
Secure Shell Daemon setup under Windows XP / Windows Server 2003

Configuration inside Cygwin

$ chgrp Administrators /var/{run,log,empty}
$ chown Administrators /var/{run,log,empty}
$ chmod 775 /var/{run,log}
$ chmod 755 /var/empty
$ ssh-host-config
*** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
*** Info: Creating default /etc/ssh_config file
*** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Updating /etc/sshd_config file

*** Warning: The following functions require administrator privileges!

*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Query: Enter the value of CYGWIN for the daemon: [] ntsec tty binmode server nodosfilewarning
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires. You need to have or to create a privileged
*** Info: account. This script will help you do so.

*** Info: You appear to be running Windows 2003 Server or later. On 2003
*** Info: and later systems, it's not possible to use the LocalSystem
*** Info: account for services that can change the user id without an
*** Info: explicit password (such as passwordless logins [e.g. public key
*** Info: authentication] via sshd).

*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless a similar account
*** Info: already exists). This account is then used to run these special
*** Info: servers.

*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.

*** Info: The following privileged accounts were found: 'cyg_server' .

*** Info: This script plans to use 'cyg_server'.

*** Info: 'cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) no
*** Query: Please enter the password for user 'cyg_server':
*** Query: Reenter:

*** Info: The sshd service has been installed under the 'cyg_server'
*** Info: account. To start the service now, call `net start sshd' or
*** Info: `cygrunsrv -S sshd'. Otherwise, it will start automatically
*** Info: after the next reboot.

*** Info: Host configuration finished. Have fun!

Under Windows XP there is no mention of the cyg_server account; instead the script ends with

*** Info: The sshd service has been installed under the LocalSystem
*** Info: account (also known as SYSTEM). To start the service now, call
*** Info: `net start sshd' or `cygrunsrv -S sshd'. Otherwise, it
*** Info: will start automatically after the next reboot.

Ultimately the sshd service is to be run as user cyg_server (Windows Server 2003) or SYSTEM (Windows XP). Make sure the
/var/empty directory has the right owner and permissions. Note that this is somewhat of a catch-22: the ssh-host-config script needs
/var/empty owned by Administrators, while to run the sshd service /var/empty must be owned by cyg_server or SYSTEM respectively.

# Windows Server 2003
$ chown cyg_server /var/empty
$ chmod 755 /var/empty

# Windows XP
$ chown SYSTEM /var/empty
$ chmod 755 /var/empty

If the ssh-host-config script output above does not say anything about installing the service, then it was already installed, and may
work for you. If it does not work, then you can remove the service with

$ cygrunsrv -R sshd

On some systems the removal only takes effect after a reboot. Then you install the service again with

$ cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd

and you start it with

$ cygrunsrv -S sshd

Troubleshooting

Below you find a list of errors and fixes, in no particular order.

Access is denied, Win32 error 5

Starting the sshd service may fail with

cygrunsrv: Error starting a service: StartService: Win32 error 5:
Access is denied.

Another error like this may be

$ cygrunsrv -S sshd
cygrunsrv: Error starting a service: StartService: Win32 error 1069:
The service did not start due to a logon failure.

Equivalently, if you used

$ net start sshd

You may get the error message

System error 5 has occurred.

Access is denied.

Then likely the user under which the service is set to start is not correctly set up. Go to the Services panel (usually found under Start
Menu -> Control Panel -> Administrative Tools -> Services, or Start Menu -> Control Panel -> Computer Management, Services and
Applications entry). The service manager is hard to find on some Windows Server 2003 servers where it’s not under the
administrative tools. One way of getting there is via the Start Menu -> Control Panel -> Administrative Tools -> List of Common
Administrative Tasks -> Managing Services -> Open Services.
From the right-click menu of the CYGWIN sshd service, open the Properties panel and go to the Log On tab.
Under Windows XP this should be set to run under the Local System Account.
Under Windows Server 2003 this has to run as the cyg_server user (don’t enter the “.\” as part of the user name, this is automatically
added), and specify the password you set earlier.

Cygwin binaries permissions wrong

If it still fails, with an Access Denied error (same error number 5), then make sure that the execution path and elements are all
accessible and/or executable by the SYSTEM (Windows XP) or cyg_server (Windows Server 2003) user, that is in particular check
the permissions of C:\cygwin\usr\sbin\sshd.exe and C:\cygwin\usr\bin\cygrunsrv.exe.

$ ls -l /usr/bin/cygrunsrv.exe
-rwxr-x--- 1 user1 Users 68096 Mar 18 2008 /usr/bin/cygrunsrv.exe

The above is wrong: the Local System Account (Windows XP) or the cyg_server user (Windows Server 2003) cannot run the
cygrunsrv program. The same error can happen with the sshd executable. Here is the fix.

$ chgrp Administrators /usr/bin/cygrunsrv.exe /usr/sbin/sshd.exe /usr/bin /usr/sbin /usr
$ chmod 775 /usr/bin/cygrunsrv.exe /usr/sbin/sshd.exe /usr/bin /usr/sbin /usr

If it still fails, make sure you also check the path of your cygwin installation, which is usually C:\cygwin, running the same chgrp and
chmod commands:

$ chgrp Administrators 'C:\cygwin'
$ chmod 775 'C:\cygwin'

The CYGWIN sshd service on Local Computer started and then stopped, Win32 error 1062

You may get yet another error when you try to start the service through the Windows Admin Tools services interface:

The CYGWIN sshd service on Local Computer started and then stopped. Some services stop automatically if
they have no work to do, for example, the Performance Logs and Alerts service.

If you tried this from the command line instead, you may get a different error message:

$ cygrunsrv -S sshd
cygrunsrv: Error starting a service: QueryServiceStatus: Win32 error 1062:
The service has not been started.

Since the service may have started and then stopped (at least when you start it from the Services panel, that’s what it claimed), its error
message may also be available from the Cygwin sshd log, the default log file cygrunsrv keeps for the service (and it may give more
detailed information):

/var/empty permission issue

$ cat /var/log/sshd.log
/var/empty must be owned by root and not group or world-writable.

That means that the user starting sshd was not the one owning /var/empty (the error message stems from the Unix world where sshd
usually gets started by the system administrator, who is called “root” under Unix, and is a bit misleading here).

Windows Server 2003: We want to run sshd under the user cyg_server:
$ chown cyg_server /var/empty
$ chmod 755 /var/empty
$ ls -ld /var/empty
drwxr-xr-x+ 1 cyg_server Administrators 0 Feb 9 2009 /var/empty

Windows XP: We want to run sshd under the Local System Account:
$ chown SYSTEM /var/empty
$ chmod 755 /var/empty
$ ls -ld /var/empty
drwxr-xr-x+ 1 SYSTEM Administrators 0 Oct 8 2008 /var/empty

ssh_exchange_identification: Connection closed by remote host

Not really an sshd error, but this is an error message you may get when sshd is running successfully and you are trying to connect
from a client machine but the client machine is not allowed to connect because the client machine is either included in /etc/hosts.deny,
or not specifically allowed in /etc/hosts.allow. If you get this error, and you have the /etc/hosts.allow or /etc/hosts.deny files on the
server, then move them temporarily to some other directory. If that allows you to connect, then you know what the problem was and
you have to fix your /etc/hosts.allow or /etc/hosts.deny setup.
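Rather than moving /etc/hosts.allow and /etc/hosts.deny away and retrying, you can first ask which rule would reject the client. The following POSIX shell script is an added example, not part of this howto: it evaluates the two files in the order tcp_wrappers uses (hosts.allow first, then hosts.deny, and allow when neither has a matching rule) and prints the offending line. It implements only a subset of the rule grammar, namely "daemon_list : client_list", the ALL wildcard, an exact address, and a dotted prefix such as 192.168.1. (no EXCEPT, netmasks or hostname lookups); the sample rules in the usage comment are constructed.

```shell
#!/bin/sh
# Added example: evaluate hosts.allow / hosts.deny rules for one daemon and
# client address, to find the rule behind "ssh_exchange_identification:
# Connection closed by remote host". Subset of the tcp_wrappers grammar only.

# in_list LIST VALUE -> 0 if any comma-separated pattern in LIST matches VALUE.
# Patterns: ALL, a dotted prefix ending in "." (e.g. 192.168.1.), or an exact match.
in_list() {
    saved_ifs=$IFS
    IFS=','
    for pat in $1; do
        pat=$(printf '%s' "$pat" | tr -d '[:blank:]')   # strip surrounding blanks
        case $pat in
            ALL)   IFS=$saved_ifs; return 0 ;;
            *.)    case $2 in "$pat"*) IFS=$saved_ifs; return 0 ;; esac ;;
            "$2")  IFS=$saved_ifs; return 0 ;;
        esac
    done
    IFS=$saved_ifs
    return 1
}

# rule_matches FILE DAEMON CLIENT -> 0 and prints the matching rule line if
# FILE has a "daemons : clients" line matching DAEMON and CLIENT; a missing
# file matches nothing, just as for tcp_wrappers.
rule_matches() {
    [ -r "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac    # skip blank and comment lines
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}                        # ignore a trailing option field
        if in_list "$daemons" "$2" && in_list "$clients" "$3"; then
            echo "$1: $line"
            return 0
        fi
    done < "$1"
    return 1
}

# wrapper_decision DAEMON CLIENT_IP ALLOW_FILE DENY_FILE -> prints "allow" or "deny"
# following tcp_wrappers order: hosts.allow first, then hosts.deny, else allow.
wrapper_decision() {
    if rule_matches "$3" "$1" "$2" >/dev/null; then
        echo allow
    elif rule_matches "$4" "$1" "$2" >/dev/null; then
        echo deny
    else
        echo allow
    fi
}

# Usage on the server: sh check_wrappers.sh 192.168.1.20
# With a constructed hosts.allow of "sshd: 192.168.1. , 10.0.0.5" and a
# hosts.deny of "ALL: ALL", 192.168.1.20 prints allow and 10.0.0.6 prints deny;
# run rule_matches /etc/hosts.deny sshd 10.0.0.6 to see the rule itself.
if [ $# -eq 1 ]; then
    wrapper_decision sshd "$1" /etc/hosts.allow /etc/hosts.deny
fi
```

The decision is only as good as the subset implemented; if your files use EXCEPT clauses, netmasks or hostnames, fall back to the move-the-files test described above.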

User sshd does not exist

The same error 1062 (or from the Windows services panel: the service started and then stopped) may also indicate some other error.
Once again it is back to reading the log file; at least the service started, so you should get something there. One possible error may be:

$ cat /var/log/sshd.log
Privilege separation user sshd does not exist

If you get that, go ahead and make that user (see the User Setup section below in this Howto).

Unprotected Private Key File

The same error 1062 (or from the Windows services panel: the service started and then stopped) may also indicate yet another error.
Once again it is back to reading the log file:

$ cat /var/log/sshd.log
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for '/etc/ssh_host_dsa_key' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_dsa_key
Could not load host key: /etc/ssh_host_dsa_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.

If you get that, go ahead and change the permissions of the private key file with

$ chmod 600 /etc/ssh_host_dsa_key

You might get this error also for the other private key files /etc/ssh_host_key and /etc/ssh_host_rsa_key.
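The three permission problems in this troubleshooting section (binaries and their directories not executable by the service account, a host key readable by others, /var/empty writable by group or world) can be checked in one go before starting the service. The following POSIX shell script is an added example and not part of this howto. It assumes GNU stat from coreutils (which Cygwin ships) and the layout used here (C:\cygwin mounted as /). Because the fix above hands the binaries to the Administrators group with mode 775, the script checks the group execute bit along the whole path; it does not verify which group that is. The host key and /var/empty checks mirror the two refusals quoted from the log above.

```shell
#!/bin/sh
# Added example: permission checks for the sshd service account setup described
# in this howto. Uses GNU stat (coreutils), as shipped with Cygwin.

# mode_go PATH -> prints the group and other digits of PATH's octal mode, e.g. "64" for 0664
mode_go() {
    m=$(stat -c '%a' "$1") || return 1
    printf '%s\n' "${m#${m%??}}"
}

# hostkey_ok KEYFILE -> 0 if group and other have no permission bits at all,
# which is what sshd demands before it loads a private host key; 1 otherwise
hostkey_ok() {
    [ "$(mode_go "$1")" = "00" ]
}

# privsep_dir_ok DIR OWNER -> 0 if DIR is owned by OWNER (cyg_server or SYSTEM
# in this howto) and neither group nor world can write it (sshd's /var/empty check)
privsep_dir_ok() {
    [ -d "$1" ] || return 1
    [ "$(stat -c '%U' "$1")" = "$2" ] || return 1
    go=$(mode_go "$1") || return 1
    for d in "${go%?}" "${go#?}"; do
        case $d in 2|3|6|7) return 1 ;; esac      # write bit set for group or other
    done
    return 0
}

# exec_path_ok FILE [TOP] -> 0 if FILE and every directory above it, up to TOP
# (default /, i.e. C:\cygwin), carry the group execute bit; prints the first
# path that lacks it and returns 1 otherwise
exec_path_ok() {
    p=$1
    top=${2:-/}
    while :; do
        go=$(mode_go "$p") || return 1
        case ${go%?} in
            1|3|5|7) ;;
            *) echo "missing group execute bit: $p"; return 1 ;;
        esac
        if [ "$p" = "$top" ] || [ "$p" = / ]; then
            return 0
        fi
        p=$(dirname "$p")
    done
}

# report OWNER -> runs the checks against the paths this howto configures and
# prints "ok" or the fix to apply; OWNER is cyg_server (2003) or SYSTEM (XP)
report() {
    for bin in /usr/bin/cygrunsrv.exe /usr/sbin/sshd.exe; do
        [ -e "$bin" ] || continue
        if exec_path_ok "$bin"; then
            echo "ok   $bin"
        else
            echo "FIX  chgrp Administrators and chmod 775 $bin and its parent directories"
        fi
    done
    for key in /etc/ssh_host_key /etc/ssh_host_rsa_key /etc/ssh_host_dsa_key; do
        [ -e "$key" ] || continue
        if hostkey_ok "$key"; then
            echo "ok   $key"
        else
            echo "FIX  chmod 600 $key"
        fi
    done
    if privsep_dir_ok /var/empty "$1"; then
        echo "ok   /var/empty"
    else
        echo "FIX  chown $1 /var/empty; chmod 755 /var/empty"
    fi
}

# Usage: sh check_sshd_perms.sh cyg_server   (Windows Server 2003)
#        sh check_sshd_perms.sh SYSTEM        (Windows XP)
if [ -n "${1:-}" ]; then
    report "$1"
fi
```

Run it from the Cygwin shell as an administrator before `cygrunsrv -S sshd`; every FIX line corresponds to one of the chgrp/chmod/chown commands given in this section.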

User Setup

See the section above on ssh-host-config first; it will generate the users cyg_server (Windows Server 2003) and sshd in case
they are not already there. This section describes how to set up users manually, but you should not have to do this.
Run Start Menu -> Run “lusrmgr.msc”. The following screenshot is from Windows Server 2003, where a special privileged user
“cyg_server” is needed. Under Windows XP this is not the case; there the privileged user is simply the Local System Account. In any case
one needs a non-privileged account “sshd”. The screenshot here is from Windows Server 2003.
If you don’t have the users sshd and cyg_server (the latter is not needed for Windows XP), then right-click in the right user list panel
and choose “New User”. Again, only do this after you have tried Cygwin’s script ssh-host-config, because usually this script will do
this for you. The screenshot here shows the setup of the sshd account. For the cyg_server account see further below. Fill in the dialog
box. If there is an existing user you want to modify, ignore this step and continue below.

Don’t forget to add the user to /etc/passwd:

$ mkpasswd -l -u sshd | sed -e 's/\/home\/sshd/\/var\/empty/' >> /etc/passwd

Password change: For an existing user, right-click on the user, and select password change. Read the warnings, and ignore them for
sshd and cyg_server, since they do not have local files they need (see what happens under C:\Documents and Settings\ and clean up).

User sshd

In the lusrmgr.msc panel, right-click on the sshd user and verify its properties. The main properties screen should look like one of the
following (either one works).

User cyg_server

In the lusrmgr.msc panel, right-click on the cyg_server user and verify its properties.

Appendix

If all else fails, and you just cannot get the service set up, but you manage to run sshd under your own user name (to try this make sure
your user owns /var/empty), you can try to add the starting of the secure shell daemon as a scheduled task at system startup. This way at
least you can use ssh until you have more time to investigate. Setting up a scheduled task can be done through the Start Menu ->
Control Panel -> Scheduled Task. You’ll need a pair of DOS and shell scripts, placed under C:\cygwin\, and you set sshd.bat as a
scheduled task to run at system startup under your own user name.

sshd.bat
========
@echo off
C:
chdir \cygwin\bin
set path=.;c:\cygwin\bin;c:\cygwin\usr\sbin;%path%
sh /sshd.sh

sshd.sh
=======
#!/bin/sh
# Start sshd only if no sshd process is running yet; this avoids duplicate ssh daemons
# when the scheduled task fires more than once.
if [ 0 -eq "$(ps -ef | grep sshd | grep -v grep | wc -l)" ]; then
    /usr/sbin/sshd
fi
