Mail Archives: cygwin/2014/03/18/06:16:57

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Tue, 18 Mar 2014 11:16:28 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Silently configure sshd fails via system account
Message-ID: <20140318101628.GC28387@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
References: <530B6ED1 DOT 2060003 AT cse DOT yorku DOT ca> <CAG9p0OSzrhsqf+gZjduxU0bxzovPY31kDwH=gJ3ZUtHuj8iBZQ AT mail DOT gmail DOT com> <f5bmwgowkuh DOT fsf AT troutbeck DOT inf DOT ed DOT ac DOT uk> <CAG9p0OT0282=+dGWuOjk2MxMSJX0E6irg-+hD9dE1vfqDLOVyA AT mail DOT gmail DOT com> <CAG9p0OS65OC-5o-wEre+2K7+NQHQE_OzmLW9HAN8bmcYzEoG3A AT mail DOT gmail DOT com> <CAG9p0OQ3Hr0wVq7eYQRHGwW79U9uAb1_13BqqY4qxuR2m8VMAQ AT mail DOT gmail DOT com> <CAG9p0OT9a9VZ3hx7DzQAKz1Lr2Y0niC21xr4AiYJekpMGJb2Jw AT mail DOT gmail DOT com> <CAG9p0OTzEQM4vV+jaCJUzKGaJRDCvrR=ASu8_D39W8+OiNgn1g AT mail DOT gmail DOT com> <1713042820 DOT 20140318034322 AT yandex DOT ru> <CAG9p0ORJQ6bHwjGBHUH2A75pU_--_DDqQsOPaVTLdnkhiCK2rA AT mail DOT gmail DOT com>
MIME-Version: 1.0
In-Reply-To: <CAG9p0ORJQ6bHwjGBHUH2A75pU_--_DDqQsOPaVTLdnkhiCK2rA@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)


On Mar 17 21:54, Lord Laraby wrote:
> On Mon, Mar 17, 2014 at 7:43 PM, Andrey Repin <> wrote:
> > Greetings, Lord Laraby!
> >
> >> Oh and I forgot the most intriguing gotcha. After creating the sshd
> >> user for me (I went to service manager and discovered this) the user
> >> assigned to the sshd server was actually cyg_server (not sshd)!!!!!
> >> After changing all of those things the service started.
> >
> > That's because the service is running as cyg_server, while the sshd user is
> > used to invoke login shells of connecting users.
> > You just messed it all.
> >
> >
> > --
> > WBR,
> > Andrey Repin (anrdaemon AT yandex DOT ru) 18.03.2014, <03:42>
> >
> > Sorry for my terrible english...
> >
> I did not change anything. As I said originally, after running
> ssh-host-config, no changes on my part, I had a slew of errors. See my
> original message. I do not change things on a whim. Service failed to
> start, means just what it says!

Nevertheless Andrey is right.  The sshd account is not meant to run the
service.  It's an unprivileged account used only in conjunction with
privilege separation.  The account you're supposed to run this under is
cyg_server, which is supposed to be a special account with more
privileges than a normal admin.  If you already have a cyg_server account,
it's utilized by default.  If the cyg_server account doesn't have the
required permissions, sshd is bound to fail.

The /etc/ssh* files as well as /var/empty are supposed to be owned by
the user account running sshd, which is cyg_server.  ssh-host-config
usually sets the permissions on these files accordingly.  The message
"/var/empty must be owned by root and not group or world-writable." is
generated by sshd and it's the right message for all other POSIX
systems, except Cygwin.  For Cygwin "root" here denotes the user running
sshd.  The reason the message doesn't reflect that is the unwillingness
of the upstream developers to change that just for the sake of Cygwin.
I've been asking for 10 years or so to convert certain checks for uid 0 into
platform-independent privilege tests.  I even sent patches to that
effect, but to no avail.

My suggestion: Remove all files related to ssh from /etc.  Remove
/var/empty.  Remove the ssh logs from /var/log.  Remove the sshd
and cyg_server accounts from your SAM.  Drop both from /etc/passwd.
Remove the sshd service.  Start over.

In another mail you wrote:

> cyg_server is already taken by a non-privileged user
> connected to the cygserver service.

Why?  The cygserver service *can* run under a non-privileged account,
but it's not supposed to.  It's not even supposed to run under the
cyg_server account, but under SYSTEM (or LocalSystem) because it
usually needs certain privileges.  The cygserver-config script does
exactly that.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
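As an added illustration (not part of the thread or of Cygwin's own scripts), a POSIX shell check for the two conditions Corinna describes: /var/empty and the /etc/ssh* files must be owned by the account that actually runs the sshd service (cyg_server on Cygwin, "root" in upstream's message) and must not be group- or world-writable. The function names are mine; `stat -c` is GNU coreutils, which Cygwin ships.

```shell
#!/bin/sh
# Added example, not from the thread: verify the ownership and mode
# conditions that make sshd refuse to start on Cygwin. The service
# account defaults to cyg_server (upstream's "root" in the error text).

# check_owner_and_mode PATH EXPECTED_OWNER
# 0: owned by EXPECTED_OWNER and not group/world-writable
# 1: wrong owner or too permissive; 2: path missing or unreadable
check_owner_and_mode() {
    path=$1
    expected_owner=$2
    [ -e "$path" ] || { echo "missing: $path" >&2; return 2; }
    actual_owner=$(stat -c '%U' "$path") || return 2   # GNU stat (Cygwin has it)
    mode=$(stat -c '%a' "$path") || return 2           # octal mode, e.g. 755
    # keep the last three octal digits; drops a leading setuid/setgid/sticky digit
    perm=$(printf '%s' "$mode" | tail -c 3)
    group_digit=$(printf '%s' "$perm" | cut -c2)
    world_digit=$(printf '%s' "$perm" | cut -c3)
    rc=0
    if [ "$actual_owner" != "$expected_owner" ]; then
        echo "$path: owned by $actual_owner, expected $expected_owner" >&2
        rc=1
    fi
    # bit 2 of each octal digit is the write bit
    if [ $((group_digit & 2)) -ne 0 ] || [ $((world_digit & 2)) -ne 0 ]; then
        echo "$path: group- or world-writable (mode $perm)" >&2
        rc=1
    fi
    return $rc
}

# audit_sshd_layout [EXPECTED_OWNER [PATH...]]
# Defaults to cyg_server and the paths named in the mail: /var/empty and /etc/ssh*.
audit_sshd_layout() {
    want_owner=${1:-cyg_server}
    if [ $# -gt 0 ]; then shift; fi
    if [ $# -eq 0 ]; then set -- /var/empty /etc/ssh*; fi
    status=0
    for p in "$@"; do
        check_owner_and_mode "$p" "$want_owner" || status=1
    done
    return $status
}

# Usage on a Cygwin host:  audit_sshd_layout cyg_server
# Exit status 0 means every path is owned by cyg_server and is not
# group/world-writable, which is what ssh-host-config normally sets up.
```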

