Archive for the ‘ Programming ’ Category

Cygwin, sshd and Windows 7

It seems like installing OpenSSH (sshd) on Windows 7 is a bit of a hassle. When I first upgraded to 7 from WinXP, I simply copied across my Cygwin directory and it just worked. However, it was later I realised that it would not let me log in if using public key authentication. So I decided to install it from scratch. I’ve always used Nicholas Fong’s article when installing openssh as the procedure¬† is quick and painless. But this is when I realised Windows 7 requires the sshd user to have extra privileges to get it work properly. The steps in the aforementioned site gets around this creating a new user called cyg_server. Personally, I don’t like having extra users, so I tried to find out how to give myself the same permissions without the need to create a new user.

With these instructions, you can fix the public key authentication problem and run sshd as Administrator or an existing user (even your own user account):

  1. You should have already installed cygwin and openssh by now. If not, what are you waiting for? Christmas? :P
  2. Undo any previous attempts to install the sshd service:
    $ net stop sshd
    $ cygrunsrv -R sshd
    $ net user sshd /DELETE  # See note below
    $ rm -R /etc/ssh*
    $ mkpasswd -cl > /etc/passwd
    $ mkgroup --local > /etc/group

    # Run `net user` to find out if there’s any other such users that could have run sshd – example “sshd” or “cyg_server”. Delete these as well. Don’t delete any default Windows ones!

  3. Decide on a user account that you want to run the sshd process. This can Administrator as well except its disabled on Windows 7 by default (it can be enabled by running lusrmgr.msc). For these instructions, lets say you want a user called MyUser to run sshd.
  4. Check existing permissions for MyUser (in case you need to roll back, keep a note of its output):
    $ editrights -l -u MyUser
  5. Add additional privileges to allow sshd to run as a service:
    $ editrights.exe -a SeAssignPrimaryTokenPrivilege -u MyUser
    $ editrights.exe -a SeCreateTokenPrivilege -u MyUser
    $ editrights.exe -a SeTcbPrivilege -u MyUser
    $ editrights.exe -a SeServiceLogonRight -u MyUser
  6. Run ssh-host-config (don’t force the -y option):
    $ ssh-host-config
  7. Answer yes to all questions making sure when it asks “Do you want to use a different name?”, say “yes” (this question is different with the -y option)
  8. Enter your desired username and password when you are prompted. You should *not* see any warnings. If you do, you might not have set all privileges correctly
  9. If all goes well, start sshd:
    $ net start sshd

Disclaimer: Do this at your risk. Since your user gets these additional permissions, it may cause a few security issues (I can’t see any major issues though). You can find more information on user privileges at Microsoft Technet. Tested only on Cygwin 1.7.1 and Windows 7 Professional (64 bit).

PS: For those that are curious, the cygwin scripts that automatically made the new users were /usr/share/csih/ and /usr/bin/ssh-host-config. Looking through those scripts made it obvious what the problem was (Function: csih_account_has_necessary_privileges()).