Re: ssh to 2003 server exist immediately

2006-05-16 Thread Igor Peshansky

On Mon, 15 May 2006, Andrew DeFaria wrote:


* * wrote:
 You might try reconfiguring with privilege separation turned on.
 Also, turn on auditing of failed file access, and/or run sysInternals
 RegMon and FileMon.

Reconfigured with privilege separation turned on. Same problem.
Interesting note: I removed /var/empty so that the ssh-host-config would
recreate it. It does, but it's owned by my user. Starting sshd yields
the following in /var/log/sshd.log:

/var/empty must be owned by root and not group or world-writable.

At first I did chown SYSTEM:SYSTEM /var/empty but that didn't help. It
was not until I did a chown sshd_server /var/empty that I was able to
start sshd. It was not apparent to me that, in this context, root ==
sshd_server nor that ssh-host-config, knowing that I'm running on 2003
and needing to create a local sshd_server user and using privilege
separation, would not know to do a chown sshd_server on /var/empty. Bug?


Perhaps.  We'll need more info on this.  FWIW, I used ssh-host-config to
setup sshd with privilege separation, and everything just worked (tm).


 I think your sshd_server user doesn't have permission to execute
 Winsock2 which is %SYSTEMROOT%\System32\ws2_32.dll or one of its
 dependencies.  Did you also check the Application Event Log?

Again, whenever I go to view the Application log in the Event Viewer
after trying an ssh it's corrupted. I can right click on the Application
log and Clear All Events, thus creating a new Application log, which
works. But if I do an ssh and go back to the Event Viewer it says the
Application log is corrupted!


Ouch!  That's not good, and most likely isn't Cygwin-related.  However,
you can get sshd to write somewhere other than to the event log, by
setting up and starting the syslogd service -- then any events sshd
produces will go to syslog.  Then you'll be able to actually see them,
invalid characters (if any) and all.


Meantime I edited sshd_server's rights so I could do a runas
/user:sshd_server cmd. From here I started bash --login -i then did an
strace /usr/sbin/sshd -d > /tmp/sshd.strace.log 2>&1 (attached). The
relevant part seems to be here:

277 3957121 [main] sshd 1404 C:\Cygwin\usr\sbin\sshd.exe: *** fatal error - 
could not load ws2_32, Win32 error 0


Your mailer wrapped the strace snippet, but this definitely seems
relevant.  What does getfacl /cygdrive/c/WINDOWS/system32/ws2_32.dll
say?


I'd appreciate any pointers (guesses) at this point?


As Richard (or * *) pointed out, your sshd_server user probably doesn't
have access to ws2_32.dll.
Igor
--
http://cs.nyu.edu/~pechtcha/
 |\  _,,,---,,_ [EMAIL PROTECTED] | [EMAIL PROTECTED]
ZZZzz /,`.-'`'-.  ;-;;,_Igor Peshansky, Ph.D. (name changed!)
|,4-  ) )-,_. ,\ (  `'-'old name: Igor Pechtchanski
   '---''(_/--'  `-'\_) fL  a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

Las! je suis sot... -Mais non, tu ne l'es pas, puisque tu t'en rends compte.
But no -- you are no fool; you call yourself a fool, there's proof enough in
that! -- Rostand, Cyrano de Bergerac

--
Unsubscribe info:  http://cygwin.com/ml/#unsubscribe-simple
Problem reports:   http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ:   http://cygwin.com/faq/



Re: ssh to 2003 server exist immediately

2006-05-16 Thread Andrew DeFaria

Igor Peshansky wrote:
Meantime I edited sshd_server's rights so I could do a runas
/user:sshd_server cmd. From here I started bash --login -i then did
an strace /usr/sbin/sshd -d > /tmp/sshd.strace.log 2>&1 (attached).
The relevant part seems to be here:


277 3957121 [main] sshd 1404 C:\Cygwin\usr\sbin\sshd.exe: *** fatal 
error - could not load ws2_32, Win32 error 0
Your mailer wrapped the strace snippet, but this definitely seems 
relevant.  What does getfacl /cygdrive/c/WINDOWS/system32/ws2_32.dll 
say?
The above is essentially the same message as that which was written
to /var/log/sshd.log that I reported originally. In any event a getfacl
returns:


$ ls -l /dev/c/WINDOW/system32/ws2_32.dll
-rwxrwxr--+ 1 Administrators  83968 Mar 24  2005 
/dev/c/WINDOWS/system32/ws2_32.dll*

$ getfacl /dev/c/WINDOWS/system32/ws2_32.dll
# file: /dev/c/WINDOWS/system32/ws2_32.dll
# owner: Administrators
# group: 
user::rwx
group::rwx
group:SYSTEM:rwx
mask:rwx
other:r--

Neither Cygwin nor I have cause to twiddle the security or ACL bits on 
this obvious Windows dll. Does the above look correct for Windows 2003?

I'd appreciate any pointers (guesses) at this point?
As Richard (or * *) pointed out, your sshd_server user probably 
doesn't have access to ws2_32.dll.
By access I assume you mean what Richard hinted at - execute access. 
Well above other is set to r--. I checked ws2_32.dll on my other server, 
which is, unfortunately Windows 2000 not Windows 2003, and I see:


$ ll /dev/c/WINNT/system32/ws2_32.dll
-rwxrwxr-x1 Administ SYSTEM  69904 Jun 19  2003 
/dev/c/WINNT/system32/ws2_32.dll*

$ getfacl /dev/c/WINNT/system32/ws2_32.dll
# file: /dev/c/WINNT/system32/ws2_32.dll
# owner: Administrators
# group: SYSTEM
user::rwx
group::rwx
mask:rwx
other:r-x

Interesting to see other set to r-x. Checked my desktop (Windows XP) and 
it has other set to --- (!) for this dll with no problems running ssh. 
Did a chmod 775 on ws2_32.dll and checked it with getfacl (Could have 
sworn I tried this before... Perhaps some Windows protection reverted 
it?) and restarted sshd. Tried ssh - still failed - same way.


Perhaps somebody with a working sshd on Windows 2003 could give me the 
particulars about his ws2_32.dll to compare against mine. Here's the 
info I can see:


* The above ls -l and getfacl output

Looking at the file: properties version info:

File version: 5.2.3790.1830 (srv03_sp1_rtm 050324-1447)
Description: Windows Socket 2.0 32-bit DLL
File Size: 82.0 Kb (83,968 bytes)

Security from file: properties

sons-sc-cc\Administrators: Modify, Read & Execute, Read, Write, Special
Permissions (greyed)

Everyone: Read & Execute, Read
sons-sc-cc\Power Users: Read & Execute, Read
SYSTEM: Full control, Modify, Read & Execute, Read, Write
sons-ss-sc\Users: Read & Execute, Read

Hmmm... Noticed on my XP Desktop that Administrators had Full Control so 
I toggled it on on the Windows 2003 server. Received an error dialog 
stating You are about to change the permissions settings on system 
folders which can result in unexpected problems and reduce security. Do 
you want to continue?. Continued, restarted sshd and tried an ssh - 
still failed! Same way. Argh...

--
You have to stay in shape. My mother started walking five miles a day 
when she was 60. She's 97 now and we have no idea where she is.
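
The execute-access question raised in this message can be checked mechanically against the two getfacl listings it quotes. The following is an added example, not part of the original post: `acl_allows` is a hypothetical helper, and the group membership "Users" given to sshd_server is an assumption for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate the POSIX-style ACL that
# getfacl prints and report whether an account is granted one permission.
#
# usage: acl_allows PERM USER "GROUP1 GROUP2 ..." < getfacl-output
#   PERM is r, w or x. Exit status 0 = granted, 1 = denied.
# Entry selection follows the POSIX.1e order: owner, named user, owning or
# named groups (limited by the mask), then other.
acl_allows() {
    awk -v perm="$1" -v user="$2" -v groups="$3" '
    function has(p) { return index(p, perm) > 0 }
    BEGIN {
        n = split(groups, g, " ")
        for (i = 1; i <= n; i++) member[g[i]] = 1
        mask = "rwx"                      # no mask entry means no limit
    }
    /^# owner:/ { owner = $3; next }
    /^# group:/ { ogroup = $3; next }
    /^#/ || NF == 0 { next }
    {
        # Accept both "other:r--" (as in the thread) and "other::r--".
        k = split($1, f, ":"); tag = f[1]; perms = f[k]
        qual = (k == 3) ? f[2] : ""
        if (tag == "user" && qual == "")       uperm = perms
        else if (tag == "user")                nuser[qual] = perms
        else if (tag == "group" && qual == "") gperm = perms
        else if (tag == "group")               ngroup[qual] = perms
        else if (tag == "mask")                mask = perms
        else if (tag == "other")               operm = perms
    }
    END {
        if (user == owner) exit !has(uperm)
        if (user in nuser) exit !(has(nuser[user]) && has(mask))
        matched = 0
        if (ogroup != "" && (ogroup in member)) {
            matched = 1
            if (has(gperm) && has(mask)) exit 0
        }
        for (name in ngroup) if (name in member) {
            matched = 1
            if (has(ngroup[name]) && has(mask)) exit 0
        }
        if (matched) exit 1               # a group matched but none grants it
        exit !has(operm)
    }'
}

# getfacl output as posted in the thread for the Windows 2003 server.
acl_w2003() {
    cat <<'EOF'
# file: /dev/c/WINDOWS/system32/ws2_32.dll
# owner: Administrators
# group: 
user::rwx
group::rwx
group:SYSTEM:rwx
mask:rwx
other:r--
EOF
}

# getfacl output as posted in the thread for the Windows 2000 server.
acl_w2000() {
    cat <<'EOF'
# file: /dev/c/WINNT/system32/ws2_32.dll
# owner: Administrators
# group: SYSTEM
user::rwx
group::rwx
mask:rwx
other:r-x
EOF
}

# Demo: the group list "Users" for sshd_server is an assumption.
for host in w2003 w2000; do
    if "acl_$host" | acl_allows x sshd_server "Users"; then
        echo "$host: sshd_server is granted execute on ws2_32.dll"
    else
        echo "$host: sshd_server is denied execute on ws2_32.dll"
    fi
done
```

This evaluates only the POSIX view that getfacl prints. The file properties listed in the same message show Everyone with Read & Execute, so the result should be compared against the native Windows ACL before changing any permissions.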






Re: ssh to 2003 server exist immediately

2006-05-15 Thread * *

You might try reconfiguring with privilege separation turned on.
Also, turn on auditing of failed file access, and/or run sysInternals
RegMon and FileMon.

I think your sshd_server user doesn't have permission to execute
Winsock2 which is %SYSTEMROOT%\System32\ws2_32.dll or one of its
dependencies.  Did you also check the Application Event Log?




Re: ssh to 2003 server exist immediately

2006-05-13 Thread Andrew DeFaria

Larry Hall (Cygwin) wrote:

Andrew DeFaria wrote:

Larry Hall (Cygwin) wrote:

Andrew DeFaria wrote:

Larry Hall (Cygwin) wrote:

Andrew DeFaria wrote:
I'm trying to set up ssh access to a Windows 2003 server. I am 
having a problem in that when I ssh to this server it immediately 
exits and I find the following in /var/log/sshd.log:


 5 [main] sshd 12912 C:\Cygwin\usr\sbin\sshd.exe: *** fatal 
error - could not load ws2_32, Win32 error 0


Forgive me I did do some research about setting up ssh on a 2003 
server and I believe I'm very close to having it set up
correctly but I'm still missing something. I created a local
sshd_server user and added things like Act as part of the
operating system, Replace process level token, etc. I did not
see a setting for Increase quota. Note that I am using a local
sshd_server user (i.e. machine\sshd_server) as the logon for
the sshd service. I don't believe I'm using privilege separation.


I had to use mmc and a Group Policy editor for the domain to add 
this local user into the rights at the domain level before this 
would work. Still when I try to ssh in I get a password prompt 
but after that the above gets written into the sshd.log and the 
prompt returns.


Note that I also use this local sshd_server user for inetd so 
that rsh can and does work. Insecure I know and I'd like to 
switch this client over to using all ssh but I gotta get it 
working for them.


Thanks in advance.
Why not use ssh-host-config to set up sshd?  It will create 
sshd_server for you in the proper way.
I did! sshd_server would not have been my choice of a username had 
I done this by hand (the user daemon comes to mind). However that 
was not working. This is a domain environment so the sshd_server 
user could be domain\sshd_server or local machine\sshd_server. 
I don't think I have enough privilege to add a domain user so I 
made it a local user.


Plus I believe that domain policies did not allow me to modify the 
user rights of this local user. (From memory) I believe I went into 
mmc and added the Group Policy Editor snapin then attempted to add 
the local sshd_server to the users that have say Act as part of 
the operating system rights but the add button was grayed out. 
Last night while trying again I noticed I could add Domain Group 
Policy snapin and much to my surprise I was able to add the local 
server\sshd_server user to the Act as part of operating system 
and replace process level token lists. Again I didn't see an 
Increase quota. This got inetd and rsh working but ssh still 
produces an error.


Actually, assuming I can create say a domain daemon user for use 
with sshd and inetd, etc., would it be better to do this at the 
domain level. I would like to allow others in the domain to set up 
ssh or inetd with the rights to SU...
No tweaking of the permissions for sshd_server is necessary and it's 
not required to add sshd_server to any other users to get things to 
work. sshd_server is a local user created to run the service and 
nothing else. To login via 'ssh' with a domain user, just make sure 
the domain user is in your '/etc/passwd' file and your '/etc/group' 
file contains the proper
domain groups.  See 'man mkpasswd' and 'man mkgroup' if these users 
and groups are not already in these files.
/etc/passwd and /etc/group are symlinks to a shared and up to date 
copy of the output of mkpasswd/mkgroup. That's not the issue. As I 
understand it, for sshd (or in.rlogind) to switch user it needs 
special privileges. Indeed the documentation alludes to that. And 
until I added those permissions to the sshd_server user ssh/rsh would 
not work at all. 
But if you ran /bin/ssh-host-config and told it to create sshd_server 
when it asked you to, it will add these rights automatically.  There's 
no need to do it yourself.  Just take a look at /bin/ssh-host-config.  
The calls to editrights in the section that handles the creation of 
the sshd_server user/group specifically adds the privileges that are 
necessary to switch the user context on W2K3.  If it failed to set 
these permissions you should have been warned.
I don't recall getting errors from ssh-host-config initially. I thought 
that perhaps some sort of domain policy might be overriding me. In any 
event I had high hopes that redoing this would correct the problems but 
it doesn't appear to have. Here's what I did:


* Stopped current sshd service (net stop sshd)
* Removed service (cygrunsrv -R sshd)
* Removed local sshd_server account since I want ssh-host-config to 
recreate it
* Removed /var/empty and /var/log/sshd.log, again I want ssh-host-config 
to create these properly

* Ran ssh-host-config:

$ ssh-host-config
Overwrite existing /etc/ssh_config file? (yes/no) yes
Generating /etc/ssh_config file
Overwrite existing /etc/sshd_config file? (yes/no) yes
Privilege separation is set to yes by default since OpenSSH 3.3.
However, this requires a non-privileged account called 'sshd'.
For more info on privilege 

Re: ssh to 2003 server exist immediately

2006-05-13 Thread Andrew DeFaria

Larry Hall (Cygwin) wrote:

Andrew DeFaria wrote:

Andrew DeFaria wrote:
/etc/passwd and /etc/group are symlinks to a shared and up to date 
copy of the output of mkpasswd/mkgroup. That's not the issue. As I 
understand it, for sshd (or in.rlogind) to switch user it needs 
special privileges. Indeed the documentation alludes to that. And 
until I added those permissions to the sshd_server user ssh/rsh 
would not work at all. (rsh, started from inetd that is as inetd was 
also logging on as the sshd_server user). Still, while rsh works, 
ssh refuses to work citing the error message above in 
/var/log/sshd.log. IOW I can rsh server and get in. I can also rsh 
server command and have command run on server (provided 
/etc/passwd on server has a blank password for the user). However 
I cannot ssh server. When I do so it prompts for the password then 
abruptly logs out with the only clue left in 
server:/var/log/sshd.log.

A little more info. rsh server works. rsh server command hangs!

sons-clearcase:rsh sons-sc-cc
No directory /us/adefaria!
Logging in with home = /.
Last login: Wed May 10 20:31:46 from sons-clearcase.salira.com
CYGWIN_NT-5.2 SONS-SC-CC 1.5.19(0.150/4/2) 2006-01-20 13:28 i686 Cygwin
WARNING: HOME directory did not exist! Logging in with HOME = /tmp

[EMAIL PROTECTED] ~
$ logout
rlogin: connection closed.
sons-clearcase:rsh sons-sc-cc id

This is very frustrating because my client relies on a command I 
wrote called smake which essentially boils down to: rsh server 
-n cd directory  make that is intended to perform the make on 
server. As you can see it relies on rsh, passwordless login to 
server executing a command. But with this new 2003 server rsh 
server command hangs!


Help!

Are you sure you're not getting caught by the Windows rsh?

Positive:

$ which rsh
/bin/rsh
$ rsh --help
Usage: rsh [-nd] [-l USER] [EMAIL PROTECTED] [COMMAND [ARG...]]
Execute COMMAND on remote system HOST

 -d, --debugTurn on socket debugging
 -l USER, --user=USER   Run as USER on the remote system
 -n, --no-input Use /dev/null as input
 --help Give this help list
 -V, --version  Print program version

Submit bug reports to [EMAIL PROTECTED].
$ rsh sons-sc-cc id
hangs

I have seen in.rshd.exe.stackdump's but I forget where... Could this 
likewise be caused by that failure to load ws2_32.dll?

--
If bankers can count, how come they have eight windows and only four 
tellers?






Re: ssh to 2003 server exist immediately

2006-05-12 Thread Larry Hall (Cygwin)

Andrew DeFaria wrote:

Larry Hall (Cygwin) wrote:

Andrew DeFaria wrote:

Larry Hall (Cygwin) wrote:

Andrew DeFaria wrote:
I'm trying to set up ssh access to a Windows 2003 server. I am 
having a problem in that when I ssh to this server it immediately 
exits and I find the following in /var/log/sshd.log:


 5 [main] sshd 12912 C:\Cygwin\usr\sbin\sshd.exe: *** fatal 
error - could not load ws2_32, Win32 error 0


Forgive me I did do some research about setting up ssh on a 2003 
server and I believe I'm very close to having it set up correctly
but I'm still missing something. I created a local sshd_server user
and added things like Act as part of the operating system,
Replace process level token, etc. I did not see a setting for
Increase quota. Note that I am using a local sshd_server user
(i.e. machine\sshd_server) as the logon for the sshd service. I 
don't believe I'm using privilege separation.


I had to use mmc and a Group Policy editor for the domain to add 
this local user into the rights at the domain level before this 
would work. Still when I try to ssh in I get a password prompt but 
after that the above gets written into the sshd.log and the prompt 
returns.


Note that I also use this local sshd_server user for inetd so that 
rsh can and does work. Insecure I know and I'd like to switch this 
client over to using all ssh but I gotta get it working for them.


Thanks in advance.
Why not use ssh-host-config to set up sshd?  It will create 
sshd_server for you in the proper way.
I did! sshd_server would not have been my choice of a username had I 
done this by hand (the user daemon comes to mind). However that was 
not working. This is a domain environment so the sshd_server user 
could be domain\sshd_server or local machine\sshd_server. I don't 
think I have enough privilege to add a domain user so I made it a 
local user.


Plus I believe that domain policies did not allow me to modify the 
user rights of this local user. (From memory) I believe I went into 
mmc and added the Group Policy Editor snapin then attempted to add 
the local sshd_server to the users that have say Act as part of the 
operating system rights but the add button was grayed out. Last 
night while trying again I noticed I could add Domain Group Policy 
snapin and much to my surprise I was able to add the local 
server\sshd_server user to the Act as part of operating system and 
replace process level token lists. Again I didn't see an Increase 
quota. This got inetd and rsh working but ssh still produces an error.


Actually, assuming I can create say a domain daemon user for use 
with sshd and inetd, etc., would it be better to do this at the 
domain level. I would like to allow others in the domain to set up 
ssh or inetd with the rights to SU...
No tweaking of the permissions for sshd_server is necessary and it's 
not required to add sshd_server to any other users to get things to 
work. sshd_server is a local user created to run the service and 
nothing else. To login via 'ssh' with a domain user, just make sure 
the domain user is in your '/etc/passwd' file and your '/etc/group' 
file contains the proper
domain groups.  See 'man mkpasswd' and 'man mkgroup' if these users 
and groups are not already in these files.
/etc/passwd and /etc/group are symlinks to a shared and up to date copy 
of the output of mkpasswd/mkgroup. That's not the issue. As I understand 
it, for sshd (or in.rlogind) to switch user it needs special 
privileges. Indeed the documentation alludes to that. And until I added 
those permissions to the sshd_server user ssh/rsh would not work at all. 



But if you ran /bin/ssh-host-config and told it to create sshd_server when
it asked you to, it will add these rights automatically.  There's no need
to do it yourself.  Just take a look at /bin/ssh-host-config.  The calls
to editrights in the section that handles the creation of the sshd_server
user/group specifically adds the privileges that are necessary to switch
the user context on W2K3.  If it failed to set these permissions you should
have been warned.


(rsh, started from inetd that is as inetd was also logging on as the 
sshd_server user). Still, while rsh works, ssh refuses to work citing 
the error message above in /var/log/sshd.log. IOW I can rsh server and 
get in. I can also rsh server command and have command run on 
server (provided /etc/passwd on server has a blank password for the 
user). However I cannot ssh server. When I do so it prompts for the 
password then abruptly logs out with the only clue left in 
server:/var/log/sshd.log.



Well you can always run the client and the server in debug mode and track
each one's progress.  The server is always a little more helpful.  But if
you can't figure out anything else, I'd go back and retry running
/bin/ssh-host-config after deleting the sshd_server user/group.  Pay close
attention to what it says concerning sshd_server.


--
Larry Hall  

Re: ssh to 2003 server exist immediately

2006-05-12 Thread Larry Hall (Cygwin)

Andrew DeFaria wrote:

Andrew DeFaria wrote:
/etc/passwd and /etc/group are symlinks to a shared and up to date 
copy of the output of mkpasswd/mkgroup. That's not the issue. As I 
understand it, for sshd (or in.rlogind) to switch user it needs 
special privileges. Indeed the documentation alludes to that. And 
until I added those permissions to the sshd_server user ssh/rsh would 
not work at all. (rsh, started from inetd that is as inetd was also 
logging on as the sshd_server user). Still, while rsh works, ssh 
refuses to work citing the error message above in /var/log/sshd.log. 
IOW I can rsh server and get in. I can also rsh server command 
and have command run on server (provided /etc/passwd on server 
has a blank password for the user). However I cannot ssh server. 
When I do so it prompts for the password then abruptly logs out with 
the only clue left in server:/var/log/sshd.log.

A little more info. rsh server works. rsh server command hangs!

sons-clearcase:rsh sons-sc-cc
No directory /us/adefaria!
Logging in with home = /.
Last login: Wed May 10 20:31:46 from sons-clearcase.salira.com
CYGWIN_NT-5.2 SONS-SC-CC 1.5.19(0.150/4/2) 2006-01-20 13:28 i686 Cygwin
WARNING: HOME directory did not exist! Logging in with HOME = /tmp

[EMAIL PROTECTED] ~
$ logout
rlogin: connection closed.
sons-clearcase:rsh sons-sc-cc id

This is very frustrating because my client relies on a command I wrote 
called smake which essentially boils down to: rsh server -n cd 
directory  make that is intended to perform the make on server. 
As you can see it relies on rsh, passwordless login to server 
executing a command. But with this new 2003 server rsh server 
command hangs!


Help!



Are you sure you're not getting caught by the Windows rsh?


--
Larry Hall  http://www.rfk.com
RFK Partners, Inc.  (508) 893-9779 - RFK Office
838 Washington Street   (508) 893-9889 - FAX
Holliston, MA 01746




Re: ssh to 2003 server exist immediately

2006-05-11 Thread David Arnstein
On Wed, May 10, 2006 at 08:35:24PM -0700, Andrew DeFaria wrote:
 Andrew DeFaria wrote:
 This is very frustrating because my client relies on a command I wrote 
 called smake which essentially boils down to: rsh server -n cd 
 directory  make that is intended to perform the make on server. 
 As you can see it relies on rsh, passwordless login to server 
 executing a command. But with this new 2003 server rsh server 
 command hangs!

Here is a long-shot guess. I had a situation where I could reliably do
an interactive ssh between two hosts. I could not do an scp though. 

I use the bash shell everywhere. My problem was that my .bashrc file
caused text output to occur. I had put in a debugging message
echo entering .bashrc at `date`

When I removed this statement from my .bashrc, I was able to use scp.
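
The failure mode described in this message, a startup file that prints when no terminal user is present, can be tested before it breaks a remote command. The following is an added example, not part of the original post: `rc_is_quiet`, `write_noisy_rc` and `write_guarded_rc` are hypothetical names, and the sample files are constructed from the debugging line quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): detect a startup file that writes
# output when it is sourced by a non-interactive shell, the kind of shell
# that runs a remote command on behalf of rsh or scp.
#
# usage: rc_is_quiet FILE [SHELL]
#   FILE must contain a slash so that "." does not search PATH.
#   SHELL defaults to sh; pass bash to test a real .bashrc.
#   Exit status 0 = no bytes written, 1 = the file produced output.
rc_is_quiet() {
    bytes=$("${2:-sh}" -c '. "$1"' rc-check "$1" </dev/null 2>&1 | wc -c)
    [ "$((bytes))" -eq 0 ]
}

# Constructed sample: the debugging line quoted in the post, unguarded.
write_noisy_rc() {
    cat > "$1" <<'EOF'
echo entering .bashrc at `date`
EOF
}

# Constructed sample: the same line, printed only when the shell is
# interactive ($- contains the letter i).
write_guarded_rc() {
    cat > "$1" <<'EOF'
case $- in
    *i*) echo entering .bashrc at `date` ;;
esac
EOF
}

# Demo on the constructed files in a temporary directory.
demo_dir=$(mktemp -d)
write_noisy_rc "$demo_dir/noisy_rc"
write_guarded_rc "$demo_dir/guarded_rc"
for rc in noisy_rc guarded_rc; do
    if rc_is_quiet "$demo_dir/$rc"; then
        echo "$rc: quiet in a non-interactive shell"
    else
        echo "$rc: writes output in a non-interactive shell"
    fi
done
rm -rf "$demo_dir"
```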




ssh to 2003 server exist immediately

2006-05-10 Thread Andrew DeFaria
I'm trying to set up ssh access to a Windows 2003 server. I am having a 
problem in that when I ssh to this server it immediately exits and I 
find the following in /var/log/sshd.log:


 5 [main] sshd 12912 C:\Cygwin\usr\sbin\sshd.exe: *** fatal error - 
could not load ws2_32, Win32 error 0


Forgive me I did do some research about setting up ssh on a 2003 server 
and I believe I'm very close to having it set up correctly but I'm
still missing something. I created a local sshd_server user and added
things like Act as part of the operating system, Replace process
level token, etc. I did not see a setting for Increase quota. Note
that I am using a local sshd_server user (i.e. machine\sshd_server)
as the logon for the sshd service. I don't believe I'm using privilege 
separation.


I had to use mmc and a Group Policy editor for the domain to add this 
local user into the rights at the domain level before this would work. 
Still when I try to ssh in I get a password prompt but after that the 
above gets written into the sshd.log and the prompt returns.


Note that I also use this local sshd_server user for inetd so that rsh 
can and does work. Insecure I know and I'd like to switch this client 
over to using all ssh but I gotta get it working for them.


Thanks in advance.
--
When you open a new bag of cotton balls, are you supposed to throw the 
top one away?






Re: ssh to 2003 server exist immediately

2006-05-10 Thread Larry Hall (Cygwin)

Andrew DeFaria wrote:
I'm trying to set up ssh access to a Windows 2003 server. I am having a 
problem in that when I ssh to this server it immediately exits and I 
find the following in /var/log/sshd.log:


 5 [main] sshd 12912 C:\Cygwin\usr\sbin\sshd.exe: *** fatal error - 
could not load ws2_32, Win32 error 0


Forgive me I did do some research about setting up ssh on a 2003 server 
and I believe I'm very close to having it set up correctly but I'm
still missing something. I created a local sshd_server user and added
things like Act as part of the operating system, Replace process
level token, etc. I did not see a setting for Increase quota. Note
that I am using a local sshd_server user (i.e. machine\sshd_server)
as the logon for the sshd service. I don't believe I'm using privilege 
separation.


I had to use mmc and a Group Policy editor for the domain to add this 
local user into the rights at the domain level before this would work. 
Still when I try to ssh in I get a password prompt but after that the 
above gets written into the sshd.log and the prompt returns.


Note that I also use this local sshd_server user for inetd so that rsh 
can and does work. Insecure I know and I'd like to switch this client 
over to using all ssh but I gotta get it working for them.


Thanks in advance.


Why not use ssh-host-config to set up sshd?  It will create sshd_server for
you in the proper way.

--
Larry Hall  http://www.rfk.com
RFK Partners, Inc.  (508) 893-9779 - RFK Office
838 Washington Street   (508) 893-9889 - FAX
Holliston, MA 01746




Re: ssh to 2003 server exist immediately

2006-05-10 Thread Andrew DeFaria

Larry Hall (Cygwin) wrote:

Andrew DeFaria wrote:
I'm trying to set up ssh access to a Windows 2003 server. I am having 
a problem in that when I ssh to this server it immediately exits and 
I find the following in /var/log/sshd.log:


 5 [main] sshd 12912 C:\Cygwin\usr\sbin\sshd.exe: *** fatal error 
- could not load ws2_32, Win32 error 0


Forgive me I did do some research about setting up ssh on a 2003 
server and I believe I'm very close to having it set up correctly
but I'm still missing something. I created a local sshd_server user
and added things like Act as part of the operating system, Replace
process level token, etc. I did not see a setting for Increase
quota. Note that I am using a local sshd_server user (i.e.
machine\sshd_server) as the logon for the sshd service. I don't 
believe I'm using privilege separation.


I had to use mmc and a Group Policy editor for the domain to add this 
local user into the rights at the domain level before this would 
work. Still when I try to ssh in I get a password prompt but after 
that the above gets written into the sshd.log and the prompt returns.


Note that I also use this local sshd_server user for inetd so that 
rsh can and does work. Insecure I know and I'd like to switch this 
client over to using all ssh but I gotta get it working for them.


Thanks in advance.
Why not use ssh-host-config to set up sshd?  It will create 
sshd_server for you in the proper way.
I did! sshd_server would not have been my choice of a username had I 
done this by hand (the user daemon comes to mind). However that was not 
working. This is a domain environment so the sshd_server user could be 
domain\sshd_server or local machine\sshd_server. I don't think I 
have enough privilege to add a domain user so I made it a local user.


Plus I believe that domain policies did not allow me to modify the user 
rights of this local user. (From memory) I believe I went into mmc and 
added the Group Policy Editor snapin then attempted to add the local 
sshd_server to the users that have say Act as part of the operating 
system rights but the add button was grayed out. Last night while 
trying again I noticed I could add Domain Group Policy snapin and much 
to my surprise I was able to add the local server\sshd_server user to 
the Act as part of operating system and replace process level token 
lists. Again I didn't see an Increase quota. This got inetd and rsh 
working but ssh still produces an error.


Actually, assuming I can create say a domain daemon user for use with 
sshd and inetd, etc., would it be better to do this at the domain level. 
I would like to allow others in the domain to set up ssh or inetd with 
the rights to SU...






Re: ssh to 2003 server exist immediately

2006-05-10 Thread Larry Hall (Cygwin)

Andrew DeFaria wrote:

Larry Hall (Cygwin) wrote:

Andrew DeFaria wrote:
I'm trying to set up ssh access to a Windows 2003 server. I am having 
a problem in that when I ssh to this server it immediately exits and 
I find the following in /var/log/sshd.log:


 5 [main] sshd 12912 C:\Cygwin\usr\sbin\sshd.exe: *** fatal error 
- could not load ws2_32, Win32 error 0


Forgive me I did do some research about setting up ssh on a 2003 
server and I believe I'm very close to having it set up correctly
but I'm still missing something. I created a local sshd_server user
and added things like Act as part of the operating system, Replace
process level token, etc. I did not see a setting for Increase
quota. Note that I am using a local sshd_server user (i.e.
machine\sshd_server) as the logon for the sshd service. I don't 
believe I'm using privilege separation.


I had to use mmc and a Group Policy editor for the domain to add this 
local user into the rights at the domain level before this would 
work. Still when I try to ssh in I get a password prompt but after 
that the above gets written into the sshd.log and the prompt returns.


Note that I also use this local sshd_server user for inetd so that 
rsh can and does work. Insecure I know and I'd like to switch this 
client over to using all ssh but I gotta get it working for them.


Thanks in advance.
Why not use ssh-host-config to set up sshd?  It will create 
sshd_server for you in the proper way.
I did! sshd_server would not have been my choice of a username had I 
done this by hand (the user daemon comes to mind). However that was not 
working. This is a domain environment so the sshd_server user could be 
domain\sshd_server or local machine\sshd_server. I don't think I 
have enough privilege to add a domain user so I made it a local user.


Plus I believe that domain policies did not allow me to modify the user 
rights of this local user. (From memory) I believe I went into mmc and 
added the Group Policy Editor snapin then attempted to add the local 
sshd_server to the users that have say Act as part of the operating 
system rights but the add button was grayed out. Last night while 
trying again I noticed I could add Domain Group Policy snapin and much 
to my surprise I was able to add the local server\sshd_server user to 
the Act as part of operating system and replace process level token 
lists. Again I didn't see an Increase quota. This got inetd and rsh 
working but ssh still produces an error.


Actually, assuming I can create say a domain daemon user for use with 
sshd and inetd, etc., would it be better to do this at the domain level? 
I would like to allow others in the domain to set up ssh or inetd with 
the rights to SU...


No tweaking of the permissions for sshd_server is necessary and it's not
required to add sshd_server to any other users to get things to work.
sshd_server is a local user created to run the service and nothing else.
To login via 'ssh' with a domain user, just make sure the domain user is
in your '/etc/passwd' file and your '/etc/group' file contains the proper
domain groups.  See 'man mkpasswd' and 'man mkgroup' if these users and
groups are not already in these files.


--
Larry Hall  http://www.rfk.com
RFK Partners, Inc.  (508) 893-9779 - RFK Office
838 Washington Street   (508) 893-9889 - FAX
Holliston, MA 01746

--
Unsubscribe info:  http://cygwin.com/ml/#unsubscribe-simple
Problem reports:   http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ:   http://cygwin.com/faq/



Re: ssh to 2003 server exist immediately

2006-05-10 Thread Andrew DeFaria

Larry Hall (Cygwin) wrote:

Andrew DeFaria wrote:

Larry Hall (Cygwin) wrote:

Andrew DeFaria wrote:
I'm trying to set up ssh access to a Windows 2003 server. I am 
having a problem in that when I ssh to this server it immediately 
exits and I find the following in /var/log/sshd.log:


 5 [main] sshd 12912 C:\Cygwin\usr\sbin\sshd.exe: *** fatal error - could not load ws2_32, Win32 error 0


Forgive me, I did do some research about setting up ssh on a 2003 
server and I believe I'm very close to having it set up correctly 
but I'm still missing something. I created a local sshd_server user 
and added things like Act as part of the operating system, 
Replace process level token, etc. I did not see a setting for 
Increase quota. Note that I am using a local sshd_server user 
(i.e. machine\sshd_server) as the logon for the sshd service. I 
don't believe I'm using privilege separation.


I had to use mmc and a Group Policy editor for the domain to add 
this local user into the rights at the domain level before this 
would work. Still when I try to ssh in I get a password prompt but 
after that the above gets written into the sshd.log and the prompt 
returns.


Note that I also use this local sshd_server user for inetd so that 
rsh can and does work. Insecure I know and I'd like to switch this 
client over to using all ssh but I gotta get it working for them.


Thanks in advance.

Why not use ssh-host-config to set up sshd?  It will create 
sshd_server for you in the proper way.

I did! sshd_server would not have been my choice of a username had I 
done this by hand (the user daemon comes to mind). However that was 
not working. This is a domain environment so the sshd_server user 
could be domain\sshd_server or local machine\sshd_server. I don't 
think I have enough privilege to add a domain user so I made it a 
local user.


Plus I believe that domain policies did not allow me to modify the 
user rights of this local user. (From memory) I believe I went into 
mmc and added the Group Policy Editor snapin then attempted to add 
the local sshd_server to the users that have say Act as part of the 
operating system rights but the add button was grayed out. Last 
night while trying again I noticed I could add Domain Group Policy 
snapin and much to my surprise I was able to add the local 
server\sshd_server user to the Act as part of operating system and 
replace process level token lists. Again I didn't see an Increase 
quota. This got inetd and rsh working but ssh still produces an error.


Actually, assuming I can create say a domain daemon user for use 
with sshd and inetd, etc., would it be better to do this at the 
domain level? I would like to allow others in the domain to set up 
ssh or inetd with the rights to SU...

No tweaking of the permissions for sshd_server is necessary and it's 
not required to add sshd_server to any other users to get things to 
work. sshd_server is a local user created to run the service and 
nothing else. To login via 'ssh' with a domain user, just make sure 
the domain user is in your '/etc/passwd' file and your '/etc/group' 
file contains the proper
domain groups.  See 'man mkpasswd' and 'man mkgroup' if these users 
and groups are not already in these files.

/etc/passwd and /etc/group are symlinks to a shared and up to date copy 
of the output of mkpasswd/mkgroup. That's not the issue. As I understand 
it, for sshd (or in.rlogind) to switch user it needs special 
privileges. Indeed the documentation alludes to that. And until I added 
those permissions to the sshd_server user ssh/rsh would not work at all. 
(rsh, started from inetd that is as inetd was also logging on as the 
sshd_server user). Still, while rsh works, ssh refuses to work citing 
the error message above in /var/log/sshd.log. IOW I can rsh server and 
get in. I can also rsh server command and have command run on 
server (provided /etc/passwd on server has a blank password for the 
user). However I cannot ssh server. When I do so it prompts for the 
password then abruptly logs out with the only clue left in 
server:/var/log/sshd.log.

--
A shark is the only fish that can blink with both eyes.


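The check Larry Hall describes (the login user present in '/etc/passwd', its primary group present in '/etc/group'), together with a flag for the blank password field mentioned in the reply, as an added example that is not part of the original thread. The `check_account` helper, the user names, SIDs and ids are constructed for illustration and assume the standard colon-separated passwd/group field layout.

```shell
#!/bin/sh
# Added example: audit a passwd/group file pair for one login name.
# Assumes colon-separated passwd(5)/group(5) style fields.

# check_account PASSWD_FILE GROUP_FILE USER
# Prints one finding per line; returns 0 only when no finding is raised.
check_account() {
    passwd_file=$1; group_file=$2; user=$3
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
    if [ -z "$entry" ]; then
        echo "MISSING: $user has no passwd entry"
        return 1
    fi
    status=0
    pwfield=$(printf '%s\n' "$entry" | cut -d: -f2)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    if [ -z "$pwfield" ]; then
        echo "BLANK-PASSWORD: $user has an empty password field"
        status=1
    fi
    if ! awk -F: -v g="$gid" '$3 == g { ok = 1 } END { exit !ok }' "$group_file"; then
        echo "NO-GROUP: primary gid $gid of $user is not in the group file"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $user"
    return "$status"
}

# Constructed sample data (hypothetical users, SIDs and ids).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
sshd_server:unused:1006:513:U-BUILD01\sshd_server,S-1-5-21-1-2-3-1006:/var/empty:/bin/false
alice:unused:11001:10513:U-CORP\alice,S-1-5-21-4-5-6-1001:/home/alice:/bin/bash
bob::11002:10513:U-CORP\bob,S-1-5-21-4-5-6-1002:/home/bob:/bin/bash
carol:unused:11003:10999:U-CORP\carol,S-1-5-21-4-5-6-1003:/home/carol:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
None:S-1-5-21-1-2-3-513:513:
Domain Users:S-1-5-21-4-5-6-513:10513:
EOF

# alice passes; bob, carol and dave each raise one finding.
for u in alice bob carol dave; do
    check_account "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" "$u"
done
```

Pointed at the real '/etc/passwd' and '/etc/group', a MISSING or NO-GROUP finding means the files need regenerating (see 'man mkpasswd' and 'man mkgroup').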