Secure Shell Demon setup under Windows XP / Windows Server 2003




Configuration inside of Cygwin

    $ chgrp Administrators /var/{run,log,empty}
    $ chown Administrators /var/{run,log,empty}
    $ chmod 775 /var/{run,log}
    $ chmod 755 /var/empty
    $ ssh-host-config
    *** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
    *** Info: Creating default /etc/ssh_config file
    *** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
    *** Info: Creating default /etc/sshd_config file
    *** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
    *** Info: However, this requires a non-privileged account called 'sshd'.
    *** Info: For more info on privilege separation read /usr/share/doc/openssh/readme.privsep.
    *** Query: Should privilege separation be used? (yes/no) yes
    *** Info: Updating /etc/sshd_config file
    *** Warning: The following functions require administrator privileges!
    *** Query: Do you want to install sshd as a service?
    *** Query: (Say "no" if it is already installed as a service) (yes/no) yes
    *** Query: Enter the value of CYGWIN for the daemon: [] ntsec binmode nodosfilewarning
    *** Info: On Windows Server 2003, Windows Vista, and above, the
    *** Info: SYSTEM account cannot setuid to other users -- a capability
    *** Info: sshd requires. You need to have or to create a privileged
    *** Info: account. This script will help you do so.
    *** Info: You appear to be running Windows 2003 Server or later. On 2003
    *** Info: and later systems, it's not possible to use the LocalSystem
    *** Info: account for services that can change the user id without an
    *** Info: explicit password (such as passwordless logins [e.g. public key
    *** Info: authentication] via sshd).
    *** Info: If you want to enable that functionality, it's required to create
    *** Info: a new account with special privileges (unless a similar account
    *** Info: already exists). This account is then used to run these special
    *** Info: servers.
    *** Info: Note that creating a new user requires that the current account
    *** Info: have Administrator privileges itself.
    *** Info: The following privileged accounts were found: 'cyg_server'.
    *** Info: This script plans to use 'cyg_server'.
    *** Info: 'cyg_server' will only be used by registered services.
    *** Query: Do you want to use a different name? (yes/no) no
    *** Query: Please enter the password for user 'cyg_server':
    *** Query: Reenter:
    *** Info: The sshd service has been installed under the 'cyg_server'
    *** Info: account. To start the service now, call `net start sshd' or
    *** Info: `cygrunsrv -S sshd'. Otherwise, it will start automatically
    *** Info: after the next reboot.
    *** Info: Host configuration finished. Have fun!

Under Windows XP there is no mention of the cyg_server account; instead the output ends with

    *** Info: The sshd service has been installed under the LocalSystem
    *** Info: account (also known as SYSTEM). To start the service now, call
    *** Info: `net start sshd' or `cygrunsrv -S sshd'. Otherwise, it
    *** Info: will start automatically after the next reboot.

Ultimately the sshd service is to be run as user cyg_server (Windows Server 2003) or SYSTEM (Windows XP). Make sure the /var/empty directory has the right owner and permissions. Note that this is somewhat of a catch-22: the ssh-host-config script needs /var/empty to be owned by Administrators, while to run the sshd service /var/empty has to be owned by the account that runs the service (cyg_server or SYSTEM, as above).

    # Windows Server 2003
    $ chown cyg_server /var/empty
    $ chmod 755 /var/empty

    # Windows XP
    $ chown SYSTEM /var/empty
    $ chmod 755 /var/empty

If the ssh-host-config script output above does not say anything about installing the service, then it was already installed, and may work for you. If it does not work, you can remove the service with

    $ cygrunsrv -R sshd

On some systems the removal only takes effect after a reboot. Then install the service again with

    $ cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd

and start it with

    $ cygrunsrv -S sshd

Troubleshooting

Below you find a list of errors and fixes, in no particular order.

Access is denied, Win32 error 5

Starting the sshd service may fail with

    cygrunsrv: Error starting a service: StartService: Win32 error 5: Access is denied.

Another error like this may be

    $ cygrunsrv -S sshd
    cygrunsrv: Error starting a service: StartService: Win32 error 1069: The service did not start due to a logon failure.

Equivalently, if you used

    $ net start sshd

you may get the error message

    System error 5 has occurred.
    Access is denied.

In that case the user under which the service is set to start is likely not set up correctly. Go to the Services panel (usually found under Start Menu -> Control Panel -> Administrative Tools -> Services, or Start Menu -> Control Panel -> Computer Management, Services and Applications entry). The service manager is hard to find on some Windows Server 2003 servers where it's not under the administrative tools. One way of getting there is via the Start Menu -> Control Panel -> Administrative Tools -> List of Common Administrative Tasks -> Managing Services -> Open Services. Another way is to run it directly with Start Menu -> Run, and type in services.msc.

From the right-click menu, open the Properties panel, the Log On tab.

Under Windows XP this should be set to run under the Local System Account.

Under Windows Server 2003 this has to run as the cyg_server user (don't enter the .\ as part of the user name, this is automatically added); specify the password you set earlier:

Cygwin binaries permissions wrong

If it still fails with an Access Denied error (same error number 5), then make sure that the execution path and its elements are all accessible and/or executable by the SYSTEM (Windows XP) or cyg_server (Windows Server 2003) user. In particular, check the permissions of C:\cygwin\usr\sbin\sshd.exe and C:\cygwin\usr\bin\cygrunsrv.exe.

    $ ls -l /usr/bin/cygrunsrv.exe
    -rwxr-x--- 1 user1 Users 68096 Mar 18 2008 /usr/bin/cygrunsrv.exe

The above is wrong: the Local System Account (Windows XP) or the cyg_server user (Windows Server 2003) cannot run the cygrunsrv program. The same error can happen with the sshd executable. Here is the fix.

    $ chgrp Administrators /usr/bin/cygrunsrv.exe /usr/sbin/sshd.exe /usr/bin /usr/sbin /usr
    $ chmod 775 /usr/bin/cygrunsrv.exe /usr/sbin/sshd.exe /usr/bin /usr/sbin /usr

If it still fails, make sure you also check the path of your Cygwin installation, which is usually C:\cygwin, running the same chgrp and chmod commands (the path is quoted so that the shell does not treat the backslash as an escape character):

    $ chgrp Administrators 'C:\cygwin'
    $ chmod 775 'C:\cygwin'

The CYGWIN sshd service on Local Computer started and then stopped, Win32 error 1062

You may get yet another error when you try to start the service through the Windows Admin Tools services interface:

    The CYGWIN sshd service on Local Computer started and then stopped. Some services stop automatically if they have no work to do, for example, the Performance Logs and Alerts service.

If you tried this from the command line instead, you may get a different error message:

    $ cygrunsrv -S sshd
    cygrunsrv: Error starting a service: QueryServiceStatus: Win32 error 1062: The service has not been started.

Since the service may have started and then stopped (at least when you start from the Services panel, that's what it claimed), its error message may also be available from the Cygwin error log (and may give more detailed information):

/var/empty permission issue

    $ cat /var/log/sshd.log
    /var/empty must be owned by root and not group or world-writable.

That means that the user starting sshd was not the one owning /var/empty. The error message stems from the Unix world, where sshd usually gets started by the system administrator, who is called root under Unix, so it is a bit misleading here.

Windows Server 2003: We want to run sshd under the user cyg_server:

    $ chown cyg_server /var/empty
    $ chmod 755 /var/empty
    $ ls -ld /var/empty
    drwxr-xr-x+ 1 cyg_server Administrators 0 Feb 9 2009 /var/empty

Windows XP: We want to run sshd under the Local System Account:

    $ chown SYSTEM /var/empty
    $ chmod 755 /var/empty
    $ ls -ld /var/empty
    drwxr-xr-x+ 1 SYSTEM Administrators 0 Oct 8 2008 /var/empty

ssh_exchange_identification: Connection closed by remote host

Not really an sshd error, but this is an error message you may get when sshd is running successfully and you are trying to connect from a client machine that is not allowed to connect, because the client machine is either included in /etc/hosts.deny or not specifically allowed in /etc/hosts.allow. If you get this error, and you have the /etc/hosts.allow or /etc/hosts.deny files on the server, then move them temporarily to some other directory. If that allows you to connect, then you know what the problem was and you have to fix your /etc/hosts.allow or /etc/hosts.deny setup.

User sshd does not exist

The same error 1062 (or from the Windows services panel: the service started and then stopped) may also indicate some other error. Once again it is back to reading the log file; at least the service started, so you should get something there. One possible error may be:

    $ cat /var/log/sshd.log
    Privilege separation user sshd does not exist

If you get that, go ahead and make that user (see below in this Howto).

Unprotected Private Key File

The same error 1062 (or from the Windows services panel: the service started and then stopped) may also indicate yet another error. Once again it is back to reading the log file:

    $ cat /var/log/sshd.log
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Permissions 0664 for '/etc/ssh_host_dsa_key' are too open.
    It is recommended that your private key files are NOT accessible by others.
    This private key will be ignored.
    bad permissions: ignore key: /etc/ssh_host_dsa_key
    Could not load host key: /etc/ssh_host_dsa_key
    Disabling protocol version 2. Could not load host key
    sshd: no hostkeys available -- exiting.

If you get that, go ahead and change the permissions of the private key file with

    $ chmod 600 /etc/ssh_host_dsa_key

You might get this error also for the other private key files /etc/ssh_host_key and /etc/ssh_host_rsa_key.

Client-side warning about tty when connecting via ssh

This likely has to do with the CYGWIN variable set up during sshd installation on the server to which you are connecting. Until the beginning of 2012 the value tty was allowed as part of the CYGWIN environment variable; since then it's flagged as obsolete. The solution is to remove the sshd service (with cygrunsrv -R sshd) and to reconfigure and reinstall it with ssh-host-config, this time making sure that CYGWIN is set to "ntsec binmode nodosfilewarning" as described in the first section of this guide. There is no need to resave or write over the existing /etc/ssh_config and /etc/sshd_config configuration files.
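The ownership and permission requirements from the troubleshooting entries above (/var/empty, the sshd privilege-separation user, the private host key files) can be checked in one read-only pass before starting the service. This is an added example, not part of the original guide; the function names and the ROOT prefix argument of audit are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): read-only preflight audit of the
# ownership and permission requirements sshd enforces at startup.
# The ROOT argument of audit is a hypothetical prefix so that the checks can
# also be run against a copy of the tree; pass "" for the live installation.

perms() { ls -ld "$1" | cut -c2-10; }          # nine mode characters, e.g. rwxr-xr-x
owner() { ls -ld "$1" | awk '{print $3}'; }    # owning user as ls reports it

# A private host key accessible by group or others is ignored by sshd.
check_key() {
    [ -f "$1" ] || return 0                    # key type not generated: skip
    case "$(perms "$1")" in
        ???------) return 0 ;;
    esac
    echo "FAIL $1: mode $(perms "$1") is too open; fix: chmod 600 $1"
    return 1
}

# /var/empty must belong to the account that runs sshd and must not be
# group- or world-writable.
check_empty() {
    rc=0
    if [ "$(owner "$1")" != "$2" ]; then
        echo "FAIL $1: owned by '$(owner "$1")'; fix: chown $2 $1"; rc=1
    fi
    case "$(perms "$1")" in
        ????-??-?) ;;
        *) echo "FAIL $1: mode $(perms "$1") is group/world-writable; fix: chmod 755 $1"; rc=1 ;;
    esac
    return $rc
}

# The unprivileged privilege-separation user needs an /etc/passwd entry.
check_privsep_user() {
    grep -q '^sshd:' "$1" && return 0
    echo "FAIL $1: no entry for user sshd"
    return 1
}

# audit ROOT ACCOUNT: run every check; the return value is the failure count.
audit() {
    root=$1 account=$2 failures=0
    check_empty "$root/var/empty" "$account" || failures=$((failures + 1))
    check_privsep_user "$root/etc/passwd"    || failures=$((failures + 1))
    for key in ssh_host_key ssh_host_rsa_key ssh_host_dsa_key; do
        check_key "$root/etc/$key"           || failures=$((failures + 1))
    done
    return $failures
}

# Windows Server 2003:  audit "" cyg_server
# Windows XP:           audit "" SYSTEM
```

Each FAIL line names the file and repeats the corresponding fix from this guide; the script itself changes nothing.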

User Setup

See the section above on ssh-host-config first; this will generate the users cyg_server (Windows Server 2003) and sshd in case they are not already there. This section describes how to set up users manually, but you should not have to do this.

Open Start Menu -> Run and type lusrmgr.msc. The following screenshot is from Windows Server 2003, where a special privileged user cyg_server is needed. Under Windows XP, this is not the case; the privileged user is simply the local system account. In any case one needs a non-privileged account sshd.

If you don't have the users sshd and cyg_server (the latter is not needed for Windows XP), then right-click in the right user list panel, and choose New User. Again, only do this after you have tried Cygwin's script ssh-host-config, because usually this script will do this for you. The screenshot here shows the setup of the sshd account. For the cyg_server account see further below.

Fill in the dialog box. If there is an existing user you want to modify, ignore this step and continue below. Don't forget to add the user to /etc/passwd:

    $ mkpasswd -l -u sshd | sed -e 's/\/home\/sshd/\/var\/empty/' >> /etc/passwd

Password change: For an existing user, right-click on the user, and select password change. Read the warnings, and ignore them for sshd and cyg_server, since they do not have local files they need (see what happens under C:\Documents and Settings\ and clean up).

User sshd

In the lusrmgr.msc panel, right-click on the sshd user and verify its properties. The main properties screen should look like one of the following (either one works).

User cyg_server

In the lusrmgr.msc panel, right-click on the cyg_server user and verify its properties.

Appendix

If all else fails, and you just cannot get the service set up, but you manage to run sshd under your own user name (to try this, make sure your user owns /var/empty), you can try to add the starting of the secure shell demon as a scheduled task at system startup. This way at least you can use ssh until you have more time to investigate. Setting up a scheduled task can be done through the Start Menu -> Control Panel -> Scheduled Task. You'll need a pair of DOS and shell scripts, placed under C:\cygwin\, and you set sshd.bat as a scheduled task to run at system startup under your own user name.

sshd.bat
========
@echo off
C:
chdir \cygwin\bin
set path=.;c:\cygwin\bin;c:\cygwin\usr\sbin;%path%
sh /sshd.sh

sshd.sh
=======
#!/bin/sh
echo "$1"
if [ 0 -eq `ps -ef | grep sshd | grep -v grep | wc -l` ]; then
    # avoids duplicate ssh demons running
    /usr/sbin/sshd
fi