To: cygwin AT cygwin DOT com
From: René Berber
Subject: Re: sshd: fork of unprivileged child failed
Date: Sun, 04 Jun 2006 19:06:41 -0500

Robin Walker wrote:
> --On 04 June 2006 16:27 -0500 René Berber wrote:

Please sanitize the responses, we don't want our e-mail addresses in the open.

>> Robin Walker wrote:
>>
>>> I have a system with Cygwin sshd installed that refuses to accept
>>> connections. sshd is running and listening on port 22.
>>>
>>> In the Windows Application Log there are, for each failed connection
>>> attempt, entries of the form:
>>>
>>> sshd: PID xxxx: fatal: fork of unprivileged child failed.
>>
>> What is your configuration in respect to privilege separation?
>
> UsePrivilegeSeparation yes

Did you check if the rest of the configuration for using privilege separation
was done (i.e. the creation of the unprivileged user sshd, the creation of the
/var/empty directory with owner SYSTEM and all access).

The error message shows that the main sshd server is running but it cannot spawn
child processes, which it always does on a new connection (privilege or not) so
the second process failure is the interesting part. The error message doesn't
show anything from that second process.

You could try changing that setting, sshd will spawn a second process but this
time under user SYSTEM... if that works then we can narrow the possibilities.

To be more precise, from /usr/share/doc/openssh/README.privsep: "On Cygwin...
only the pre-authentication part of privsep is supported." So before auth there
is a process running under sshd and after the second process runs under SYSTEM.
That is why I would check if that user exists in Windows, in /etc/passwd, and
the part about /var/empty.

>> And a few more details could be useful, version of Windows,
>
> XP Pro, fully up to date.
>
>> any special ssh configuration?
>
> I have not configured anything. It used to work: now it doesn't.
>
>> was sshd and users installed following the provided documentation?
>
> To what provided documentation are you referring?

/usr/share/doc/Cygwin/openssh.README and for WinXP the recommendation is only to
use ssh-host-config and ssh-user-config.
--
René Berber
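The checks suggested in the message above (an sshd entry in /etc/passwd, and /var/empty present with owner SYSTEM), collected as an added shell example that is not part of the original message or of Cygwin's own scripts. The function name `check_privsep` and its optional root-prefix and expected-owner arguments are assumptions made for illustration; the check for the Windows account itself is not covered.

```shell
#!/bin/sh
# Added example: pre-flight check of the privilege separation prerequisites
# named in the message. Usage on a live Cygwin install:  check_privsep
# check_privsep [ROOT] [OWNER]
#   ROOT  - hypothetical path prefix, so a copy of the files can be checked
#   OWNER - expected owner of /var/empty (SYSTEM, per the message)
check_privsep() {
    root="${1:-}"
    owner="${2:-SYSTEM}"
    rc=0

    # sshd uses the first uncommented occurrence of a keyword.
    mode=$(awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); exit }' \
        "$root/etc/sshd_config" 2>/dev/null) || true
    echo "UsePrivilegeSeparation: ${mode:-unset}"
    if [ "$mode" = "no" ]; then
        echo "privsep disabled: sshd user and /var/empty are not used"
        return 0
    fi

    # The unprivileged pre-authentication child runs as user sshd.
    if grep -q '^sshd:' "$root/etc/passwd" 2>/dev/null; then
        echo "ok:   user sshd present in /etc/passwd"
    else
        echo "FAIL: no sshd entry in /etc/passwd"
        rc=1
    fi

    # The child's working directory must exist and have the expected owner.
    if [ ! -d "$root/var/empty" ]; then
        echo "FAIL: /var/empty is missing"
        rc=1
    else
        actual=$(ls -ld "$root/var/empty" | awk '{ print $3 }')
        if [ "$actual" = "$owner" ]; then
            echo "ok:   /var/empty owned by $actual"
        else
            echo "FAIL: /var/empty owned by $actual, expected $owner"
            rc=1
        fi
    fi
    return $rc
}
```

A non-zero return means at least one prerequisite is missing; the printed FAIL lines say which.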