[wpkg-users] configure Cygwin sshd with wpkg

Paul Griffith paulg at cse.yorku.ca
Fri Feb 21 21:48:01 CET 2014


Hi,

I am using WPKG to silently deploy Cygwin and then configure SSHD. The Cygwin installation works like a charm. Configuring sshd is another story. If I run my script from the admin command prompt, I am able to configure sshd. If I run that same script from WPKG, it fails. The only difference is that the WPKG agent runs as the SYSTEM user. I assume SCCM (Microsoft System Center Configuration Manager) users would have the same issue since their agent also runs as SYSTEM.

Any ideas other than pulling apart the /usr/bin/ssh-host-config script and trying to do this manually myself? Also posted on the Cygwin mailing list.

I call my script like the following:
start /wait %CYGWIN_ROOT%\bin\bash.exe --login -i /cygdrive/c/windows/temp/config-sshd-win7.sh "%cyg_server_passwd%"

Here is some of the debugging I captured. Notice how the permissions at [0] and [1] don't match; I can't explain that one.

Windows 7 Enterprise x64 SP 1
2GB RAM
VirtualBox 4.3.6

======
before running ssh-host-config (wpkg)
touch /var/log/sshd.log
chmod 700 /var/empty
chown SYSTEM /var/empty
ls -lad /var/empty
[0] drwx------+ 1 SYSTEM Administrators 0 Feb 21 13:07 /var/empty

/usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd blah

*** Info: Generating /etc/ssh_host_key
*** Info: Generating /etc/ssh_host_rsa_key
*** Info: Generating /etc/ssh_host_dsa_key
*** Info: Generating /etc/ssh_host_ecdsa_key
*** Info: Creating default /etc/ssh_config file
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Warning: The owner and the Administrators need
*** Warning: to have r.x permission to /var/empty.
*** Warning: Here are the current permissions and ACLS:
[1] *** Warning:     drwxr-xr-x+ 1 SYSTEM Administrators 0 Feb 21 13:07 /var/empty
*** Warning:     # file: /var/empty
*** Warning:     # owner: SYSTEM
*** Warning:     # group: Administrators
*** Warning:     user::rwx
*** Warning:     group::r-x
*** Warning:     mask:rwx
*** Warning:     other:r-x
*** Warning:     default:user::rwx
*** Warning:     default:group::r-x
*** Warning:     default:other:r-x
*** Warning:     *** Warning: Please change the user and/or group ownership, *** Warning: permissions, or ACLs of /var/empty.

*** ERROR: Problem with /var/empty directory. Exiting.
----

config-sshd-win7.sh script:
------snip------
#!/bin/sh

echo running ssh-host-config

if [ -f /cygdrive/c/netinst/logs/ssh-host-config.log ]; then
	rm -f /cygdrive/c/netinst/logs/ssh-host-config.log
fi


echo before ssh-host-config > /cygdrive/c/netinst/logs/ssh-host-config.log

#setup permissions and ownership of files
echo setting up permissions

echo touch /var/log/sshd.log >> /cygdrive/c/netinst/logs/ssh-host-config.log
touch /var/log/sshd.log >> /cygdrive/c/netinst/logs/ssh-host-config.log

if [ ! -d /var/empty ]; then
   mkdir /var/empty
fi

#echo chown system /var/log/sshd.log /var/empty /etc/ssh_h* >> /cygdrive/c/netinst/logs/ssh-host-config.log
chown system /var/log/sshd.log /var/empty /etc/ssh_h* >> /cygdrive/c/netinst/logs/ssh-host-config.log

#echo chmod 700 /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 700 /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log

echo /usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd   >> /cygdrive/c/netinst/logs/ssh-host-config.log
/usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd "$1" >> /cygdrive/c/netinst/logs/ssh-host-config.log

echo after ssh-host-config >> /cygdrive/c/netinst/logs/ssh-host-config.log
echo ls -lad /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log
ls -lad /var/empty >> /cygdrive/c/netinst/logs/ssh-host-config.log

#Denies the cyg_server account logon through Remote Desktop Services.
editrights -a SeDenyRemoteInteractiveLogonRight -u cyg_server

echo listing services: cygrunsrv -L >> /cygdrive/c/netinst/logs/ssh-host-config.log
cygrunsrv -L >> /cygdrive/c/netinst/logs/ssh-host-config.log

echo starting sshd: cygrunsrv -S sshd >> /cygdrive/c/netinst/logs/ssh-host-config.log
cygrunsrv -S sshd


echo cd "/home/Administrator" >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 750 /home/Administrator
cd /home/Administrator

echo mkdir .ssh >> /cygdrive/c/netinst/logs/ssh-host-config.log
mkdir .ssh

echo chmod 700 .ssh >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 700 .ssh
ls -lad .ssh >> /cygdrive/c/netinst/logs/ssh-host-config.log

echo cp //xxxxx/xxx/site/ssh/authorized_keys .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
cp //xxxx/xxxx/site/ssh/authorized_keys .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log

echo ls -l .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
ls -l .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log

echo chmod 644 .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log
chmod 644 .ssh/authorized_keys
ls -l .ssh/authorized_keys >> /cygdrive/c/netinst/logs/ssh-host-config.log

mkpasswd -l >> /etc/passwd
mkgroup -l >> /etc/group
-------snip------

Thank You
Paul
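
An added example, not part of the original post: a POSIX shell check of an `ls -ld` line against the rule printed in the ssh-host-config warning above (the owner and Administrators need r-x on /var/empty). The helper name check_var_empty is hypothetical, the two sample lines are copied from markers [0] and [1] in the log, and only the mode bits are examined, not the ACL entries.

```shell
#!/bin/sh
# Added example (not from the original post). check_var_empty is a
# hypothetical helper; it reads only the mode bits of an `ls -ld` line and
# does not evaluate the ACL entries that the trailing '+' indicates.

# check_var_empty "<ls -ld line>"
# Prints one finding per failed condition; returns 0 only if none failed.
check_var_empty() {
    set -f                      # no globbing while splitting the line
    set -- $1                   # fields: mode links owner group ...
    set +f
    mode=$1; owner=$3; group=$4; rc=0

    case $mode in
        d*) ;;
        *)  echo "not a directory: $mode"; rc=1 ;;
    esac

    obits=$(printf '%s' "$mode" | cut -c2-4)   # owner rwx triplet
    gbits=$(printf '%s' "$mode" | cut -c5-7)   # group rwx triplet

    case $obits in
        r?x) ;;
        *)   echo "owner $owner lacks r-x: $obits"; rc=1 ;;
    esac

    if [ "$group" = "Administrators" ]; then
        case $gbits in
            r?x) ;;
            *)   echo "group Administrators lacks r-x: $gbits"; rc=1 ;;
        esac
    else
        echo "group is $group; Administrators access not visible in mode bits"
        rc=1
    fi
    return $rc
}

# Lines copied from markers [0] and [1] in the log above.
BEFORE='drwx------+ 1 SYSTEM Administrators 0 Feb 21 13:07 /var/empty'
DURING='drwxr-xr-x+ 1 SYSTEM Administrators 0 Feb 21 13:07 /var/empty'

for l in "$BEFORE" "$DURING"; do
    if check_var_empty "$l"; then echo "ok:   $l"; else echo "fail: $l"; fi
done
```

The line at [0], produced by the script's own chmod 700, fails the rule on the group bits, while the line at [1] satisfies it even though ssh-host-config still exits with an error there.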


