From: Christoph Herdeg
To: cygwin AT cygwin DOT com
Date: Thu, 16 Jul 2009 14:01:38 +0200
Subject: Re: "ssh-host-config" now involves "cygwin-service-installation-helper.sh"

From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Date: 08.07.2009 13:10
Subject: Re: "ssh-host-config" now involves "cygwin-service-installation-helper.sh"

>On Jul 8 12:05, Christoph Herdeg wrote:
>> Hello Corinna,
>>
>> thank you for your answer - that's great news! Currently we're planning to
>> stay on Cygwin 1.5 as long as 1.7 is not declared final and stable. How
>> would I be able to get OpenSSH 5.2p1-3 into my 1.5 installation?
>
>http://cygwin.com/acronyms/#TOFU
>
>You can either just try using the ssh-host-config script from the
>5.2p1-3 package, or build your own OpenSSH. It builds out of the box,
>usually.
>
>
>Corinna
>
>--
>Corinna Vinschen                  Please, send mails regarding Cygwin to
>Cygwin Project Co-Leader          cygwin AT cygwin DOT com
>Red Hat
>
>--
>Problem reports:       http://cygwin.com/problems.html
>FAQ:                   http://cygwin.com/faq/
>Documentation:         http://cygwin.com/docs.html
>Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Hello Corinna,

this time I TOFU manually, just for your pleasure :)

Regarding your above advice I can tell you that it works just perfectly on
Stand Alone hosts or Domain Members when logged in locally. But there is a
problem using this latest ssh-host-config on Domain Controllers. Although
there are no local user accounts after a member server has been promoted to
Domain Controller, ssh-host-config wants to mkpasswd(mkgroup) -l
/etc/passwd(group). The result is that the installation won't work - I've
tried to get it up and running over the last few days: (for me) not possible.

Further, ssh-host-config faults about "illegal ACL entries" when executing
the following lines:

    setfacl -m u:system:rwx "${SYSCONFDIR}"
    setfacl -m u:system:rwx "${LOCALSTATEDIR}/log"
    setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty"

But due to the fact that SYSTEM with "Full Access" is being inherited from
"c:\" I don't believe it to be important.

In the above situation I can get sshd to start after manually chown'ing
/var/empty, /var/log/lastlog and /var/log/sshd.log to cyg_server, but a
publickey login is not possible: -vvv states (after lots of positive
messages) "debug2: we sent a publickey packet, wait for reply", "Connection
closed by (myremotehostsIP)". The keys do work, have the correct permissions
and else - I don't know where to start.

But I remembered that SSH works on Domain Controllers using our last package
which includes openssh-5.0p1-1. So tentatively I included the ssh-host-config
script from that version in the currently used openssh-5.1p1-10 package.
Installation went fine; only the service wouldn't start.
But after manually chown'ing /var/empty, /var/log/lastlog and
/var/log/sshd.log to sshd_server it worked and a publickey login was possible
at the 1st shot.

I know that I can't contribute quite a lot, but let me repeat the four
different states a Windows system can have:

    Stand Alone host with local user logged in
    Domain Member with local user logged in
    Domain Member with domain user logged in
    Domain Controller with domain user logged in

ssh-host-config and all other associated scripts and tools should in my
opinion be fully aware of all these states; currently they are not. If you
need machines for testing, I can provide you with administrative remote
access to a complete testbed domain; just let me know and I'll prepare
everything for the next day.

It would be so great to simply install and use SSH than having to tinker
every single version working (no offense!!!).

Best Regards,
Christoph Herdeg
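
The ownership fix described in the message above, turned into a repeatable check. This is an added example, not part of the original post or of Cygwin's scripts; the helper name check_sshd_paths and its optional PREFIX argument are hypothetical, and the write-permission test on /var/empty reflects OpenSSH's general start-up requirement for its privilege separation directory, which the post does not mention.

```shell
#!/bin/sh
# Added example: audit the paths the message had to chown before sshd started.
# Uses GNU stat (-c), which is what Cygwin's coreutils package provides.

# check_sshd_paths ACCOUNT [PREFIX]   (hypothetical helper)
#   ACCOUNT  expected owner, e.g. cyg_server or sshd_server
#   PREFIX   optional root to prepend (assumption, for auditing a copy)
# Prints one line per finding; the return status is the number of findings.
check_sshd_paths() {
    account=$1
    prefix=${2:-}
    findings=0
    for p in /var/empty /var/log/lastlog /var/log/sshd.log; do
        path="${prefix}${p}"
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            findings=$((findings + 1))
            continue
        fi
        owner=$(stat -c %U "$path")
        if [ "$owner" != "$account" ]; then
            echo "OWNER    $path owned by $owner, expected $account"
            findings=$((findings + 1))
        fi
        # sshd refuses a group- or world-writable privilege separation dir.
        if [ "$p" = /var/empty ]; then
            mode=$(stat -c %a "$path")
            if [ $((0$mode & 022)) -ne 0 ]; then
                echo "MODE     $path is group/world-writable ($mode)"
                findings=$((findings + 1))
            fi
        fi
    done
    return "$findings"
}

# Run the audit when an account name is given on the command line.
if [ $# -ge 1 ]; then
    check_sshd_paths "$@"
fi
```

Running it with the service account name before starting the service shows which of the three paths still need the chown.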