Struggling to setup sshd with Windows Vista

Struggling to setup sshd with Windows Vista

[Kevin Hilton]

Where to start??

I attempting to setup the sshd within Windows Vista.  For this OS
documentation seems scant.
openssh version OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007

At this point I dont care about priviledge separation.  I can use it,
or not.  I attempted to setup the daemon using ssh-host-config and
answered yes to using privledge separation.
Now Im stuck since I cant undo the process.

Im find the /usr/share/doc/openssh/README.privsep file not to be all
that helpful


Currently Im getting the following:
$ net start sshd
System error 1069 has occurred.

The service did not start due to a logon failure.

With /var/log/sshd.log Im finding:
Privilege separation user sshd does not exist

Here is my setup:
$ ssh-host-config
Overwrite existing /etc/ssh_config file? (yes/no) yes
Generating /etc/ssh_config file
Overwrite existing /etc/sshd_config file? (yes/no) yes
Privilege separation is set to yes by default since OpenSSH 3.3.
However, this requires a non-privileged account called 'sshd'.
For more info on privilege separation read /usr/share/doc/openssh/README.privsep
.

Should privilege separation be used? (yes/no) yes
Generating /etc/sshd_config file

Host configuration finished. Have fun!

$ more /etc/passwd
SYSTEM:*:18:544:,S-1-5-18::
Administrators:*:544:544:,S-1-5-32-544::
Administrator:unused_by_nt/2000/xp:500:513:U-Darien\Administrator,S-1-5-21-22494
56148-3830241392-4138796912-500:/home/Administrator:/bin/bash
Guest:unused_by_nt/2000/xp:501:513:U-Darien\Guest,S-1-5-21-2249456148-3830241392
-4138796912-501:/home/Guest:/bin/bash
IUSR_NMPR:unused_by_nt/2000/xp:1000:513:IUSR_NMPR,U-Darien\IUSR_NMPR,S-1-5-21-22
49456148-3830241392-4138796912-1000:/home/IUSR_NMPR:/bin/bash
klal:unused_by_nt/2000/xp:1001:513:U-Darien\klal,S-1-5-21-2249456148-3830241392-
4138796912-500:/home/klal:/bin/bash
sshd:unused_by_nt/2000/xp:1002:513:sshd privsep,U-Darien\sshd,S-1-5-21-224945614
8-3830241392-4138796912-1002:/var/empty:/bin/false

Its obvious I need to do something more with the sshd user?? What do I do?

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Struggling to setup sshd with Windows Vista

[Brian Dessent]

Thorsten Kampe wrote:

> > > $ /usr/sbin/sshd -d -d -d -D
> >
> > That's a very bad idea.
> 
> Kevin is obviously trying to debug things (noticed the triple "-d"?)
> so this is a really good idea...

I know what the sshd options mean, and no, it's really not a good idea
in the slightest.  Trying to debug sshd by starting it as a user is all
kinds of wrong.  All the file permissions will be wrong, so even if
things are perfectly setup correctly, this will fail.  If you modify the
permissions to make this "debugging" work then the service will then
fail to start, and as I already said normal users lack the required
privileges to switch user context so this "debugging" will do nothing
but prove you can break things.  It's a thoroughly bad idea unless you
are running a SYSTEM-owned shell.

Brian

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Struggling to setup sshd with Windows Vista

[Kevin Hilton]

Just another thing that I have noticed:

$ /usr/sbin/sshd -d -d -d -D
debug2: load_server_config: filename /etc/sshd_config
debug2: load_server_config: done config len = 210
debug2: parse_server_config: config /etc/sshd_config len 210
debug3: /etc/sshd_config:13 setting Port 22
debug3: /etc/sshd_config:21 setting Protocol 2
debug3: /etc/sshd_config:42 setting StrictModes no
debug3: /etc/sshd_config:96 setting UsePrivilegeSeparation yes
debug3: /etc/sshd_config:110 setting Subsystem sftp     /usr/sbin/sftp-server
debug1: sshd version OpenSSH_4.7p1
debug3: Not a RSA1 key file /etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
/var/empty must be owned by root and not group or world-writable.

Who should be the owner of /var/empty.  Right now I have:
drwxr-xr-x+  2 SYSTEM SYSTEM       0 Dec 22 22:40 empty

On Dec 23, 2007 4:22 AM, Kevin Hilton <kevhilton@gmail.com> wrote:
> Where to start??
>
> I attempting to setup the sshd within Windows Vista.  For this OS
> documentation seems scant.
> openssh version OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007
>
> At this point I dont care about priviledge separation.  I can use it,
> or not.  I attempted to setup the daemon using ssh-host-config and
> answered yes to using privledge separation.
> Now Im stuck since I cant undo the process.
>
> Im find the /usr/share/doc/openssh/README.privsep file not to be all
> that helpful
>
>
> Currently Im getting the following:
> $ net start sshd
> System error 1069 has occurred.
>
> The service did not start due to a logon failure.
>
> With /var/log/sshd.log Im finding:
> Privilege separation user sshd does not exist
>
> Here is my setup:
> $ ssh-host-config
> Overwrite existing /etc/ssh_config file? (yes/no) yes
> Generating /etc/ssh_config file
> Overwrite existing /etc/sshd_config file? (yes/no) yes
> Privilege separation is set to yes by default since OpenSSH 3.3.
> However, this requires a non-privileged account called 'sshd'.
> For more info on privilege separation read /usr/share/doc/openssh/README.privsep
> .
>
> Should privilege separation be used? (yes/no) yes
> Generating /etc/sshd_config file
>
> Host configuration finished. Have fun!
>
> $ more /etc/passwd
> SYSTEM:*:18:544:,S-1-5-18::
> Administrators:*:544:544:,S-1-5-32-544::
> Administrator:unused_by_nt/2000/xp:500:513:U-Darien\Administrator,S-1-5-21-22494
> 56148-3830241392-4138796912-500:/home/Administrator:/bin/bash
> Guest:unused_by_nt/2000/xp:501:513:U-Darien\Guest,S-1-5-21-2249456148-3830241392
> -4138796912-501:/home/Guest:/bin/bash
> IUSR_NMPR:unused_by_nt/2000/xp:1000:513:IUSR_NMPR,U-Darien\IUSR_NMPR,S-1-5-21-22
> 49456148-3830241392-4138796912-1000:/home/IUSR_NMPR:/bin/bash
> klal:unused_by_nt/2000/xp:1001:513:U-Darien\klal,S-1-5-21-2249456148-3830241392-
> 4138796912-500:/home/klal:/bin/bash
> sshd:unused_by_nt/2000/xp:1002:513:sshd privsep,U-Darien\sshd,S-1-5-21-224945614
> 8-3830241392-4138796912-1002:/var/empty:/bin/false
>
> Its obvious I need to do something more with the sshd user?? What do I do?
>



-- 
Kevin Hilton

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Struggling to setup sshd with Windows Vista

[Brian Dessent]

Kevin Hilton wrote:

> Just another thing that I have noticed:
> 
> $ /usr/sbin/sshd -d -d -d -D

That's a very bad idea.  The daemon requires privileges that normal
users (even administrators) don't have, so trying to run it like that as
a normal user is just a recipe for breaking things.  And even if you got
it to work, you'd have to change all the permissions which were set up
by the script for the daemon to be run as a service.

> Who should be the owner of /var/empty.  Right now I have:
> drwxr-xr-x+  2 SYSTEM SYSTEM       0 Dec 22 22:40 empty

That's probably correct.

You've got some indeterminate state of brokenness here.  Delete the sshd
user, delete the service, delete /var/empty, delete the sshd config
files, recreate known good passwd and group files, and then just run
"ssh-host-config -y" and let it create everything correctly.  That is
all you should ever need to do.  Messing with things manually just leads
to trouble unless you understand what's going on.

Brian

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Struggling to setup sshd with Windows Vista

[Thorsten Kampe]

* Brian Dessent (Sun, 23 Dec 2007 04:58:33 -0800)
> Kevin Hilton wrote:
> > Just another thing that I have noticed:
> > 
> > $ /usr/sbin/sshd -d -d -d -D
> 
> That's a very bad idea.

Kevin is obviously trying to debug things (noticed the triple "-d"?) 
so this is a really good idea...

Thorsten


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Struggling to setup sshd with Windows Vista

[Kevin Hilton]

QUOTE:

You've got some indeterminate state of brokenness here. Delete the sshd
user, delete the service, delete /var/empty, delete the sshd config
files, recreate known good passwd and group files, and then just run
"ssh-host-config -y" and let it create everything correctly. That is
all you should ever need to do. Messing with things manually just leads
to trouble unless you understand what's going on.

ENDQUOTE

Let me just make sure I know what you are telling me to do, since I
already did this and it didnt make a difference.  As an administrator,
I:
1. Delete the sshd user -- Ok I manually edited the /etc/passwd file
and deleted this user
2. Delete the service - Ok cygrunsrv -R sshd
3. Delete the sshd config files - rm /etc/ssh*config, rm /etc/ssh*pub
rm /etc/ssh*key
4. Recreate known good passwd and group files - I never modified the
/etc/group file.  I recreated the /etc/passwd file I had prior by just
removing the sshd user.  Is there something else I should be doing?
5. ssh-host-config -y  -- End result is the same. When I do a
net start sshd
$ net start sshd
System error 1069 has occurred.

The service did not start due to a logon failure.

/var/log/sshd.log reveals:
$ more sshd.log
Privilege separation user sshd does not exist


So how do I create the sshd user? Is there anything I am missing??
This is my first time running into problems.  Ive repeated this
process on XP boxes like 20 times without incidence.  Its even easier
on Ubuntu.  However getting this up and running on Vista is a fiasco.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Struggling to setup sshd with Windows Vista

[Kevin Hilton]

> QUOTE:
>
> You've got some indeterminate state of brokenness here. Delete the sshd
> user, delete the service, delete /var/empty, delete the sshd config
> files, recreate known good passwd and group files, and then just run
> "ssh-host-config -y" and let it create everything correctly. That is
> all you should ever need to do. Messing with things manually just leads
> to trouble unless you understand what's going on.
>
> ENDQUOTE
>
> Let me just make sure I know what you are telling me to do, since I
> already did this and it didnt make a difference.  As an administrator,
> I:
> 1. Delete the sshd user -- Ok I manually edited the /etc/passwd file
> and deleted this user
> 2. Delete the service - Ok cygrunsrv -R sshd
> 3. Delete the sshd config files - rm /etc/ssh*config, rm /etc/ssh*pub
> rm /etc/ssh*key
> 4. Recreate known good passwd and group files - I never modified the
> /etc/group file.  I recreated the /etc/passwd file I had prior by just
> removing the sshd user.  Is there something else I should be doing?
> 5. ssh-host-config -y  -- End result is the same. When I do a
> net start sshd
> $ net start sshd
> System error 1069 has occurred.
>
> The service did not start due to a logon failure.
>
> /var/log/sshd.log reveals:
> $ more sshd.log
> Privilege separation user sshd does not exist
>
>
> So how do I create the sshd user? Is there anything I am missing??
> This is my first time running into problems.  Ive repeated this
> process on XP boxes like 20 times without incidence.  Its even easier
> on Ubuntu.  However getting this up and running on Vista is a fiasco.
>


I stand corrected.  I am finding a few differences with the described
setup above (but the service fails to start):
I know have sshd and sshd_server users.  The /etc/group file is unchanged:

$ more /etc/passwd
SYSTEM:*:18:544:,S-1-5-18::
Administrators:*:544:544:,S-1-5-32-544::
Administrator:unused_by_nt/2000/xp:500:513:U-Darien\Administrator,S-1-5-21-22494
56148-3830241392-4138796912-500:/home/Administrator:/bin/bash
Guest:unused_by_nt/2000/xp:501:513:U-Darien\Guest,S-1-5-21-2249456148-3830241392
-4138796912-501:/home/Guest:/bin/bash
IUSR_NMPR:unused_by_nt/2000/xp:1000:513:IUSR_NMPR,U-Darien\IUSR_NMPR,S-1-5-21-22
49456148-3830241392-4138796912-1000:/home/IUSR_NMPR:/bin/bash
klal:unused_by_nt/2000/xp:1001:513:U-Darien\klal,S-1-5-21-2249456148-3830241392-
4138796912-500:/home/klal:/bin/bash
sshd:unused_by_nt/2000/xp:1002:513:sshd privsep,U-Darien\sshd,S-1-5-21-224945614
8-3830241392-4138796912-1002:/var/empty:/bin/false
sshd_server:unused_by_nt/2000/xp:1003:513:sshd server account,U-Darien\sshd_serv
er,S-1-5-21-2249456148-3830241392-4138796912-1003:/var/empty:/bin/false

Also the ownership of the /var/empty directory has changed:
drwxr-xr-x+  2 sshd_server Administrators    0 Dec 23 14:02 .

Should either the sshd or sshd_server user be part of the Administrator group?

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Struggling to setup sshd with Windows Vista

[Larry Hall (Cygwin)]

Kevin Hilton wrote:

<snip>

> Should either the sshd or sshd_server user be part of the Administrator group?

You really shouldn't need to worry about the groups for these users.  They
are created by the 'ssh-host-config' script with the required permissions
and groups.  They should work for you as they were created.  If you're
finding this isn't true or if you're just wondering what attributes were
used to create them, see the 'ssh-host-config' script.

The 'sshd' user should absolutely *not* be in the Administrators group.  No
way.  No how.


-- 
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
216 Dalton Rd.                          (508) 893-9889 - FAX
Holliston, MA 01746

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Struggling to setup sshd with Windows Vista

[Kevin Hilton]

Thanks for the info, however I cant get over the hump.  I believe the
problem lies with the UAC, but I have no way of proving this.  The
sshd and sshd_server users are created.  Now what??   The service will
not start, and I have no debugging output to tell me why??  Is it
suggested I not use privilege separation, because I really dont need
this feature?? How do I start over and re-install without this
feature??  Is there any known workaround in Vista

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Struggling to setup sshd with Windows Vista

[Morgan Gangwere]

On Dec 23, 2007 7:19 PM, Kevin Hilton <kevhilton@oh-em-gee-mail.com> wrote:
> Thanks for the info, however I cant get over the hump.  I believe the
> problem lies with the UAC, but I have no way of proving this.  The
> sshd and sshd_server users are created.  Now what??   The service will
> not start, and I have no debugging output to tell me why??  Is it
> suggested I not use privilege separation, because I really dont need
> this feature?? How do I start over and re-install without this
> feature??  Is there any known workaround in Vista
>

UAC (last i saw) is tuck in Control Panel -> user stuff

this is ONLY available on Vista Home premuim and greater. standard
vista home i believe you have to use TweakVista... check out
(*woogah-advertising*) stardock.com -- they make it.

-- 
Morgan gangwere

Please Excuse TOFU. Gmail/Mobile has no Power.

"Space does not reflect society, it expresses it." -- Castells, M.,
Space of Flows, Space of Places: Materials for a Theory of Urbanism in
the Information Age, in The Cybercities Reader, S. Graham, Editor.
2004, Routledge: London. p. 82-93.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Struggling to setup sshd with Windows Vista

[Brian Dessent]

Kevin Hilton wrote:

> Let me just make sure I know what you are telling me to do, since I
> already did this and it didnt make a difference.  As an administrator,
> I:
> 1. Delete the sshd user -- Ok I manually edited the /etc/passwd file
> and deleted this user

No, I mean delete the *user*, not a line in a passwd file.  Windows has
a notion of user accounts, Cygwin does not; it just mirrors the Windows
database in the passwd and group file.  So deleting a user means doing
it in Windows, through the control panel, or with "net user".

On 2k3 and greater (including Vista) ssh-host-config should have created
both a sshd (for privsep) and a sshd_server user (for running the
service), so you'd want to run "net user sshd /delete" and "net user
sshd_server /delete".  You can run "net user" to see the list of Windows
user accounts.  If you don't see these user accounts it means the
ssh-host-config script wasn't able to create them, which is probably the
underlying cause.

The reason for suggesting to delete these users is that ssh-host-config
won't recreate them if they already exist, so if they exist and are
setup wrong, ssh-host-config can't help you.

> /var/log/sshd.log reveals:
> $ more sshd.log
> Privilege separation user sshd does not exist
> 
> So how do I create the sshd user? Is there anything I am missing??
> This is my first time running into problems.  Ive repeated this
> process on XP boxes like 20 times without incidence.  Its even easier
> on Ubuntu.  However getting this up and running on Vista is a fiasco.

Again, you shouldn't have to do anything other than run the
ssh-host-config script.  It is over 600 lines of logic and meant to take
care of everything required for any version of Windows.  There is no
manual fiddling needed.

I have a Vista test system.  I just ran "ssh-host-config -y" and it
worked perfectly, so I don't see what this "fiasco" you talk about is.

If you use UAC you you need to run Cygwin as an administrator when
running ssh-host-config otherwise it will be unable to do a lot of the
steps required.  You can do that simply by right clicking on the Cygwin
icon and choosing "Run as administrator".  Or disable UAC.

Brian

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Struggling to setup sshd with Windows Vista

[Jerry DeLisle]

Brian Dessent wrote:
> Kevin Hilton wrote:
> 
>> Let me just make sure I know what you are telling me to do, since I
>> already did this and it didnt make a difference.  As an administrator,
>> I:
>> 1. Delete the sshd user -- Ok I manually edited the /etc/passwd file
>> and deleted this user
> 
> No, I mean delete the *user*, not a line in a passwd file.  Windows has
> a notion of user accounts, Cygwin does not; it just mirrors the Windows
> database in the passwd and group file.  So deleting a user means doing
> it in Windows, through the control panel, or with "net user".
> 
> On 2k3 and greater (including Vista) ssh-host-config should have created
> both a sshd (for privsep) and a sshd_server user (for running the
> service), so you'd want to run "net user sshd /delete" and "net user
> sshd_server /delete".  You can run "net user" to see the list of Windows
> user accounts.  If you don't see these user accounts it means the
> ssh-host-config script wasn't able to create them, which is probably the
> underlying cause.
> 
> The reason for suggesting to delete these users is that ssh-host-config
> won't recreate them if they already exist, so if they exist and are
> setup wrong, ssh-host-config can't help you.
> 

I was having trouble as well, only on an XP system.  This last hint worked for 
me.  (net user sshd /delete)

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: Struggling to setup sshd with Windows Vista

[Kevin Hilton]

Thanks for the last tip about deleting the sshd user.  I did that and
know everything works.

Just to summarize for anyone who is trying to get this working on Windows Vista

Open two cygwin shells - one in Administrator mode (right click->Run
Administrator mode), the other as a normal user

Uninstall Steps (From previous attempted failed installations)

In Adminstrator shell
1. net stop sshd
2. cygrunsrv -R sshd
3. net user
    Delete any user listed like sshd or sshd_server.  The following
syntax is to be used:
    net user sshd /DELETE
4. rm -R /etc/ssh*
5. mkpasswd -cl > /etc/passwd
6. mkgroup --local > /etc/group

In User shell
1. cd ~
2. rm -R .ssh

Installation Steps

In Administrator shell
1. ssh-host-config -y
2. net start sshd

In User shell
1. ssh-user-config (Answer questions as appropriate to your situation)
2. Test connection:
     ssh -vvv localhost

Things you don't need to do:
1. Turn off UAC
2. Add/Delete Users through any other interface
3. Change file permissions (on /var/empty for example)

Hopefully this will help someone -- A lot of threads out there
complaining of problems on Vista

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/