This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: [1.7.15-1] Installing sshd fails


Greetings, Andre Loker!

> I'm trying to install cygwin 1.7.15-1 on a new Windows Server 2008 R2
> machine. I can't get sshd to install properly.

> When I run ssh-host-config the script says that creation of the user 
> sshd has failed:

Do you start it in an elevated console?

> ------------------------------------
> $ ssh-host-config

> *** Info: Generating /etc/ssh_host_key
> *** Info: Generating /etc/ssh_host_rsa_key
> *** Info: Generating /etc/ssh_host_dsa_key
> *** Info: Generating /etc/ssh_host_ecdsa_key
> *** Info: Creating default /etc/ssh_config file
> *** Info: Creating default /etc/sshd_config file
> *** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
> *** Info: However, this requires a non-privileged account called 'sshd'.
> *** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
> *** Query: Should privilege separation be used? (yes/no) yes
> *** Info: Note that creating a new user requires that the current account have
> *** Info: Administrator privileges.  Should this script attempt to create a
> *** Query: new local account 'sshd'? (yes/no) yes
> *** Warning: Creating the user 'sshd' failed!
> *** ERROR: Couldn't create user 'sshd'!
> *** ERROR: Privilege separation set to 'no' again!
> *** ERROR: Check your /etc/sshd_config file!
> *** Info: Updating /etc/sshd_config file
> ------------------------------------

> However, the sshd user has in fact been created in Windows. If I re-run 
> ssh-host-config now and confirm to overwrite the config files, the 
> script runs further but fails when creating cyg_server:

> ------------------------------------
> $ ssh-host-config

> *** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
> *** Info: Creating default /etc/ssh_config file
> *** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
> *** Info: Creating default /etc/sshd_config file
> *** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
> *** Info: However, this requires a non-privileged account called 'sshd'.
> *** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
> *** Query: Should privilege separation be used? (yes/no) yes
> *** Info: Updating /etc/sshd_config file

> *** Query: Do you want to install sshd as a service?
> *** Query: (Say "no" if it is already installed as a service) (yes/no) yes
> *** Query: Enter the value of CYGWIN for the daemon: []
> *** Info: On Windows Server 2003, Windows Vista, and above, the
> *** Info: SYSTEM account cannot setuid to other users -- a capability
> *** Info: sshd requires.  You need to have or to create a privileged
> *** Info: account.  This script will help you do so.

> *** Info: You appear to be running Windows XP 64bit, Windows 2003 Server,
> *** Info: or later.  On these systems, it's not possible to use the LocalSystem
> *** Info: account for services that can change the user id without an
> *** Info: explicit password (such as passwordless logins [e.g. public key
> *** Info: authentication] via sshd).

> *** Info: If you want to enable that functionality, it's required to create
> *** Info: a new account with special privileges (unless a similar account
> *** Info: already exists). This account is then used to run these special
> *** Info: servers.

> *** Info: Note that creating a new user requires that the current account
> *** Info: have Administrator privileges itself.

> *** Info: No privileged account could be found.

> *** Info: This script plans to use 'cyg_server'.
> *** Info: 'cyg_server' will only be used by registered services.
> *** Query: Do you want to use a different name? (yes/no) no
> *** Query: Create new privileged user account 'cyg_server'? (yes/no) yes
> *** Info: Please enter a password for new user cyg_server.  Please be sure
> *** Info: that this password matches the password rules given on your system.
> *** Info: Entering no password will exit the configuration.
> *** Query: Please enter the password:
> *** Query: Reenter:

> *** Warning: Creating the user 'cyg_server' failed!  Reason:
> The user or group account specified cannot be found.

> The user was successfully created but could not be added
> to the USERS local group.

> More help is available by typing NET HELPMSG 3774.


> *** Info: Please enter a password for new user cyg_server.  Please be sure
> *** Info: that this password matches the password rules given on your system.
> *** Info: Entering no password will exit the configuration.
> *** Query: Please enter the password:
> ------------------------------------

> It then hangs in a loop asking for the password. At this point the 
> cyg_server user has been created but is not a member of any group.
> If I now manually add cyg_server to Users and Administrators and once 
> again rerun ssh-host-config:


> ------------------------------------
> $ ssh-host-config

> *** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
> *** Info: Creating default /etc/ssh_config file
> *** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
> *** Info: Creating default /etc/sshd_config file
> *** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
> *** Info: However, this requires a non-privileged account called 'sshd'.
> *** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
> *** Query: Should privilege separation be used? (yes/no) yes
> *** Info: Updating /etc/sshd_config file

> *** Query: Do you want to install sshd as a service?
> *** Query: (Say "no" if it is already installed as a service) (yes/no) yes
> *** Query: Enter the value of CYGWIN for the daemon: []
> *** Info: On Windows Server 2003, Windows Vista, and above, the
> *** Info: SYSTEM account cannot setuid to other users -- a capability
> *** Info: sshd requires.  You need to have or to create a privileged
> *** Info: account.  This script will help you do so.

> *** Info: You appear to be running Windows XP 64bit, Windows 2003 Server,
> *** Info: or later.  On these systems, it's not possible to use the LocalSystem
> *** Info: account for services that can change the user id without an
> *** Info: explicit password (such as passwordless logins [e.g. public key
> *** Info: authentication] via sshd).

> *** Info: If you want to enable that functionality, it's required to create
> *** Info: a new account with special privileges (unless a similar account
> *** Info: already exists). This account is then used to run these special
> *** Info: servers.

> *** Info: Note that creating a new user requires that the current account
> *** Info: have Administrator privileges itself.

> *** Info: The following privileged accounts were found: 'cyg_server' .

> *** Info: This script plans to use 'cyg_server'.
> *** Info: 'cyg_server' will only be used by registered services.
> *** Query: Do you want to use a different name? (yes/no) no
> *** Query: Please enter the password for user 'cyg_server':
> *** Query: Reenter:

> *** Warning: User cyg_server does not appear in /etc/passwd.

> *** Info: The sshd service has been installed under the 'cyg_server'
> *** Info: account.  To start the service now, call `net start sshd' or
> *** Info: `cygrunsrv -S sshd'.  Otherwise, it will start automatically
> *** Info: after the next reboot.
> *** Warning: Couldn't change owner of /etc/ssh_config!
> *** Warning: Couldn't change owner of /etc/sshd_config!
> *** Warning: Couldn't change owner of /etc/ssh_host_dsa_key!
> *** Warning: Couldn't change owner of /etc/ssh_host_ecdsa_key!
> *** Warning: Couldn't change owner of /etc/ssh_host_key!
> *** Warning: Couldn't change owner of /etc/ssh_host_rsa_key!
> *** Warning: Couldn't change owner of /etc/ssh_host_dsa_key.pub!
> *** Warning: Couldn't change owner of /etc/ssh_host_ecdsa_key.pub!
> *** Warning: Couldn't change owner of /etc/ssh_host_key.pub!
> *** Warning: Couldn't change owner of /etc/ssh_host_rsa_key.pub!
> *** Warning: Couldn't change owner of /var/empty!
> *** Warning: Couldn't change owner of /var/log/lastlog!
> *** Warning: Couldn't change owner of important files to cyg_server!
> *** Warning: This may cause the sshd service to fail!  Please make sure that
> *** Warning: you have suufficient permissions to change the ownership of files
> *** Warning: and try to run the ssh-host-config script again.

> *** Warning: Host configuration exited with 12 errors or warnings!
> *** Warning: Make sure that all problems reported are fixed,
> *** Warning: then re-run ssh-host-config.
> ------------------------------------

> Finally: if I update /etc/passwd:
> $ mkpasswd -l >> /etc/passwd

> and rerun the script I get:
> ------------------------------------

> $ ssh-host-config

> *** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
> *** Info: Creating default /etc/ssh_config file
> *** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
> *** Info: Creating default /etc/sshd_config file
> *** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
> *** Info: However, this requires a non-privileged account called 'sshd'.
> *** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
> *** Query: Should privilege separation be used? (yes/no) yes
> *** Info: Updating /etc/sshd_config file

> *** Info: Sshd service is already installed.
> *** Warning: Couldn't determine name of user running sshd service from /etc/passwd!
> *** Warning: As a result, this script cannot make sure that the files used
> *** Warning: by the sshd service belong to the user running the service.
> *** Warning: Please re-run the mkpasswd tool to make sure the /etc/passwd
> *** Warning: file is in a good shape.

> *** Warning: Host configuration exited with 1 errors or warnings!
> *** Warning: Make sure that all problems reported are fixed,
> *** Warning: then re-run ssh-host-config.
> ------------------------------------

> I have successfully installed pre 1.7.15 versions on identical machines 
> so I assume something has changed in 1.7.15 that causes those errors. 
> I'm running the Cygwin Terminal with elevated rights, of course.

> Any help to fix this is much appreciated.

> With kind regards,
> Andre Loker




> --
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple



--
WBR,
Andrey Repin (anrdaemon@freemail.ru) 11.05.2012, <12:54>

Sorry for my terrible english...
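
The elevation question in the reply and the /etc/passwd warnings in the quoted output can both be checked before re-running ssh-host-config. The script below is an added example, not part of either message or of ssh-host-config itself. It assumes an elevated Cygwin shell lists gid 544 (BUILTIN\Administrators) in `id -G`; the function names and the sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight checks for ssh-host-config (added example, hypothetical helper names).

# is_elevated GROUPS: succeeds if the list printed by `id -G` contains 544.
# Assumption: Cygwin reports BUILTIN\Administrators as gid 544 only when elevated.
is_elevated() {
    for gid in $1; do
        [ "$gid" = "544" ] && return 0
    done
    return 1
}

# account_count FILE NAME: number of passwd entries whose first field is NAME.
account_count() {
    awk -F: -v n="$2" '$1 == n { c++ } END { print c + 0 }' "$1"
}

# check_accounts FILE NAME...: flag accounts that are missing or listed twice
# (appending `mkpasswd -l` output to an existing file can duplicate entries).
check_accounts() {
    file=$1; shift; rc=0
    for name in "$@"; do
        n=$(account_count "$file" "$name")
        case $n in
            0) echo "MISSING   $name"; rc=1 ;;
            1) echo "OK        $name" ;;
            *) echo "DUPLICATE $name ($n entries)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: sshd listed twice, cyg_server absent.
sample_passwd() {
    cat <<'EOF'
Administrator:unused:500:513:U-HOST\Administrator,S-1-5-21-0-0-0-500:/home/Administrator:/bin/bash
sshd:unused:1001:513:sshd privsep,U-HOST\sshd,S-1-5-21-0-0-0-1001:/var/empty:/bin/false
sshd:unused:1001:513:sshd privsep,U-HOST\sshd,S-1-5-21-0-0-0-1001:/var/empty:/bin/false
EOF
}

# Demo on the constructed sample; on a real host pass "$(id -G)" and /etc/passwd.
tmp=$(mktemp) && sample_passwd > "$tmp"
is_elevated "513 545" || echo "NOT ELEVATED (gid 544 absent)"
check_accounts "$tmp" sshd cyg_server || true
rm -f "$tmp"
```
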

