This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: "ssh-host-config" now involves ""

  From:       Corinna Vinschen <>                                                                               
  Date:       08.07.2009 13:10                                                                                                           
  Subject:    Re: "ssh-host-config" now involves  ""                                                

>On Jul  8 12:05, Christoph Herdeg wrote:
>> Hello Corinna,
>> thank you for your answer - that's great news! Currently we're planning
>> to stay on Cygwin 1.5 as long as 1.7 is not declared final and stable. How
>> would I be able to get OpenSSH 5.2p1-3 into my 1.5 installation?
>You can either just try using the ssh-host-config script from the
>5.2p1-3 package, or build your own OpenSSH.  It builds out of the box,
>Corinna Vinschen                  Please, send mails regarding Cygwin to
>Cygwin Project Co-Leader          cygwin AT cygwin DOT com
>Red Hat

Hello Corinna,

this time I TOFU manually, just for your pleasure :)

Regarding your above advice I can tell you that it works just perfect on
Stand Alone hosts or Domain Members when logged in locally. But there is a
problem using this latest ssh-host-config on Domain Controllers. Although
there are no local user accounts after a member server has been promoted to
Domain Controller, ssh-host-config wants to mkpasswd(mkgroup)
-l /etc/passwd(group). Result is that the installation won't work - I've
tried to get it up and running over the last few days: (for me) not
possible. Further ssh-host-config faults about "illegal ACL entries" when
executing the following lines:

setfacl -m u:system:rwx "${SYSCONFDIR}"
setfacl -m u:system:rwx "${LOCALSTATEDIR}/log"
setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty"

But due to the fact that SYSTEM with "Full Access" is being inherited from
"c:\" I don't believe it to be important.

In the above situation I can get sshd to start after manually
chown'ing /var/empty, /var/log/lastlog and /var/log/sshd.log to cyg_server,
but a publickey login is not possible: -vvv states (after lots of positive
messages) "debug2: we sent a publickey packet, wait for reply", "Connection
closed by (myremotehostsIP)". The keys do work, have the correct
permissions and else - I don't know where to start.

But I remembered that SSH works on Domain Controllers using our last
package which includes openssh-5.0p1-1. So tentatively I included the
ssh-host-config script from that version to the currently used
openssh-5.1p1-10 package. Installation went fine; only the service wouldn't
start. But after manually chown'ing /var/empty, /var/log/lastlog
and /var/log/sshd.log to sshd_server it worked and a publickey login was
possible at the 1st shot.

I know that I can't contribute quite a lot, but let me repeat the four
different states a Windows system can have:

Stand Alone host with local user logged in
Domain Member with local user logged in
Domain Member with domain user logged in
Domain Controller with domain user logged in

ssh-host-config and all other associated scripts and tools should in my
opinion be fully aware of all these states; currently they are not. If you
need machines for testing, I can provide you with administrative remote
access to a complete testbed domain; just let me know and I'll prepare
everything for the next day. It would be so great to simply install and use
SSH than having to tinker every single version working (no offense!!!).

Best Regards,
Christoph Herdeg
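
A pre-start check for the manual chown fix described in the message above, as an added example that is not part of the original post or of ssh-host-config: it reports which of the three paths are missing or not owned by the sshd service account. The function names and the root-prefix argument are assumptions made for illustration; `cyg_server` and `sshd_server` are the account names from the message.

```shell
#!/bin/sh
# Paths the message reports having to chown by hand, relative to a root prefix.
SSHD_PATHS="var/empty var/log/lastlog var/log/sshd.log"

# owner_mismatches ROOT ACCOUNT   (hypothetical helper, not from ssh-host-config)
# Prints one line per path that is missing or not owned by ACCOUNT.
# Returns 0 when every path exists and is owned by ACCOUNT, 1 otherwise.
owner_mismatches() {
    root=${1%/}          # strip a trailing slash so "/" does not become "//var"
    account=$2
    bad=0
    for rel in $SSHD_PATHS; do
        path="$root/$rel"
        if [ ! -e "$path" ]; then
            printf 'MISSING %s\n' "$path"
            bad=1
            continue
        fi
        owner=$(stat -c %U "$path")   # GNU stat (coreutils), prints the owner name
        if [ "$owner" != "$account" ]; then
            printf 'OWNER %s is %s, expected %s\n' "$path" "$owner" "$account"
            bad=1
        fi
    done
    return $bad
}

# count_mismatches ROOT ACCOUNT
# Prints the number of problem paths, for use in scripts.
count_mismatches() {
    owner_mismatches "$1" "$2" | wc -l | tr -d ' '
}
```

On an installed system the call would be `owner_mismatches / cyg_server` (or `sshd_server` for the older script), run before starting the service.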
