This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: ssh to 2003 server exits immediately


Andrew DeFaria wrote:
Larry Hall (Cygwin) wrote:
Andrew DeFaria wrote:
Larry Hall (Cygwin) wrote:
Andrew DeFaria wrote:
I'm trying to set up ssh access to a Windows 2003 server. I am having a problem in that when I ssh to this server it immediately exits and I find the following in /var/log/sshd.log:

5 [main] sshd 12912 C:\Cygwin\usr\sbin\sshd.exe: *** fatal error - could not load ws2_32, Win32 error 0

Forgive me, I did do some research about setting up ssh on a 2003 server and I believe I'm very close to having it set up correctly, but I'm still missing something. I created a local sshd_server user and added things like "Act as part of the operating system", "Replace process level token", etc. I did not see a setting for "Increase quota". Note that I am using a local sshd_server user (i.e. <machine>\sshd_server) as the logon for the sshd service. I don't believe I'm using privilege separation.

I had to use mmc and a Group Policy editor for the domain to add this local user into the rights at the domain level before this would work. Still when I try to ssh in I get a password prompt but after that the above gets written into the sshd.log and the prompt returns.

Note that I also use this local sshd_server user for inetd so that rsh can and does work. Insecure I know and I'd like to switch this client over to using all ssh but I gotta get it working for them.

Thanks in advance.
Why not use ssh-host-config to set up sshd? It will create sshd_server for you in the proper way.
I did! sshd_server would not have been my choice of a username had I done this by hand (the user daemon comes to mind). However that was not working. This is a domain environment so the sshd_server user could be <domain>\sshd_server or <local machine>\sshd_server. I don't think I have enough privilege to add a domain user so I made it a local user.

Plus I believe that domain policies did not allow me to modify the user rights of this local user. (From memory) I believe I went into mmc and added the Group Policy Editor snapin then attempted to add the local sshd_server to the users that have say "Act as part of the operating system" rights but the add button was grayed out. Last night while trying again I noticed I could add Domain Group Policy snapin and much to my surprise I was able to add the <local server>\sshd_server user to the "Act as part of operating system" and "replace process level token" lists. Again I didn't see an "Increase quota". This got inetd and rsh working but ssh still produces an error.

Actually, assuming I can create say a domain "daemon" user for use with sshd and inetd, etc., would it be better to do this at the domain level? I would like to allow others in the domain to set up ssh or inetd with the rights to SU...
No tweaking of the permissions for sshd_server is necessary and it's not required to add sshd_server to any other users to get things to work. sshd_server is a local user created to run the service and nothing else. To login via 'ssh' with a domain user, just make sure the domain user is in your '/etc/passwd' file and your '/etc/group' file contains the proper domain groups. See 'man mkpasswd' and 'man mkgroup' if these users and groups are not already in these files.
/etc/passwd and /etc/group are symlinks to a shared and up to date copy of the output of mkpasswd/mkgroup. That's not the issue. As I understand it, for sshd (or in.rlogind) to "switch user" it needs special privileges. Indeed the documentation alludes to that. And until I added those permissions to the sshd_server user ssh/rsh would not work at all.


But if you ran /bin/ssh-host-config and told it to create sshd_server when
it asked you to, it will add these rights automatically.  There's no need
to do it yourself.  Just take a look at /bin/ssh-host-config.  The calls
to "editrights" in the section that handles the creation of the sshd_server
user/group specifically adds the privileges that are necessary to switch
the user context on W2K3.  If it failed to set these permissions you should
have been warned.


(rsh, started from inetd that is as inetd was also logging on as the sshd_server user). Still, while rsh works, ssh refuses to work citing the error message above in /var/log/sshd.log. IOW I can rsh <server> and get in. I can also rsh <server> <command> and have <command> run on <server> (provided /etc/passwd on <server> has a blank password for the user). However I cannot ssh <server>. When I do so it prompts for the password then abruptly logs out with the only clue left in <server>:/var/log/sshd.log.


Well you can always run the client and the server in debug mode and track
each one's progress.  The server is always a little more helpful.  But if
you can't figure out anything else, I'd go back and retry running
/bin/ssh-host-config after deleting the sshd_server user/group.  Pay close
attention to what it says concerning sshd_server.


--
Larry Hall                              http://www.rfk.com
RFK Partners, Inc.                      (508) 893-9779 - RFK Office
838 Washington Street                   (508) 893-9889 - FAX
Holliston, MA 01746

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

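The reply above points at the "editrights" calls in /bin/ssh-host-config as the place where the sshd_server account gets the user rights needed to switch user context. The script below is an added example, not part of this thread or of Cygwin's own ssh-host-config: it checks an account's rights listing against the set that ssh-host-config grants (SeAssignPrimaryTokenPrivilege, SeCreateTokenPrivilege, SeTcbPrivilege, SeServiceLogonRight, SeIncreaseQuotaPrivilege) and reports which are missing, which is the check a practitioner would want before re-running ssh-host-config. It assumes that `editrights -u USER -l` prints one right name per line; the two listings embedded in the script are constructed sample output so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or from Cygwin): verify that an sshd
# service account holds the user rights ssh-host-config grants via editrights.
# Assumption: `editrights -u USER -l` prints one right name per line.

# Rights granted to sshd_server by ssh-host-config (LSA privilege names).
REQUIRED_RIGHTS="SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege SeTcbPrivilege SeServiceLogonRight SeIncreaseQuotaPrivilege"

# missing_rights LISTING
#   LISTING is the text of an editrights listing. Prints the required rights
#   that are absent (space-separated) and returns 1 if any is missing, else 0.
missing_rights() {
    listing=$1
    missing=""
    for r in $REQUIRED_RIGHTS; do
        # -x: whole-line match, so a right name never matches as a substring
        if ! printf '%s\n' "$listing" | grep -qx "$r"; then
            missing="${missing:+$missing }$r"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Constructed sample: an account given only the two rights the thread's
# poster added by hand through the Group Policy editor.
SAMPLE_PARTIAL="SeTcbPrivilege
SeAssignPrimaryTokenPrivilege"

# Constructed sample: an account set up the way ssh-host-config does it.
SAMPLE_FULL="SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeTcbPrivilege
SeServiceLogonRight
SeIncreaseQuotaPrivilege"

# Live use on a Cygwin host, run from an administrator shell:
#   sh check_sshd_rights.sh --live [account]     (account defaults to sshd_server)
if [ "${1:-}" = "--live" ] && command -v editrights >/dev/null 2>&1; then
    acct=${2:-sshd_server}
    if m=$(missing_rights "$(editrights -u "$acct" -l)"); then
        echo "$acct holds every right ssh-host-config grants"
    else
        echo "$acct is missing: $m"
    fi
fi
```

Run against the partial listing the function reports the three rights that were never granted (SeCreateTokenPrivilege, SeServiceLogonRight, SeIncreaseQuotaPrivilege), which matches the thread's advice: granting two rights by hand is not the same as letting ssh-host-config create the account.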
