Cygwin, sshd and Windows 7
It seems like installing OpenSSH (sshd) on Windows 7 is a bit of a hassle. When I first upgraded to 7 from WinXP, I simply copied across my Cygwin directory and it just worked. However, it was later I realised that it would not let me log in if using public key authentication. So I decided to install it from scratch. I’ve always used Nicholas Fong’s article when installing openssh as the procedure is quick and painless. But this is when I realised Windows 7 requires the sshd user to have extra privileges to get it work properly. The steps in the aforementioned site gets around this creating a new user called cyg_server. Personally, I don’t like having extra users, so I tried to find out how to give myself the same permissions without the need to create a new user.
With these instructions, you can fix the public key authentication problem and run sshd as Administrator or an existing user (even your own user account):
- You should have already installed cygwin and openssh by now. If not, what are you waiting for? Christmas?
- Undo any previous attempts to install the sshd service:
$ net stop sshd $ cygrunsrv -R sshd $ net user sshd /DELETE # See note below $ rm -R /etc/ssh* $ mkpasswd -cl > /etc/passwd $ mkgroup --local > /etc/group
# Run `net user` to find out if there’s any other such users that could have run sshd – example “sshd” or “cyg_server”. Delete these as well. Don’t delete any default Windows ones!
- Decide on a user account that you want to run the sshd process. This can Administrator as well except its disabled on Windows 7 by default (it can be enabled by running lusrmgr.msc). For these instructions, lets say you want a user called MyUser to run sshd.
- Check existing permissions for MyUser (in case you need to roll back, keep a note of its output):
$ editrights -l -u MyUser
- Add additional privileges to allow sshd to run as a service:
$ editrights.exe -a SeAssignPrimaryTokenPrivilege -u MyUser $ editrights.exe -a SeCreateTokenPrivilege -u MyUser $ editrights.exe -a SeTcbPrivilege -u MyUser $ editrights.exe -a SeServiceLogonRight -u MyUser
- Run ssh-host-config (don’t force the -y option):
- Answer yes to all questions making sure when it asks “Do you want to use a different name?”, say “yes” (this question is different with the -y option)
- Enter your desired username and password when you are prompted. You should *not* see any warnings. If you do, you might not have set all privileges correctly
- If all goes well, start sshd:
$ net start sshd
Disclaimer: Do this at your risk. Since your user gets these additional permissions, it may cause a few security issues (I can’t see any major issues though). You can find more information on user privileges at Microsoft Technet. Tested only on Cygwin 1.7.1 and Windows 7 Professional (64 bit).
PS: For those that are curious, the cygwin scripts that automatically made the new users were /usr/share/csih/cygwin-service-installation-helper.sh and /usr/bin/ssh-host-config. Looking through those scripts made it obvious what the problem was (Function: csih_account_has_necessary_privileges()).