This is the mail archive of the
cygwin
mailing list for the Cygwin project.
cygwin-1.7 sshd/ssh-host-config install issues on Vista
- From: Herb Maeder <maeder-cygml at maeder dot org>
- To: cygwin at cygwin dot com
- Date: Fri, 17 Oct 2008 12:50:48 -0700
- Subject: cygwin-1.7 sshd/ssh-host-config install issues on Vista
On a fresh install of the cygwin-1.7 base package + openssh, I believe we
should expect the following to work for installing and testing sshd:
ssh-host-config -y
cygrunsrv --start sshd
ssh localhost pwd
If sshd had been previously installed on the system, the following
cleanup should be performed before invoking ssh-host-config:
# Remove sshd service
cygrunsrv --stop sshd
cygrunsrv --remove sshd
# Delete any sshd or related users (such as cyg_server) from /etc/passwd
# (use your favorite editor)
# Delete any sshd or relaged users (such as cyg_server) from the system
net user sshd /delete
net user cyg_server /delete
But in trying to run the test case, I ran into a number of issues when
running on Vista (and some on XP). I've been able to workaround all but
the last one.
1. (Vista) ssh-host-config needs to run with elevated permissions
This is not really a problem since we expected elevated permissions to be
required, but there are some issues surrounding it. I believe the current
recommendation is to run ssh-host-config in a bash shell started with
"RightClick->Run As Administrator".
But given that this requirement is specific to Vista, it might be worth a
check at the start of the script to make sure that run permissions are
good enough avoid the more obscure errors later on. An error statement
indicating the preferred way to invoke ssh-host-config will hopefully
cut down on noise to the list from people switching to Vista.
BTW, is there a simple command to unobtrusively detect if the runtime
permissions are correct?.
Also, running a bash shell as administrator is less than ideal. It may
encourage always run as administrators even when not necessary, plus
administrator shells are not easily distinguishable from normal shells.
I'm curious... is there a way to elevate permissions from a bash command
line (kind of like a poor man's sudo)? The point would not be to avoid
the UAC prompt, but be able to invoke it when needed from the command line
rather than just getting permission denied errors.
I have come up with a couple of solutions to do this, but they have too
many drawbacks to be really useful (e.g. output ends up in a new cmd
window, UAC prompt lists wrong program,...)
2. (Vista/XP) The tcp_wrappers dependency is missing in openssh/setup.hint
Sincd sshd.exe depends on cygwrap-0.dll, the tcp_wrappers package must be
installed in order to avoid this error when starting up the sshd service:
$ cygrunsrv --start sshd
cygrunsrv: Error starting a service: QueryServiceStatus: Win32 error
1062: The service has not been started.
But the tcp_wrappers package is not listed as a dependency in the openssh
setup.hint file.
It seems others have hit this problem already, but it hasn't been fixed at
the root of the problem yet:
http://www.cygwin.com/ml/cygwin/2008-08/msg00746.html
3. (Vista) "ssh-host-config -y" still prompts for user input
The -y option to ssh-host-config should set up sshd with a usable default
configuration without any further user input.
But since the default for the "Do you want to use a different name?"
question is "yes", the user will be queried for the privileged user name
(and may not end up with the defauilt configuration):
$ ssh-host-config -y
<snip>
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges itself.
*** Info: No privileged account could be found.
*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) yes
*** Query: Enter the new user name:
The question should probably rephrased so that yes will keep the stock
name by default, for example, "Do you want to use this name? (yes/no)".
Or perhaps the "different name" question should come after the "Create new
privileged user account 'cyg_server'?" question (if it is answered 'no').
This seems to be in the csih package, in the csih_select_privileged_username()
function.
4. (Vista) Missing warning if cyg_server exists in /etc/passwd but not in SAM
If the cyg_server account is deleted from the local machine, but its entry
is still left in /etc/passwd, the next run of ssh-host-config will not
issue a warning. Instead it will just result in a "Win32 error 1057":
*** Info: The following privileged accounts were found: 'cyg_server' .
*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) no
*** Query: Please enter the password for user 'cyg_server':
*** Query: Reenter:
cygrunsrv: Error installing a service: CreateService: Win32 error 1057: The account name is invalid or does not exist, or the password is invalid for the account name specified.
*** Warning: Something went wrong installing the sshd service.
Unfortunately, this does not indicate the real root of the problem, so it
makes it a bit difficult for users to debug. Perhaps a similar warning
for the sshd case should be issued:
*** Warning: sshd is in /etc/passwd, but the
*** Warning: local machine's SAM does not know about sshd.
*** Warning: Perhaps sshd is a pre-existing domain account.
*** Warning: Continuing, but check if this is ok.
5. (Vista) "ssh localhost pwd" gives 'ssh_exchange_identification' error
After running ssh-host-config and starting the server on Vista, the ssh
test gives the following error:
$ ssh localhost pwd
ssh_exchange_identification: Connection closed by remote host
This error is specific to using 'localhost' or a loopback ip address.
Using a real hostname does not generate this error. I have the firewall
turned off. Curious that it does not show up on an equivalent XP setup.
On the server side, "sshd -d" shows that the 'Connection refused by tcp
wrapper'.
My /etc/hosts.allow looks like this, which appears to be the default
configuration:
ALL : PARANOID : deny
sshd: ALL
I can work around the problem by putting a "sshd: ALL" or "sshd: PARANOID"
line first, but I don't think those are the right solution.
There's something else going on in tcp_wrapper with the address/name
matching for localhost, but I can't quite figure out what. I couldn't get
it to work by putting other lines first, like "ALL: localhost", "sshd:
KNOWN", "sshd: UNKNOWN" or any other variant I could think of.
Can others reproduce this problem?
6. (Vista) error in setting cyg_server passwd expiry
When ssh-host-config tries to set the expiry on the cyg_server group, I
get the following error:
passwd: unknown user herb
*** Warning: Setting password expiry for user 'cyg_server' failed!
*** Warning: Please check that password never expires or set it to your needs.
The command that generates the unknown user error is "passwd -e
cyg_server" from the csih script. Note that it complains about the login
user, not the cyg_server user.
>From my read of passwd.c, I'm not sure that 'passwd -e' can really be used
to set the expiry on a local user if the login user is a domain user.
7. (Vista) sshd responds to connection with "initgroups: Permission denied"
This one is the showstopper. It is preventing me from being able to ssh
into a Vista machine at all. I haven't found a workaround it or determine
the root of problem.
Any attempt to ssh results in this error:
% ssh localhost pwd
herb@localhost's password:
initgroups: Permission denied
I think that this should be easily reproducible on a fresh install of
cygwin-1.7 base + openssh. But if not, I can provide more information
about my specific situation.
As near as I can tell (using "strace /usr/sbin/sshd -dd") the problem
appears to come from the call to NetUserGetGroups() in
sec_auth.cc:get_user_groups(), which returns an error. But I have not
been able to determine the root of the problem yet.
Herb.
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/