From: Brian Mc George
To: cygwin AT cygwin DOT com
Subject: sshd - ssh-host-config uses incorrect username for setup
Date: Tue, 29 Dec 2015 09:08:49 +0200
Hi,

I am using EC2 and need to automate the configuration of sshd at instance launch.

If I manually RDP into the machine and execute:

ssh-host-config --yes --privileged --user cyg_server --pwd ${PASSWORD}

it will work correctly. However, if I use user data (lets you execute PowerShell commands on instance start) it will fail. It will also fail if I try to execute the command using WinRM (the Windows equivalent of ssh).

If I RDP into the machine and execute it manually then the Cygwin name will be 'cyg_server'. If I try to automate it the Cygwin name is +'cyg_server'. It then cannot find the cyg_server account and fails.

How can I work around this? Even if it just uses SYSTEM as the account, I just need it to work.

Here is the log when I try to use the aforementioned method:

*** Info: Generating missing SSH host keys
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
*** Info: Creating default /etc/ssh_config file
*** Info: Creating default /etc/sshd_config file
*** Info: StrictModes is set to 'yes' by default.
*** Info: This is the recommended setting, but it requires that the POSIX
*** Info: permissions of the user's home directory, the user's .ssh
*** Info: directory, and the user's ssh key files are tight so that
*** Info: only the user has write permissions.
*** Info: On the other hand, StrictModes don't work well with default
*** Info: Windows permissions of a home directory mounted with the
*** Info: 'noacl' option, and they don't work at all if the home
*** Info: directory is on a FAT or FAT32 partition.
*** Query: Should StrictModes be used? (yes/no) yes
*** Info: Privilege separation is set to 'sandbox' by default since
*** Info: OpenSSH 6.1. This is unsupported by Cygwin and has to be set
*** Info: to 'yes' or 'no'.
*** Info: However, using privilege separation requires a non-privileged account
*** Info: called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges. Should this script attempt to create a
*** Query: new local account 'sshd'? (yes/no) yes
*** Info: Updating /etc/sshd_config file
*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Query: Enter the value of CYGWIN for the daemon: []
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires. You need to have or to create a privileged
*** Info: account. This script will help you do so.
*** Info: It's not possible to use the LocalSystem account for services
*** Info: that can change the user id without an explicit password
*** Info: (such as passwordless logins [e.g. public key authentication]
*** Info: via sshd) when having to create the user token from scratch.
*** Info: For more information on this requirement, see
*** Info: https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless such an account
*** Info: already exists). This account is then used to run these special
*** Info: servers.
*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.
*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Create new privileged user account 'WIN-FII6OQ85EQF\cyg_server' (Cygwin name: 'win-fii6oq85eqf+cyg_server')? (yes/no) yes
*** Info: User 'win-fii6oq85eqf+cyg_server' has been created with password 'XXX'.
*** Info: If you change the password, please remember also to change the
*** Info: password for the installed services which use (or will soon use)
*** Info: the 'win-fii6oq85eqf+cyg_server' account.
passwd: unknown user win-fii6oq85eqf+cyg_server
*** Warning: Setting password expiry for user 'win-fii6oq85eqf+cyg_server' failed!
*** Warning: Please check that password never expires or set it to your needs.
No user or group 'win-fii6oq85eqf+cyg_server' known.
*** Warning: Assigning the appropriate privileges to user 'win-fii6oq85eqf+cyg_server' failed!
*** ERROR: There was a serious problem creating a privileged user.
*** Query: Do you want to proceed anyway? (yes/no) yes
*** Warning: Expected privileged user 'win-fii6oq85eqf+cyg_server' does not exist.
*** Warning: Defaulting to 'SYSTEM'
*** Info: The sshd service has been installed under the LocalSystem
*** Info: account (also known as SYSTEM). To start the service now, call
*** Info: `net start sshd' or `cygrunsrv -S sshd'. Otherwise, it
*** Info: will start automatically after the next reboot.
*** Warning: Host configuration exited with 1 errors or warnings!
*** Warning: Make sure that all problems reported are fixed,
*** Warning: then re-run ssh-host-config.

Thanks,
Brian Mc George
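An added example, not code from the post above or from the Cygwin project: because --yes also answers "Do you want to proceed anyway?" for you, an unattended run like the one logged above ends with sshd silently installed under SYSTEM. This POSIX sh check reads the captured log (the log path and the tee capture are assumptions) and makes the provisioning step fail instead, reporting the mismatched Cygwin account name.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Cygwin project.
# With --yes, ssh-host-config answers "proceed anyway?" for you, so an unattended run
# (EC2 user data, WinRM) can end with sshd installed under SYSTEM and a half-created
# privileged account. This check reads the captured log and fails the provisioning step.
# Assumed capture: ssh-host-config --yes --privileged --user cyg_server --pwd "$PASSWORD" \
#                  2>&1 | tee /var/log/ssh-host-config.log   (path is an assumption)

# Remove the colour escapes the script prints (ESC[1;32m, ESC[0;0m, ...).
strip_ansi() {
    sed "s/$(printf '\033')\[[0-9;]*m//g"
}

# check_host_config_log LOGFILE EXPECTED_USER
# Prints one finding per line; returns 1 when sshd must not be trusted as configured.
check_host_config_log() {
    clean=$(strip_ansi <"$1")
    rc=0
    if printf '%s\n' "$clean" | grep -q '^\*\*\* ERROR:'; then
        echo "ssh-host-config reported an error"; rc=1
    fi
    if printf '%s\n' "$clean" | grep -q "Defaulting to 'SYSTEM'"; then
        echo "sshd installed under LocalSystem: passwordless (public key) logins cannot work"; rc=1
    fi
    # Cygwin name the script actually created versus the one requested with --user.
    created=$(printf '%s\n' "$clean" | sed -n "s/.*User '\([^']*\)' has been created.*/\1/p")
    if [ -n "$created" ] && [ "$created" != "$2" ]; then
        echo "privileged account is '$created', expected '$2'" \
             "(account-name prefixing is governed by db_prefix in /etc/nsswitch.conf)"; rc=1
    fi
    return $rc
}

# Constructed excerpt of the failing run from the post, colour escapes included.
write_sample_log() {
    esc=$(printf '\033')
    cat >"$1" <<EOF
${esc}[1;32m*** Info:${esc}[0;0m User 'win-fii6oq85eqf+cyg_server' has been created with password 'XXX'.
No user or group 'win-fii6oq85eqf+cyg_server' known.
${esc}[1;31m*** ERROR:${esc}[0;0m There was a serious problem creating a privileged user.
${esc}[1;33m*** Warning:${esc}[0;0m Defaulting to 'SYSTEM'
${esc}[1;33m*** Warning:${esc}[0;0m Host configuration exited with 1 errors or warnings!
EOF
}
```

Call check_host_config_log from the same user-data step right after the capture and abort provisioning on a non-zero return, so a half-configured sshd never reaches service.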