This is the mail archive of the cygwin mailing list for the Cygwin project.



SSHd configuration problems (System error 1376)


So it's that time of the year again, when one needs to install SSHd on
some machine... and as usual (?) that's when the Cygwin ssh-host-config
script fails. I say as usual, because last time I posted to these forums
it was the same problem. So I must really question whether or not the
Cygwin developers actually test their latest updates before releasing?

Anyway, here we go:
#==========================================================
$ ssh-host-config

*** Info: Generating missing SSH host keys
ssh-keygen: generating new host keys: RSA1 RSA DSA ECDSA ED25519
*** Info: Creating default /etc/ssh_config file
*** Info: Creating default /etc/sshd_config file

*** Info: StrictModes is set to 'yes' by default.
*** Info: This is the recommended setting, but it requires that the POSIX
*** Info: permissions of the user's home directory, the user's .ssh
*** Info: directory, and the user's ssh key files are tight so that
*** Info: only the user has write permissions.
*** Info: On the other hand, StrictModes don't work well with default
*** Info: Windows permissions of a home directory mounted with the
*** Info: 'noacl' option, and they don't work at all if the home
*** Info: directory is on a FAT or FAT32 partition.
*** Query: Should StrictModes be used? (yes/no) yes

*** Info: Privilege separation is set to 'sandbox' by default since
*** Info: OpenSSH 6.1.  This is unsupported by Cygwin and has to be set
*** Info: to 'yes' or 'no'.
*** Info: However, using privilege separation requires a non-privileged account
*** Info: called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges.  Should this script attempt to create a
*** Query: new local account 'sshd'? (yes/no) yes
*** Info: Updating /etc/sshd_config file

*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Query: Enter the value of CYGWIN for the daemon: []
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires.  You need to have or to create a privileged
*** Info: account.  This script will help you do so.

*** Info: It's not possible to use the LocalSystem account for services
*** Info: that can change the user id without an explicit password
*** Info: (such as passwordless logins [e.g. public key authentication]
*** Info: via sshd) when having to create the user token from scratch.
*** Info: For more information on this requirement, see
*** Info: https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1

*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless such an account
*** Info: already exists). This account is then used to run these special
*** Info: servers.

*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.

*** Info: No privileged account could be found.

*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) no
*** Query: Create new privileged user account 'XXXX\cyg_server' (Cygwin name: 'cyg_server')? (yes/no) yes
*** Info: Please enter a password for new user cyg_server.  Please be sure
*** Info: that this password matches the password rules given on your system.
*** Info: Entering no password will exit the configuration.
*** Query: Please enter the password:
*** Query: Reenter:
*** Query: Please enter the password:
*** Query: Reenter:

*** Info: User 'cyg_server' has been created with password 'XXXXXX'.
*** Info: If you change the password, please remember also to change the
*** Info: password for the installed services which use (or will soon use)
*** Info: the 'cyg_server' account.

System error 1376 has occurred.

The specified local group does not exist.

*** Warning: Adding user 'cyg_server' to local group 'root' failed!
*** Warning: Please add 'cyg_server' to local group 'root' before
*** Warning: starting any of the services which depend upon this user!
*** ERROR: There was a serious problem creating a privileged user.
*** Query: Do you want to proceed anyway? (yes/no) yes
*** Warning: Expected privileged user 'cyg_server' does not exist.
*** Warning: Defaulting to 'SYSTEM'

*** Info: The sshd service has been installed under the LocalSystem
*** Info: account (also known as SYSTEM). To start the service now, call
*** Info: `net start sshd' or `cygrunsrv -S sshd'.  Otherwise, it
*** Info: will start automatically after the next reboot.

*** Warning: Host configuration exited with 1 errors or warnings!
*** Warning: Make sure that all problems reported are fixed,
*** Warning: then re-run ssh-host-config.
#==========================================================
# We can check what that error means with:

$ NET HELPMSG 1376
The specified local group does not exist.


Now, the reason for that is that there is no "root" group
in Windows. Instead it's called "Administrators". To see 
the available local groups, use:

$ NET LOCALGROUP
...
*Administrators
...

To fix this, you have 2 options (choose one): 
1) From Windows Users Accounts Control Panel
2) From Cygwin command line

(1) Now open the Windows control panel and navigate to User Accounts.
There you will find a new account called "Privileged server", which is the
"cyg_server" account. You need to change the account type of that from
"Standard" to "Administrator".

(2) From Cygwin (Administrator) command line (with Windows PATH):

$ net localgroup Administrators sshd /ADD

Once you have completed this, check that the "cyg_server" belongs to the
group "Administrators" with:

$ net user cyg_server
...

========================================================
So to summarize, the following issues have not been addressed:

(a) The "sshd" user account password expires after 42 days.
(b) The user is not part of "Administrator" group, severely limiting its
    usability.
(c) An artificial 3rd user is still needed to be able to login remotely
    using SSH, if the "regular" Cygwin Windows user has chosen not to
    have a password.
(d) The error messages are incomprehensible.
(e) The text "Query: Enter the value of CYGWIN for the daemon: []" is
    incomprehensible.

For everybody's convenience, to fix the password expiration (a), use this
line:

$ wmic useraccount where "Name='sshd'" set PasswordExpires=FALSE

(The extra quotes there are crucial!)

Happy Holiday Wishes!

# CYGWIN_NT-6.3 xxxx 1.7.33-2(0.280/5/3) 2014-11-13 15:47 x86_64 Cygwin




--
View this message in context: http://cygwin.1069669.n5.nabble.com/SSHd-configuration-problems-System-error-1376-tp113637.html
Sent from the Cygwin list mailing list archive at Nabble.com.
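
An added example, not part of the original post: a shell check that reads `net user NAME` output and confirms the two accounts ssh-host-config creates ended up as its messages describe them, with 'cyg_server' in Administrators, 'sshd' non-privileged, and neither password set to expire. The function name `check_account` is hypothetical, the sample text is constructed, and English-locale `net` output is assumed.

```shell
#!/bin/sh
# check_account EXPECT_ADMIN: reads English-locale `net user NAME` output on
# stdin; returns 0 only if Administrators membership equals EXPECT_ADMIN
# (yes/no) and the password is set to never expire.
check_account() {
    expect_admin=$1
    out=$(tr -d '\r')                      # net.exe emits CRLF line endings
    # Membership lists may wrap onto indented continuation lines, so keep
    # everything from the label up to the next field.
    member_of=$(printf '%s\n' "$out" | awk '
        /^Local Group Memberships/  { grab = 1; sub(/^Local Group Memberships/, "") }
        /^Global Group memberships/ { grab = 0 }
        grab')
    expires=$(printf '%s\n' "$out" | awk '/^Password expires/ { print $3; exit }')
    is_admin=no
    if printf '%s\n' "$member_of" | grep -Eq '\*Administrators([[:space:]]|$)'; then
        is_admin=yes
    fi
    rc=0
    if [ "$is_admin" != "$expect_admin" ]; then
        echo "FAIL: Administrators membership is '$is_admin', expected '$expect_admin'"
        rc=1
    fi
    if [ "$expires" != "Never" ]; then
        echo "FAIL: password expiry is '$expires', expected 'Never'"
        rc=1
    fi
    return $rc
}

# Constructed samples of `net user` output, trimmed to the relevant fields.
SAMPLE_CYG_SERVER='User name                    cyg_server
Full Name                    Privileged server
Password expires             Never
Local Group Memberships      *Administrators
Global Group memberships     *None'

SAMPLE_SSHD_BAD='User name                    sshd
Password expires             1/25/2015 3:47:00 PM
Local Group Memberships      *Administrators       *Users
Global Group memberships     *None'

# On the real host (Cygwin shell with the Windows PATH):
#   net user cyg_server | check_account yes
#   net user sshd       | check_account no
```

The second sample trips both checks: an expiring password and an 'sshd' account that has been placed in Administrators.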
