Cygwin, sshd and Windows 7
It seems like installing OpenSSH (sshd) on Windows 7 is a bit of a hassle. When I first upgraded to 7 from WinXP, I simply copied across my Cygwin directory and it just worked. However, I later realised that it would not let me log in when using public key authentication. So I decided to install it from scratch. I’ve always used Nicholas Fong’s article when installing openssh as the procedure is quick and painless. But this is when I realised Windows 7 requires the sshd user to have extra privileges to get it to work properly. The steps on the aforementioned site get around this by creating a new user called cyg_server. Personally, I don’t like having extra users, so I tried to find out how to give myself the same permissions without the need to create a new user.
With these instructions, you can fix the public key authentication problem and run sshd as Administrator or an existing user (even your own user account):
- You should have already installed cygwin and openssh by now. If not, what are you waiting for? Christmas?

- Undo any previous attempts to install the sshd service:
$ net stop sshd
$ cygrunsrv -R sshd
$ net user sshd /DELETE # See note below
$ rm -R /etc/ssh*
$ mkpasswd -cl > /etc/passwd
$ mkgroup --local > /etc/group
# Run `net user` to find out whether there are any other such users that could have run sshd, for example “sshd” or “cyg_server”. Delete these as well. Don’t delete any default Windows ones!
- Decide on a user account that you want to run the sshd process. This can be Administrator as well, except it’s disabled on Windows 7 by default (it can be enabled by running lusrmgr.msc). For these instructions, let’s say you want a user called MyUser to run sshd.
- Check existing permissions for MyUser (in case you need to roll back, keep a note of its output):
$ editrights -l -u MyUser
- Add additional privileges to allow sshd to run as a service:
$ editrights.exe -a SeAssignPrimaryTokenPrivilege -u MyUser
$ editrights.exe -a SeCreateTokenPrivilege -u MyUser
$ editrights.exe -a SeTcbPrivilege -u MyUser
$ editrights.exe -a SeServiceLogonRight -u MyUser
- Run ssh-host-config (don’t force the -y option):
$ ssh-host-config
- Answer yes to all questions. In particular, when it asks “Do you want to use a different name?”, say “yes” (this question is different with the -y option).
- Enter your desired username and password when you are prompted. You should *not* see any warnings. If you do, you might not have set all privileges correctly.
- If all goes well, start sshd:
$ net start sshd
Disclaimer: Do this at your own risk. Since your user gets these additional permissions, it may cause a few security issues (I can’t see any major issues though). You can find more information on user privileges at Microsoft Technet. Tested only on Cygwin 1.7.1 and Windows 7 Professional (64 bit).
PS: For those that are curious, the cygwin scripts that automatically made the new users were /usr/share/csih/cygwin-service-installation-helper.sh and /usr/bin/ssh-host-config. Looking through those scripts made it obvious what the problem was (Function: csih_account_has_necessary_privileges()).
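The rollback note in the steps above and the privilege check mentioned in the PS can be scripted. This is an added example, not code from the original post or from Cygwin's csih scripts; it works on saved `editrights -l` listings and uses `-r`, the editrights switch that removes a right. The function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and roll back the rights granted in the steps above.
# Input files are saved `editrights -l -u USER` listings, one right per line.

# The four rights the post adds to the account that runs sshd.
REQUIRED_RIGHTS="SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege
SeTcbPrivilege SeServiceLogonRight"

# normalize FILE: drop CRs, trailing blanks and empty lines; sort uniquely.
normalize() {
    tr -d '\r' < "$1" | sed -e 's/[[:space:]]*$//' -e '/^$/d' | LC_ALL=C sort -u
}

# missing_rights LISTING: print each required right absent from LISTING.
missing_rights() {
    for right in $REQUIRED_RIGHTS; do
        normalize "$1" | grep -qxF "$right" || echo "$right"
    done
}

# rollback_commands BASELINE CURRENT USER: print an `editrights -r` command
# for every right in CURRENT that was not in the BASELINE saved beforehand.
# The commands are only printed, so they can be reviewed before being run.
rollback_commands() {
    base=$(mktemp); cur=$(mktemp)
    normalize "$1" > "$base"
    normalize "$2" > "$cur"
    LC_ALL=C comm -13 "$base" "$cur" | while read -r right; do
        printf 'editrights -r %s -u %s\n' "$right" "$3"
    done
    rm -f "$base" "$cur"
}

# Constructed sample listings (not real output from any machine): the
# "after" file has CRLF line endings and is missing one of the four rights.
demo_dir=$(mktemp -d)
printf 'SeBatchLogonRight\n' > "$demo_dir/before.txt"
printf '%s\r\n' SeBatchLogonRight SeTcbPrivilege SeServiceLogonRight \
    SeAssignPrimaryTokenPrivilege > "$demo_dir/after.txt"

echo "Rights sshd still needs:"
missing_rights "$demo_dir/after.txt"
echo "Commands that restore the baseline for MyUser:"
rollback_commands "$demo_dir/before.txt" "$demo_dir/after.txt" MyUser
```

On a real machine the two listings would come from `editrights -l -u MyUser > file`, run from an elevated Cygwin shell before and after the change.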
I do this and only the user (MyUser in your example) can ssh into the system. Any ideas?
I take it back you are a genius. This was the only thing that worked. I was adding the rights with editrights that made everything work… Thank You
It’s impressive the amount of quality work that comes out of NZ. Cheers.
@Tapu: I completely agree
This is excellent! The exact solution to the problem that I have not managed to resolve since I got Windows 7 on my work notebook.
Thank you very much!
Any suggestions on Windows 7 Home Premium, since the lusrmgr is disabled?
Only thing I can suggest in that case is to use your own user account to run sshd. I haven’t tried it but it should work if you give it the extra privileges I mentioned.
In the Cygwin bash shell, first I tried to undo the attempt to install the sshd service:
net stop sshd --> it said the service name is invalid
Then I skipped this step and decided to choose MyUser (which has Administrator privileges) to check existing permissions:
$ editrights -l -u MyUser
It returned the message
Error in openPolicy
My computer has Windows 7 Home Premium.
Please help me.
@tam
I’m not too sure. Try running it in verbose mode (by adding ‘-v’):
Post the output here or email me if you need more help.
Hello,
first of all thanks for the good tutorial.
Unfortunately I still have a problem. It seemed that sshd is running fine, but when I try to connect from a second machine, I’m unable to start any command (hostname, bash…).
Here is some debug output from my client:
…
debug1: Trying private key: /home/xxx/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
sshd@yyyy’s password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG =
debug1: Sending env LC_CTYPE =
debug1: Sending command: c:\\cygwin\\bin\\bash.exe
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2160, received 2168 bytes, in 0.1 seconds
Bytes per second: sent 16966.9, received 17029.7
debug1: Exit status 1
Can you help me here?
Thanks,
Joe
@Joe
Interesting. I’ve never seen that before. What sort of ssh client are you using? Putty, openssh (command line)? Also, from the machine where you have cygwin installed, are you able to ssh into localhost? Try temporarily disabling your antivirus, see if that helps.
not sure about “quick and painless”
OpenSSH says it has a “minimal set of cygwin”, so I try it ..
I get a bunch of .nsi files ????? … I don’t need the aggravation.
So I try for full cygwin .. I get “download.exe” which flashes a dos window briefly, that’s all.
This is not my idea of painless.
I note that http://erdelynet.com/ssh-l/ hasn’t used cygwin since 1997,
am I chasing a zombie ??
Windows 7: right click setup.exe, run as admin …
Same result! a brief flash of a dos window…
@cts
This is something frustrating about Windows, it’s hard to get an application to run in verbose mode or run any sort of logs. Sorry, I can’t really help on this issue. I’d try the official mailing list or stackoverflow perhaps?
I am particularly exercised at the idea that to install cygwin which requires Admin, we are told to run ‘editrights’ which is not a windows command …
@cts
editrights is only to get sshd to work properly. Cygwin should be (in theory) a straight forward gui installation.
I got the service running on my win7 box, but now every time I try to connect from a remote computer I get a “Connection Refused” error. I am using Putty as my client and trying to connect to my external IP and port 22. How can I find out why the connection is refused?
@fratts
Again, it could be a firewall issue. Try this, from your local machine do `telnet localhost 22` (you may need a colon between localhost and 22 depending on which OS you use). If that works, try from another machine on the LAN (`telnet myserver 22`). If they both work, it could either be a software or hardware firewall stopping it from outside. Also check the port forwarding on the router as well.
When I try to telnet from Cygwin, I get “Command not found”.
@fratts
Sorry for that complete noob response…LOL, but I realized that I didn’t have telnet installed on either of my Win7 machines (server or client). Now that I have that protocol installed, and I run telnet localhost 22 from the local machine, it connects for about 30sec, then bounces back saying “Protocol mismatch” and then disconnects. Now I’m assuming that since I am trying to connect to port 22 (which is normally reserved for ssh) with telnet, this makes sense….right?
When I try to telnet from the remote machine, telnet 192.168.2.101 22, it does the exact same thing.
Now, I do not have my router firewall turned on, so that cannot be the problem, I have definitely allowed the ports through the windows firewall, not sure where to go next. Help please!!
@kgx
I got the same problem as @tam. The verbose output is not that helpful:
$ editrights -vl -u cyg_server
editrights version 1.01: a cygwin application to edit user rights
on a Windows NT system.
Copyright Chris Rodgers , Sep, 2003.
All rights reserved. See LICENCE for further details.
Error in openPolicy (LsaOpenPolicy returned 0xc0000022=STATUS_ACCESS_DENIED)!
Any suggestion?
Thank you!
All,
I ran these commands exactly and had zero issues!!! Windows7 is now
accepting ssh connections!
I did of course have to set up the dsa and/or rsa keys but hey, that is part of ssh.
@Mauro
I got the same error:
Error in openPolicy (LsaOpenPolicy returned 0xc0000022=STATUS_ACCESS_DENIED)!
And then I realized that I did not open it up as administrator. Make sure you right click on the shell icon and select “run as administrator” when you open it.
@g3
Thank you. It seems to work better (at least the configuration ends with no error) then I think I messed up other stuff in the meantime…
Can anyone guide me thru how to set up ssh with pka on this setup. I am finding it difficult.
Thank you for the instructions. It finally works on Windows 7.
I have created following script to make it easier for me to repeat the process on other Win7 machines. Hopefully others may find it useful.
NOTE: Change value of “SSH_USER” to whatever user-id you wish to use.
— start of script ——————————–
#!/bin/sh
###################################################################
#-- Setup sshd service on Windows 7                               #
#--                                                               #
#-- code from: http://www.kgx.net.nz/2010/03/cygwin-sshd-and-windows-7/
#--                                                               #
#-- Ramesh Parmar - Dec 29, 2010                                  #
###################################################################
SSH_USER="Administrator"
printf "Clear previous ssh settings\n\n"
rm -rf /etc/ssh*
printf "Removing 'sshd' user-id \n\n"
#---------------------------------------------------------------#
#-- Do not change 'sshd' to $SSH_USER from the following line --#
#---------------------------------------------------------------#
net user sshd /delete
printf "Updating /etc/passwd and /etc/group\n\n"
mkpasswd -cl > /etc/passwd
mkgroup --local > /etc/group
PRIV_FILE=/privilege-values-$SSH_USER-`date '+%Y%m%d_%H%M'`.txt
printf "Saving current privilege values to $PRIV_FILE\n\n"
editrights -l -u "$SSH_USER" > "$PRIV_FILE"
printf "Adding privileges to $SSH_USER\n\n"
editrights -a SeAssignPrimaryTokenPrivilege -u "$SSH_USER"
editrights -a SeCreateTokenPrivilege -u "$SSH_USER"
editrights -a SeTcbPrivilege -u "$SSH_USER"
editrights -a SeServiceLogonRight -u "$SSH_USER"
printf "Starting ssh-host-config \n\n"
printf "NOTE: Make sure to answer 'no' to \"create local user 'sshd'\"\n\n"
ssh-host-config -u "$SSH_USER"
printf "Starting 'sshd' service\n\n"
net start sshd
# end of file #
— end of script ———————————-
@Ramesh
Fantastic..thank you.
What a great tutorial. Thank you for putting this out!
Hello Kevin,
I have the same problem when I tried “editrights -l -u MyUser”,
I got the error message:
Error in openPolicy (LsaOpenPolicy returned ……..=STATUS_ACCESS_DENIED),
I was using my account which is the administrator of this computer.
Do you have any suggestions?
Great thanks in advance!
Gang
I’ve spent several days trying to get a ssh server running on my Windows 7 64-bit box, but the connection always hangs. I’ve uninstalled/deleted the users/software many times, tried many different webpage’s solutions, but still … hang.
$ uname -a
CYGWIN_NT-6.1-WOW64 MyShard 1.7.7(0.230/5/3) 2010-08-31 09:58 i686 Cygwin
$ editrights -l -u Administrator
SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeTcbPrivilege
SeServiceLogonRight
-rw-r--r-- 1 Administrator None 1555 Feb 23 15:49 /etc/ssh_config
-rw------- 1 Administrator None 668 Feb 23 15:49 /etc/ssh_host_dsa_key
-rw-r--r-- 1 Administrator None 607 Feb 23 15:49 /etc/ssh_host_dsa_key.pub
-rw------- 1 Administrator None 227 Feb 23 15:49 /etc/ssh_host_ecdsa_key
-rw-r--r-- 1 Administrator None 179 Feb 23 15:49 /etc/ssh_host_ecdsa_key.pub
-rw------- 1 Administrator None 982 Feb 23 15:49 /etc/ssh_host_key
-rw-r--r-- 1 Administrator None 647 Feb 23 15:49 /etc/ssh_host_key.pub
-rw------- 1 Administrator None 1679 Feb 23 15:49 /etc/ssh_host_rsa_key
-rw-r--r-- 1 Administrator None 399 Feb 23 15:49 /etc/ssh_host_rsa_key.pub
-rw-r--r-- 1 Administrator None 3184 Feb 23 15:51 /etc/sshd_config
$ ssh -vvv localhost
OpenSSH_5.8p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file /home/john/.ssh/id_rsa type -1
debug1: identity file /home/john/.ssh/id_rsa-cert type -1
debug1: identity file /home/john/.ssh/id_dsa type -1
debug1: identity file /home/john/.ssh/id_dsa-cert type -1
debug1: identity file /home/john/.ssh/id_ecdsa type -1
debug1: identity file /home/john/.ssh/id_ecdsa-cert type -1
(…. continues to hang indefinitely)
Obviously the sshd service is running (otherwise I wouldn’t be getting “Connection established”) and I doubt it’s a firewall issue (since I have the same problem even when shutting off virus software and shutting off windows firewall).
Any ideas?
Thanks,
John
To successfully run OpenSSH on a Windows 2003 Server you must create a new user account for it. Luckily the ssh-host-config command will create a user for you if you wish.
Thanks, it had been a while since I did an install on a WinXX machine and this helped me with some issues I had with the Win7 install. Did some minor tweaking to allow for domain users to be able to ssh to the machine(s), but aside from that, this tutorial filled in all the other blanks.
many thanks!
@John
I had the same issue on Windows 7 then I came across this blog.
I have used the script posted here and it works.
During the script run, it is important to say “no” to create user id.
Give it a try, it might work.
I set up the cygwin ssh server as described here and am able to connect locally (from the same machine) but not from another machine on the same network.
After disabling the win7 firewall, I am able to connect from another machine on the same network. I tried to instead add an exception to allow inbound connections on port 22 tcp to c:\cygwin\bin\cygrunsvc.exe, but that does not appear to be working…
I would much rather configure the firewall to be open just for incoming ssh connections. Did anyone have success adding an exception to the win7 firewall? Any ideas what I am doing wrong?
I am using win7 home premium
@Tom
I figured it out, my problem was that I need to allow inbound connections on port 22 to c:\cygwin\usr\sbin\sshd.exe
This worked perfectly for me on windows 7 enterprise.
Thanks for your help.
@Tom
Tom, I think you’ve answered most people’s problem here with Windows firewall issues. Thanks.
THANK YOU.
I had used the same instructions from Fong on a different machine (also Win7 64-bit) and it worked fine. Then on my laptop everything seemed to do ok during the instructions (ssh running and everything) but kept getting “not responding” when trying to putty to localhost.
I followed your instructions above and it worked like a charm.
I’m very thankful for the writeup.
PS: the only reason I use putty to ssh to localhost on my Win7 box is so I can resize the window. The cmd.exe and Cygwin Bash Window seem to be locked to a specific width. Anyone else use it for just that?
@whall
I recommend installing Console2: http://sourceforge.net/projects/console/
You can run cygwin inside Console2 and it gives you additional functionality such as tabbed consoles and resizing.
Life with Win7 no longer looks so bleak. Thanks!
This did the trick on my new Windows 7 x64 box. I’m trying to figure out how I did without it on my Windows 7 x64 laptop from work. Somehow, I didn’t have to do these steps but the sshd account has all of the necessary rights. Thanks for the great advice. You should have Nicholas Fong link this page to his. (He’s good about that kind of thing.)
This also works a charm on Windows 2008 Server! Thanks!
Hi, I am not able to run ssh-host-config as there is no such file in my setup. Please help.
Try reinstalling openssh and tcp_wrappers packages. Also make sure that C:\cygwin\bin is in your path.
Thanks so much — I use putty to ssh into localhost on my windows machine all the time since putty has much better scrollback, cut&paste, etc than cmd.exe. One day they changed something on our domain server at work and sshd service wouldn’t start any more. Your instructions above fixed the issue, with one footnote. When I tried it with “privilege separation” in ssh-host-config it still failed. But saying ‘no’ to privilege separation made it all work. Thanks again!
Cygwin 1.7.9
Win2008R2 server and it’s also domain controller.
First I tried using other user as Administrator:
Error in openPolicy (LsaOpenPolicy returned 0xc0000022=STATUS_ACCESS_DENIED)!
If you get
0xc0000022=STATUS_ACCESS_DENIED)!
then use user administrator to install.
I have win2008r2, it’s also domain controller.
cygwin 1.7.9, passwd file is done by setup = domain users.
I have done (needed or not ?)
$ cyglsa-config
using administrator cygwin session.
Install
$ cron-config
and
Do you want the cron daemon to run as yourself? (yes/no) no
$ ssh-host-config
using user administrator.
cron and ssh works fine for every domain users.
Hi Guys, I just want to share my experience. I answered yes to all the questions, but when I was asked “Do you want to use a different name?”, I said yes and used an existing administrator windows account.
In that way it works for me with my windows 7 Professional 64-bit.
Many thanks to Karuna for helping out with this issue. The only other thing I needed to do was to open the Windows firewall (Thanks, Tom!)
Great!!!
Worked like a charm!
THANK YOU!