This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Silently configure sshd fails via system account


On Mar 17 21:54, Lord Laraby wrote:
> On Mon, Mar 17, 2014 at 7:43 PM, Andrey Repin <> wrote:
> > Greetings, Lord Laraby!
> >
> >> Oh and I forgot the most intriguing gotcha. After creating the sshd
> >> user for me (I went to service manager and discovered this) the user
> >> assigned to the sshd server was actually cyg_server (not sshd)!!!!!
> >> After changing all of those things the service started.
> >
> > That's because service is running as cyg_server, while sshd user is used to
> > invoke login shells of connecting users.
> > You just messed it all.
> >
> >
> > --
> > WBR,
> > Andrey Repin (anrdaemon@yandex.ru) 18.03.2014, <03:42>
> >
> > Sorry for my terrible English...
> >
> I did not change anything. As I said originally, after running
> ssh-host-config, no changes on my part, I had a slew of errors. See my
> original message. I do not change things on a whim. Service failed to
> start, means just what it says!

Nevertheless Andrey is right.  The sshd account is not meant to run the
service.  It's an unprivileged account used only in conjunction with
privilege separation.  The account you're supposed to run this under is
cyg_server, which is supposed to be a special account with more
privileges than a normal admin.  If you already have a cyg_server account,
it's utilized by default.  If the cyg_server account doesn't have the
required permissions, sshd is bound to fail.

The /etc/ssh* files as well as /var/empty are supposed to be owned by
the user account running sshd, which is cyg_server.  ssh-host-config
usually sets the permissions on these files accordingly.  The message
"/var/empty must be owned by root and not group or world-writable." is
generated by sshd and it's the right message for all other POSIX
systems, except Cygwin.  For Cygwin "root" here denotes the user running
sshd.  The reason the message doesn't reflect that is the unwillingness
of the upstream developers to change that just for the sake of Cygwin.
I've been asking for 10 years or so to convert certain checks for uid 0 into
platform-independent privilege tests.  I even sent patches to that
effect, but to no avail.

My suggestion: Remove all files related to ssh from /etc.  Remove
/var/empty.  Remove the ssh logs from /var/log.  Remove the sshd
and cyg_server accounts from your SAM.  Drop both from /etc/passwd.
Remove the sshd service.  Start over.

In another mail you wrote:

> cyg_server is already taken by a non-privileged user
> connected to the cygserver service.

Why?  The cygserver service *can* run under a non-privileged account,
but it's not supposed to.  It's not even supposed to run under the
cyg_server account, but under SYSTEM (or LocalSystem) because it
usually needs certain privileges.  The cygserver-config script does
exactly that.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
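
The ownership rule described in the message above (the /etc/ssh* files and /var/empty owned by the account running sshd, and not group or world-writable) can be checked before starting the service. The script below is an added example, not part of the original mail or of ssh-host-config; the function names are hypothetical, and it assumes GNU stat and that the owner name is passed exactly as stat prints it.

```bash
#!/bin/bash
# Added example: audit the paths sshd checks at startup on Cygwin.
# Assumption: GNU stat (coreutils) is available.
# Usage, with the names from the message above:
#   audit_sshd_paths cyg_server /var/empty /etc/ssh*

# check_path OWNER PATH
# Returns 0 only if PATH exists, is owned by OWNER, and has neither the
# group-write nor the world-write bit set.
check_path() {
    local owner=$1 path=$2 actual mode
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    actual=$(stat -c '%U' "$path") || return 1
    mode=$(stat -c '%a' "$path") || return 1
    if [ "$actual" != "$owner" ]; then
        echo "OWNER    $path is owned by $actual, expected $owner"
        return 1
    fi
    # Leading 0 makes the shell read the mode as octal; 022 masks g+w and o+w.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "MODE     $path has mode $mode (group or world-writable)"
        return 1
    fi
    echo "OK       $path ($actual, $mode)"
    return 0
}

# audit_sshd_paths OWNER PATH...
# Checks every path, prints one line per path, returns 1 if any check failed.
audit_sshd_paths() {
    local owner=$1 rc=0 p
    shift
    for p in "$@"; do
        check_path "$owner" "$p" || rc=1
    done
    return $rc
}
```
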


