This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Silently configure sshd fails via system account

On Mar 19 11:54, Paul Griffith wrote:
> On 03/18/2014 09:24 PM, PolarStorm wrote:
> > Paul Griffith wrote
> >> ...
> >> /usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd blah
> >> ...
> > 
> > Just a few things...
> > 
> > 1) Don't do that (manually).
> > First of all, "ntsec" is deprecated. Second, there are a lot of strange
> > issues when
> > using "--yes", just answer the questions manually, especially since you
> > don't need
> > all those keys just to have ssh work.
> > 
> > 2) Make sure you run the ssh-host-config from an "administrator: cygwin
> > shell.
> > 
> > 3) Check your /etc/sshd-config for: "UsePrivilegeSeparation sandbox" which
> > is
> > the new default. The ssh-host-config script has a bug on line 169 that
> > attempts
> > to set this to "no", but where the regex fails. (I told people in  THIS
> > <>
> > nabble post, but I
> > don't think it ever reached the main mailing list.)
> > 
> > 4) The sshd user pas-wor-d is set to expire by default after 42 days, in
> > Windows 8.1.
> > Fix it if you're using that.
> > 
> Thanks Gene for the heads up, it will help me fine tune my setup!  I need to use the "--yes" option because I am building a automated installation for Windows 7.

I attached a new incarnation of the ssh-host-config script to this

Would interested parties be so kind to test this new script?

Changes compared to the released version from the openssh package:

- The "StrictModes" setting in /etc/sshd_config is now asked for, rather than
  setting it always to "no".
  The background is that "StrictModes yes" is the more secure setting.
  "StrictModes no" is only required for users with home directories on a
  "noacl" mount or on FAT/FAT32 partitions, so I think the administrator
  should have a choice here.

- The "UsePrivilegeSeparation" setting in /etc/sshd_config now takes into
  account that the default setting is "sandbox", which doesn't make
  sense on Cygwin.

- Changes to /etc/sshd_config are now only written to the file, if the file
  has been just generated or if the question

    "Overwrite existing /etc/sshd_config file?"

  has been answered with "yes".

I also tweaked the script slightly to support the new passwd/group code
I'm working on, but that's not yet finished.

Thanks a lot,

Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

Attachment: ssh-host-config
Description: Text document

Attachment: pgpurKMpHWAgc.pgp
Description: PGP signature

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]