This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Silently configure sshd fails via system account


On Mar 19 17:57, Corinna Vinschen wrote:
> On Mar 19 11:54, Paul Griffith wrote:
> > On 03/18/2014 09:24 PM, PolarStorm wrote:
> > > Paul Griffith wrote
> > >> ...
> > >> /usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd blah
> > >> ...
> > > 
> > > Just a few things...
> > > 
> > > 1) Don't do that (manually).
> > > First of all, "ntsec" is deprecated. Second, there are a lot of strange
> > > issues when using "--yes", just answer the questions manually, especially
> > > since you don't need all those keys just to have ssh work.
> > > 
> > > 2) Make sure you run the ssh-host-config from an "administrator: cygwin shell".
> > > 
> > > 3) Check your /etc/sshd-config for: "UsePrivilegeSeparation sandbox" which
> > > is the new default. The ssh-host-config script has a bug on line 169 that
> > > attempts to set this to "no", but where the regex fails. (I told people in THIS
> > > <http://cygwin.1069669.n5.nabble.com/CSIH-SSH-setup-script-problems-on-W81-64-tp106953.html>
> > > nabble post, but I don't think it ever reached the main mailing list.)
> > > 
> > > 4) The sshd user password is set to expire by default after 42 days, in
> > > Windows 8.1. Fix it if you're using that.
> > > 
> > 
> > 
> > Thanks Gene for the heads up, it will help me fine tune my setup!  I need to use the "--yes" option because I am building an automated installation for Windows 7.
> 
> I attached a new incarnation of the ssh-host-config script to this
> mail.

Anybody?


> Would interested parties be so kind to test this new script?
> 
> Changes compared to the released version from the openssh package:
> 
> - The "StrictModes" setting in /etc/sshd_config is now asked for, rather than
>   setting it always to "no".
>   
>   The background is that "StrictModes yes" is the more secure setting.
>   "StrictModes no" is only required for users with home directories on a
>   "noacl" mount or on FAT/FAT32 partitions, so I think the administrator
>   should have a choice here.
> 
> - The "UsePrivilegeSeparation" setting in /etc/sshd_config now takes into
>   account that the default setting is "sandbox", which doesn't make
>   sense on Cygwin.
> 
> - Changes to /etc/sshd_config are now only written to the file, if the file
>   has been just generated or if the question
> 
>     "Overwrite existing /etc/sshd_config file?"
> 
>   has been answered with "yes".
> 
> I also tweaked the script slightly to support the new passwd/group code
> I'm working on, but that's not yet finished.
> 
> 
Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
