Cygwin, sshd and Windows 7

It seems like installing OpenSSH (sshd) on Windows 7 is a bit of a hassle. When I first upgraded to 7 from WinXP, I simply copied across my Cygwin directory and it just worked. However, I later realised that it would not let me log in when using public key authentication. So I decided to install it from scratch. I’ve always used Nicholas Fong’s article when installing openssh, as the procedure is quick and painless. But this is when I realised that Windows 7 requires the sshd user to have extra privileges to get it to work properly. The steps on the aforementioned site get around this by creating a new user called cyg_server. Personally, I don’t like having extra users, so I tried to find out how to give myself the same permissions without the need to create a new user.

With these instructions, you can fix the public key authentication problem and run sshd as Administrator or an existing user (even your own user account):

  1. You should have already installed cygwin and openssh by now. If not, what are you waiting for? Christmas? :P
  2. Undo any previous attempts to install the sshd service:
    $ net stop sshd
    $ cygrunsrv -R sshd
    $ net user sshd /DELETE  # See note below
    $ rm -R /etc/ssh*
    $ mkpasswd -cl > /etc/passwd
    $ mkgroup --local > /etc/group

    Note: run `net user` to find out whether there are any other such users that could have run sshd, for example “sshd” or “cyg_server”. Delete these as well. Don’t delete any default Windows ones!

  3. Decide on the user account that you want to run the sshd process. This can be Administrator as well, except that it is disabled on Windows 7 by default (it can be enabled by running lusrmgr.msc). For these instructions, let’s say you want a user called MyUser to run sshd.
  4. Check the existing privileges of MyUser (keep a note of the output in case you need to roll back):
    $ editrights -l -u MyUser
  5. Add the additional privileges sshd needs to run as a service:
    $ editrights.exe -a SeAssignPrimaryTokenPrivilege -u MyUser
    $ editrights.exe -a SeCreateTokenPrivilege -u MyUser
    $ editrights.exe -a SeTcbPrivilege -u MyUser
    $ editrights.exe -a SeServiceLogonRight -u MyUser
    
  6. Run ssh-host-config (don’t force the -y option):
    $ ssh-host-config
  7. Answer yes to all questions, making sure that when it asks “Do you want to use a different name?” you say “yes” (this question is different with the -y option).
  8. Enter your desired username and password when prompted. You should *not* see any warnings. If you do, you may not have set all the privileges correctly.
  9. If all goes well, start sshd:
    $ net start sshd
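The checks in steps 4 and 5 can be scripted. The following is an added example, not code from the original post: it compares the output of `editrights -l -u MyUser` against the four rights listed in step 5, prints the `editrights.exe -a` commands still needed, and builds the rollback commands from the listing saved before step 5. The function names and the sample listing are constructed for this example; `editrights -r` is assumed to remove a right (check `editrights --help` on your install).

```shell
#!/bin/bash
# Added example (not from the original post). Compares an editrights listing
# against the four rights sshd needs and derives grant / rollback commands.

# The four rights the post grants with editrights.exe -a ...
REQUIRED_RIGHTS="SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege SeTcbPrivilege SeServiceLogonRight"

# has_right LISTING RIGHT: true if RIGHT appears as a whole line of LISTING
# (whole-line match, so SeTcb does not match SeTcbPrivilege)
has_right() {
    printf '%s\n' "$1" | grep -qx "$2"
}

# missing_rights LISTING: required rights absent from LISTING, one per line
missing_rights() {
    for r in $REQUIRED_RIGHTS; do
        has_right "$1" "$r" || printf '%s\n' "$r"
    done
}

# grant_commands LISTING USER: the editrights.exe -a commands still needed
grant_commands() {
    for r in $(missing_rights "$1"); do
        printf 'editrights.exe -a %s -u %s\n' "$r" "$2"
    done
}

# rollback_commands SAVED_LISTING USER: remove (assumed: editrights -r) only
# the rights the user did not hold before step 5, so pre-existing ones survive
rollback_commands() {
    for r in $(missing_rights "$1"); do
        printf 'editrights.exe -r %s -u %s\n' "$r" "$2"
    done
}

# Constructed sample of `editrights -l -u MyUser` output (one right per line),
# as it might look after only two of the four rights were granted
SAMPLE_LISTING='SeChangeNotifyPrivilege
SeServiceLogonRight
SeTcbPrivilege'

echo "# still to grant:"
grant_commands "$SAMPLE_LISTING" MyUser
echo "# rollback, treating the sample as the listing saved in step 4:"
rollback_commands "$SAMPLE_LISTING" MyUser
```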

Disclaimer: Do this at your own risk. Since your user gets these additional permissions, it may cause a few security issues (I can’t see any major issues though). You can find more information on user privileges at Microsoft Technet. Tested only on Cygwin 1.7.1 and Windows 7 Professional (64 bit).

PS: For those that are curious, the cygwin scripts that automatically made the new users were /usr/share/csih/cygwin-service-installation-helper.sh and /usr/bin/ssh-host-config. Looking through those scripts made it obvious what the problem was (Function: csih_account_has_necessary_privileges()).

  • Comments (15)
    • Raj
    • January 27th, 2012 5:57pm

    hi,

    I’m new to ssh.
    Can you please share the steps with me from the start.

    Regards

    • kgx
    • January 29th, 2012 11:18pm

    @Raj, please follow instructions at http://pigtail.net/LRP/printsrv/cygwin-sshd.html and then the instructions here. That should get you on the way as it’s pretty detailed (on Fong’s site).

    • padraic
    • June 11th, 2012 11:35am

    Hi
    I have followed these directions and can now ssh to localhost from my laptop. Thanks for the instructions.

    However I now want to ssh into my laptop from my android. I successfully use Connectbot to access my Ec2 server, other computers etc but cannot connect to the laptop. I presume that I need to use one of the keys created during the tutorial process outlined above.

    I’m stuck there though. Any advice?

    • kgx
    • June 12th, 2012 12:04am

    @padraic
    It’s probably the firewall on your laptop/network. The fact that you can ssh to localhost shows it works correctly. Check your router’s manual or google for “port forwarding” :)

    • mukesh
    • June 22nd, 2012 12:42pm

    $ net start sshd
    System error 1069 has occurred.

    The service did not start due to a logon failure.

    • prince
    • October 17th, 2012 7:47am

    @kgx
    I am getting the following error in windows 7:
    $ editrights -l -u MyUser
    Error in openPolicy (LsaOpenPolicy returned 0xc0000022=STATUS_ACCESS_DENIED)!

    Could you please help me to sort out this issue?

    • Xicheng wang
    • December 2nd, 2012 4:28am

    you are awesome! Problem solved!

    • Aditya
    • January 9th, 2013 12:22pm

    Wanted to extend my gratitude. You don’t know how much time of mine this post saved. I was stuck with this problem while installing hadoop on windows… thanks a ton indeed

    • Elvis
    • April 21st, 2013 9:34am

    @tam
    You need to log in as an administrator user, then run
    $ editrights.exe -a SeAssignPrimaryTokenPrivilege -u MyUser
    $ editrights.exe -a SeCreateTokenPrivilege -u MyUser
    $ editrights.exe -a SeTcbPrivilege -u MyUser
    $ editrights.exe -a SeServiceLogonRight -u MyUser
    MyUser is the user you want to specify.
    Then switch back to the MyUser user, and the rest is all the same.

    • naxa
    • May 22nd, 2013 5:25am

    problem 1
    should this work with domain users too? I have only a domain user on my computer and editrights didn’t give an error if I used myusername@mydomain

    sshd service, however, did not start (1062)
    $ cygrunsrv -S sshd
    cygrunsrv: Error starting a service: QueryServiceStatus: Win32 error 1062:
    The service has not been started.
    if I try to run manually, it says:
    $ /usr/sbin/sshd
    /var/empty must be owned by root and not group or world-writable.
    I did
    $ chown SYSTEM /var/empty
    $ chmod 700 /var/empty
    but it still gives the same message.

    problem 2
    this may be too localized, but fyi:
    $ mkgroup --local /etc/group
    mkgroup (344): [1722] The RPC server is unavailable.

    problem 3
    you say in your instructions to ~’say yes to everything’ and that you don’t like separate users. But how these claims relate to the following:
    *** Query: new local account ‘sshd’? (yes/no)
    If I say no I run into problems. So I say yes. That’s what you told me anyway! I just don’t understand, now sshd actually wants to have *two* extra accounts?

    nevertheless these instructions were quite fun, thanks for looking into it and posting!

    • naxa
    • May 22nd, 2013 5:28am

    ps. with the domain user, it also starts to get confusing when ssh-host-config starts to ask me if

    *** Query: Create new privileged user account ‘myusername@mydomain’? (yes/no)

    if I say yes, it keeps re-asking the password.
    if I say no, it goes

    *** ERROR: There was a serious problem creating a privileged user.

    • eltopo
    • September 4th, 2013 8:50am

    @prince
    Make sure you run your cygwin terminal as administrator.
    It solved the problem for me.

    • Soumya Mukhopadhyay
    • January 30th, 2014 4:53pm

    Hi I am also getting the following error

    System error 1069 has occurred.

    The service did not start due to a logon failure.

    • SshDemon
    • March 4th, 2014 6:10pm

    Be careful following the above instructions, they’re probably invalid on the latest Cygwin on Windows 8.1. Two problems (at least):
    1. You’re bypassing the Cygwin installation scripts’ changes to SHELL in /etc/passwd, enabling bash shells for ALL users.
    2. There’s now an additional security permission needed. (in total 5) for the “cyg_server” (or equivalent) account.

    • kgx
    • June 17th, 2014 11:32am

    Thank you to everyone who has provided feedback.

    I’ve now disabled comments as the article may no longer be valid and because of spam which keeps bypassing Akismet.