This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: sshd not working on nineteen w2k servers (/var/empty must be owned by root) works on five win2k servers, works with svc acct and works on w2k3

Joel Harrison wrote:
> First of all, kudos to the cygwin team for making this work so well on
> my twenty w2k3 servers and thanks to all the contributors in the
>
> After installing cygwin on each server, I ran "ssh-host-config -y -c
> "binmode tty ntsec" -w '!pwforj00!' ; net start sshd" (no it's not my
> real pw) :-) This works great on 2k3, but on most w2k servers the
> services don't start and there's no log output. It does work on some
> of them though.

You don't need to pass the "binmode tty ntsec" flags along. These are the defaults.

If the above works just fine for you on W2K3, it's because this creates a
service account for you (sshd_server).  If it doesn't work on W2K, there's
one difference.  If you force it to create the service account for you
on these W2K machines, does that solve the problem?  If so, you have your
answer - LOCALSYSTEM on these machines is missing a key permission to
run as a service.  If not, you have a more basic problem on your hands.
You need to look at what other things you have running that could be
blocking the 'sshd' service.

Please do not try to start 'sshd' as your or any other user from the
raw command line.  This can mess up permissions on important files.  If
you want to try running 'sshd' from the command line, please use a
system-owned window (Google the Cygwin list for "system-owned" to find
pointers on how to do this).  Then you'll be running as LOCALSYSTEM
and you won't mess up the permissions.  Of course, on any system that
you already have tried to run 'sshd' from the command line without
being in a system-owned console, you're already hosed.  So try it on
a freshly minted machine.

> If I try an administrative account instead of localsystem, I get the
> /var/log/sshd output "/var/empty must be owned by root and not group
> or world-writable.", otherwise I get no log output even if I chmod 777

Which suggests, as I mentioned above, that your permissions are now
messed up because you started 'sshd' as 'administrator'.

> broken and working directory permissions both look the same by default:
>
> $ ls -l
> total 0
> drwxr-x---+ 3 g000283 mkgroup-l-d 0 Aug  7 09:14 cache
> drwxr-xr-x+ 2 SYSTEM  root        0 Aug  7 09:17 empty
> drwxr-x---+ 3 g000283 mkgroup-l-d 0 Aug  7 09:13 lib
> drwxr-x---+ 2 g000283 mkgroup-l-d 0 Aug  7 09:17 log
> drwxr-x---+ 2 g000283 mkgroup-l-d 0 Aug  7 09:12 run
> drwxr-x---+ 2 g000283 mkgroup-l-d 0 Aug  7 09:12 tmp

> One way I've found to make it work is to chown /var/empty to an
> administrator account

Yep, that's not going to work in the long haul.

> $ /usr/sbin/sshd -D
> /var/empty must be owned by root and not group or world-writable.
>
> $ chown g000283 empty/
>
> $ /usr/sbin/sshd.exe -D
>
> $ net start sshd
> The CYGWIN sshd service is starting.
> The CYGWIN sshd service could not be started.
>
> The service did not report an error.
>
> More help is available by typing NET HELPMSG 3534.

Expected. See above.

> If I use the same admin credentials as the service account the service begins working.
>
> $ net start sshd
> The CYGWIN sshd service is starting.
> The CYGWIN sshd service was started successfully.
>
> So it seems cygwin doesn't feel that SYSTEM is an administrator aka
> root on most of these systems by default, or that LOCALSYSTEM has the
> needed "root" permissions.  Why would that be?  Working around this is
> (after much struggle) a two step process now: 1) chown administrator
> /var/empty, 2) set service account to admin acct.

The only reason I can think of is that the permissions were removed from
the SYSTEM account on those systems.  See the openssh.README file in
'/usr/share/doc/Cygwin' for the required permissions to switch user
contexts.  Make sure LOCALSYSTEM has these.  If that's not enough, check the
differences in permissions between the W2K machines that do and don't work.


--
Larry Hall                      RFK Partners, Inc.
(508) 893-9779 - RFK Office     216 Dalton Rd.
(508) 893-9889 - FAX            Holliston, MA 01746


A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
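The thread turns on the check sshd makes on its privilege-separation directory before it will start: /var/empty has to be owned by the account the system treats as root and must not be group- or world-writable. The shell function below is an added diagnostic, not code from the thread or from the Cygwin openssh package; it reproduces that test so a directory can be checked before touching ownership with chown. It assumes GNU `stat -c` (Cygwin ships GNU coreutils) and defaults the expected owner to uid 0; on a Cygwin install running sshd as LOCALSYSTEM, pass the uid your /etc/passwd gives the SYSTEM account instead.

```shell
#!/bin/sh
# check_privsep_dir DIR [EXPECTED_UID]
#
# Added diagnostic (not Cygwin's own code): reproduces the three
# conditions sshd applies to its privilege-separation directory
# (/var/empty on Cygwin) before it will start.
#   1. the path exists and is a directory
#   2. it is owned by EXPECTED_UID (default 0 = Unix root; on Cygwin pass
#      the SYSTEM account's uid from /etc/passwd when the service runs as
#      LOCALSYSTEM)
#   3. it is neither group- nor world-writable
# Prints the reason on failure and returns 1; returns 0 when it passes.
# Assumes GNU stat with the -c format option (Cygwin coreutils has it).
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}

    if [ ! -d "$dir" ]; then
        echo "$dir: missing or not a directory"
        return 1
    fi

    # %u = numeric owner uid, %a = permission bits in octal, e.g. "18 755"
    info=$(stat -c '%u %a' "$dir") || return 1
    uid=${info% *}
    mode=${info#* }

    if [ "$uid" -ne "$want_uid" ]; then
        echo "$dir must be owned by uid $want_uid (owner is uid $uid)"
        return 1
    fi

    # Group-write is bit 020 and other-write is bit 002 (octal); the
    # leading 0 makes the shell treat the mode string as octal.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$dir must not be group or world-writable (mode $mode)"
        return 1
    fi

    return 0
}

# Usage from a system-owned window, as the thread recommends, so the
# check is evaluated under the same account the sshd service will use:
#   check_privsep_dir /var/empty "$(id -u)" && echo "/var/empty is OK"
```

The function only reports; it deliberately does not chown or chmod anything, since the thread's point is that changing /var/empty's owner to an administrator account gets the service started on one machine but leaves the underlying LOCALSYSTEM permission problem unresolved.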
