Cygwin - SSHD Configuration
Written: 08/19/12
Last Updated: 01/08/15
NOTE 1 – With the environment variables “ntsec” and “tty” no longer being supported, this article has been completely updated to show how to create the server using the new settings. If you wish to see the legacy version, it can be found here.
NOTE 2 – This article was originally written with the intent of using a single user. This procedure has been tested and verified to work. It is still secure; however, it is more secure if you use two users, as it allows you to perform proper privilege separation. At the time, I do not have detailed directions on how to do that; however, I provided a high-level description as a response to Roc White’s comment (thanks again for catching this). Please read through this tutorial and that comment before continuing.
This guide is the second part of my Cygwin SSH server series and assumes that Cygwin was installed according to the first guide. If you did not read the first part it can be found here. This article will focus on how to configure sshd, the ssh daemon, in Cygwin. My knowledge on this subject was obtained through painful experimentation and time spent searching online. Over two years have passed since that initial installation and I have still found Cygwin to be the best solution to my needs. I have also found some tweaks that I find make the setup easier and more secure. Those techniques will be shown in these guides as well as any known limitations.
Now that Cygwin has been installed, we need to make a Windows environment variable, create a new administrator account, install the daemon, and start the server. First, click on your start menu and type “advanced system settings”. Then click on the item in the Control Panel titled “View advanced system settings”.
The sshd service that we will be creating must be run under a user. Do NOT use your current user. This is very important, because if you ever wish to delete the server you will need to delete the user. This username will also become the name of a service, so choose your name wisely. I like to use the name “sshd” as it explains exactly what the user is for. You can name it whatever you wish, just make sure to keep all of your names straight. Since I will be using sshd, you will need to exchange that name for whatever you pick throughout the rest of these guides.
To make a new user, click on the start menu and type “user accounts” in the search field. Click on “Add or remove user accounts”.
chmod +r /etc/passwd
chmod u+w /etc/passwd
chmod +r /etc/group
chmod u+w /etc/group
chmod 755 /var
touch /var/log/sshd.log
chmod 664 /var/log/sshd.log
editrights -l -u sshd
editrights -a SeAssignPrimaryTokenPrivilege -u sshd
editrights -a SeCreateTokenPrivilege -u sshd
editrights -a SeTcbPrivilege -u sshd
editrights -a SeServiceLogonRight -u sshd
editrights -l -u sshd
The “chmod” command stands for change file mode bits. It is used to change the permissions on files and directories. The first four lines change the permissions on the files “passwd” and “group” to give us write access to them. The “passwd” file will contain all of the Windows users’ security information set by Windows; likewise, the “group” file will contain all of the Windows groups’ security information. The files do not contain any password information, as that portion is managed by Windows. These two files are critical as they will contain all of the user info needed for the ssh server.
The next three lines change the permissions for the log file so that logging may occur correctly. The “touch” command updates a file’s timestamps and creates the file if it does not yet exist; here it creates the empty log file (or, if it already exists, sets its modification time to the current time). To use the log file, the permissions on the “var” directory must also be changed. The log file whose permissions we are changing is designed to log the actions of the ssh server. There are much better logging tools available and in a later tutorial I will go over how to use them, but for the meantime it’s important to set this up.
The last six commands are used to change Windows user rights and privileges. It is important that when issuing these commands you use the username you picked for the server in the place of “sshd”. The commands on lines eight and 13 display the rights currently assigned to the user. There should not be any rights set the first time the command is given, and afterwards the user should have all of the rights assigned in lines nine through 12. These advanced privileges are necessary for the service to run correctly. More details on what each privilege does can be found by searching Microsoft’s TechNet Library.
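As an added example (not part of the original article), the script below wraps the permission and user-rights steps above into an idempotent check-and-fix routine that can be re-run safely, and adds a small triage helper for the “fatal: seteuid N: Operation not permitted” failure that several commenters report below. It assumes the service user is named sshd (override with SSHD_USER), that it is run from an elevated Cygwin shell, and that editrights, mkpasswd and mkgroup are the Cygwin tools used in this article and its comments; recreating the passwd and group files with mkpasswd -l / mkgroup -l when they are missing is taken from the comment thread, not from this step.

```sh
#!/bin/sh
# Added example, not code from the original article. Idempotent check-and-fix for
# the permission and user-rights steps above, plus a triage helper for the
# "fatal: seteuid N: Operation not permitted" failure reported in the comments.
# Assumptions: the service user is "sshd" (override with SSHD_USER=...), the shell
# is an elevated Cygwin shell, and editrights/mkpasswd/mkgroup are the Cygwin tools.
set -eu

SSHD_USER="${SSHD_USER:-sshd}"
SSHD_LOG="${SSHD_LOG:-/var/log/sshd.log}"

# The four user rights the article grants with "editrights -a", one per line.
REQUIRED_RIGHTS='SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeTcbPrivilege
SeServiceLogonRight'

# Print, one per line, the required rights absent from $1, a newline-separated
# list of rights the user already holds (the output of "editrights -l -u USER").
missing_rights() {
  local current="$1" r
  printf '%s\n' "$REQUIRED_RIGHTS" | while IFS= read -r r; do
    printf '%s\n' "$current" | grep -qx "$r" || printf '%s\n' "$r"
  done
}

# True when the octal mode of file $1 equals $2 (for example 664).
mode_is() { [ "$(stat -c '%a' "$1")" = "$2" ]; }
# chmod only when the mode differs, so re-running leaves a correct setup untouched.
ensure_mode() { mode_is "$1" "$2" || chmod "$2" "$1"; }

# Extract the uid from a "fatal: seteuid N: Operation not permitted" log line;
# return 1 for any other line.
seteuid_uid() {
  case "$1" in
    *"fatal: seteuid "*": Operation not permitted"*)
      printf '%s\n' "$1" | sed -n 's/.*fatal: seteuid \([0-9][0-9]*\):.*/\1/p' ;;
    *) return 1 ;;
  esac
}

# Map a uid to its account name through a passwd-format file ($2, default /etc/passwd).
uid_to_name() {
  awk -F: -v uid="$1" '$3 == uid { print $1; exit }' "${2:-/etc/passwd}"
}

# Scan an sshd log ($1) for the seteuid failure and name the account the daemon
# could not switch to. The fix reported in the comments was re-applying the
# editrights step to the service user.
triage_log() {
  local line uid name
  while IFS= read -r line; do
    uid="$(seteuid_uid "$line")" || continue
    name="$(uid_to_name "$uid" "${2:-/etc/passwd}")"
    printf 'seteuid to uid %s (%s) refused: verify rights with editrights -l -u %s\n' \
      "$uid" "${name:-unknown}" "$SSHD_USER"
  done < "$1"
}

# /etc/passwd and /etc/group are missing on some installs (see the comments);
# regenerate them with mkpasswd/mkgroup only when absent, then apply the
# article's chmod steps. A stale but present file is left alone on purpose.
ensure_user_db() {
  [ -s /etc/passwd ] || mkpasswd -l > /etc/passwd
  [ -s /etc/group ]  || mkgroup  -l > /etc/group
  chmod +r /etc/passwd; chmod u+w /etc/passwd
  chmod +r /etc/group;  chmod u+w /etc/group
}

ensure_log() {
  ensure_mode /var 755
  [ -e "$SSHD_LOG" ] || touch "$SSHD_LOG"   # touch creates the file when absent
  ensure_mode "$SSHD_LOG" 664
}

# Grant only the rights the user does not yet hold, then list them again so the
# result is visible. An LsaOpenPolicy 0xc0000022 error here means the shell is
# not elevated (see the comments).
ensure_rights() {
  local current r
  if ! current="$(editrights -l -u "$SSHD_USER" 2>&1)"; then
    printf 'editrights failed: %s\n' "$current" >&2; return 1
  fi
  missing_rights "$current" | while IFS= read -r r; do
    editrights -a "$r" -u "$SSHD_USER"
  done
  editrights -l -u "$SSHD_USER"
}

main() {
  ensure_user_db; ensure_log; ensure_rights
  if [ -r "$SSHD_LOG" ]; then triage_log "$SSHD_LOG" /etc/passwd; fi
}

# Only act on a real Cygwin install; elsewhere the helpers can still be sourced.
if command -v editrights >/dev/null 2>&1; then
  main
else
  echo "editrights not found: run this from an elevated Cygwin shell" >&2
fi
```

Because every step checks before it changes anything, the script can be re-run after a reboot or after a group-policy refresh to confirm the four rights are still present; triage_log turns the numeric uid in the seteuid failure into the account name so you can see which account the rights need to be re-applied to.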
Now that we have a user and the permissions are all configured correctly, it is time to install the service. Start the script by typing the command “ssh-host-config”. The answers to give to all of the questions are shown below, one per line. Once again, where I use “sshd” make sure you use the correct name given earlier. The last two lines will be the password that you assigned the user earlier.
ssh-host-config
yes
yes
yes
sshd
sshd
PASSWORD
PASSWORD
To set up Local Security Authority (LSA) authentication, run the script by issuing the command “cyglsa-config”. LSA authentication will allow the sshd service to run under the SYSTEM account, among other things. Here is a good explanation of everything that it entails. Answer “yes” to all of the questions. This will automatically reboot your system, so make sure you are ready to reboot before running the script. You have the option to delay the reboot, but it is a good idea to go ahead and reboot right after this command is issued.
Cygwin should now be correctly configured with sshd. When you reboot your computer you should see the service sshd (or whatever you called it) running. At this point, only the most basic setup has been completed. Security and firewall settings, among other things, still need to be configured. Click here to go to the next topic in the series.
SshDemon responded:
Excellent instructions, but a few comments:
(1) You may need to revise these instructions to reflect installing the latest Cygwin/SSH on Windows 8.1. Things seem quite different now. Also, the default ssh-host-config is generating TWO new user accounts. One called “cyg_server” and the other “sshd” (defaults). This is very confusing since it seems that you should not use either one for SSH login purposes. In your instructions it seems that you replace the former with the latter.
(2) I’m not sure you need the “cyglsa-config” anymore. In fact it is very unclear why you need it. Please explain better or check up on it.
Thanks for your effort.
(3) Your instructions for creating Windows User Groups don’t work for non-professional editions of Windows 8/8.1 and others. This is very disappointing and confusing. It may still be possible by command line.
James responded:
Thank you for your input. To address your points:
(1) I assumed things would be different on Windows 8.1; however, I haven’t had the time to look into it. It sounds like they have updated the script; back when I wrote this tutorial it did not create a cyg_server user. I used the sshd account to keep things separate. The account technically has SSH permissions; however, I view it as more of a “root” account and simply keep it locked down. It should be possible to link sshd to any other account, but I have not personally tested this.
(2) Please refer to the link for more information about that particular script. The script was needed back when I wrote this tutorial (things may have changed…). It gave the SSH server LSA authentication, which is needed in Windows to allow users to log onto the system. You can read more about LSA authentication, here.
(3) That is quite upsetting, thanks for pointing that out. It appears that the “Local Users and Groups Manager” (lusrmgr.msc) is not included in the home editions. A workaround would be to use the “net localgroup” command, which should work fine for Windows 7/8 non-pro editions. You can use it via the following syntax “net localgroup [groupname] [username] /add”
SPalato responded:
I had problems getting “ssh-host-config” to work without warning using cygwin64 on Windows 8. /etc/passwd wasn’t getting updated by Windows, and chown couldn’t find the user. That can be fixed using “mkpasswd -cl > /etc/passwd”.
Thanks for the good tutorial!
James responded:
Thanks for the feedback! I’m sure that information will help others.
anil responded:
Thank you very much for the detailed instructions. I have tried this on Windows 2012 R2 x64 with the latest Cygwin. Worked perfectly.
Roc White responded:
Regarding ssh-host-config script creating two user accounts: If you look at your second to last screenshot, to the question “Do you want to use a different name” you answered yes, and chose “sshd” (instead of the default “cyg_server”) as the name for the privileged user. Note that the first non-privileged user is also called “sshd” (two lines above the question “Should privilege separation be used”). My guess is that by using the same account for both there would be no separation of privileges.
James responded:
Good catch. I should have made a separate privileged user. With Cygwin, only the pre-authentication phase is supported. My guess is that by setting the user to be the same it will still do the separation; however, it would effectively be the same thing as using the same user with some added overheads.
To properly fix this, two users would need to be created, one with the root privileges as previously shown and one without those privileges. Both users should be configured in Windows to make it such that they are not allowed to login, especially with regards to remote connections from the privileged user.
In Cygwin, both users should contain a “nologin” or invalid shell. As a preparation step, the following should be done:
Additionally, when I show the editrights steps, all of those should be done for your new privileged user, not sshd.
I’ll make sure to point this information out in my article. Thanks again for your comment. I apologize for glancing over these steps; hopefully, these new steps will fix things.
Yick Lam responded:
Thanks so much for the instruction.
I was asked to automatically back up the photos from my grandpa’s phone to a PC.
I installed “rsync backup for android”.
One big hurdle to using it is the requirement to install rsync over ssh (with an automatic login feature) on my PC.
I followed cygwin ssh server setup instructions from a number of websites. I could log in to the ssh server with the keyboard-interactive password, but when it came to automatic login (using an rsa key pair), the ssh program closed itself:
Offering public key: /root/.ssh/id_rsa
Connection closed by SERVER
I figured a way to check what’s wrong on the server side, using “event log viewer” in windows. The error I saw was like:
sshd: PID 7840: fatal: seteuid 1002: Operation not permitted
Then I got stuck on this for almost 2 weeks……
I am not an expert in Linux environment!
Finally I came across your instructions. I think the key difference in your instructions is the creation of the login “ssh”. After setting it up, the automatic login works like a charm!
mstaffa81 responded:
Hi there, So I’m having a wee bit of trouble with the chmod commands that edit /etc/passwd and /etc/group. It’s insisting that the file/directory doesn’t exist, which I figured might have been from the PATH variable being wrong, but when I checked it it was assigned correctly. I can’t seem to proceed without this issue being resolved.
James responded:
mstaffa81 and I have been talking offline. His problems should now be resolved. For those of you with the above problem:
This error occurs when those two files are missing. This shouldn’t happen, but if for some reason they don’t get created, then you can create them manually by doing the following:
Also, when using “editrights” if you get this error “Error in openPolicy (LsaOpenPolicy returned 0xc0000022=unknown status code)!” try again using an elevated Cygwin session, i.e. right click on your Cygwin shortcut and then click on “Run as administrator”.
sigfrido responded:
Hi, I have the same problem. After the installation of cygwin, passwd and group are missing. The section “create-and-add-users” explains the security problem with these commands:
mkpasswd --local > /etc/passwd
mkgroup --local > /etc/group
I changed them to:
mkpasswd --current > /etc/passwd
mkgroup --current > /etc/group
This adds only my current user to passwd and group; of course I have to add every account I want to give access to the ssh server,
but is it OK to not add sshd in these files?
thank you
James responded:
If you do not add the sshd user then that user will not be able to SSH in. I believe that should be OK, but I have not tested this to verify. The sshd user is the user used for the service. If you do try this, please let us know how it plays out. Thanks!
clanmills responded:
I’m offering the following comment, although it might be off the mark. I got it to work with the account ‘sshd’ by following Jame’s instructions. I subsequently used the Services Panel to Access ‘CYGWIN/ssh Properties’ and changed the ‘This account’ to my own account. This caused sshd to run with my credentials and permissions. For sure you need a little determination to get sshd working.
Senthil Kumar responded:
I followed all your steps but I’m still getting a permission denied error. Could you please help? Kind of stuck for a week now 🙁
$ ssh -v localhost
OpenSSH_7.1p1, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/sshdadmin/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sshdadmin/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sshdadmin/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sshdadmin/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sshdadmin/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sshdadmin/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sshdadmin/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sshdadmin/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1
debug1: Remote protocol version 2.0, remote software version WeOnlyDo 2.4.3
debug1: no match: WeOnlyDo 2.4.3
debug1: Authenticating to localhost:22 as 'WNT2012TEMP+sshdadmin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha2-256 none
debug1: kex: client->server aes128-ctr hmac-sha2-256 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:gVnFKz/ebnNhr/7EzxRzZRjRPfwNTW8roLqfD7aOI0U
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is SHA256:gVnFKz/ebnNhr/7EzxRzZRjRPfwNTW8roLqfD7aOI0U.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,gssapi-with-mic,publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/sshdadmin/.ssh/id_rsa
debug1: Trying private key: /home/sshdadmin/.ssh/id_dsa
debug1: Trying private key: /home/sshdadmin/.ssh/id_ecdsa
debug1: Trying private key: /home/sshdadmin/.ssh/id_ed25519
debug1: Next authentication method: password
[email protected]’s password:
debug1: Authentications that can continue: password,gssapi-with-mic,publickey
Permission denied, please try again.
[email protected]’s password:
debug1: Authentications that can continue: password,gssapi-with-mic,publickey
Permission denied, please try again.
[email protected]’s password:
Received disconnect from 127.0.0.1: 2: Too many attempts.
Disconnected from 127.0.0.1
[email protected] ~
$
James responded:
Based on your output you are able to connect to the server, so that’s good at least. It also tells me that you have it up and running, but that you are having credential issues. I’m assuming that when you tried your password, you typed it in correctly. With that assumption it sounds like you have an issue with adding the credentials to the server. I would try redoing the mkpasswd and mkgroup commands. Then reboot and try again. If that doesn’t work, make sure you can actually log into your Windows box with the user that you are trying to connect as. All Cygwin users will also be valid Windows users. Once you are set in Windows, issuing those two commands (as outlined in the article) should update the credentials for the server.
If that fails, check your config. You might have accidentally set some security setting that is giving you a hard time. If in doubt, you can just use the default settings initially.
Senthil Kumar responded:
I am only having issues connecting to Windows, while Linux connections are working fine! Any help would be deeply appreciated!
Senthil Kumar responded:
Let me try that.
thank you very much.
clanmills responded:
This article is a life-saver. Thank you very much. Every time I have to get sshd to run on cygwin, my heart sinks. I endure this misery about once a year. However, thanks to you, I think I have a one-stop shop for help.
Senthil kumar responded:
I checked many websites before seeing this one which explained very clearly and finally able to make a successful sftp connection. Step by step explanation was great!!!
Thank you so much James !!!
sigfrido responded:
Hi! Thank you for the reply. In the end I added just my account and it works great. I’d just like to add this: if you create an account for sshd manually, it will appear on the logon screen; I remember from my last installation that if you let cygwin create it, it won’t appear (but then I don’t know if all the commands about permissions will work the same). So I just used a little registry trick to hide sshd from the logon screen.
Bye
Mike Potter responded:
My use case is strictly localhost for a work Java project. Unfortunately I work for a Fortune 100 company with no authorization to create admin accounts on my work PC. These instructions warn that you do want a separate account, so I don’t see that I can adapt the instructions given my login account type.
It is so cool, though, that I’m almost tempted to do it on my home PC. However, I have a Linux-based home NAS for my AV system that can provide SFTP server functionality among many others. Thus it would be an academic exercise to do this, although an interesting one.
James responded:
If you were to do something like this at work, I would recommend talking to your IT department first. If your account has the proper privileges you could register the service under that account, but you should probably still consult IT.
clanmills responded:
Mike: I am very happy to be retired and away from the Corporate World in which many people are employed to throttle your productivity and (even worse) your enthusiasm. I’d like to share with you, however, that getting this stuff to work is painfully interesting! Having a Windows/Cygwin PC running on the same network as Linux enables you to play with SSH in a more meaningful way than only localhost. Incidentally, there are other free ssh servers for Windows which you may wish to try. Have fun with this stuff.
ajinkya sagane responded:
$ chmod +r /etc/passwd
chmod: changing permissions of ‘/etc/passwd’: Permission denied
What can I do now? Please explain.
James responded:
Make sure you are executing these from a prompt that has been launched with administrative privileges.
Robert responded:
ebug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: [email protected] (0x7f36f4c4ed80)
debug2: key: [email protected] (0x7f36f4c4ecc0)
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa (0x7f36f4c4bae0)
debug2: key: /root/.ssh/id_dsa ((nil))
debug2: key: /root/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: [email protected]
debug2: we sent a publickey packet, wait for reply
Connection closed by *.*.*.*
A connection is not possible when using an ssh key; it’s closed immediately.
The log shows:
sshd: PID 7676: fatal: seteuid 197611: Operation not permitted
Does anyone know what is the problem ?
Thank you!
James responded:
It looks like your SSH keys may not be set up properly. Please ensure that you have set up your keys properly. It may be best to first try with a password, to make sure the basic setup works.
yarecki responded:
I’m having a problem where I can connect to my server via WinSCP, yet when I try ssh from a Linux host with the same account the server closes the connection, and looking in the event log I see chown(dev/pty1, some numbers) failed: Permission denied. What could be causing the problem?
James responded:
Try SSHing as root. This shouldn’t be necessary, but it may be an easy fix.
Mark responded:
Hi, thank you for your post. I would like to add a couple of additional things to your post. In my setup I’m using Windows 10, Public Key Authentication and needing to access network shares.
cyg_server and sshd both exist on the machine running the ssh server.
I found I had to apply the rights mentioned above to both users (not 100% certain if this was necessary)
I then had to configure cyglsa-config
Finally I had to store the password using cyglsa for the users in question. This requires administrative privileges since my ssh server is running using cyg_server instead of SYSTEM account. I found an admin could set the password using the command passwd -R USERNAME then enter passwords.
After doing this the user could access the network shares whilst logging in using Public Key Authentication.
I found the information contained here extremely useful:
https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
Thanks for your help!
Johnny Halfmoon responded:
THANK YOU SO VERY MUCH! I don’t CAPSHOUT very often, but when I do, it is with good reason. Your post helped me fix the bloody annoying sshd “Operation not permitted” error, that appeared today, out of thin air, after weeks of trouble-free usage.The ‘editrights’ lines were what fixes this issue. I’m guessing my company laptop underwent something like a background GPO update, destroying my working config. Actually, like so many people that have the same problem, I don’t have a clue what caused this. But thank you again. I owe you a beer, or maybe two.