[wpkg-users] configure Cygwin sshd with wpkg
Paul Griffith
paulg at cse.yorku.ca
Fri Feb 21 21:48:01 CET 2014
Hi,
I am using WPKG to silently deploy Cygwin and then configure SSHD. The Cygwin installation works like a charm. Configuring sshd is another story. If I run my script from the admin command prompt, I am able to configure sshd. If I run that same script from WPKG, it fails. The only difference is that the WPKG agent runs as the SYSTEM user. I assume SCCM (Microsoft System Center Configuration Manager) users would have the same issue since their agent also runs as SYSTEM.
Any ideas other than pulling apart the /usr/bin/ssh-host-config script and trying to do this manually myself? Also posted on the Cygwin mailing list.
I call my script like the following:
start /wait %CYGWIN_ROOT%\bin\bash.exe --login -i /cygdrive/c/windows/temp/config-sshd-win7.sh "%cyg_server_passwd%"
Here is some of the debugging I captured. Notice how the permissions at [0] and [1] don't match; I can't explain that one.
Windows 7 Enterprise x64 SP 1
2GB RAM
VirtualBox 4.3.6
======
before running ssh-host-config (wpkg)
touch /var/log/sshd.log
chmod 700 /var/empty
chown SYSTEM /var/empty
ls -lad /var/empty
[0] drwx------+ 1 SYSTEM Administrators 0 Feb 21 13:07 /var/empty
/usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd blah
*** Info: Generating /etc/ssh_host_key
*** Info: Generating /etc/ssh_host_rsa_key
*** Info: Generating /etc/ssh_host_dsa_key
*** Info: Generating /etc/ssh_host_ecdsa_key
*** Info: Creating default /etc/ssh_config file
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Warning: The owner and the Administrators need
*** Warning: to have r.x permission to /var/empty.
*** Warning: Here are the current permissions and ACLS:
[1] *** Warning: drwxr-xr-x+ 1 SYSTEM Administrators 0 Feb 21 13:07 /var/empty
*** Warning: # file: /var/empty
*** Warning: # owner: SYSTEM
*** Warning: # group: Administrators
*** Warning: user::rwx
*** Warning: group::r-x
*** Warning: mask:rwx
*** Warning: other:r-x
*** Warning: default:user::rwx
*** Warning: default:group::r-x
*** Warning: default:other:r-x
*** Warning:
*** Warning: Please change the user and/or group ownership,
*** Warning: permissions, or ACLs of /var/empty.
*** ERROR: Problem with /var/empty directory. Exiting.
----
config-sshd-win7.sh script:
------snip------
#!/bin/sh
echo running ssh-host-config
if [ -f /cygdrive/c/netinst/logs/ssh-host-config.log ]; then
rm -f /cygdrive/c/netinst/logs/ssh-host-config.log
fi
echo before ssh-host-config > /cygdrive/c/netinst/logs/ssh-host-config.log
#setup permissions and ownership of files
echo setting up permissions
echo touch /var/log/sshd.log >> /cygdrive/c/netinst/logs/ssh-host-config.log
touch /var/log/sshd.log >> /cygdrive/c/netinst/logs/ssh-host-config.log
if [ ! -d /var/empty ]; then
mkdir /var/empty
fi
#echo chown system /var/log/sshd.log /var/empty /etc/ssh_h* >> /cygdrive/c/netinst/logs/ssh-host-config.log
chown system /var/log/sshd.log /var/empty /etc/ssh_h* >> /cygdrive/c/netinst/logs/ssh-host-config.log
#echo chmod 700 /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 700 /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo /usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd >> /cygdrive/c/netinst/logs/ssh-host-config.log
/usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd "$1" >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo after ssh-host-config >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo ls -lad /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log
ls -lad /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log
#Denies the cyg_server account logon through Remote Desktop Services.
editrights -a SeDenyRemoteInteractiveLogonRight -u cyg_server
echo listing services: cygrunsrv -L >> /cygdrive/c/netinst/logs/ssh-host-config.log
cygrunsrv -L >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo starting sshd: cygrunsrv -S sshd >> /cygdrive/c/netinst/logs/ssh-host-config.log
cygrunsrv -S sshd
echo cd "/home/Administrator" >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 750 /home/Administrator
cd /home/Administrator
echo mkdir .ssh >> /cygdrive/c/netinst/logs/ssh-host-config.log
mkdir .ssh
echo chmod 700 .ssh >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 700 .ssh
ls -lad .ssh >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo cp //xxxxx/xxx/site/ssh/authorized_keys .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
cp //xxxx/xxxx/site/ssh/authorized_keys .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo ls -l .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
ls -l .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo chmod 644 .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 644 .ssh/authorized_keys
ls -l .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
mkpasswd -l >> /etc/passwd
mkgroup -l >> /etc/group
-------snip------
Thank You
Paul