Não é possível configurar o OpenSSH via CYGWIN no Windows 2008

1

Preciso de ajuda para configurar o OpenSSH no Win2008 via CYGWIN!

OBRIGADO antecipadamente!

Estou tentando configurar um servidor OpenSSH no Windows Server 2008 Datacenter via CYGWIN. Eu instalei e configurei o CYGWIN com o OpenSSH e Basic LinuxUtils. Estou entrando no sistema em um domínio chamado CNO.LOCAL com o nome de usuário kgraves . O que eu fiz até agora:

1. Permissões Locais Criadas para o usuário CNO.LOCAL\kgraves usando secpol.msc

- Adjust memory quotas for a process.
- Create a token object.
- Log on as a service.
- Replace a process-level token.

2.Criado e editado o arquivo / etc / passwd

$ mkpasswd -l > /etc/passwd

$ mkpasswd -u kgraves -D CNO.LOCAL -S '_' >> /etc/passwd

/ etc / passwd tem esta aparência:

SYSTEM:*:18:544:,S-1-5-18::
LocalService:*:19:544:U-NT AUTHORITY\LocalService,S-1-5-19::
NetworkService:*:20:544:U-NT AUTHORITY\NetworkService,S-1-5-20::
Administrators:*:544:544:,S-1-5-32-544::
TrustedInstaller:*:4294967294:4294967294:U-NT SERVICE\TrustedInstaller,S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464::
Administrator:unused:500:513:U-DUCLAW\Administrator,S-1-5-21-1295458589-1267770145-4179728800-500:/home/Administrator:/bin/bash
Guest:unused:501:513:U-DUCLAW\Guest,S-1-5-21-1295458589-1267770145-4179728800-501:/home/Guest:/bin/bash
CNO_kgraves:unused:11276:10513:Kent Graves,U-CNO\kgraves,S-1-5-21-350539814-2465610117-2008212152-1276:/home/kgraves:/bin/bash

sshd:unused:1014:513:sshd privsep,U-DUCLAW\sshd,S-1-5-21-1295458589-1267770145-4179728800-1014:/var/empty:/bin/false

3.Criado e editado o arquivo / etc / group

$ mkgroup -l > /etc/group

$ mkgroup -D -S '_' >> /etc/group

O arquivo

/ etc / group é assim:

SYSTEM:S-1-5-18:18:
TrustedInstaller:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:4294967294:
Administrators:S-1-5-32-544:544:
Backup Operators:S-1-5-32-551:551:
Certificate Service DCOM Access:S-1-5-32-574:574:
Cryptographic Operators:S-1-5-32-569:569:
Distributed COM Users:S-1-5-32-562:562:
Event Log Readers:S-1-5-32-573:573:
Guests:S-1-5-32-546:546:
IIS_IUSRS:S-1-5-32-568:568:
Network Configuration Operators:S-1-5-32-556:556:
Performance Log Users:S-1-5-32-559:559:
Performance Monitor Users:S-1-5-32-558:558:
Power Users:S-1-5-32-547:547:
Print Operators:S-1-5-32-550:550:
Remote Desktop Users:S-1-5-32-555:555:
Replicator:S-1-5-32-552:552:
Users:S-1-5-32-545:545:
None:S-1-5-21-1295458589-1267770145-4179728800-513:513:
SYSTEM:S-1-5-18:18:
TrustedInstaller:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:4294967294:
Administrators:S-1-5-32-544:544:
Users:S-1-5-32-545:545:
Guests:S-1-5-32-546:546:
Print Operators:S-1-5-32-550:550:
Backup Operators:S-1-5-32-551:551:
Replicator:S-1-5-32-552:552:
Remote Desktop Users:S-1-5-32-555:555:
Network Configuration Operators:S-1-5-32-556:556:
Performance Monitor Users:S-1-5-32-558:558:
Performance Log Users:S-1-5-32-559:559:
Distributed COM Users:S-1-5-32-562:562:
IIS_IUSRS:S-1-5-32-568:568:
Cryptographic Operators:S-1-5-32-569:569:
Event Log Readers:S-1-5-32-573:573:
Certificate Service DCOM Access:S-1-5-32-574:574:
Server Operators:S-1-5-32-549:549:
Account Operators:S-1-5-32-548:548:
Pre-Windows 2000 Compatible Access:S-1-5-32-554:554:
Incoming Forest Trust Builders:S-1-5-32-557:557:
Windows Authorization Access Group:S-1-5-32-560:560:
Terminal Server License Servers:S-1-5-32-561:561:
CNO_Domain Admins:S-1-5-21-350539814-2465610117-2008212152-512:10512:
CNO_Domain Computers:S-1-5-21-350539814-2465610117-2008212152-515:10515:
CNO_Domain Controllers:S-1-5-21-350539814-2465610117-2008212152-516:10516:
CNO_Domain Guests:S-1-5-21-350539814-2465610117-2008212152-514:10514:
CNO_Domain Users:S-1-5-21-350539814-2465610117-2008212152-513:10513:

4.Configure o OpenSSH, mas obtenha erros após criar o usuário CNO_kgraves ...

    The ssh-host-config script prompts you for answers to certain questions, including the following primary questions:
    Should privilege separation be used? Answer Yes.
    New local account 'sshd'? Answer Yes.
    Do you want to install sshd as a service? Answer Yes.
    Enter the value of CYGWIN for the daemon: Specify ntsec tty
    Do you want to use a different user name? Answer Yes.
    Enter the new user name? CNO_kgraves
    Re-enter: CNO_kgraves

*** Warning: Privileged account 'CNO_kgraves' was specified,
*** Warning: but it does not have the necessary privileges.
*** Warning: Continuing, but will probably use a different account.
*** Warning: The specified account 'CNO_kgraves' does not have the
*** Warning: required permissions or group memberships. This may
*** Warning: cause problems if not corrected; continuing...

    Two prompts for that user's password.

Em seguida, ele me dá esse erro depois de terminar o ssh-host-config e não tenho certeza do que isso significa, embora eu ache que tenha algo a ver com contas / privleges etc:

Erro no getSID (LsaLookupNames retornou 0xc0000073 = STATUS_NONE_MAPPED)!

*** Info: The sshd service has been installed under the 'CNO_kgraves'
*** Info: account.  To start the service now, call 'net start sshd' or
*** Info: 'cygrunsrv -S sshd'.  Otherwise, it will start automatically
*** Info: after the next reboot.

*** Info: Host configuration finished. Have fun!

5.Eu mudei as permissões e propriedade para certos arquivos porque eu tinha lido em um guia que deveria fazer isso. O que eu fiz está abaixo:

$ cygrunsrv --stop sshd
$ chown CNO_kgraves /var/log/sshd.log
$ chown -R CNO_kgraves /var/empty
$ chown CNO_kgraves /etc/ssh*

6. Tentei executar net start sshd , mas recebo o seguinte erro TODA vez ...

$ net start sshd
The CYGWIN sshd service is starting.
The CYGWIN sshd service could not be started.

The service did not report an error.

More help is available by typing NET HELPMSG 3534

Apesar de não informar um erro, o log do sshd em /var/log diz:

/var/empty must be owned by root and not group or world-writable.

Eu tentei alterar o proprietário usando chown para root, mas o usuário root não existe. Eu até tentei mudá-lo para SYSTEM porque me disseram que no CYGWIN ele vê SYSTEM como root, mas eu ainda não sei para onde mudar o grupo.

O serviço SSH está escutando na porta 22 porque quando eu tento SSH nele de outra máquina, recebo um prompt de login e a mensagem de Aviso de Domínio. Mas isso me diz que o acesso é negado toda vez que tento efetuar login com meu nome de usuário e senha (o mesmo nome de usuário que eu configurei em ssh-user-config ).

E para alguns detalhes finais apenas no caso, aqui estão os meus arquivos ssh_config e sshd_config:

#   $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com




#   $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key
#HostKey /etc/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
StrictModes no
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile  .ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox      # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem   sftp    /usr/sbin/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   ForceCommand cvs server
    
por Kentgrav 22.01.2013 / 20:24

1 resposta

2

Após 2 dias batendo minha cabeça contra a parede tentando descobrir isso e teimoso demais para tentar qualquer outro serviço. Eu finalmente descobri qual era o meu problema.

Antes de instalar os pacotes Cygwin e Openssh, estava procurando pelo OpenSSH para Windows e acabei instalando-o. É uma versão do OpenSSH que possui serviços Cygwin extremamente "mínimos" e requer muito menos interação do usuário.

Não sei ao certo como o OpenSSH para Windows funciona ou como configurá-lo, mas o que sei é que, quando você o instala, ele cria automaticamente um serviço chamado:

OpenSSHd

O executável para ele está localizado em:

C:\Program Files\OpenSSH for Windows\bin\cygrunsrv.exe

Enquanto navegava pelos meus serviços, vi e chamou minha atenção. Acontece que ele estava amarrando minhas portas e o CYGWINssh não conseguia acesso a ele. Mas no final aprendi muito sobre CYGWIN e OpenSSH! Então eu acho que não foi tudo uma perda de tempo! Espero que esta pergunta / resposta ajude alguém lá fora.

    
por 23.01.2013 / 21:01