Re: sshd - ssh-host-config uses incorrect username for setup

On Dec 29 09:08, Brian Mc George wrote:
> Hi,
>
> I am using EC2 and need to automate the configuration of sshd
> at instance launch. If I manually rdp into the machine and execute:
> ssh-host-config --yes --privileged --user cyg_server --pwd ${PASSWORD}
>
> it will work correctly.
>
> However, if I use user data (lets you execute powershell commands on instance
> start) it will fail. It will also fail if I try to execute the command
> using winrm (the windows equivalent of ssh).
>
> If I rdp into the machine and execute it manually then the cygwin name will
> be 'cyg_server'.
> If I try to automate it the cygwin name is +'cyg_server'.
> It then cannot find the cyg_server account and fails.

I can't reproduce your scenario, so I'd be grateful if you (or anybody else
having this problem) could inspect the ssh-host-config script and try to
find out how to recognize and work around the scenario.

Thanks,
Corinna

--
Corinna Vinschen
Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
RE: sshd - ssh-host-config uses incorrect username for setup

I haven't gotten any reply for this issue. It would seem there is no way I can fix this issue directly?
Therefore, does anyone have a guide on what permissions and tweaks are required to run sshd as the SYSTEM user instead, as a workaround?

Thanks,
Brian Mc George

> From: b.mcgeo...@hotmail.com
> To: cygwin@cygwin.com
> Subject: sshd - ssh-host-config uses incorrect username for setup
> Date: Tue, 29 Dec 2015 09:08:49 +0200
>
> Hi,
>
> I am using EC2 and need to automate the configuration of sshd
> at instance launch. If I manually rdp into the machine and execute:
> ssh-host-config --yes --privileged --user cyg_server --pwd ${PASSWORD}
>
> it will work correctly.
>
> However, if I use user data (lets you execute powershell commands on instance
> start) it will fail. It will also fail if I try to execute the command
> using winrm (the windows equivalent of ssh).
>
> If I rdp into the machine and execute it manually then the cygwin name will
> be 'cyg_server'.
> If I try to automate it the cygwin name is +'cyg_server'.
> It then cannot find the cyg_server account and fails.
>
> How can I work around this? Even if it just uses SYSTEM as the account, I just
> need it to work.
>
> Here is the log when I try to use the aforementioned method:
>
> *** Info: Generating missing SSH host keys
> ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
> *** Info: Creating default /etc/ssh_config file
> *** Info: Creating default /etc/sshd_config file
> *** Info: StrictModes is set to 'yes' by default.
> *** Info: This is the recommended setting, but it requires that the POSIX
> *** Info: permissions of the user's home directory, the user's .ssh
> *** Info: directory, and the user's ssh key files are tight so that
> *** Info: only the user has write permissions.
> *** Info: On the other hand, StrictModes don't work well with default
> *** Info: Windows permissions of a home directory mounted with the
> *** Info: 'noacl' option, and they don't work at all if the home
> *** Info: directory is on a FAT or FAT32 partition.
> *** Query: Should StrictModes be used? (yes/no) yes
> *** Info: Privilege separation is set to 'sandbox' by default since
> *** Info: OpenSSH 6.1. This is unsupported by Cygwin and has to be set
> *** Info: to 'yes' or 'no'.
> *** Info: However, using privilege separation requires a non-privileged account
> *** Info: called 'sshd'.
> *** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
> *** Query: Should privilege separation be used? (yes/no) yes
> *** Info: Note that creating a new user requires that the current account have
> *** Info: Administrator privileges. Should this script attempt to create a
> *** Query: new local account 'sshd'? (yes/no) yes
> *** Info: Updating /etc/sshd_config file
> *** Query: Do you want to install sshd as a service?
> *** Query: (Say "no" if it is already installed as a service) (yes/no) yes
> *** Query: Enter the value of CYGWIN for the daemon: []
> *** Info: On Windows Server 2003, Windows Vista, and above, the
> *** Info: SYSTEM account cannot setuid to other users -- a capability
> *** Info: sshd requires. You need to have or to create a privileged
> *** Info: account. This script will help you do so.
> *** Info: It's not possible to use the LocalSystem account for services
> *** Info: that can change the user id without an explicit password
> *** Info: (such as passwordless logins [e.g. public key authentication]
> *** Info: via sshd) when having to create the user token from scratch.
> *** Info: For more information on this requirement, see
> *** Info: https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
> *** Info: If you want to enable that functionality, it's required to create
> *** Info: a new account with special privileges (unless such an account
> *** Info: already exists). This account is then used to run these special
> *** Info: servers.
> *** Info: Note that creating a new user requires that the current account
> *** Info: have Administrator privileges itself.
> *** Info: This script plans to use 'cyg_server'.
> *** Info: 'cyg_server' will only be u
sshd - ssh-host-config uses incorrect username for setup

Hi,

I am using EC2 and need to automate the configuration of sshd
at instance launch. If I manually rdp into the machine and execute:
ssh-host-config --yes --privileged --user cyg_server --pwd ${PASSWORD}

it will work correctly.

However, if I use user data (lets you execute powershell commands on instance
start) it will fail. It will also fail if I try to execute the command
using winrm (the windows equivalent of ssh).

If I rdp into the machine and execute it manually then the cygwin name will
be 'cyg_server'.
If I try to automate it the cygwin name is +'cyg_server'.
It then cannot find the cyg_server account and fails.

How can I work around this? Even if it just uses SYSTEM as the account, I just
need it to work.

Here is the log when I try to use the aforementioned method:

*** Info: Generating missing SSH host keys
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
*** Info: Creating default /etc/ssh_config file
*** Info: Creating default /etc/sshd_config file
*** Info: StrictModes is set to 'yes' by default.
*** Info: This is the recommended setting, but it requires that the POSIX
*** Info: permissions of the user's home directory, the user's .ssh
*** Info: directory, and the user's ssh key files are tight so that
*** Info: only the user has write permissions.
*** Info: On the other hand, StrictModes don't work well with default
*** Info: Windows permissions of a home directory mounted with the
*** Info: 'noacl' option, and they don't work at all if the home
*** Info: directory is on a FAT or FAT32 partition.
*** Query: Should StrictModes be used? (yes/no) yes
*** Info: Privilege separation is set to 'sandbox' by default since
*** Info: OpenSSH 6.1. This is unsupported by Cygwin and has to be set
*** Info: to 'yes' or 'no'.
*** Info: However, using privilege separation requires a non-privileged account
*** Info: called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges. Should this script attempt to create a
*** Query: new local account 'sshd'? (yes/no) yes
*** Info: Updating /etc/sshd_config file
*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Query: Enter the value of CYGWIN for the daemon: []
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires. You need to have or to create a privileged
*** Info: account. This script will help you do so.
*** Info: It's not possible to use the LocalSystem account for services
*** Info: that can change the user id without an explicit password
*** Info: (such as passwordless logins [e.g. public key authentication]
*** Info: via sshd) when having to create the user token from scratch.
*** Info: For more information on this requirement, see
*** Info: https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless such an account
*** Info: already exists). This account is then used to run these special
*** Info: servers.
*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.
*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Create new privileged user account 'WIN-FII6OQ85EQF\cyg_server' (Cygwin name: 'win-fii6oq85eqf+cyg_server')? (yes/no) yes
*** Info: User 'win-fii6oq85eqf+cyg_server' has been created with password 'XXX'.
*** Info: If you change the password, please remember also to change the
*** Info: password for the installed services which use (or will soon use)
*** Info: the 'win-fii6oq85eqf+cyg_server' account.
passwd: unknown user win-fii6oq85eqf+cyg_server
*** Warning: Setting password expiry for user 'win-fii6oq85eqf+cyg_server' failed!
*** Warning: Please check that password never expires or set it to your needs.
No user or group 'win-fii6oq85eqf+cyg_server' known.
*** Warning: Assigning the appropriate privileges to user 'win-fii6oq85eqf+cyg_server' failed!
*** ERROR:
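A pre-flight check, added here as an example and not taken from the thread or from the Cygwin project, for automation that runs ssh-host-config from user data or WinRM: it reads passwd-format lines and reports whether the privileged account resolves under its bare Cygwin name or under the machine-prefixed form shown in the log above (`win-fii6oq85eqf+cyg_server`), so the pipeline can stop before the script installs a service bound to a name passwd cannot find. The hostname lower-casing and the `+` join are taken from the log; that `getent passwd` and `hostname` are available in the Cygwin shell is an assumption, and the sample passwd lines are constructed.

```shell
# Lower-case the Windows machine name the way the log shows Cygwin doing it
# for the "+" prefix: WIN-FII6OQ85EQF -> win-fii6oq85eqf (assumption from the log).
cyg_prefix() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# resolve_cyg_user NAME HOST   (passwd-format lines on stdin)
# Prints the account name that actually exists in the database: the bare
# NAME, or HOST+NAME if only the machine-prefixed form is known.
# Returns 1 when neither exists, which is the state behind the log's
# "passwd: unknown user win-fii6oq85eqf+cyg_server".
resolve_cyg_user() {
  name=$1
  prefixed="$(cyg_prefix "$2")+$1"
  found=""
  while IFS=: read -r user _; do
    case "$user" in
      "$name")     found=$user; break ;;   # exact bare match wins
      "$prefixed") found=$user ;;          # keep scanning for a bare match
    esac
  done
  [ -n "$found" ] || return 1
  printf '%s\n' "$found"
}

# Live check on a Cygwin host (assumes getent and hostname are present).
# Use the printed name for --user, or abort the automation if it fails.
check_cyg_server() {
  getent passwd | resolve_cyg_user cyg_server "$(hostname)"
}

# Constructed sample passwd lines (not from the thread).
# Manual RDP run: the account is known under the plain name.
SAMPLE_BARE='cyg_server:*:1002:513:Privileged server:/var/empty:/bin/false'
# Automated run: only the machine-prefixed form is known.
SAMPLE_PREFIXED='win-fii6oq85eqf+cyg_server:*:1002:513:Privileged server:/var/empty:/bin/false'
# Privsep account only: cyg_server does not exist in any form.
SAMPLE_MISSING='sshd:*:1001:1001:sshd privsep:/var/empty:/bin/false'

# Stand-alone demonstration against the constructed data.
printf '%s\n' "$SAMPLE_BARE"     | resolve_cyg_user cyg_server WIN-FII6OQ85EQF
printf '%s\n' "$SAMPLE_PREFIXED" | resolve_cyg_user cyg_server WIN-FII6OQ85EQF
printf '%s\n' "$SAMPLE_MISSING"  | resolve_cyg_user cyg_server WIN-FII6OQ85EQF \
  || echo "cyg_server not resolvable under either name; stop before installing the service"
```

In the automated path, run `check_cyg_server` before ssh-host-config and treat a non-zero exit as a hard failure of the launch script.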