Jephe Wu - http://linuxtechres.blogspot.com
Environment: Windows 2000 server sp4, cygwin sshd, password authentication and public key login were working fine. After upgrading to Windows 2003 sp2 server, cygwin sshd password login still works, but public key login doesn't work anymore
Objective: to make ssh public key login work for cygwin after upgrading OS.
Steps:
1. create both sshd and sshd_server user accounts, sshd is just normal user who belongs to users group, sshd_server needs to be in Administrators groups, otherwise when you ssh into this cygwin server from Linux using public key authentication, you will encounter the errors below:
ssh from CentOS 4 to cygwin server under win2k03 server sp2:
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
Last login: Thu May 26 14:06:59 2011 from 165.114.120.117
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to web1 closed.
debug1: Transferred: stdin 0, stdout 0, stderr 34 bytes in 5.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 6.6
debug1: Exit status 255
however, the password login without using public key authentication will work.
run services.msc to edit cygwin service to logon as user sshd_server and type in password.
Right click on my computer, properties, configure system variables CYGWIN as "ntsec tty", use 'set' command under command prompt to confirm it's been set.
2. double click cygwin, run 'ssh-host-config' to generate configuration files, answer yes to overwrite and yes for privileges seperation.
3. generate /etc/passwd and /etc/group files after user creations for sshd and sshd_server
under cygwin prompt window, run:
mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group
4. make sure the /var/empty directory has permission like this and it should be empty
chown sshd_server /var/empty
chmod 755 /var/empty
note: you might be able to use cygwin to give permission like this:
$ chown sshd_server /var/log/sshd.log $ chown -R sshd_server /var/empty $ chown sshd_server /etc/ssh*
5. make sure /etc directory and /var/log directory and all files under it should be readable by running user sshd_server
6. modify group policy for sshd_server to be able to switch user to sshd for privileges seperation
run 'gpedit.msc', go to local computer policy - computer configuration - windows settings - security settings - local policies - user rights assignment
look for 'create a token object', to add sshd_server user inside.
run 'gpupdate' to refresh group policy immediately, then restart cygwin sshd service.
Note: you don't have to add sshd_server into 'replace a process token level'.
Error messages and issues:
Isses we encountered:
a. couldnot start up cygwin sshd service
solution: check /var/log/sshd.log for error message and event log for ssh error, setting correct permission for /etc for sshd_server user to read, and /var/log/sshd.log for sshd_server to read/write
b. error messages appeared under evern log
1. The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd : PID 3996 : fatal: setreuid 1013: Permission denied.
2.
The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd : PID 4848 : starting service `' failed: redirect_fd: open (1, /var/log/sshd.log): 13, Permission denied.
3. The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd : PID 5376 : starting service `sshd' failed: execv: 1, Operation not permitted.
4. The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd : PID 4588 : starting service `sshd' failed: execv: 128, Transport endpoint is not connected.
5. The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd : PID 4668 : error: Could not load host key: /etc/ssh_host_key.
c. error message when you use public key authentication.
ssh from CentOS 4 to cygwin server under win2k03 server sp2:
# ssh -v SYSMGR@web1
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
Last login: Thu May 26 14:06:59 2011 from 1.2.3.4
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to web1 closed.
debug1: Transferred: stdin 0, stdout 0, stderr 34 bytes in 5.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 6.6
debug1: Exit status 255
References: