Message-ID: <5307BB89.80405@cse.yorku.ca>
Date: Fri, 21 Feb 2014 15:48:09 -0500
From: Paul Griffith
To: cygwin AT cygwin DOT com
Subject: Silently configure sshd fails via system account

Hi,

I am using a software package called WPKG (wpkg.org) to silently deploy Cygwin and then configure SSHD. The Cygwin installation works like a charm. Configuring sshd is another story. If I run my script from an admin command prompt, I am able to set up sshd. If I run that same script from WPKG, it fails. The only difference is that the WPKG agent runs as the SYSTEM user. I assume SCCM (Microsoft System Center Configuration Manager) users would have the same issue since their agent also runs as SYSTEM.

Any ideas other than pulling apart /usr/bin/ssh-host-config and trying to do this manually myself?

Here is some of the debugging I captured. Notice how the permissions at [0] and [1] don't match, I can't explain that one. Updating Cygwin doesn't solve my problem.

Windows 7 Enterprise x64 SP 1
2GB RAM
VirtualBox 4.3.6

====== before running ssh-host-config (wpkg)
touch /var/log/sshd.log
chmod 700 /var/empty
chown SYSTEM /var/empty
ls -lad /var/empty
[0] drwx------+ 1 SYSTEM Administrators 0 Feb 21 13:07 /var/empty

/usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd blah
*** Info: Generating /etc/ssh_host_key
*** Info: Generating /etc/ssh_host_rsa_key
*** Info: Generating /etc/ssh_host_dsa_key
*** Info: Generating /etc/ssh_host_ecdsa_key
*** Info: Creating default /etc/ssh_config file
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Warning: The owner and the Administrators need
*** Warning: to have r.x permission to /var/empty.
*** Warning: Here are the current permissions and ACLS:
[1] *** Warning: drwxr-xr-x+ 1 SYSTEM Administrators 0 Feb 21 13:07 /var/empty
*** Warning: # file: /var/empty
*** Warning: # owner: SYSTEM
*** Warning: # group: Administrators
*** Warning: user::rwx
*** Warning: group::r-x
*** Warning: mask:rwx
*** Warning: other:r-x
*** Warning: default:user::rwx
*** Warning: default:group::r-x
*** Warning: default:other:r-x
*** Warning:
*** Warning: Please change the user and/or group ownership,
*** Warning: permissions, or ACLs of /var/empty.
*** ERROR: Problem with /var/empty directory. Exiting.

----
I call my script like the following:

start /wait %CYGWIN_ROOT%\bin\bash.exe --login -i /cygdrive/c/windows/temp/config-sshd-win7.sh "%cyg_server_passwd%"

config-sshd-win7.sh script:

------snip------
#!/bin/sh
echo running ssh-host-config
if [ -f /cygdrive/c/netinst/logs/ssh-host-config.log ]; then
    rm -f /cygdrive/c/netinst/logs/ssh-host-config.log
fi
echo before ssh-host-config > /cygdrive/c/netinst/logs/ssh-host-config.log

#setup permissions and ownership of files
echo setting up permissions
echo touch /var/log/sshd.log >> /cygdrive/c/netinst/logs/ssh-host-config.log
touch /var/log/sshd.log >> /cygdrive/c/netinst/logs/ssh-host-config.log
if [ ! -d /var/empty ]; then
    mkdir /var/empty
fi
#echo chown system /var/log/sshd.log /var/empty /etc/ssh_h* >> /cygdrive/c/netinst/logs/ssh-host-config.log
chown system /var/log/sshd.log /var/empty /etc/ssh_h* >> /cygdrive/c/netinst/logs/ssh-host-config.log
#echo chmod 700 /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 700 /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo /usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd >> /cygdrive/c/netinst/logs/ssh-host-config.log
/usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd "$1" >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo after ssh-host-config >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo ls -lad /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log
ls -lad /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log

#Denies the cyg_server account logon through Remote Desktop Services.
editrights -a SeDenyRemoteInteractiveLogonRight -u cyg_server
echo listing services: cygrunsrv -L >> /cygdrive/c/netinst/logs/ssh-host-config.log
cygrunsrv -L >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo starting sshd: cygrunsrv -S sshd >> /cygdrive/c/netinst/logs/ssh-host-config.log
cygrunsrv -S sshd
echo cd "/home/Administrator" >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 750 /home/Administrator
cd /home/Administrator
echo mkdir .ssh >> /cygdrive/c/netinst/logs/ssh-host-config.log
mkdir .ssh
echo chmod 700 .ssh >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 700 .ssh
ls -lad .ssh >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo cp //xxxxx/xxx/site/ssh/authorized_keys .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
cp //xxxx/xxxx/site/ssh/authorized_keys .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo ls -l .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
ls -l .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo chmod 644 .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 644 .ssh/authorized_keys
ls -l .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
mkpasswd -l >> /etc/passwd
mkgroup -l >> /etc/group
-------snip------

Thank You
Paul
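
Added example, not part of the original post and not ssh-host-config's own logic: a pre-flight check that applies the requirement quoted in the warning (owner and group need r and x on /var/empty) to an ls-style mode string, run here against the two listings marked [0] and [1]. The function names are hypothetical, and the check looks at mode bits only, not at the ACL entries.

```shell
#!/bin/sh
# Added example; helper names are hypothetical and are not taken from
# ssh-host-config. Mode bits only: ACL entries are not examined.

# mode_has_rx MODE POS
# Succeeds if the permission triplet that starts at character POS of an
# ls-style mode string (2 = owner, 5 = group) grants read and execute.
mode_has_rx() {
    triplet=$(printf '%s' "$1" | cut -c"$2"-"$(($2 + 2))")
    case "$triplet" in
        r?[xs]) return 0 ;;   # x, or s (setuid/setgid with execute)
        *)      return 1 ;;
    esac
}

# check_mode_string MODE
# Applies the requirement from the warning text to one mode string.
# Prints each class that falls short; returns 0 only if both pass.
check_mode_string() {
    rc=0
    mode_has_rx "$1" 2 || { echo "owner lacks r/x: $1"; rc=1; }
    mode_has_rx "$1" 5 || { echo "group lacks r/x: $1"; rc=1; }
    return $rc
}

# check_dir DIR
# Same check against a live directory, reading the first field of
# `ls -ld` (the same field shown in the log). Returns 2 if DIR is missing.
check_dir() {
    [ -d "$1" ] || { echo "not a directory: $1"; return 2; }
    mode=$(ls -ld "$1" | awk '{print $1}')
    check_mode_string "$mode"
}

# Sample input: the two mode strings copied from listings [0] and [1].
BEFORE='drwx------+'
DURING='drwxr-xr-x+'

check_mode_string "$BEFORE" || echo "[0] does not meet the quoted requirement"
check_mode_string "$DURING" && echo "[1] meets the quoted requirement on mode bits"
```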