Cygwin, sshd and Windows 7

It seems installing OpenSSH (sshd) on Windows 7 is a bit of a hassle. When I first upgraded to 7 from WinXP, I simply copied across my Cygwin directory and it just worked. However, I later realised that it would not let me log in using public key authentication. So I decided to install it from scratch. I’ve always used Nicholas Fong’s article when installing openssh as the procedure is quick and painless. But this is when I realised Windows 7 requires the sshd user to have extra privileges to get it to work properly. The steps on the aforementioned site get around this by creating a new user called cyg_server. Personally, I don’t like having extra users, so I tried to find out how to give myself the same permissions without the need to create a new user.

With these instructions, you can fix the public key authentication problem and run sshd as Administrator or an existing user (even your own user account):

  1. You should have already installed cygwin and openssh by now. If not, what are you waiting for? Christmas? :P
  2. Undo any previous attempts to install the sshd service:
    $ net stop sshd
    $ cygrunsrv -R sshd
    $ net user sshd /DELETE  # See note below
    $ rm -R /etc/ssh*
    $ mkpasswd -cl > /etc/passwd
    $ mkgroup --local > /etc/group

    # Run `net user` to find out if there are any other such users that could have run sshd, for example “sshd” or “cyg_server”. Delete these as well. Don’t delete any default Windows ones!

  3. Decide on a user account that you want to run the sshd process. This can be Administrator as well, except it’s disabled on Windows 7 by default (it can be enabled by running lusrmgr.msc). For these instructions, let’s say you want a user called MyUser to run sshd.
  4. Check existing permissions for MyUser (in case you need to roll back, keep a note of its output):
    $ editrights -l -u MyUser
  5. Add additional privileges to allow sshd to run as a service:
    $ editrights.exe -a SeAssignPrimaryTokenPrivilege -u MyUser
    $ editrights.exe -a SeCreateTokenPrivilege -u MyUser
    $ editrights.exe -a SeTcbPrivilege -u MyUser
    $ editrights.exe -a SeServiceLogonRight -u MyUser
  6. Run ssh-host-config (don’t force the -y option):
    $ ssh-host-config
  7. Answer yes to all questions, making sure that when it asks “Do you want to use a different name?”, you say “yes” (this question is different with the -y option).
  8. Enter your desired username and password when you are prompted. You should *not* see any warnings. If you do, you might not have set all privileges correctly.
  9. If all goes well, start sshd:
    $ net start sshd
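To confirm that step 5 actually took effect before running ssh-host-config (the same idea as the csih_account_has_necessary_privileges() check in the Cygwin scripts mentioned in the PS), here is an added shell check that is not part of the original post. It assumes `editrights -l -u USER` prints one privilege name per line; the sample listing is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verify that an account holds the
# four rights added in step 5 before running ssh-host-config.
# Assumption: `editrights -l -u USER` prints one privilege name per line.

REQUIRED_RIGHTS="SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege SeTcbPrivilege SeServiceLogonRight"

# missing_rights LISTING -> prints the required rights absent from LISTING,
# one per line; returns 0 if none are missing, 1 otherwise.
missing_rights() {
    listing="$1"
    missing=""
    for right in $REQUIRED_RIGHTS; do
        # match the whole line (-x) so a name is not mistaken for a longer
        # privilege that merely contains it
        if ! printf '%s\n' "$listing" | grep -qx "$right"; then
            missing="$missing $right"
        fi
    done
    for right in $missing; do printf '%s\n' "$right"; done
    [ -z "$missing" ]
}

# check_account USER -> runs editrights for a live account. Cygwin only, and the
# terminal must be elevated, otherwise editrights fails with STATUS_ACCESS_DENIED
# (the error several commenters hit).
check_account() {
    if ! out=$(editrights -l -u "$1" 2>&1); then
        echo "editrights failed for $1: $out" >&2
        return 2
    fi
    missing_rights "$out"
}

# Constructed sample listing: an account holding only two of the four rights.
SAMPLE_LISTING='SeChangeNotifyPrivilege
SeServiceLogonRight
SeTcbPrivilege'

if [ $# -eq 0 ]; then
    echo "Rights missing from the constructed sample account:"
    missing_rights "$SAMPLE_LISTING" || true
else
    check_account "$1"
fi
```

Run it with no arguments to see the constructed sample, or with a username (from an elevated Cygwin terminal) to check a real account.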

Disclaimer: Do this at your own risk. Since your user gets these additional permissions, it may cause a few security issues (I can’t see any major issues though). You can find more information on user privileges at Microsoft TechNet. Tested only on Cygwin 1.7.1 and Windows 7 Professional (64 bit).

PS: For those that are curious, the cygwin scripts that automatically made the new users were /usr/share/csih/cygwin-service-installation-helper.sh and /usr/bin/ssh-host-config. Looking through those scripts made it obvious what the problem was (Function: csih_account_has_necessary_privileges()).

  • Comments (64)
    • kgx
    • January 29th, 2012 11:18pm

    @Raj, please follow instructions at http://pigtail.net/LRP/printsrv/cygwin-sshd.html and then the instructions here. That should get you on the way as it’s pretty detailed (on Fong’s site).

    • padraic
    • June 11th, 2012 11:35am

    Hi
    I have followed these directions and can now ssh to localhost from my laptop. Thanks for the instructions.

    However I now want to ssh into my laptop from my android. I successfully use Connectbot to access my Ec2 server, other computers etc but cannot connect to the laptop. I presume that I need to use one of the keys created during the tutorial process outlined above.

    I’m stuck there though. Any advice?

    • kgx
    • June 12th, 2012 12:04am

    @padraic
    It’s probably the firewall on your laptop/network. The fact that you can ssh to localhost shows it works correctly. Check your router’s manual or google for “port forwarding” :)

    • mukesh
    • June 22nd, 2012 12:42pm

    $ net start sshd
    System error 1069 has occurred.

    The service did not start due to a logon failure.

    • prince
    • October 17th, 2012 7:47am

    @kgx
    I am getting the following error in windows 7:
    $ editrights -l -u MyUser
    Error in openPolicy (LsaOpenPolicy returned 0xc0000022=STATUS_ACCESS_DENIED)!

    Could you please help me to sort out this issue?

    • Xicheng wang
    • December 2nd, 2012 4:28am

    you are awesome! Problem solved!

    • Aditya
    • January 9th, 2013 12:22pm

    Wanted to extend my gratitude.. you don’t know how much time of mine this post saved. I was stuck with his problem while installing hadoop on windows… thanks a ton indeed

    • Elvis
    • April 21st, 2013 9:34am

    @tam
    You need to log in as an administrator user, then run
    $ editrights.exe -a SeAssignPrimaryTokenPrivilege -u MyUser
    $ editrights.exe -a SeCreateTokenPrivilege -u MyUser
    $ editrights.exe -a SeTcbPrivilege -u MyUser
    $ editrights.exe -a SeServiceLogonRight -u MyUser
    MyUser is the user you want to designate.
    Then switch back to the MyUser user, and the rest is all the same.

    • naxa
    • May 22nd, 2013 5:25am

    problem 1
    should this work with domain users too? I have only a domain user on my computer and editrights didn’t give an error if I used myusername@mydomain

    sshd service, however, did not start (1062)
    $ cygrunsrv -S sshd
    cygrunsrv: Error starting a service: QueryServiceStatus: Win32 error 1062:
    The service has not been started.
    if I try to run manually, it says:
    $ /usr/sbin/sshd
    /var/empty must be owned by root and not group or world-writable.
    I did
    $ chown SYSTEM /var/empty
    $ chmod 700 /var/empty
    but it still gives the same message.

    problem 2
    this may be too localized, but fyi:
    $ mkgroup --local /etc/group
    mkgroup (344): [1722] The RPC server is unavailable.

    problem 3
    you say in your instructions to ~’say yes to everything’ and that you don’t like separate users. But how these claims relate to the following:
    *** Query: new local account ‘sshd’? (yes/no)
    If I say no I run into problems. So I say yes. That’s what you told me anyway! I just don’t understand, now sshd actually wants to have *two* extra accounts?

    nevertheless these instructions were quite fun, thanks for looking into it and posting!

    • naxa
    • May 22nd, 2013 5:28am

    ps. with the domain user, it also starts to get confusing when ssh-host-config starts to ask me if

    *** Query: Create new privileged user account ‘myusername@mydomain’? (yes/no)

    if I say yes, it keeps re-asking the password.
    if I say no, it goes

    *** ERROR: There was a serious problem creating a privileged user.

    • eltopo
    • September 4th, 2013 8:50am

    @prince
    Make sure you run your cygwin terminal as administrator.
    It solved the problem for me.

    • Soumya Mukhopadhyay
    • January 30th, 2014 4:53pm

    Hi I am also getting the following error

    System error 1069 has occurred.

    The service did not start due to a logon failure.

    • SshDemon
    • March 4th, 2014 6:10pm

    Be careful following the above instructions, they’re probably invalid on the latest Cygwin on Windows 8.1. Two problems (at least):
    1. You’re bypassing the Cygwin installation scripts’ changes to SHELL in /etc/passwd, enabling bash shells for ALL users.
    2. There’s now an additional security permission needed. (in total 5) for the “cyg_server” (or equivalent) account.

    • kgx
    • June 17th, 2014 11:32am

    Thank you to everyone who has provided feedback.

    I’ve now disabled comments as the article may no longer be valid and because of spam which keeps bypassing Akismet.
