Mail Archives: cygwin/2011/04/01/23:27:56

X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-0.2 required=5.0 tests=BAYES_00,SARE_OBFU_SHOULD,TW_RW,T_RP_MATCHES_RCVD
X-Spam-Check-By: sourceware.org
From: "Pascal J. Bourguignon" <pjb AT informatimago DOT com>
To: cygwin AT cygwin DOT com
Subject: openssh.README is wrong.
References: <30963485 DOT post AT talk DOT nabble DOT com> <ijn38b$fgq$1 AT dough DOT gmane DOT org> <30963747 DOT post AT talk DOT nabble DOT com>
X-Disabled: X-No-Archive: no
Reply-to: pjb AT informatimago DOT com
X-PGP-Key-ID: 0xEF5E9966
X-PGP-fingerprint: 00 F5 7B DB CA 51 8A AD 04 5B 6C DE 32 60 16 8E EF 5E 99 66
X-PGP-Public-Key: http://www.informatimago.com/pgpkey.asc
X-URL: http://www.informatimago.com/index
Date: Sat, 02 Apr 2011 05:26:40 +0200
In-Reply-To: <30963747.post@talk.nabble.com> (juliosergio@gmail.com's message of "Fri, 18 Feb 2011 17:42:41 -0800 (PST)")
Message-ID: <87mxk91ggf.fsf_-_@kuiper.lan.informatimago.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (gnu/linux)
MIME-Version: 1.0
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

openssh.README is wrong.

It says:

    This package describes important Cygwin specific stuff concerning OpenSSH.

    The binary package is usually built for recent Cygwin versions and might
    not run on older versions.  Please check http://cygwin.com/ for information
    about current Cygwin releases.

    Build instructions are at the end of the file.

    ===========================================================================
    Important change since 3.7.1p2-2:

    The ssh-host-config file doesn't create the /etc/ssh_config and
    /etc/sshd_config files from builtin here-scripts anymore, but it uses
    skeleton files installed in /etc/defaults/etc.

    Also it now tries hard to create appropriate permissions on files.
    Same applies for ssh-user-config.

    After creating the sshd service with ssh-host-config, it's advisable to
    call ssh-user-config for all affected users, also already existing user
    configurations.  In the latter case, file and directory permissions are
    checked and changed, if required to match the host configuration.

    Important note for Windows 2003 Server users:
    ---------------------------------------------

    2003 Server has a funny new feature.  When starting services under SYSTEM
    account, these services have nearly all user rights which SYSTEM holds...
    except for the "Create a token object" right, which is needed to allow
    public key authentication :-(

    There's no way around this, except for creating a substitute account which
    has the appropriate privileges.  Basically, this account should be member
    of the administrators group, plus it should have the following user rights:

        Create a token object
        Logon as a service
        Replace a process level token
        Increase Quota

    The ssh-host-config script asks you if it should create such an account,
    called "sshd_server".  If you say "no" here, you're on your own.  Please
    follow the instruction in ssh-host-config exactly if possible.  Note that
    ssh-user-config sets the permissions on 2003 Server machines dependent on
    whether a sshd_server account exists or not.
    ===========================================================================

    ===========================================================================
    Important change since 3.4p1-2:

    This version adds privilege separation as default setting, see
    /usr/doc/openssh/README.privsep.  According to that document the
    privsep feature requires a non-privileged account called 'sshd'.

    The new ssh-host-config file which is part of this version asks
    to create 'sshd' as local user if you want to use privilege
    separation.  If you confirm, it creates that NT user and adds
    the necessary entry to /etc/passwd.

    On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
    since that feature doesn't make any sense on a system which doesn't
    differ between privileged and unprivileged users.

    The new ssh-host-config script also adds the /var/empty directory
    needed by privilege separation.  When creating the /var/empty directory
    by yourself, please note that in contrast to the README.privsep document
    the owner should not be "root" but the user which is running sshd.  So,
    in the standard configuration this is SYSTEM.  The ssh-host-config script
    chowns /var/empty accordingly.
    ===========================================================================


But when I "chown sshd /var/empty ; chmod 700 /var/empty", I still get
the error message:

    pjb AT lassell ~
    $ /usr/sbin/sshd
    /var/empty must be owned by root and not group or world-writable.

    pjb AT lassell ~
    $ ls -ld /var/empty
    drwx------+ 1 sshd root 0 Mar 29 05:51 /var/empty

    pjb AT lassell ~
    $ uname -a
    CYGWIN_NT-6.1-WOW64 lassell 1.7.8(0.236/5/3) 2011-03-01 09:36 i686 Cygwin


Installed on a Microsoft Windows 7 Ultimate 64-bit system.

I've tried to change the owner of /var/empty to various other accounts
without success.   What should I do?

-- 
__Pascal Bourguignon__                     http://www.informatimago.com/
A bad day in () is better than a good day in {}.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
