sshd on W2K3 Domain Controller: Solution

Fermin Sanchez
Sat Sep 6 18:31:00 GMT 2003

I just wanted to share the solution which finally let me run the sshd on
a Windows 2003 Domain Controller. Essentially, thanks to Corinna
Vinschen, it now works. 
The details:
1. Create a new account, DO NOT name it "sshd" - I used "sshdService"
2. Add the account to the (domain local) "Administrators" group
3. Open "Active Directory Users and Computers", navigate to the "Domain
Controllers" OU -> Properties, open "Default Domain Controllers Policy".
Go to Computer Configuration -> Windows Settings -> Security Settings
->Local Policies -> User Rights Assignment. There, in the right hand
pane, double-click on "Create a token object" and add the "sshdService"
account. IMPORTANT: Doing this in the local security policy won't
accomplish a thing, since the settings in this group policy override any
local policy settings!
4. Install Cygwin, run "ssh-host-config -y", select at least "ntsec"
security setting.
5. In Windows, open the properties of the Cygwin SSHD Service and change
the login account to "sshdService". You should get a message saying that
"sshdService" has been granted "logon as a service" right. You could
have assigned that right manually in 3.) as well.
6. chmod 740 /etc/profile (ls -l on /etc/profile showed rights
-rwx------); until now, "740" seems to work, no need to "770".
7. chmod 770 /etc/ssh_host*key (this is quick and very dirty, since it
gives the "Domain Users" group read and write access to the keys. Chown
might be the better approach)
8. chown sshdService /var/empty (/var/log/sshd.log showed "/var/empty
must be owned by root and not group or world-writable."; was owned by
SYSTEM. The error must be because sshd now doesn't run under SYSTEM
account any more).

sshd has been running for several hours now, including one reboot just
to see if it really, really likes me now ;-). There are still one or two
minor issues, though, I'll put them in an additional mail just to keep
this one "clean".
Thank you again all for your help.
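Added example, not part of the mail above: a small POSIX/Cygwin shell audit of the three file-permission steps (6, 7 and 8), so the "quick and very dirty" chmod 770 on the host keys and the /var/empty ownership that sshd complains about can be checked rather than guessed. It assumes GNU stat (as shipped with Cygwin coreutils); the tree root and the service account name are parameters so it can be run against a scratch copy of /etc and /var.

```shell
#!/bin/sh
# Added audit script (not the author's): checks the ownership/permission
# requirements of steps 6-8 on a tree rooted at $1, for service account $2.
# Assumes GNU stat (Cygwin coreutils). Paths in the output are relative to ROOT.

mode_of()  { stat -c '%a' "$1"; }   # octal permission bits, e.g. 640 or 4755
owner_of() { stat -c '%U' "$1"; }   # owner name

# octal_pad MODE -> at least three digits, so "0" becomes "000"
octal_pad() { m=$1; while [ ${#m} -lt 3 ]; do m=0$m; done; printf '%s\n' "$m"; }
# last_digit STRING -> final character (modes are digits only, so no glob issues)
last_digit() { printf '%s\n' "${1#${1%?}}"; }
group_bits() { m=$(octal_pad "$1"); last_digit "${m%?}"; }   # group rwx digit
other_bits() { m=$(octal_pad "$1"); last_digit "$m"; }       # other rwx digit
# gw_writable MODE -> exit 0 if group or world has the write bit
gw_writable() { [ $(( ( $(group_bits "$1") | $(other_bits "$1") ) & 2 )) -ne 0 ]; }

# check_sshd_perms ROOT ACCOUNT -> one OK/FAIL line per check; returns #failures
check_sshd_perms() {
    root=$1; acct=$2; fails=0
    # Step 6: /etc/profile readable through the group bits (740 was enough).
    m=$(mode_of "$root/etc/profile")
    if [ $(( $(group_bits "$m") & 4 )) -ne 0 ]; then
        echo "OK   etc/profile mode $m"
    else
        echo "FAIL etc/profile mode $m: not group-readable"; fails=$((fails + 1))
    fi
    # Step 7: host keys must not be group/world-writable (chmod 770 was "very dirty").
    for k in "$root"/etc/ssh_host*key; do
        [ -e "$k" ] || continue
        m=$(mode_of "$k"); rel=${k#"$root"/}
        if gw_writable "$m"; then
            echo "FAIL $rel mode $m: group/world-writable"; fails=$((fails + 1))
        else
            echo "OK   $rel mode $m"
        fi
    done
    # Step 8: sshd's own rule for /var/empty: owned by the account sshd runs as,
    # and not group- or world-writable.
    m=$(mode_of "$root/var/empty"); o=$(owner_of "$root/var/empty")
    if [ "$o" != "$acct" ] || gw_writable "$m"; then
        echo "FAIL var/empty owner $o mode $m (want owner $acct, no group/world write)"
        fails=$((fails + 1))
    else
        echo "OK   var/empty owner $o mode $m"
    fi
    return $fails
}
```

Run it as `check_sshd_perms / sshdService` on the live tree once the service account is in place; the exit status is the number of failed checks.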
