This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Sshd cannot be manually restarted


On 5/2/2013 10:04 AM, Johnson, Matt wrote:
> I am having difficulty getting the sshd service to run through Cygwin.
> Attached is the cygcheck output for the server that I am having problems with.

OK, let's start with this as a backdrop for this discussion.  sshd is
difficult to configure because of the security restrictions it imposes (by
definition).  While it's possible to configure it to work in all kinds of
situations, it requires a lot of knowledge, lots of experimentation, or
both.  To make things easier for the typical usage, ssh-host-config script
exists.  This has its limitations, of course.  In particular, it makes a
special local account to run sshd under with the proper permissions to
support public key authentication for local users (plus general password
authentication).  From the information you've provided below, you've clearly
taken a different route to configure your system.  While you are free to
do so, that puts you in fairly uncharted territory.  So let's proceed with
this as a basis of understanding.

> Attached is a batch file which I initially used to install Cygwin and
> configure sshd (used this script because it worked on 2 other servers).

Oops.  No script attached.  This is both a red flag (use of some unknown
and unsupported script) and a pointer to a possible solution for you.  If
you've used this script successfully on 2 other servers, you have a basis
for comparison between non-working and working servers to find what's
getting in your way here.

> Everything worked fine until trying to start the service. Odd behavior is
> that rebooting the machine results in the service running fine (it is set to
> automatic startup). Stopping the service and trying to start it again
> results in the failures below. I can run /usr/sbin/sshd -D from a Cygwin
> prompt and it works fine.

OK, generally speaking, starting sshd from the command line as your user is
a big 'no-no', assuming you care about public key authentication at least.
You may not care or you may have set your account up with all the necessary
permissions to do this (even domain-wide).  Either one of these courses of
action is fine so long as you understand the limits and/or what needs to be
done to achieve success.  But if what I've just said puts you outside of
your comfort zone, it's best to stop right here and reassess what you're
trying to do.

> Starting from the Services snap-in results in "Windows could not start
> the  CYGWIN sshd service on Local Computer. Error 1067: The process terminated
> unexpectedly." There are no entries in the Application event log related to
> (Cygwin) sshd. Entry in System event log: " The CYGWIN sshd service
> terminated unexpectedly. It has done this 26 time(s)."

You may find more useful information in /var/log/sshd/log.  Based on your
cygcheck output, I would expect that you will find all sorts of log info
there, since you're running a debug session of sshd (good!).  So there will
be all sorts of log info that you can look at and will likely provide some
insight.  Keep in mind, running sshd as debug, while very helpful for
diagnostics, means that each disconnected session will terminate the sshd
service.

> Admin command prompt:
> ---- Output ----
> C:\>net start sshd
> The CYGWIN sshd service is starting.
> The CYGWIN sshd service could not be started.
>
> A system error has occurred.
>
> System error 1067 has occurred.
>
> The process terminated unexpectedly.
>
> C:\>C:\cygwin\Cygwin.bat
>
> sdoracle@STREAMINGDEV ~
> $ cygrunsrv -S sshd
> cygrunsrv: Error starting a service: QueryServiceStatus:  Win32 error 1062:
> The service has not been started.
>
>
> sdoracle@STREAMINGDEV ~
> $
> ---- End Output ----
>
> Things I have tried:
> Used a local privileged user to run the service
> Used a different domain user that successfully runs the sshd service on a different machine
> Created a fresh domain account to run the sshd service
> Searched for duplicate cygwin1.dll's - none found
> Applied full control to SYSTEM to C:\cygwin, C:\cygwin\var, and C:\cygwin\var\log

I'd be careful about setting permissions, especially globally.  Unless
you're going to turn off permission checking for sshd, it's going to be
pretty picky about what it expects where.  Setting things globally usually
results in, frankly, wrong permissions in spots where it counts.  Remember
sshd is trying to maintain some amount of security so it's not only looking
for access in certain areas but also lack of access to groups and others.
See ssh-host-config for details here.

> Removed local group policy object and rebooted machine
> Compared Local Security options and User Rights to working servers (identical except for administrator account name)
> Turned Windows firewall on and off

Sounds like your best bet is to review ssh-host-config comparing
permissions it sets for files and directories with those that
you have on the non-working and working servers.  Also, I'd
recommend carefully going through the sshd.log from your debug
session.  Separately or in combination, I think these two
avenues will help you a lot.

--
Larry

_____________________________________________________________________

A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
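
The permission comparison recommended in the message above can be scripted. This is an added example, not part of the original message and not code from ssh-host-config: it records mode and ownership for sshd-related paths so that snapshots from a working and a non-working server can be compared, and flags the modes sshd itself rejects. The path list and the function names are assumptions.

```shell
#!/bin/sh
# Added example. The path list is an assumption (common OpenSSH locations
# on a Cygwin install); edit it to match your system.
SSHD_PATHS="/etc/sshd_config /etc/ssh_host_rsa_key /etc/ssh_host_ecdsa_key /var/empty /var/log/sshd.log"

# perm_snapshot ROOT PATH...
# Print "mode owner:group path" per path; ROOT is "" on a live system.
perm_snapshot() {
    root=$1; shift
    for p in "$@"; do
        if [ -e "$root$p" ]; then
            printf '%s %s\n' "$(stat -c '%a %U:%G' "$root$p")" "$p"
        else
            printf 'MISSING - %s\n' "$p"
        fi
    done
}

# audit_strict ROOT PATH...
# Flag modes sshd itself rejects: any group/other bit on a private host
# key, group/other write on the privilege-separation directory.
# Returns 1 if anything was flagged.
audit_strict() {
    root=$1; shift; rc=0
    for p in "$@"; do
        [ -e "$root$p" ] || continue
        mode=$(stat -c '%a' "$root$p")
        case "$p" in
            *_key)      bad=$(( 0$mode & 077 )) ;;
            /var/empty) bad=$(( 0$mode & 022 )) ;;
            *)          bad=0 ;;
        esac
        if [ "$bad" -ne 0 ]; then
            echo "too open: $p (mode $mode)"; rc=1
        fi
    done
    return $rc
}

# perm_compare WORKING_SNAPSHOT BROKEN_SNAPSHOT
# Show only the lines that differ between two saved snapshots.
perm_compare() {
    diff "$1" "$2" | sed -n 's/^< /working:     /p; s/^> /non-working: /p'
}
```

On each server, `perm_snapshot "" $SSHD_PATHS > snapshot.txt` produces the file to hand to `perm_compare`, and `audit_strict "" $SSHD_PATHS` checks the live system.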

