Re: sshd as service under win2003

From: Andre Blanchard <andre_at_**********.***>
Date: Fri Dec 19 2003 - 13:08:32 EST

Hello, Scott:

Running the script with the -y option should be fine. Assuming that
you have the latest (P2) update of openssh, the script should have the
necessary logic. Some things to verify:

a). uname needs to return CYGWIN_NT-5.3 for the script logic to behave
as expected.

b). The following message should be displayed:

          echo
          echo "You appear to be running Windows 2003 Server or later. On 2003 and"
          echo "later systems, it's not possible to use the LocalSystem account"
          echo "if sshd should allow passwordless logon (e. g. public key authentication)."
          echo "If you want to enable that functionality, it's required to create a new"
          echo "account 'sshd_server' with special privileges, which is then used to run"
          echo "the sshd service under."
          echo
          echo "Should this script create a new local account 'sshd_server' which has"

If you saw this and set up the sshd_server account then you should
verify the following:

Go into the services list of your host (The GUI interface) and check
for the status of the sshd service. It should clearly indicate what
this previous message indicates; i.e. a user account sshd_server is
interfacing with this service (as opposed to the Local Account). If
that looks ok but the service is not started, then attempt to start it
via the Start button. If that fails then you need to troubleshoot.

If you did not see this afore-mentioned prompt during the config phase
of the server then you need to run config again. You can check the
logic in the script as well but to summarize what it takes for this to
work correctly (at least one method):

1). Remove user sshd and sshd_server from the list of user accounts
2). Remove the sshd files in /etc (NOTE: you may want to archive them
via tar JIC)
3). Make sure the service sshd is completely removed from the list of
available services, i.e.

cygrunsrv -Q sshd and if necessary
cygrunsrv -R sshd followed by a cygrunsrv -Q sshd to verify action

4). Run the script again (ssh-host-config -y). Verify the creation of user
sshd_server, verify that user sshd_server is in /etc/passwd, verify
the existence of the appropriate *ssh* files in /etc and then attempt
to start up the service (Remember the PITA reference about
configuration?)

HTH and Good Luck!

---
Mens nobilis regnum possidet
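As an added example (not code from this thread, nor from Cygwin's ssh-host-config), here is a small bash script that audits the preconditions the replies above list before the sshd service is started: the CYGWIN_NT version prefix from uname, SYSTEM ownership and mode 600 on the /etc/ssh* files, a /var/empty that is owned by SYSTEM and not group- or world-writable, and finally the `cygrunsrv -Q sshd` query from step 3. The function names, the `check` argument and the use of GNU `stat -c` (shipped in Cygwin's coreutils) are this example's assumptions; the version cutoff used is NT 5.2, which is what uname -s reports on Windows Server 2003.

```bash
#!/bin/bash
# Added example, not code from the thread or from ssh-host-config: a
# pre-flight audit of the conditions the replies list for running sshd
# under cygrunsrv. Paths, owner and mode come from the thread; the
# function names and GNU `stat -c` are this example's assumptions.

# Print the NT version ("5.2") from a `uname -s` string such as
# "CYGWIN_NT-5.2" or "CYGWIN_NT-6.1-WOW64"; print nothing otherwise.
nt_version() {
    case "$1" in
        CYGWIN_NT-*) printf '%s\n' "${1#CYGWIN_NT-}" | sed 's/-.*//' ;;
    esac
}

# Windows Server 2003 reports NT 5.2 (the cutoff assumed here); the branch
# of ssh-host-config that creates sshd_server applies from there onward.
is_2003_or_later() {
    local v major minor
    v=$(nt_version "$1")
    [ -n "$v" ] || return 1
    major=${v%%.*}
    minor=${v#*.}; minor=${minor%%.*}
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 2 ]; }
}

# The ssh files in /etc must be owned by SYSTEM with mode 600; the
# group-writable workaround (660) tried earlier in the thread is exactly
# what this rejects.
file_perms_ok() {   # $1 = octal mode from stat, $2 = owner name
    [ "$2" = "SYSTEM" ] && [ "$1" = "600" ]
}

# /var/empty (sshd's privilege-separation directory) must be owned by
# SYSTEM and must not be group- or world-writable; this is what the
# "/var/empty must be owned by root and not group or world-writable"
# message in the thread complains about. The getfacl output in the
# thread (group::rwx) corresponds to mode 770 and fails this check.
chroot_perms_ok() { # $1 = octal mode from stat, $2 = owner name
    local perm g o
    perm=${1#${1%???}}      # last three digits: owner, group, other
    g=${perm#?}; g=${g%?}   # group digit
    o=${perm#??}            # other digit
    [ "$2" = "SYSTEM" ] && [ $(( (g & 2) | (o & 2) )) -eq 0 ]
}

# Run every check against the live system. Prints one line per finding
# and returns the number of problems found, so 0 means all checks passed.
audit_sshd_prereqs() {
    local problems=0 f mode owner
    if ! is_2003_or_later "$(uname -s)"; then
        echo "note: uname -s is '$(uname -s)'; the sshd_server account is only needed on 2003 or later"
    fi
    for f in /etc/ssh_host_*key /etc/ssh_host_*key.pub /etc/ssh_config /etc/sshd_config; do
        if [ ! -e "$f" ]; then
            echo "missing: $f"; problems=$((problems + 1)); continue
        fi
        mode=$(stat -c %a "$f"); owner=$(stat -c %U "$f")
        if ! file_perms_ok "$mode" "$owner"; then
            echo "bad perms: $f is mode $mode owned by $owner (want 600, SYSTEM)"
            problems=$((problems + 1))
        fi
    done
    if [ -d /var/empty ]; then
        mode=$(stat -c %a /var/empty); owner=$(stat -c %U /var/empty)
        if ! chroot_perms_ok "$mode" "$owner"; then
            echo "bad perms: /var/empty is mode $mode owned by $owner (want SYSTEM, no group/world write)"
            problems=$((problems + 1))
        fi
    else
        echo "missing: /var/empty"; problems=$((problems + 1))
    fi
    # Step 3 of the list above: is the service registered, and in what state?
    if command -v cygrunsrv >/dev/null 2>&1; then
        cygrunsrv -Q sshd 2>&1 | sed 's/^/cygrunsrv -Q sshd: /'
    fi
    return "$problems"
}

# Only audit when asked, so the functions can also be sourced:
#   bash sshd-prereqs.sh check
case "${1:-}" in
    check) audit_sshd_prereqs ;;
esac
```

Run it as `bash sshd-prereqs.sh check` from a Cygwin shell; a non-zero exit status is the count of files or directories that do not match the ownership and mode rules, each named on its own line, which is the quickest way to tell the "fix permissions" case apart from the "service was never registered" case before looking at /var/log/sshd.log.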
----- Original Message -----
From: Scott Dudley <scott@telesoft.com>
Date: Friday, December 19, 2003 12:09 pm
Subject: Re: sshd as service under win2003
> 
> 
> Andre Blanchard wrote:
> 
> >Also, JIC:  This is not a 2003 server, right?  Otherwise the use model
> >is different wrt the users (sshd, vs sshd_server) as well as the
> >services configuration (See the link in the email I submitted a couple
> >of days ago).  The setup process (ssh-host-config) should have alerted
> >you to this.
> >
> Yes Andre, it is Win2003 Server.  I didn't run ssh-host-config
> interactively.  Instead, I ran it with the -y flag as noted in the
> instructions provided at http://tech.erdelynet.com/cygwin-sshd.html.  If
> there was an error/warning, I didn't see it.  What should I do
> differently?
> >
> >Good Luck!
> >
> >OMT:  This is my list of ssh config files in /etc
> >
> >-rw-------    1 SYSTEM   SYSTEM        668 Dec 15 17:12 ssh_host_dsa_key
> >-rw-------    1 SYSTEM   SYSTEM        887 Dec 15 17:12 ssh_host_rsa_key
> >-rw-------    1 SYSTEM   SYSTEM        601 Dec 15 16:11 ssh_host_dsa_key.pub
> >-rw-------    1 SYSTEM   SYSTEM        221 Dec 15 16:11 ssh_host_rsa_key.pub
> >-rw-------    1 SYSTEM   SYSTEM        526 Dec 15 16:11 ssh_host_key
> >-rw-------    1 SYSTEM   SYSTEM        330 Dec 15 16:11 ssh_host_key.pub
> >
> >
> >Andre'
> >
> >---
> >Mens nobilis regnum possidet
> >
> >----- Original Message -----
> >From: Scott Dudley <scott@telesoft.com>
> >Date: Thursday, December 18, 2003 7:01 pm
> >Subject: Re: sshd as service under win2003
> >
> >>Andre,
> >>
> >>Still no luck.
> >>
> >>sadudley@win2003 ~
> >>$ ls -l /etc/ssh*
> >>-rw-------    1 SYSTEM   SYSTEM       1159 Dec 16 17:06 /etc/ssh_config
> >>-rw-------    1 SYSTEM   SYSTEM        668 Dec 16 15:48 /etc/ssh_host_dsa_key
> >>-rw-------    1 SYSTEM   SYSTEM        606 Dec 16 15:48 /etc/ssh_host_dsa_key.pub
> >>-rw-------    1 SYSTEM   SYSTEM        531 Dec 16 15:48 /etc/ssh_host_key
> >>-rw-------    1 SYSTEM   SYSTEM        335 Dec 16 15:48 /etc/ssh_host_key.pub
> >>-rw-------    1 SYSTEM   SYSTEM        887 Dec 16 15:48 /etc/ssh_host_rsa_key
> >>-rw-------    1 SYSTEM   SYSTEM        226 Dec 16 15:48 /etc/ssh_host_rsa_key.pub
> >>-rw-------    1 SYSTEM   SYSTEM       2427 Dec 16 17:35 /etc/sshd_config
> >>sadudley@win2003 ~
> >>$ cygrunsrv -S sshd
> >>cygrunsrv: Error starting a service: QueryServiceStatus:  Win32
> >>error 1062:
> >>The service has not been started.
> >>
> >>
> >>Andre Blanchard wrote:
> >>
> >>>Been there done that!  The configuration for this is a real PITA.  Its
> >>>requirements are rigid; conversely when not properly configured you get
> >>>spurious or vague explanations.  That said, make sure of the following:
> >>>
> >>>If you run sshd via the services (cygrunsrv), i.e. the default use mode:
> >>>
> >>>Make sure all ssh files in etc are owned and grouped to SYSTEM
> >>>Make sure all ssh files in etc have permissions of 600
> >>>
> >>>Make sure /var/empty is owned and 'grouped' by SYSTEM
> >>>
> >>>If you wish to run standalone you can do the following:
> >>>
> >>>Change the owner of /var/empty to the owner of the account you manually
> >>>run sshd from.
> >>>
> >>>Do the same for the ssh files in /etc
> >>>
> >>>Check the /var/log/sshd.log file for possible errors, i.e. if it is
> >>>empty then the daemon started successfully.  If not, see what failure
> >>>is indicated and correct
> >>>
> >>>HTH
> >>>----- Original Message -----
> >>>From: Scott Dudley <scott@telesoft.com>
> >>>Date: Thursday, December 18, 2003 3:52 pm
> >>>Subject: sshd as service under win2003
> >>>
> >>>>I recently installed Cygwin on a Win2003 machine and am attempting to
> >>>>install sshd as a service.  I followed the instructions from the
> >>>>following page:
> >>>>
> >>>>  http://tech.erdelynet.com/cygwin-sshd.html
> >>>>
> >>>>At first attempt, I got an error related to permissions on the files
> >>>>/etc/ssh_host_*key.  Sorry, I didn't note the exact error.  Making the
> >>>>files group-writable placated that one.  Next, I got the following:
> >>>>
> >>>>  sadudley@win2003 ~
> >>>>  $ cygrunsrv -S sshd
> >>>>  cygrunsrv: Error starting a service: QueryServiceStatus:  Win32
> >>>>  error 1062: The service has not been started.
> >>>>
> >>>>If I invoke from command-line, I get this:
> >>>>
> >>>>  sadudley@win2003 ~
> >>>>  $ /usr/sbin/sshd
> >>>>  /var/empty must be owned by root and not group or world-writable.
> >>>>
> >>>>Here's what things look like:
> >>>>
> >>>>  sadudley@win2003 ~
> >>>>  $ ls -ld /var/empty
> >>>>  drwx------+   2 SYSTEM   SYSTEM          0 Dec 16 15:48 /var/empty
> >>>>
> >>>>  sadudley@win2003 ~
> >>>>  $ getfacl /var/empty
> >>>>  # file: /var/empty
> >>>>  # owner: SYSTEM
> >>>>  # group: SYSTEM
> >>>>  user::rwx
> >>>>  group::rwx
> >>>>  mask:rwx
> >>>>  other:---
> >>>>  default:user::rwx
> >>>>  default:group::r-x
> >>>>  default:other:r-x
> >>>>
> >>>>A search of google as well as this list's archives didn't readily reveal
> >>>>any solutions however, I found a number of like posts.  I did find one
> >>>>reference to doing this on a PDC at:
> >>>>http://www.cygwin.com/ml/cygwin/2003-09/msg00435.html.  I'm installing
> >>>>on a machine that is part of a domain and does authenticate against a
> >>>>PDC but don't know what implications that might have.
> >>>>
> >>>>I'd very much like to get this working.  Any and all assistance is
> >>>>greatly appreciated.
> >>>>
> >>>>-- 
> >>>>
> >>>>Regards,
> >>>>
> >>>>Scott Dudley
> >>>>
> >>-- 
> >>
> >>Regards,
> >>
> >>Scott Dudley
> >>
> >>
> >>
> >
> 
> -- 
> 
> Regards,
> 
> Scott Dudley
> 
> 
> 
--
List Information: http://tech.erdelynet.com/mailman/listinfo/ssh-l/
List Archives:    http://erdelynet.com/archive/ssh-l/
To Unsubscribe: Go to http://tech.erdelynet.com/mailman/options/ssh-l#subscribers
and enter your email address at the bottom.
If you don't know your password, have it emailed to you. Then unsubscribe.
Received on Fri Dec 19 15:31:47 2003

This archive was generated by hypermail 2.1.8 : Fri Jul 29 2005 - 17:34:04 EDT