Message-ID: | <5307BB89.80405@cse.yorku.ca> |
Date: | Fri, 21 Feb 2014 15:48:09 -0500 |
From: | Paul Griffith <paulg AT cse DOT yorku DOT ca> |
To: | cygwin AT cygwin DOT com |
Subject: | Silently configure sshd fails via system account |
Hi,

I am using a software package called WPKG (wpkg.org) to silently deploy Cygwin and then configure SSHD. The Cygwin installation works like a charm. Configuring sshd is another story.

If I run my script from an admin command prompt, I am able to set up sshd. If I run that same script from WPKG, it fails. The only difference is that the WPKG agent runs as the SYSTEM user. I assume SCCM (Microsoft System Center Configuration Manager) users would have the same issue since their agent also runs as SYSTEM.

Any ideas other than pulling apart /usr/bin/ssh-host-config and trying to do this manually myself?

Here is some of the debugging I captured. Notice how the permissions at [0] and [1] don't match; I can't explain that one. Updating Cygwin doesn't solve my problem.

Windows 7 Enterprise x64 SP 1
2GB RAM
VirtualBox 4.3.6

====== before running ssh-host-config (wpkg)
touch /var/log/sshd.log
chmod 700 /var/empty
chown SYSTEM /var/empty
ls -lad /var/empty
[0] drwx------+ 1 SYSTEM Administrators 0 Feb 21 13:07 /var/empty
/usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd blah
*** Info: Generating /etc/ssh_host_key
*** Info: Generating /etc/ssh_host_rsa_key
*** Info: Generating /etc/ssh_host_dsa_key
*** Info: Generating /etc/ssh_host_ecdsa_key
*** Info: Creating default /etc/ssh_config file
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Warning: The owner and the Administrators need
*** Warning: to have r.x permission to /var/empty.
*** Warning: Here are the current permissions and ACLS:
[1] *** Warning: drwxr-xr-x+ 1 SYSTEM Administrators 0 Feb 21 13:07 /var/empty
*** Warning: # file: /var/empty
*** Warning: # owner: SYSTEM
*** Warning: # group: Administrators
*** Warning: user::rwx
*** Warning: group::r-x
*** Warning: mask:rwx
*** Warning: other:r-x
*** Warning: default:user::rwx
*** Warning: default:group::r-x
*** Warning: default:other:r-x
*** Warning:
*** Warning: Please change the user and/or group ownership,
*** Warning: permissions, or ACLs of /var/empty.
*** ERROR: Problem with /var/empty directory. Exiting.
----

I call my script like the following:

start /wait %CYGWIN_ROOT%\bin\bash.exe --login -i /cygdrive/c/windows/temp/config-sshd-win7.sh "%cyg_server_passwd%"

config-sshd-win7.sh script:

------snip------
#!/bin/sh
echo running ssh-host-config
if [ -f /cygdrive/c/netinst/logs/ssh-host-config.log ]; then
  rm -f /cygdrive/c/netinst/logs/ssh-host-config.log
fi
echo before ssh-host-config > /cygdrive/c/netinst/logs/ssh-host-config.log

#setup permissions and ownership of files
echo setting up permissions
echo touch /var/log/sshd.log >> /cygdrive/c/netinst/logs/ssh-host-config.log
touch /var/log/sshd.log >> /cygdrive/c/netinst/logs/ssh-host-config.log
if [ ! -d /var/empty ]; then
  mkdir /var/empty
fi
#echo chown system /var/log/sshd.log /var/empty /etc/ssh_h* >> /cygdrive/c/netinst/logs/ssh-host-config.log
chown system /var/log/sshd.log /var/empty /etc/ssh_h* >> /cygdrive/c/netinst/logs/ssh-host-config.log
#echo chmod 700 /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 700 /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log

echo /usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd >> /cygdrive/c/netinst/logs/ssh-host-config.log
/usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd "$1" >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo after ssh-host-config >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo ls -lad /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log
ls -lad /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log

#Prohibits a user or group from logging on locally at the keyboard.
editrights -a SeDenyRemoteInteractiveLogonRight -u cyg_server

echo listing services: cygrunsrv -L >> /cygdrive/c/netinst/logs/ssh-host-config.log
cygrunsrv -L >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo starting sshd: cygrunsrv -S sshd >> /cygdrive/c/netinst/logs/ssh-host-config.log
cygrunsrv -S sshd

echo cd "/home/Administrator" >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 750 /home/Administrator
cd /home/Administrator
echo mkdir .ssh >> /cygdrive/c/netinst/logs/ssh-host-config.log
mkdir .ssh
echo chmod 700 .ssh >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 700 .ssh
ls -lad .ssh >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo cp //xxxxx/xxx/site/ssh/authorized_keys .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
cp //xxxx/xxxx/site/ssh/authorized_keys .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo ls -l .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
ls -l .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo chmod 644 .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 644 .ssh/authorized_keys
ls -l .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log

mkpasswd -l >> /etc/passwd
mkgroup -l >> /etc/group
-------snip------

Thank You
Paul