Re: sshd - ssh-host-config uses incorrect username for setup
On Dec 29 09:08, Brian Mc George wrote:
> Hi,
>
> I am using EC2 and need to automate the configuration of sshd
> at instance launch. If I manually rdp into the machine and execute:
> ssh-host-config --yes --privileged --user cyg_server --pwd ${PASSWORD}
>
> it will work correctly.
>
> However,
> If
> I use user data (lets you execute powershell commands on instance
> start) it will fail. It will also fail if I try execute the command
> using winrm (the windows equivalent of ssh).
>
> If I rdp into the machine and execute it manually then the cygwin name will
> be 'cyg_server'
> If I try automate it the cygwin name is +'cyg_server'
> It then cannot find the cyg_server account and fails.
I can't reproduce your scenario so I'd be grateful if you (or anybody else
having this problem) could inspect the ssh-host-config script and try to
find out how to recognize and workaround the scenario.
Thanks,
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
signature.asc
Description: PGP signature
RE: sshd - ssh-host-config uses incorrect username for setup
I haven't gotten any reply for this issue. It would seem there is no way I can
fix this issue directly?
Therefore, does anyone have a guide on what permissions and tweaks are required
to run sshd as SYSTEM user instead as a workaround?
Thanks,
Brian Mc George
> From: b.mcgeo...@hotmail.com
> To: cygwin@cygwin.com
> Subject: sshd - ssh-host-config uses incorrect username for setup
> Date: Tue, 29 Dec 2015 09:08:49 +0200
>
> Hi,
>
> I am using EC2 and need to automate the configuration of sshd
> at instance launch. If I manually rdp into the machine and execute:
> ssh-host-config --yes --privileged --user cyg_server --pwd ${PASSWORD}
>
> it will work correctly.
>
> However,
> If
> I use user data (lets you execute powershell commands on instance
> start) it will fail. It will also fail if I try execute the command
> using winrm (the windows equivalent of ssh).
>
> If I rdp into the machine and execute it manually then the cygwin name will
> be 'cyg_server'
> If I try automate it the cygwin name is +'cyg_server'
> It then cannot find the cyg_server account and fails.
>
> How can I work around this? Even if it just uses SYSTEM as the account I just
> need it to work.
>
> Here is the log when I try use the aforementioned method:
>
> [1;32m*** Info:[0;0m Generating missing SSH host keys
> ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
> [1;32m*** Info:[0;0m Creating default /etc/ssh_config file
> [1;32m*** Info:[0;0m Creating default /etc/sshd_config file
> [1;32m*** Info:[0;0m StrictModes is set to 'yes' by default.
> [1;32m*** Info:[0;0m This is the recommended setting, but it requires that
> the POSIX
> [1;32m*** Info:[0;0m permissions of the user's home directory, the user's .ssh
> [1;32m*** Info:[0;0m directory, and the user's ssh key files are tight so that
> [1;32m*** Info:[0;0m only the user has write permissions.
> [1;32m*** Info:[0;0m On the other hand, StrictModes don't work well with
> default
> [1;32m*** Info:[0;0m Windows permissions of a home directory mounted with the
> [1;32m*** Info:[0;0m 'noacl' option, and they don't work at all if the home
> [1;32m*** Info:[0;0m directory is on a FAT or FAT32 partition.
> [1;35m*** Query:[0;0m Should StrictModes be used? (yes/no) yes
> [1;32m*** Info:[0;0m Privilege separation is set to 'sandbox' by default since
> [1;32m*** Info:[0;0m OpenSSH 6.1. This is unsupported by Cygwin and has to be
> set
> [1;32m*** Info:[0;0m to 'yes' or 'no'.
> [1;32m*** Info:[0;0m However, using privilege separation requires a
> non-privileged account
> [1;32m*** Info:[0;0m called 'sshd'.
> [1;32m*** Info:[0;0m For more info on privilege separation read
> /usr/share/doc/openssh/README.privsep.
> [1;35m*** Query:[0;0m Should privilege separation be used? (yes/no) yes
> [1;32m*** Info:[0;0m Note that creating a new user requires that the current
> account have
> [1;32m*** Info:[0;0m Administrator privileges. Should this script attempt to
> create a
> [1;35m*** Query:[0;0m new local account 'sshd'? (yes/no) yes
> [1;32m*** Info:[0;0m Updating /etc/sshd_config file
> [1;35m*** Query:[0;0m Do you want to install sshd as a service?
> [1;35m*** Query:[0;0m (Say "no" if it is already installed as a service)
> (yes/no) yes
> [1;35m*** Query:[0;0m Enter the value of CYGWIN for the daemon: []
> [1;32m*** Info:[0;0m On Windows Server 2003, Windows Vista, and above, the
> [1;32m*** Info:[0;0m SYSTEM account cannot setuid to other users -- a
> capability
> [1;32m*** Info:[0;0m sshd requires. You need to have or to create a privileged
> [1;32m*** Info:[0;0m account. This script will help you do so.
> [1;32m*** Info:[0;0m It's not possible to use the LocalSystem account for
> services
> [1;32m*** Info:[0;0m that can change the user id without an explicit password
> [1;32m*** Info:[0;0m (such as passwordless logins [e.g. public key
> authentication]
> [1;32m*** Info:[0;0m via sshd) when having to create the user token from
> scratch.
> [1;32m*** Info:[0;0m For more information on this requirement, see
> [1;32m*** Info:[0;0m
> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
> [1;32m*** Info:[0;0m If you want to enable that functionality, it's required
> to create
> [1;32m*** Info:[0;0m a new account with special privileges (unless such an
> account
> [1;32m*** Info:[0;0m already exists). This account is then used to run these
> special
> [1;32m*** Info:[0;0m servers.
> [1;32m*** Info:[0;0m Note that creating a new user requires that the current
> account
> [1;32m*** Info:[0;0m have Administrator privileges itself.
> [1;32m*** Info:[0;0m This script plans to use 'cyg_server'.
> [1;32m*** Info:[0;0m 'cyg_server' will only be u
sshd - ssh-host-config uses incorrect username for setup
Hi,
I am using EC2 and need to automate the configuration of sshd
at instance launch. If I manually rdp into the machine and execute:
ssh-host-config --yes --privileged --user cyg_server --pwd ${PASSWORD}
it will work correctly.
However,
If
I use user data (lets you execute powershell commands on instance
start) it will fail. It will also fail if I try execute the command
using winrm (the windows equivalent of ssh).
If I rdp into the machine and execute it manually then the cygwin name will be
'cyg_server'
If I try automate it the cygwin name is +'cyg_server'
It then cannot find the cyg_server account and fails.
How can I work around this? Even if it just uses SYSTEM as the account I just
need it to work.
Here is the log when I try use the aforementioned method:
[1;32m*** Info:[0;0m Generating missing SSH host keys
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
[1;32m*** Info:[0;0m Creating default /etc/ssh_config file
[1;32m*** Info:[0;0m Creating default /etc/sshd_config file
[1;32m*** Info:[0;0m StrictModes is set to 'yes' by default.
[1;32m*** Info:[0;0m This is the recommended setting, but it requires that the
POSIX
[1;32m*** Info:[0;0m permissions of the user's home directory, the user's .ssh
[1;32m*** Info:[0;0m directory, and the user's ssh key files are tight so that
[1;32m*** Info:[0;0m only the user has write permissions.
[1;32m*** Info:[0;0m On the other hand, StrictModes don't work well with default
[1;32m*** Info:[0;0m Windows permissions of a home directory mounted with the
[1;32m*** Info:[0;0m 'noacl' option, and they don't work at all if the home
[1;32m*** Info:[0;0m directory is on a FAT or FAT32 partition.
[1;35m*** Query:[0;0m Should StrictModes be used? (yes/no) yes
[1;32m*** Info:[0;0m Privilege separation is set to 'sandbox' by default since
[1;32m*** Info:[0;0m OpenSSH 6.1. This is unsupported by Cygwin and has to be
set
[1;32m*** Info:[0;0m to 'yes' or 'no'.
[1;32m*** Info:[0;0m However, using privilege separation requires a
non-privileged account
[1;32m*** Info:[0;0m called 'sshd'.
[1;32m*** Info:[0;0m For more info on privilege separation read
/usr/share/doc/openssh/README.privsep.
[1;35m*** Query:[0;0m Should privilege separation be used? (yes/no) yes
[1;32m*** Info:[0;0m Note that creating a new user requires that the current
account have
[1;32m*** Info:[0;0m Administrator privileges. Should this script attempt to
create a
[1;35m*** Query:[0;0m new local account 'sshd'? (yes/no) yes
[1;32m*** Info:[0;0m Updating /etc/sshd_config file
[1;35m*** Query:[0;0m Do you want to install sshd as a service?
[1;35m*** Query:[0;0m (Say "no" if it is already installed as a service)
(yes/no) yes
[1;35m*** Query:[0;0m Enter the value of CYGWIN for the daemon: []
[1;32m*** Info:[0;0m On Windows Server 2003, Windows Vista, and above, the
[1;32m*** Info:[0;0m SYSTEM account cannot setuid to other users -- a capability
[1;32m*** Info:[0;0m sshd requires. You need to have or to create a privileged
[1;32m*** Info:[0;0m account. This script will help you do so.
[1;32m*** Info:[0;0m It's not possible to use the LocalSystem account for
services
[1;32m*** Info:[0;0m that can change the user id without an explicit password
[1;32m*** Info:[0;0m (such as passwordless logins [e.g. public key
authentication]
[1;32m*** Info:[0;0m via sshd) when having to create the user token from
scratch.
[1;32m*** Info:[0;0m For more information on this requirement, see
[1;32m*** Info:[0;0m https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
[1;32m*** Info:[0;0m If you want to enable that functionality, it's required to
create
[1;32m*** Info:[0;0m a new account with special privileges (unless such an
account
[1;32m*** Info:[0;0m already exists). This account is then used to run these
special
[1;32m*** Info:[0;0m servers.
[1;32m*** Info:[0;0m Note that creating a new user requires that the current
account
[1;32m*** Info:[0;0m have Administrator privileges itself.
[1;32m*** Info:[0;0m This script plans to use 'cyg_server'.
[1;32m*** Info:[0;0m 'cyg_server' will only be used by registered services.
[1;35m***
Query:[0;0m Create new privileged user account
'WIN-FII6OQ85EQF\cyg_server' (Cygwin name:
'win-fii6oq85eqf+cyg_server')? (yes/no) yes
[1;32m*** Info:[0;0m User 'win-fii6oq85eqf+cyg_server' has been created with
password 'XXX'.
[1;32m*** Info:[0;0m If you change the password, please remember also to change
the
[1;32m*** Info:[0;0m password for the installed services which use (or will
soon use)
[1;32m*** Info:[0;0m the 'win-fii6oq85eqf+cyg_server' account.
passwd: unknown user win-fii6oq85eqf+cyg_server
[1;33m*** Warning:[0;0m Setting password expiry for user
'win-fii6oq85eqf+cyg_server' failed!
[1;33m*** Warning:[0;0m Please check that password never expires or set it to
your needs.
No user or group 'win-fii6oq85eqf+cyg_server' known.
[1;33m*** Warning:[0;0m Assigning the appropriate privileges to user
'win-fii6oq85eqf+cyg_server' failed!
[1;31m*** ERROR:[0;0m
