Date: Tue, 18 Mar 2014 11:16:28 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: Silently configure sshd fails via system account
Message-ID: <20140318101628.GC28387@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
References: <530B6ED1 DOT 2060003 AT cse DOT yorku DOT ca> <1713042820 DOT 20140318034322 AT yandex DOT ru>
On Mar 17 21:54, Lord Laraby wrote:
> On Mon, Mar 17, 2014 at 7:43 PM, Andrey Repin <> wrote:
> > Greetings, Lord Laraby!
> >
> >> Oh and I forgot the most intriguing gotcha. After creating the sshd
> >> user for me (I went to service manager and discovered this) the user
> >> assigned to the sshd server was actually cyg_server (not sshd)!!!!!
> >> After changing all of those things the service started.
> >
> > That's because the service is running as cyg_server, while the sshd user
> > is used to invoke login shells of connecting users.
> > You just messed it all.
> >
> >
> > --
> > WBR,
> > Andrey Repin (anrdaemon AT yandex DOT ru) 18.03.2014, <03:42>
> >
> > Sorry for my terrible English...
>
> I did not change anything. As I said originally, after running
> ssh-host-config, no changes on my part, I had a slew of errors. See my
> original message. I do not change things on a whim. Service failed to
> start, means just what it says!

Nevertheless Andrey is right. The sshd account is not meant to run the
service. It's an unprivileged account used only in conjunction with
privilege separation. The account you're supposed to run this under is
cyg_server, which is supposed to be a special account with more privileges
than a normal admin. If you already have a cyg_server account, it's
utilized by default. If the cyg_server account doesn't have the required
permissions, sshd is bound to fail.

The /etc/ssh* files as well as /var/empty are supposed to be owned by the
user account running sshd, which is cyg_server. ssh-host-config usually
sets the permissions on these files accordingly.

The message "/var/empty must be owned by root and not group or
world-writable." is generated by sshd and it's the right message for all
other POSIX systems, except Cygwin. For Cygwin "root" here denotes the
user running sshd.
The reason the message doesn't reflect that is the unwillingness of the
upstream developers to change that just for the sake of Cygwin. I've been
asking for 10 years or so to convert certain checks for uid 0 into
platform-independent privilege tests. I even sent patches to that effect,
but to no avail.

My suggestion: Remove all files related to ssh from /etc. Remove
/var/empty. Remove the ssh logs from /var/log. Remove the sshd and
cyg_server accounts from your SAM. Drop both from /etc/passwd. Remove the
sshd service. Start over.

In another mail you wrote:

> cyg_server is already taken by a non-privileged user
> connected to the cygserver service.

Why? The cygserver service *can* run under a non-privileged account, but
it's not supposed to. It's not even supposed to run under the cyg_server
account, but under SYSTEM (or LocalSystem) because it usually needs
certain privileges. The cygserver-config script does exactly that.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
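As an added example (not from the mail above nor from the Cygwin project), a POSIX shell pre-flight check that applies the rule Corinna describes to the paths the mail names: each must be owned by the account running the sshd service (cyg_server by default) rather than root, and be neither group- nor world-writable. The function names are made up here, and the field layout of `ls -ld` (mode, links, owner, group, ...) is assumed.

```shell
#!/bin/sh
# Added example: mirror sshd's ownership/write-permission test on
# /var/empty and the /etc/ssh* files, but check against the Cygwin
# service account instead of uid 0. Hypothetical helper names.

# check_sshd_path PATH OWNER
# Returns 0 when PATH is owned by OWNER and is neither group- nor
# world-writable; prints the reason and returns 1 otherwise.
check_sshd_path() {
    path=$1
    want_owner=$2
    [ -e "$path" ] || { echo "$path: missing"; return 1; }
    # Assumed 'ls -ld' layout: mode links owner group size date name
    set -- $(ls -ld "$path")
    mode=$1
    owner=$3
    if [ "$owner" != "$want_owner" ]; then
        echo "$path: owned by $owner, expected $want_owner"
        return 1
    fi
    # 6th char of the mode string is group write, 9th is world write.
    case $mode in
        ?????w*)    echo "$path: group-writable ($mode)"; return 1 ;;
        ????????w*) echo "$path: world-writable ($mode)"; return 1 ;;
    esac
    return 0
}

# check_sshd_layout OWNER
# Walks the paths named in the mail; returns the number of failures.
check_sshd_layout() {
    fails=0
    for p in /var/empty /etc/ssh_config /etc/sshd_config /etc/ssh_host_*; do
        check_sshd_path "$p" "$1" || fails=$((fails + 1))
    done
    return $fails
}

# On a Cygwin host: sh this_script.sh cyg_server
if [ $# -gt 0 ]; then
    check_sshd_layout "$1"
fi
```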