I need help configuring OpenSSH on Win2008 via CYGWIN!
THANKS in advance!
I am trying to configure an OpenSSH server on Windows Server 2008 Datacenter via CYGWIN. I have installed and configured CYGWIN with OpenSSH and Basic LinuxUtils. I am logging onto the system on a Domain named CNO.LOCAL with the username kgraves. What I have done so far:
1.Granted Local Permissions to user CNO.LOCAL\kgraves using secpol.msc
- Adjust memory quotas for a process.
- Create a token object.
- Log on as a service.
- Replace a process-level token.
2.Created and Edited the /etc/passwd file
$ mkpasswd -l > /etc/passwd
$ mkpasswd -u kgraves -D CNO.LOCAL -S '_' >> /etc/passwd
/etc/passwd looks like this:
SYSTEM:*:18:544:,S-1-5-18::
LocalService:*:19:544:U-NT AUTHORITY\LocalService,S-1-5-19::
NetworkService:*:20:544:U-NT AUTHORITY\NetworkService,S-1-5-20::
Administrators:*:544:544:,S-1-5-32-544::
TrustedInstaller:*:4294967294:4294967294:U-NT SERVICE\TrustedInstaller,S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464::
Administrator:unused:500:513:U-DUCLAW\Administrator,S-1-5-21-1295458589-1267770145-4179728800-500:/home/Administrator:/bin/bash
Guest:unused:501:513:U-DUCLAW\Guest,S-1-5-21-1295458589-1267770145-4179728800-501:/home/Guest:/bin/bash
CNO_kgraves:unused:11276:10513:Kent Graves,U-CNO\kgraves,S-1-5-21-350539814-2465610117-2008212152-1276:/home/kgraves:/bin/bash
sshd:unused:1014:513:sshd privsep,U-DUCLAW\sshd,S-1-5-21-1295458589-1267770145-4179728800-1014:/var/empty:/bin/false
3.Created and Edited the /etc/group file
$ mkgroup -l > /etc/group
$ mkgroup -D -S '_' >> /etc/group
/etc/group file looks like this:
SYSTEM:S-1-5-18:18:
TrustedInstaller:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:4294967294:
Administrators:S-1-5-32-544:544:
Backup Operators:S-1-5-32-551:551:
Certificate Service DCOM Access:S-1-5-32-574:574:
Cryptographic Operators:S-1-5-32-569:569:
Distributed COM Users:S-1-5-32-562:562:
Event Log Readers:S-1-5-32-573:573:
Guests:S-1-5-32-546:546:
IIS_IUSRS:S-1-5-32-568:568:
Network Configuration Operators:S-1-5-32-556:556:
Performance Log Users:S-1-5-32-559:559:
Performance Monitor Users:S-1-5-32-558:558:
Power Users:S-1-5-32-547:547:
Print Operators:S-1-5-32-550:550:
Remote Desktop Users:S-1-5-32-555:555:
Replicator:S-1-5-32-552:552:
Users:S-1-5-32-545:545:
None:S-1-5-21-1295458589-1267770145-4179728800-513:513:
SYSTEM:S-1-5-18:18:
TrustedInstaller:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:4294967294:
Administrators:S-1-5-32-544:544:
Users:S-1-5-32-545:545:
Guests:S-1-5-32-546:546:
Print Operators:S-1-5-32-550:550:
Backup Operators:S-1-5-32-551:551:
Replicator:S-1-5-32-552:552:
Remote Desktop Users:S-1-5-32-555:555:
Network Configuration Operators:S-1-5-32-556:556:
Performance Monitor Users:S-1-5-32-558:558:
Performance Log Users:S-1-5-32-559:559:
Distributed COM Users:S-1-5-32-562:562:
IIS_IUSRS:S-1-5-32-568:568:
Cryptographic Operators:S-1-5-32-569:569:
Event Log Readers:S-1-5-32-573:573:
Certificate Service DCOM Access:S-1-5-32-574:574:
Server Operators:S-1-5-32-549:549:
Account Operators:S-1-5-32-548:548:
Pre-Windows 2000 Compatible Access:S-1-5-32-554:554:
Incoming Forest Trust Builders:S-1-5-32-557:557:
Windows Authorization Access Group:S-1-5-32-560:560:
Terminal Server License Servers:S-1-5-32-561:561:
CNO_Domain Admins:S-1-5-21-350539814-2465610117-2008212152-512:10512:
CNO_Domain Computers:S-1-5-21-350539814-2465610117-2008212152-515:10515:
CNO_Domain Controllers:S-1-5-21-350539814-2465610117-2008212152-516:10516:
CNO_Domain Guests:S-1-5-21-350539814-2465610117-2008212152-514:10514:
CNO_Domain Users:S-1-5-21-350539814-2465610117-2008212152-513:10513:
4.Configured OpenSSH but get errors after creating user CNO_kgraves…
The ssh-host-config script prompts you for answers to certain questions, including the following primary questions:
Should privilege separation be used? Answer Yes.
New local account 'sshd'? Answer Yes.
Do you want to install sshd as a service? Answer Yes.
Enter the value of CYGWIN for the daemon: Specify ntsec tty
Do you want to use a different user name? Answer Yes.
Enter the new user name? CNO_kgraves
Re-enter: CNO_kgraves
*** Warning: Privileged account 'CNO_kgraves' was specified,
*** Warning: but it does not have the necessary privileges.
*** Warning: Continuing, but will probably use a different account.
*** Warning: The specified account 'CNO_kgraves' does not have the
*** Warning: required permissions or group memberships. This may
*** Warning: cause problems if not corrected; continuing...
Two prompts for that user's password.
It then gives me this error after finishing the ssh-host-config and I'm not sure what it means though I think it has something to do with acounts/privleges etc:
Error in getSID (LsaLookupNames returned 0xc0000073=STATUS_NONE_MAPPED)!
*** Info: The sshd service has been installed under the 'CNO_kgraves'
*** Info: account. To start the service now, call `net start sshd' or
*** Info: `cygrunsrv -S sshd'. Otherwise, it will start automatically
*** Info: after the next reboot.
*** Info: Host configuration finished. Have fun!
5.I then changed the permissions and ownership for certain files because I had read on a guide that I should do that. What I did is below:
$ cygrunsrv --stop sshd
$ chown CNO_kgraves /var/log/sshd.log
$ chown -R CNO_kgraves /var/empty
$ chown CNO_kgraves /etc/ssh*
6.Tried to run net start sshd but I get the following error EVERY time…
$ net start sshd
The CYGWIN sshd service is starting.
The CYGWIN sshd service could not be started.
The service did not report an error.
More help is available by typing NET HELPMSG 3534
Although it says it did not report an error the sshd log in /var/log says:
/var/empty must be owned by root and not group or world-writable.
I've tried changing the owner using chown to root but the user root does not exist.
I even tried changing it to SYSTEM because I was told that in CYGWIN it sees SYSTEM as root, but then I still don't know what to change the group to.
The SSH service is listening on port 22 because when I try to SSH into it from another machine I get a login prompt and the Domain Warning message. But it tells me that access is denied every time I try to log in with my username and password (the same username I set up in ssh-user-config).
And for some final details just in case here are my ssh_config and sshd_config files:
# $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key
#HostKey /etc/ssh_host_ecdsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
StrictModes no
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/sbin/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
Best Answer
After 2 days of pounding my head against the wall trying to figure this thing out and too stubborn to try any other service. I finally figured out what my problem was.
Prior to installing Cygwin and Openssh packages I was looking around for OpenSSH for windows and ended up installing it. It is a version of OpenSSH that has extremely "minimal" Cygwin services with it and requires much less user interaction.
I'm not entirely sure how OpenSSH for Windows works or how to configure it but what I do know is that when you install it it automatically creates a service called:
The executable for it is located at:
While browsing through my Services I saw it and it caught my attention. Turns out it was tying up my ports and CYGWINssh couldn't get access to it. But in the end I learned a lot about CYGWIN and OpenSSH! So I guess it wasn't all a waste of time! Hopefully this Question/Answer will help someone else out there.