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: restore_uid: 18/18
[...]

Why is cygsshd complaining about the Windows "Users" directory and not about the directory of user xxx (/cygdrive/c/Users/xxx)? And how can I solve this?

Frank


* Re: cygsshd fails due to bad ownership or modes of /cygdrive/c/Users
  2024-02-04 23:53 cygsshd fails due to bad ownership or modes of /cygdrive/c/Users Frank-Ulrich Sommer
@ 2024-02-06  1:28 ` Frank-Ulrich Sommer
  2024-02-06  1:36   ` Eliot Moss
  2024-02-07 19:23 ` ASSI
  1 sibling, 1 reply; 12+ messages in thread
From: Frank-Ulrich Sommer @ 2024-02-06  1:28 UTC (permalink / raw)
  To: cygwin

Looking at the OpenSSH source code (on GitHub, not from Cygwin) I found a function "safe_path" that checks that the ownership and access modes for all path components are correct. This relies on "platform_sys_dir_uid" which checks if a UID may own a system directory. The code checks for UID zero and might also accept an OS-specific second value (PLATFORM_SYS_DIR_UID) but for Cygwin this seems not to be set. But I don't know where to find the source code for the exact version that is used in Cygwin and I'm unsure about build settings.

A comment defines a safe path as follows:
"This is defined as all components of the path to the file must be owned by either the owner of the file or root and no directories must be group or world writable."

The "Users" directory is owned by "SYSTEM" (numeric: 18 according to stat) and only writable by Administrators and SYSTEM. The mode cygwin shows for /cygdrive/c/Users is 0750 which should be OK.

So my question is: are "Administrators" and "SYSTEM" different users and does cygsshd accept SYSTEM (numeric 18) as a valid user who may own system directories? If the numeric ID is really 18 I can't see how this check can succeed but I'm not sure the code used in Cygwin is the same.

On 05.02.2024 00:53, Frank-Ulrich Sommer via Cygwin wrote:
> Hi,
>
> I'm trying to run cygsshd on my PC with Windows 11 and connect from a linux machine. I have added the public key to /cygdrive/c/Users/xxx/.ssh/authorized_keys and created a symbolic link from  /cygdrive/c/Users/xxx/.ssh to /home/xxx/.ssh. As usual I checked the access rights and mode of the .ssh directory (700 and belongs to user xxx) and the authorized_keys file (600 and also belongs to user xxx) and also of the home directory (had to change ownership).
>
> Now I get the following strange messages:
>
> [...]
> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: temporarily_use_uid: 197609/197121 (e=18/18)
> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: trying public key file /home/xxx/.ssh/authorized_keys
> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: fd 5 clearing O_NONBLOCK
> Feb  5 00:35:50 XXXXX sshd: PID 2798: Authentication refused: bad ownership or modes for directory /cygdrive/c/Users
> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: restore_uid: 18/18
> [...]
>
> Why is cygsshd complaining about the Windows "Users" directory and not about the directory of user xxx (/cygdrive/c/Users/xxx)? And how can I solve this?
>
> Frank
>



* Re: cygsshd fails due to bad ownership or modes of /cygdrive/c/Users
  2024-02-06  1:28 ` Frank-Ulrich Sommer
@ 2024-02-06  1:36   ` Eliot Moss
  2024-02-06 21:22     ` Brian Inglis
  0 siblings, 1 reply; 12+ messages in thread
From: Eliot Moss @ 2024-02-06  1:36 UTC (permalink / raw)
  To: Frank-Ulrich Sommer, cygwin

On 2/5/2024 8:28 PM, Frank-Ulrich Sommer via Cygwin wrote:
> Looking at the OpenSSH source code (on Github, not from Cygwin) I found a function "safe_path" that checks that the 
> ownership and access modes for all path components are correct.  This relies on "platform_sys_dir_uid" which checks if a 
> UID may own a system directory. The code checks for UID zero and might also accept an OS specific second value 
> (PLATFORM_SYS_DIR_UID) but for Cygwin this seems not to be set. But I don't know where to find the source code for the 
> exact version that is used in Cygwin and I'm unsure about build settings.
> 
> A comment defines a safe path as follows:
> "This is defined as all components of the path to the file must be owned by either the owner of the file or root and no 
> directories must be group or world writable."
> 
> The "Users" directory is owned by "SYSTEM" (numeric: 18 according to stat) and only writable by Administrators and 
> SYSTEM. The mode cygwin shows for /cygdrive/c/Users is 0750 which should be OK.
> 
> So my question is: are "Administrators" and "SYSTEM" different users and does cygsshd accept SYSTEM (numeric 18) as a 
> valid user who may own system directories? If the numeric ID is really 18 I can't see how this check can succeed but I'm 
> not sure the code used in Cygwin is the same.
> 
> On 05.02.2024 00:53, Frank-Ulrich Sommer via Cygwin wrote:
>> Hi,
>>
>> I'm trying to run cygsshd on my PC with Windows 11 and connect from a linux machine. I have added the public key to 
>> /cygdrive/c/Users/xxx/.ssh/authorized_keys and created a symbolic link from  /cygdrive/c/Users/xxx/.ssh to 
>> /home/xxx/.ssh. As usual I checked the access rights and mode of the .ssh directory (700 and belongs to user xxx) and 
>> the authorized_keys file (600 and also belongs to user xxx) and also of the home directory (had to change ownership).
>>
>> Now I get the following strange messages:
>>
>> [...]
>> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: temporarily_use_uid: 197609/197121 (e=18/18)
>> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: trying public key file /home/xxx/.ssh/authorized_keys
>> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: fd 5 clearing O_NONBLOCK
>> Feb  5 00:35:50 XXXXX sshd: PID 2798: Authentication refused: bad ownership or modes for directory /cygdrive/c/Users
>> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: restore_uid: 18/18
>> [...]
>>
>> Why is cygsshd complaining about the Windows "Users" directory and not about the directory of user xxx 
>> (/cygdrive/c/Users/xxx)? And how can I solve this?
>>
>> Frank

Administrators and SYSTEM are not the same.  And neither is exactly equivalent
to the concept of root in POSIX.  SYSTEM (in my experience) is used for things
like backup tools that need access to almost every file.  Administrators is for
system administration.  I don't have deep knowledge of all of this - others can
give a deeper / more nuanced answer.

Eliot Moss



* Re: cygsshd fails due to bad ownership or modes of /cygdrive/c/Users
  2024-02-06  1:36   ` Eliot Moss
@ 2024-02-06 21:22     ` Brian Inglis
  2024-02-07  2:26       ` Frank-Ulrich Sommer
  0 siblings, 1 reply; 12+ messages in thread
From: Brian Inglis @ 2024-02-06 21:22 UTC (permalink / raw)
  To: cygwin

On 2024-02-05 18:36, Eliot Moss via Cygwin wrote:
> On 2/5/2024 8:28 PM, Frank-Ulrich Sommer via Cygwin wrote:
>> On 05.02.2024 00:53, Frank-Ulrich Sommer via Cygwin wrote:
>>> I'm trying to run cygsshd on my PC with Windows 11 and connect from a linux 
>>> machine. I have added the public key to 
>>> /cygdrive/c/Users/xxx/.ssh/authorized_keys and created a symbolic link from  
>>> /cygdrive/c/Users/xxx/.ssh to /home/xxx/.ssh. As usual I checked the access 
>>> rights and mode of the .ssh directory (700 and belongs to user xxx) and the 
>>> authorized_keys file (600 and also belongs to user xxx) and also of the home 
>>> directory (had to change ownership).

Change the symlink from Cygwin home to your home, as symlinks have a+rwx perms, 
so you cannot use one for .ssh:

	$ ln -sv `cygpath -aU "C:/Users/$USER"` /home/

>>> Now I get the following strange messages:
>>> [...]
>>> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: temporarily_use_uid: 
>>> 197609/197121 (e=18/18)
>>> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: trying public key file 
>>> /home/xxx/.ssh/authorized_keys
>>> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: fd 5 clearing O_NONBLOCK
>>> Feb  5 00:35:50 XXXXX sshd: PID 2798: Authentication refused: bad ownership 
>>> or modes for directory /cygdrive/c/Users
>>> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: restore_uid: 18/18
>>> [...]
>>> Why is cygsshd complaining about the Windows "Users" directory and not about 
>>> the directory of user xxx (/cygdrive/c/Users/xxx)? And how can I solve this?

>> Looking at the OpenSSH source code (on Github, not from Cygwin) I found a 
>> function "safe_path" that checks that the ownership and access modes for all 
>> path components are correct.  This relies on "platform_sys_dir_uid" which 
>> checks if a UID may own a system directory. The code checks for UID zero and 
>> might also accept an OS specific second value (PLATFORM_SYS_DIR_UID) but for 
>> Cygwin this seems not to be set. But I don't know where to find the source 
>> code for the exact version that is used in Cygwin and I'm unsure about build 
>> settings.

Run Cygwin setup and select package openssh Source checkbox to download the 
source package, or go to your Cygwin upstream mirror and download the source 
tarball shown in setup.ini prefixed with your nearest Cygwin mirror site e.g.

https://ftp.fau.de/cygwin/x86_64/release/openssh/openssh-9.6p1-1-src.tar.xz

Build settings are in the Cygwin package build control script definitions file 
openssh.cygport in the source tarball or build repo:

	https://cygwin.com/cgit/cygwin-packages/openssh/tree/openssh.cygport

...
	--disable-strip
	   --with-kerberos5=/usr
	       --libexecdir=/usr/sbin
	       --with-xauth=/usr/bin/xauth
	   --with-libedit
	   --with-security-key-builtin

>> A comment defines this a safe path as follows:
>> "This is defined as all components of the path to the file must be owned by 
>> either the owner of the file or root and no directories must be group or world 
>> writable."

>> The "Users" directory is owned by "SYSTEM" (numeric: 18 according to stat) and 
>> only writable by Administrators and SYSTEM. The mode cygwin shows for 
>> /cygdrive/c/Users is 0750 which should be OK.

>> So my question is: are "Administrators" and "SYSTEM" different users and does 
>> cygsshd accept SYSTEM (numeric 18) as a valid user who may own system 
>> directories? If the numeric ID is really 18 I can't see how this check can 
>> succeed but I'm not sure the code used in Cygwin is the same.

	$ id SYSTEM
	uid=18(SYSTEM) gid=18(SYSTEM) groups=544(Administrators),18(SYSTEM)

> Administrators and SYSTEM are not the same.  And neither is exactly equivalent
> to the concept of root in POSIX.  SYSTEM (in my experience) is used for things
> like backup tools that needs access to almost every file.  Administrators is for
> system administration.  I don't have deep knowledge of all of this - others can
> give a deeper / more nuanced answer.

Look at permissions at all levels:

$ lsattr -d ~/.ssh/;echo;ls -dl ~/.ssh/;echo;getfacl ~/.ssh/;\
				icacls `cygpath -m ~/.ssh`
------------ /home/BWI/.ssh/

drwx------ 1 $USER None 0 Mar  8  2023 /home/$USER/.ssh/

# file: /home/$USER/.ssh/
# owner: $USER
# group: None
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:other::---

.../.ssh/ $HOST\$USER:(F)
           $HOST\None:(Rc,S,RA)
           Everyone:(Rc,S,RA)
           CREATOR OWNER:(OI)(CI)(IO)(F)
           CREATOR GROUP:(OI)(CI)(IO)(Rc,S,RA)
           Everyone:(OI)(CI)(IO)(Rc,S,RA)

Successfully processed 1 files; Failed processing 0 files

Try:

# add perm query cmds for info before and after changes
$ chmod -c u+rwx,go-rwx	~/.ssh/
$ setfacl -b		~/.ssh/
$ chmod -c u+rwx,go-rwx	~/.ssh/	# same as before

then ls -l ~/.ssh/ and ensure that:

- non-key ssh files	...		have	u+rw-x,go-rwx 	perms,
- private key files	id_...		have	u+r-wx,go-rwx 	perms, and
- public key files	id_*.pub	have	a+r-wx 		perms.

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                 -- Antoine de Saint-Exupéry


* Re: cygsshd fails due to bad ownership or modes of /cygdrive/c/Users
  2024-02-06 21:22     ` Brian Inglis
@ 2024-02-07  2:26       ` Frank-Ulrich Sommer
  2024-02-07  5:34         ` marco atzeri
  2024-02-07 19:01         ` matthew patton
  0 siblings, 2 replies; 12+ messages in thread
From: Frank-Ulrich Sommer @ 2024-02-07  2:26 UTC (permalink / raw)
  To: cygwin



On 06.02.2024 22:22, Brian Inglis via Cygwin wrote:
> On 2024-02-05 18:36, Eliot Moss via Cygwin wrote:
>> On 2/5/2024 8:28 PM, Frank-Ulrich Sommer via Cygwin wrote:
>>> On 05.02.2024 00:53, Frank-Ulrich Sommer via Cygwin wrote:
>>>> I'm trying to run cygsshd on my PC with Windows 11 and connect from a linux machine. I have added the public key to /cygdrive/c/Users/xxx/.ssh/authorized_keys and created a symbolic link from  /cygdrive/c/Users/xxx/.ssh to /home/xxx/.ssh. As usual I checked the access rights and mode of the .ssh directory (700 and belongs to user xxx) and the authorized_keys file (600 and also belongs to user xxx) and also of the home directory (had to change ownership).
>
> Change the symlink from Cygwin home to your home, as symlinks have a+rwx perms, so you can not use one for .ssh:
>
>     $ ln -sv `cygpath -aU "C:/Users/$USER"` /home/
>
Currently I'm reluctant to do this as my current Cygwin home directory looks quite "clean" and does not contain hundreds of Windows files and subdirectories. I just added the link because the .ssh directory was automatically created as /cygdrive/c/Users/fus/.ssh and I wanted easier access and to avoid having two different .ssh directories, which proved to be quite risky in the past.
>>>> Now I get the following strange messages:
>>>> [...]
>>>> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: temporarily_use_uid: 197609/197121 (e=18/18)
>>>> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: trying public key file /home/xxx/.ssh/authorized_keys
>>>> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: fd 5 clearing O_NONBLOCK
>>>> Feb  5 00:35:50 XXXXX sshd: PID 2798: Authentication refused: bad ownership or modes for directory /cygdrive/c/Users
>>>> Feb  5 00:35:50 XXXXX sshd: PID 2798: debug1: restore_uid: 18/18
>>>> [...]
>>>> Why is cygsshd complaining about the Windows "Users" directory and not about the directory of user xxx (/cygdrive/c/Users/xxx)? And how can I solve this?
>
>>> Looking at the OpenSSH source code (on Github, not from Cygwin) I found a function "safe_path" that checks that the ownership and access modes for all path components are correct.  This relies on "platform_sys_dir_uid" which checks if a UID may own a system directory. The code checks for UID zero and might also accept an OS specific second value (PLATFORM_SYS_DIR_UID) but for Cygwin this seems not to be set. But I don't know where to find the source code for the exact version that is used in Cygwin and I'm unsure about build settings.
>
> Run Cygwin setup and select package openssh Source checkbox to download the source package, or go to your Cygwin upstream mirror and download the source tarball shown in setup.ini prefixed with your nearest Cygwin mirror site e.g.
>
> https://ftp.fau.de/cygwin/x86_64/release/openssh/openssh-9.6p1-1-src.tar.xz
>
> Build settings are in the Cygwin package build control script definitions file openssh.cygport in the source tarball or build repo:
>
>     https://cygwin.com/cgit/cygwin-packages/openssh/tree/openssh.cygport
>
> ...
>     --disable-strip
>        --with-kerberos5=/usr
>            --libexecdir=/usr/sbin
>            --with-xauth=/usr/bin/xauth
>        --with-libedit
>        --with-security-key-builtin
>
Thanks for that tip, I found and installed it and succeeded in building it with additional info in the error message (see below).
>>> A comment defines this a safe path as follows:
>>> "This is defined as all components of the path to the file must be owned by either the owner of the file or root and no directories must be group or world writable."
>
>>> The "Users" directory is owned by "SYSTEM" (numeric: 18 according to stat) and only writable by Administrators and SYSTEM. The mode cygwin shows for /cygdrive/c/Users is 0750 which should be OK.
>
>>> So my question is: are "Administrators" and "SYSTEM" different users and does cygsshd accept SYSTEM (numeric 18) as a valid user who may own system directories? If the numeric ID is really 18 I can't see how this check can succeed but I'm not sure the code used in Cygwin is the same.
>
>     $ id SYSTEM
>     uid=18(SYSTEM) gid=18(SYSTEM) groups=544(Administrators),18(SYSTEM)
>
OK, I get the same on my system which seems to be Windows standard.
>> Administrators and SYSTEM are not the same.  And neither is exactly equivalent
>> to the concept of root in POSIX.  SYSTEM (in my experience) is used for things
>> like backup tools that needs access to almost every file. Administrators is for
>> system administration.  I don't have deep knowledge of all of this - others can
>> give a deeper / more nuanced answer.
>
> Look at permissions at all levels:
>
> $ lsattr -d ~/.ssh/;echo;ls -dl ~/.ssh/;echo;getfacl ~/.ssh/;\
>                 icacls `cygpath -m ~/.ssh`
> ------------ /home/BWI/.ssh/
>
> drwx------ 1 $USER None 0 Mar  8  2023 /home/$USER/.ssh/
>
> # file: /home/$USER/.ssh/
> # owner: $USER
> # group: None
> user::rwx
> group::---
> other::---
> default:user::rwx
> default:group::---
> default:other::---
>
> .../.ssh/ $HOST\$USER:(F)
>           $HOST\None:(Rc,S,RA)
>           Everyone:(Rc,S,RA)
>           CREATOR OWNER:(OI)(CI)(IO)(F)
>           CREATOR GROUP:(OI)(CI)(IO)(Rc,S,RA)
>           Everyone:(OI)(CI)(IO)(Rc,S,RA)
>
> Successfully processed 1 files; Failed processing 0 files
>
this results in:

/home/fus

$ lsattr -d ~/.ssh/;echo;ls -dl ~/.ssh/;echo;getfacl ~/.ssh/;                icacls `cygpath -m ~/.ssh`
------------ /home/fus/.ssh/

drwx------+ 1 fus fus 0 Feb  4 23:35 /home/fus/.ssh/

# file: /home/fus/.ssh/
# owner: fus
# group: fus
user::rwx
group::---
group:SYSTEM:rw-        #effective:---
group:Administratoren:rw-       #effective:---
mask::---
other::---
default:user::rwx
default:group::---
default:group:SYSTEM:rw-        #effective:---
default:group:Administratoren:rw-       #effective:---
default:mask::---
default:other::---

C:/Users/fus/.ssh/ NT-AUTORITÄT\SYSTEM:(OI)(CI)(DENY)(X)
                    VORDEFINIERT\Administratoren:(OI)(CI)(DENY)(X)
                    NT-AUTORITÄT\SYSTEM:(OI)(CI)(RX,W,DC)
                    XEONE3_1245V6\fus:(F)
                    VORDEFINIERT\Administratoren:(OI)(CI)(RX,W,DC)

1 Dateien erfolgreich verarbeitet, bei 0 Dateien ist ein Verarbeitungsfehler aufgetreten.

> Try:
>
> # add perm query cmds for info before and after changes
> $ chmod -c u+rwx,go-rwx    ~/.ssh/
> $ setfacl -b        ~/.ssh/
> $ chmod -c u+rwx,go-rwx    ~/.ssh/    # same as before
>
> then ls -l ~/.ssh/ and ensure that:
>
> - non-key ssh files    ...        have    u+rw-x,go-rwx     perms,
> - private key files    id_...        have    u+r-wx,go-rwx perms, and
> - public key files    id_*.pub    have    a+r-wx         perms.
>

The problem seems to be that OpenSSH does not even arrive at checking the home directory or the .ssh directory. It starts checking every directory in the path and fails already at "/cygdrive/c/Users". Now that I know how to get the sources I added debug output to the error message. OpenSSH sees this directory as belonging to the user with UID 18 and it has mode 4750. The mode is checked not to contain 0022, which is fine here. Then it checks that the owner is the correct system user and the only criterion is that the UID must be zero. Only for AIX and HP-UX is the user "bin" with UID 2 also accepted. So this check fails and OpenSSH assumes that the directory does not belong to the correct privileged system user.

I think the only way to fix this with the current OpenSSH is disabling strict mode, but normally I'm quite reluctant to do something like that.


* Re: cygsshd fails due to bad ownership or modes of /cygdrive/c/Users
  2024-02-07  2:26       ` Frank-Ulrich Sommer
@ 2024-02-07  5:34         ` marco atzeri
  2024-02-07 19:01         ` matthew patton
  1 sibling, 0 replies; 12+ messages in thread
From: marco atzeri @ 2024-02-07  5:34 UTC (permalink / raw)
  To: Frank-Ulrich Sommer; +Cc: cygwin

On Wed, Feb 7, 2024 at 3:26 AM Frank-Ulrich Sommer via Cygwin
<cygwin@cygwin.com> wrote:
> On 06.02.2024 22:22, Brian Inglis via Cygwin wrote:
> > On 2024-02-05 18:36, Eliot Moss via Cygwin wrote:
> >> On 2/5/2024 8:28 PM, Frank-Ulrich Sommer via Cygwin wrote:
> >>> On 05.02.2024 00:53, Frank-Ulrich Sommer via Cygwin wrote:
> >>>> I'm trying to run cygsshd on my PC with Windows 11 and connect from a linux machine. I have added the public key to /cygdrive/c/Users/xxx/.ssh/authorized_keys and created a symbolic link from  /cygdrive/c/Users/xxx/.ssh to /home/xxx/.ssh. As usual I checked the access rights and mode of the .ssh directory (700 and belongs to user xxx) and the authorized_keys file (600 and also belongs to user xxx) and also of the home directory (had to change ownership).

> The problem seems to be that OpenSSH does not even arrive at checking the home directory or the .ssh directory. It starts checking every directory in the path and fails already at "/cygdrive/c/Users". Now that I know how to get the sources I added debug output to the error message. OpenSSH sees this directory as belonging to the user with UID 18 and it has mode 4750. The mode is checked not to contain 0022, which is fine here. Then it checks that the owner is the correct system user and the only criterion is that the UID must be zero. Only for AIX and HP-UX is the user "bin" with UID 2 also accepted. So this check fails and OpenSSH assumes that the directory does not belong to the correct privileged system user.
>
> I think the only way to fix this with the current OpenSSH is disabling strict mode, but normally I'm quite reluctant to do something like that.
>

What is the issue with using the /home/USER/.ssh folder?

I prefer to leave the Cygwin Home and the Windows Home well separated
to avoid this ACL collision

 $ set | grep -i ^home
HOME=/home/matzeri
HOMEDRIVE=C:
HOMEPATH='\Users\matzeri'


* Re: cygsshd fails due to bad ownership or modes of /cygdrive/c/Users
  2024-02-07  2:26       ` Frank-Ulrich Sommer
  2024-02-07  5:34         ` marco atzeri
@ 2024-02-07 19:01         ` matthew patton
  2024-02-07 19:25           ` Corinna Vinschen
  1 sibling, 1 reply; 12+ messages in thread
From: matthew patton @ 2024-02-07 19:01 UTC (permalink / raw)
  To: cygwin, Frank-Ulrich Sommer


> The problem seems to be that OpenSSH does not even arrive at checking the home directory
> or the .ssh directory. It starts checking every directory in the path and fails already at "/cygdrive/c/Users"

I don't think we can win an argument with Theo over how misguided and unnecessary meddling the OpenSSH code is being. Ownership that diverges from 0 (or 2, or 18) should be a mere WARNING, not an ERROR until validity checks get to the user's actual $HOME and/or the authorized_keys directory+file.

/home in Cygwin is just [OS drive]/cygwin64/home so that doesn't fix anything. I personally set the Cygwin FSTAB to

C:/Users /home  none    binary  0 0

Unfortunately I think we need an #IFDEF on safe_path() to force it back into its lane. Anyone want to tangle with Theo?


* Re: cygsshd fails due to bad ownership or modes of /cygdrive/c/Users
  2024-02-04 23:53 cygsshd fails due to bad ownership or modes of /cygdrive/c/Users Frank-Ulrich Sommer
  2024-02-06  1:28 ` Frank-Ulrich Sommer
@ 2024-02-07 19:23 ` ASSI
  2024-02-07 19:27   ` Corinna Vinschen
  1 sibling, 1 reply; 12+ messages in thread
From: ASSI @ 2024-02-07 19:23 UTC (permalink / raw)
  To: cygwin

Frank-Ulrich Sommer via Cygwin writes:
> I'm trying to run cygsshd on my PC with Windows 11 and connect from a
> linux machine. I have added the public key to
> /cygdrive/c/Users/xxx/.ssh/authorized_keys and created a symbolic link
> from  /cygdrive/c/Users/xxx/.ssh to /home/xxx/.ssh. As usual I checked
> the access rights and mode of the .ssh directory (700 and belongs to
> user xxx) and the authorized_keys file (600 and also belongs to user
> xxx) and also of the home directory (had to change ownership).

Just bind mount instead of symlinking .ssh and everything should work.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for KORG EX-800 and Poly-800MkII V0.9:
http://Synth.Stromeko.net/Downloads.html#KorgSDada


* Re: cygsshd fails due to bad ownership or modes of /cygdrive/c/Users
  2024-02-07 19:01         ` matthew patton
@ 2024-02-07 19:25           ` Corinna Vinschen
  0 siblings, 0 replies; 12+ messages in thread
From: Corinna Vinschen @ 2024-02-07 19:25 UTC (permalink / raw)
  To: cygwin

On Feb  7 19:01, matthew patton via Cygwin wrote:
> > The problem seems to be that OpenSSH does not even arrive at checking the home directory
> > or the .ssh directory. It starts checking every directory in the path and fails already at "/cygdrive/c/Users"
>
> I don't think we can win an argument with Theo over how misguided and unnecessary meddling the OpenSSH code is being. Ownership that diverges from 0 (or 2, or 18) should be a mere WARNING, not an ERROR until validity checks get to the user's actual $HOME and/or the authorized_keys directory+file.
>
> /home in Cygwin is just [OS drive]/cygwin64/home so that doesn't fix anything. I personally set the Cygwin FSTAB to
>
> C:/Users /home  none    binary  0 0
>
> Unfortunately I think we need an #IFDEF on safe_path() to force it back into its lane. Anyone want to tangle with Theo?

You can switch off the extended path permission checks by
changing your /etc/sshd_config file.

See the "StrictModes" setting in `man sshd_config'


Corinna


* Re: cygsshd fails due to bad ownership or modes of /cygdrive/c/Users
  2024-02-07 19:23 ` ASSI
@ 2024-02-07 19:27   ` Corinna Vinschen
  2024-02-07 19:55     ` Corinna Vinschen
  2024-02-07 21:27     ` Frank-Ulrich Sommer
  0 siblings, 2 replies; 12+ messages in thread
From: Corinna Vinschen @ 2024-02-07 19:27 UTC (permalink / raw)
  To: cygwin

On Feb  7 20:23, ASSI via Cygwin wrote:
> Frank-Ulrich Sommer via Cygwin writes:
> > I'm trying to run cygsshd on my PC with Windows 11 and connect from a
> > linux machine. I have added the public key to
> > /cygdrive/c/Users/xxx/.ssh/authorized_keys and created a symbolic link
> > from  /cygdrive/c/Users/xxx/.ssh to /home/xxx/.ssh. As usual I checked
> > the access rights and mode of the .ssh directory (700 and belongs to
> > user xxx) and the authorized_keys file (600 and also belongs to user
> > xxx) and also of the home directory (had to change ownership).
> 
> Just bind mount instead of symlinking .ssh and everything should work.

Assuming you have installed Cygwin under your own account, that's even
better than utilizing "StrictModes".


Corinna


* Re: cygsshd fails due to bad ownership or modes of /cygdrive/c/Users
  2024-02-07 19:27   ` Corinna Vinschen
@ 2024-02-07 19:55     ` Corinna Vinschen
  2024-02-07 21:27     ` Frank-Ulrich Sommer
  1 sibling, 0 replies; 12+ messages in thread
From: Corinna Vinschen @ 2024-02-07 19:55 UTC (permalink / raw)
  To: cygwin

On Feb  7 20:27, Corinna Vinschen via Cygwin wrote:
> On Feb  7 20:23, ASSI via Cygwin wrote:
> > Frank-Ulrich Sommer via Cygwin writes:
> > > I'm trying to run cygsshd on my PC with Windows 11 and connect from a
> > > linux machine. I have added the public key to
> > > /cygdrive/c/Users/xxx/.ssh/authorized_keys and created a symbolic link
> > > from  /cygdrive/c/Users/xxx/.ssh to /home/xxx/.ssh. As usual I checked
> > > the access rights and mode of the .ssh directory (700 and belongs to
> > > user xxx) and the authorized_keys file (600 and also belongs to user
> > > xxx) and also of the home directory (had to change ownership).
> > 
> > Just bind mount instead of symlinking .ssh and everything should work.
> 
> Assuming you have installed Cygwin under your own account, that's even
> better than utilizing "StrictModes".

Scratch the "Assuming you have installed Cygwin under your own account"
thingy.  The safe_path() function in OpenSSH checks the path of files
in your home dir only up to the home directory itself.  However, that
depends on

  $ getent passwd <your-account-name>

returning the correct home dir.

Personally I just use Cygwin's /home/corinna as home path and symlink
or bind mount the Windows stuff into it, e.g.

  $ ln -s /proc/cygdrive/c/Users/corinna ~/winhome


Corinna
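
As an added illustration (not OpenSSH or Cygwin code), the Python model below replays the auth_secure_path()/safe_path walk Frank traced in the sources, including the stop at the canonicalised home directory described above, over a constructed in-memory tree. The uids 197609 and 18, the 4750 mode on /cygdrive/c/Users and the 0700/0600 modes are the values reported in the thread; the user name "fus", the modes on /, /home, /cygdrive and /cygdrive/c, and the FakeTree stand-in for stat()/realpath() are assumptions.

```python
"""Model of OpenSSH's auth_secure_path() walk over a constructed file tree.
Added example, not OpenSSH or Cygwin code."""
import posixpath

# platform_sys_dir_uid(): only uid 0 by default; "bin" (uid 2) is added for
# AIX/HP-UX builds.  Cygwin's SYSTEM (uid 18) is in neither set.
SYS_DIR_UIDS_DEFAULT = frozenset({0})
SYS_DIR_UIDS_AIX_HPUX = frozenset({0, 2})

FUS = 197609     # uid of the login user, from the temporarily_use_uid log line
SYSTEM = 18      # owner of C:\Users as reported by stat in the thread

# Canonical path -> (st_uid, st_mode).  Entries for /, /home, /cygdrive and
# /cygdrive/c are constructed; the rest are the values Frank reported.
ENTRIES = {
    "/": (0, 0o755),
    "/home": (0, 0o755),
    "/home/fus": (FUS, 0o700),
    "/home/fus/.ssh": (FUS, 0o700),
    "/home/fus/.ssh/authorized_keys": (FUS, 0o600),
    "/cygdrive": (0, 0o755),
    "/cygdrive/c": (SYSTEM, 0o755),
    "/cygdrive/c/Users": (SYSTEM, 0o4750),
    "/cygdrive/c/Users/fus": (FUS, 0o700),
    "/cygdrive/c/Users/fus/.ssh": (FUS, 0o700),
    "/cygdrive/c/Users/fus/.ssh/authorized_keys": (FUS, 0o600),
}


class FakeTree:
    """Stand-in for stat()/realpath().  symlinks maps a directory symlink to
    its target; a Cygwin bind mount is not a symlink and so is not listed."""

    def __init__(self, entries, symlinks=None):
        self.entries = dict(entries)
        self.symlinks = dict(symlinks or {})

    def realpath(self, path):
        for _ in range(32):                      # guard against link loops
            for link, target in self.symlinks.items():
                if path == link or path.startswith(link + "/"):
                    path = target + path[len(link):]
                    break
            else:
                return path
        raise OSError("too many levels of symbolic links")

    def stat(self, path):
        if path not in self.entries:
            raise FileNotFoundError(path)
        return self.entries[path]


def auth_secure_path(tree, name, pw_dir, uid, sys_dir_uids=SYS_DIR_UIDS_DEFAULT):
    """Same order of checks as OpenSSH auth.c: the file, then each parent
    directory walking upward, stopping at the canonicalised home directory
    or at '/'.  Returns (ok, message) using sshd's message wording."""

    def bad(st_uid, st_mode):
        # owner must be the file owner or a system-dir uid; no g/o write bits
        return (st_uid not in sys_dir_uids and st_uid != uid) or bool(st_mode & 0o022)

    buf = tree.realpath(name)
    homedir = tree.realpath(pw_dir) if pw_dir else None
    if bad(*tree.stat(buf)):
        return False, f"bad ownership or modes for file {buf}"
    while True:
        buf = posixpath.dirname(buf)
        try:
            st = tree.stat(buf)
        except FileNotFoundError:
            st = None
        if st is None or bad(*st):
            return False, f"bad ownership or modes for directory {buf}"
        if homedir is not None and buf == homedir:
            break                                # reached the home dir: stop
        if buf in ("/", "."):
            break
    return True, "ok"


def symlinked_layout():
    """Frank's original setup: /home/fus/.ssh is a symlink into the profile."""
    return FakeTree(ENTRIES, {"/home/fus/.ssh": "/cygdrive/c/Users/fus/.ssh"})


def separate_home_layout():
    """Frank's fix: a real /home/fus/.ssh, with db_home resolving to /home/fus."""
    return FakeTree(ENTRIES)


if __name__ == "__main__":
    key = "/home/fus/.ssh/authorized_keys"
    # realpath() follows the symlink, the walk never meets /home/fus and
    # dies at /cygdrive/c/Users (uid 18), exactly as in the sshd log
    print(auth_secure_path(symlinked_layout(), key, "/home/fus", FUS))
    # the walk stops at /home/fus, so /home and / are never examined
    print(auth_secure_path(separate_home_layout(), key, "/home/fus", FUS))
    # if getent passwd returned the Windows profile as home, the walk would
    # stop there and never reach C:\Users either
    print(auth_secure_path(symlinked_layout(), key, "/cygdrive/c/Users/fus", FUS))
```

The last call shows why the result depends on what `getent passwd` returns for the home directory: the same tree passes or fails depending only on where the upward walk is allowed to stop.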


* Re: cygsshd fails due to bad ownership or modes of /cygdrive/c/Users
  2024-02-07 19:27   ` Corinna Vinschen
  2024-02-07 19:55     ` Corinna Vinschen
@ 2024-02-07 21:27     ` Frank-Ulrich Sommer
  1 sibling, 0 replies; 12+ messages in thread
From: Frank-Ulrich Sommer @ 2024-02-07 21:27 UTC (permalink / raw)
  To: cygwin



On 07.02.2024 20:27, Corinna Vinschen via Cygwin wrote:
> On Feb  7 20:23, ASSI via Cygwin wrote:
>> Frank-Ulrich Sommer via Cygwin writes:
>>> I'm trying to run cygsshd on my PC with Windows 11 and connect from a
>>> linux machine. I have added the public key to
>>> /cygdrive/c/Users/xxx/.ssh/authorized_keys and created a symbolic link
>>> from  /cygdrive/c/Users/xxx/.ssh to /home/xxx/.ssh. As usual I checked
>>> the access rights and mode of the .ssh directory (700 and belongs to
>>> user xxx) and the authorized_keys file (600 and also belongs to user
>>> xxx) and also of the home directory (had to change ownership).
>> Just bind mount instead of symlinking .ssh and everything should work.
> Assuming you have installed Cygwin under your own account, that's even
> better than utilizing "StrictModes".
>
>
> Corinna
>

I decided to move the .ssh directory to /home/username/.ssh and edited nsswitch.conf to specify the home directory with "db_home: /home/%U" (all entries in this file were commented out). Now sshd seems to work without deactivating strict mode. If I should still get problems with something else missing the .ssh directory in the Windows Users directory I will try the bind mount.

I do not know how the .ssh got in /cygdrive/c/Users/... because I did not change anything manually.

Thanks for all the help!


