Date: Tue, 1 Apr 2014 10:34:58 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: Silently configure sshd fails via system account

On Mar 19 17:57, Corinna Vinschen wrote:
> On Mar 19 11:54, Paul Griffith wrote:
> > On 03/18/2014 09:24 PM, PolarStorm wrote:
> > > Paul Griffith wrote
> > >> ...
> > >> /usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd blah
> > >> ...
> > >
> > > Just a few things...
> > >
> > > 1) Don't do that (manually).
> > > First of all, "ntsec" is deprecated. Second, there are a lot of strange
> > > issues when using "--yes", just answer the questions manually,
> > > especially since you don't need all those keys just to have ssh work.
> > >
> > > 2) Make sure you run the ssh-host-config from an "administrator: cygwin
> > > shell.
> > >
> > > 3) Check your /etc/sshd-config for: "UsePrivilegeSeparation sandbox" which
> > > is the new default. The ssh-host-config script has a bug on line 169 that
> > > attempts to set this to "no", but where the regex fails. (I told people
> > > in THIS nabble post, but I don't think it ever reached the main mailing
> > > list.)
> > >
> > > 4) The sshd user pas-wor-d is set to expire by default after 42 days, in
> > > Windows 8.1.
> > > Fix it if you're using that.
> > >
> >
> > Thanks Gene for the heads up, it will help me fine tune my setup! I need
> > to use the "--yes" option because I am building an automated installation
> > for Windows 7.
>
> I attached a new incarnation of the ssh-host-config script to this
> mail.

Anybody?

> Would interested parties be so kind to test this new script?
>
> Changes compared to the released version from the openssh package:
>
> - The "StrictModes" setting in /etc/sshd_config is now asked for, rather than
>   setting it always to "no".
>
>   The background is that "StrictModes yes" is the more secure setting.
>   "StrictModes no" is only required for users with home directories on a
>   "noacl" mount or on FAT/FAT32 partitions, so I think the administrator
>   should have a choice here.
>
> - The "UsePrivilegeSeparation" setting in /etc/sshd_config now takes into
>   account that the default setting is "sandbox", which doesn't make
>   sense on Cygwin.
>
> - Changes to /etc/sshd_config are now only written to the file, if the file
>   has been just generated or if the question
>
>     "Overwrite existing /etc/sshd_config file?"
>
>   has been answered with "yes".
>
> I also tweaked the script slightly to support the new passwd/group code
> I'm working on, but that's not yet finished.

Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
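
Added example, not part of the original message and not code from the openssh package: a shell check that reports the effective global values of the two settings discussed above, "StrictModes" and "UsePrivilegeSeparation", in a given sshd_config. The function names `effective_value` and `audit_sshd_config` are hypothetical, the sample config is constructed, and an unset "UsePrivilegeSeparation" is treated as "sandbox" because the thread describes that as the default.

```shell
#!/bin/sh
# Added example (not from the openssh package): audit the two sshd_config
# settings discussed in the thread above. Function names are hypothetical.

# Print the first uncommented global value of keyword $2 in file $1.
# sshd uses the first value it obtains for a keyword, matches keywords
# case-insensitively, and the global section ends at the first Match line.
# Assumption: keyword and value are separated by whitespace.
effective_value() {
  awk -v key="$2" '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    NF >= 2 && tolower($1) == tolower(key) { print tolower($2); exit }
  ' "$1"
}

# Print one line per finding; return 1 if anything needs attention.
audit_sshd_config() {
  cfg=$1 rc=0
  sm=$(effective_value "$cfg" StrictModes)
  ups=$(effective_value "$cfg" UsePrivilegeSeparation)
  # Defaults when a keyword is absent or commented out: StrictModes is "yes";
  # "sandbox" for UsePrivilegeSeparation is an assumption taken from the thread.
  sm=${sm:-yes} ups=${ups:-sandbox}
  if [ "$sm" != yes ]; then
    echo "WARN StrictModes=$sm: only needed for homes on noacl mounts or FAT/FAT32"
    rc=1
  fi
  if [ "$ups" = sandbox ]; then
    echo "WARN UsePrivilegeSeparation=sandbox: does not make sense on Cygwin"
    rc=1
  fi
  [ "$rc" -ne 0 ] || echo "OK StrictModes=$sm UsePrivilegeSeparation=$ups"
  return "$rc"
}

# Constructed sample: "sandbox" still active and StrictModes relaxed.
sample=$(mktemp)
printf '%s\n' '#StrictModes yes' 'strictmodes no' \
  'UsePrivilegeSeparation sandbox   # constructed sample line' > "$sample"
audit_sshd_config "$sample" || echo "findings reported for $sample"
rm -f "$sample"
```

On a real host, pass /etc/sshd_config to `audit_sshd_config` after running ssh-host-config to confirm the answers given were actually written to the file.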