How to set up Ssh/Sshd for key-based login under Cygwin (Vista) with StrictModes yes

  • Brent.Longborough

    I have successfully set up ssh and sshd under cygwin to allow myself to log in from A to B and B to A (both A and B are Vista machines).

    To do this, I have had to set StrictModes no in my /etc/sshd_config.

    If I set StrictModes to yes, key-based login is bypassed, and ssh(d) prompts for a password (which then works). In the event log, I get this message:

    sshd: PID 3684: Authentication refused: bad ownership or modes for file /home/brent/.ssh/authorized_keys

    I have two sub-questions:

    1. Is there any point in using StrictModes yes under cygwin/Vista? (I imagine that under a true Unix this will provide additional security.)
    2. Assuming yes, precisely what ownership and mode should I be using? The current listing for the authorized_keys is:

      -rwxrwxrwx 1 Administrators None 847 Sep 5 14:38 .ssh/authorized_keys

    After a little more research:

    It looks like /home/brent/, /home/brent/.ssh/, and /home/brent/.ssh/authorized_keys all need to meet the following criteria:

    • Not group- or world-writable (minimum chmod 755)
    • Owner: brent (in this case) -- I don't know whether this means "this user" or "any user with certain status or privileges" or "the user who installed cygwin" or "the user who ran sshd-host-config".

    So it works, but I'd still appreciate precise comments on why, and on whether it's correct.

  • Answers
  • mattikus

    In my experience on normal unix systems, your authorized_keys file needs to have octal permissions 600 so that only the user who created it (and root) is able to read it, to prevent other users from seeing the file. I assume it's the same in cygwin. Strict mode is just telling you to change the permissions as you found out.

    So from previous experience, I'd say you were correct. As for owner, it should be the person who owns the files, probably meaning 'this user' in your context.
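
An added example, not part of the original thread: a shell approximation of the ownership and mode test that "StrictModes yes" applies to the home directory, .ssh and authorized_keys (each must be owned by the login user or uid 0, with no group- or world-write bit). The function names are hypothetical, and GNU stat (coreutils, as shipped with Cygwin) is assumed.

```shell
#!/bin/sh
# Added example: approximates the sshd StrictModes ownership/mode test.
# Assumption: GNU stat from coreutils is available (as on Cygwin).

# check_path PATH UID
# Prints a reason and returns 1 if the path would be rejected,
# returns 2 if the path cannot be examined, 0 if it passes.
check_path() {
    local path="$1" uid="$2" owner mode
    owner=$(stat -c '%u' "$path") || return 2
    mode=$(stat -c '%a' "$path") || return 2
    # Must be owned by the login user or by uid 0 (root).
    if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
        echo "bad owner (uid $owner): $path"
        return 1
    fi
    # The group-write and world-write bits (octal mask 022) must be clear.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "bad mode ($mode): $path"
        return 1
    fi
    return 0
}

# strictmodes_audit HOME [UID]
# Checks HOME, HOME/.ssh and HOME/.ssh/authorized_keys, reports every
# offender, and returns non-zero if any of them fails.
strictmodes_audit() {
    local home="$1" uid="${2:-$(id -u)}" rc=0 p
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$uid" || rc=1
    done
    return $rc
}

# When run as a script with arguments: strictmodes_audit /home/brent
if [ "$#" -gt 0 ]; then
    strictmodes_audit "$@"
fi
```

Modes 755 on the home directory, 700 on .ssh and 600 on authorized_keys pass; the 777 listing shown in the question is reported as a bad mode.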

  • Related Question

    openssh - How to uninstall/reinstall cygwin to use the sshd?
  • prosseek

    I installed cygwin/sshd without good results. I removed the c:\cygwin directory to reinstall. I removed the sshd Administrator user by hand.

    I reinstalled cygwin again, then ran 'ssh-host-config -y'. Strangely, it doesn't ask anything about making a new user, and the procedure is really short.

    $ ssh-host-config -y
    *** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
    *** Info: Creating default /etc/ssh_config file
    *** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
    *** Info: Creating default /etc/sshd_config file
    *** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
    *** Info: However, this requires a non-privileged account called 'sshd'.
    *** Info: For more info on privilege separation read /usr/share/doc/openssh
    *** Query: Should privilege separation be used? (yes/no) yes
    *** Info: Updating /etc/sshd_config file

    *** Info: Host configuration finished. Have fun!

    When I ran 'cygrunsrv -S sshd', I got an error: "Win 32 error 1069: The service did not start due to logon failure". It's a reasonable message, as I deleted sshd as a user, and the reinstall procedure did nothing about that.

    I see I got something wrong with the uninstallation.

    Q: How can I uninstall the sshd related thing perfectly so that I can reinstall it again?

  • Related Answers
  • Kentgrav

    If sshd had been previously installed on the system, the following cleanup should be performed before invoking ssh-host-config:

    # Remove sshd service
    cygrunsrv --stop sshd
    cygrunsrv --remove sshd
    # Delete any sshd or related users (such as cyg_server) from /etc/passwd
    #   (use your favorite editor)
    # Delete any sshd or related users (such as cyg_server) from the system
    net user sshd /delete
    net user cyg_server /delete
  • prosseek

    I had to do three steps to get it reinstalled.

    • delete LOCAL_MACHINE\SYSTEM\ControlSet001\services\sshd
    • run 'sc delete sshd'
    • reboot

    The problem is that I can't log in to cygwin from the Mac, which is the exact reason I tried to reinstall cygwin.

    I made another thread about this problem.