Solution 2
cygwin-1.7 sshd/ssh-host-config install issues on Vista
by Herb Maeder, Oct 18, 2008; 03:50am

On a fresh install of the cygwin-1.7 base package + openssh, I believe we should expect the following to work for installing and testing sshd:

ssh-host-config -y
cygrunsrv --start sshd
ssh localhost pwd

If sshd had been previously installed on the system, the following cleanup should be performed before invoking ssh-host-config:

# Remove sshd service
cygrunsrv --stop sshd
cygrunsrv --remove sshd
# Delete any sshd or related users (such as cyg_server) from /etc/passwd
# (use your favorite editor)
# Delete any sshd or related users (such as cyg_server) from the system
net user sshd /delete
net user cyg_server /delete

But in trying to run the test case, I ran into a number of issues when running on Vista (and some on XP). I've been able to work around all but the last one.

1. (Vista) ssh-host-config needs to run with elevated permissions

This is not really a problem since we expected elevated permissions to be required, but there are some issues surrounding it. I believe the current recommendation is to run ssh-host-config in a bash shell started with "RightClick->Run As Administrator". But given that this requirement is specific to Vista, it might be worth a check at the start of the script to make sure that run permissions are good enough to avoid the more obscure errors later on. An error statement indicating the preferred way to invoke ssh-host-config will hopefully cut down on noise to the list from people switching to Vista. BTW, is there a simple command to unobtrusively detect if the runtime permissions are correct?

Also, running a bash shell as administrator is less than ideal. It may encourage always running as administrator even when not necessary, plus administrator shells are not easily distinguishable from normal shells. I'm curious... is there a way to elevate permissions from a bash command line (kind of like a poor man's sudo)? The point would not be to avoid the UAC prompt, but to be able to invoke it when needed from the command line rather than just getting permission denied errors. I have come up with a couple of solutions to do this, but they have too many drawbacks to be really useful (e.g. output ends up in a new cmd window, UAC prompt lists wrong program, ...).

2. (Vista/XP) The tcp_wrappers dependency is missing in openssh/setup.hint

Since sshd.exe depends on cygwrap-0.dll, the tcp_wrappers package must be installed in order to avoid this error when starting up the sshd service:

$ cygrunsrv --start sshd
cygrunsrv: Error starting a service: QueryServiceStatus: Win32 error 1062:
The service has not been started.

But the tcp_wrappers package is not listed as a dependency in the openssh setup.hint file. It seems others have hit this problem already, but it hasn't been fixed at the root of the problem yet: http://www.cygwin.com/ml/cygwin/2008-08/msg00746.html

3. (Vista) "ssh-host-config -y" still prompts for user input

The -y option to ssh-host-config should set up sshd with a usable default configuration without any further user input. But since the default for the "Do you want to use a different name?" question is "yes", the user will be queried for the privileged user name (and may not end up with the default configuration):

$ ssh-host-config -y
<snip>
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges itself.
*** Info: No privileged account could be found.
*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) yes
*** Query: Enter the new user name:

The question should probably be rephrased so that yes will keep the stock name by default, for example, "Do you want to use this name? (yes/no)". Or perhaps the "different name" question should come after the "Create new privileged user account 'cyg_server'?" question (if it is answered 'no'). This seems to be in the csih package, in the csih_select_privileged_username() function.

4. (Vista) Missing warning if cyg_server exists in /etc/passwd but not in SAM

If the cyg_server account is deleted from the local machine, but its entry is still left in /etc/passwd, the next run of ssh-host-config will not issue a warning. Instead it will just result in a "Win32 error 1057":

*** Info: The following privileged accounts were found: 'cyg_server' .
*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) no
*** Query: Please enter the password for user 'cyg_server':
*** Query: Reenter:
cygrunsrv: Error installing a service: CreateService: Win32 error 1057:
The account name is invalid or does not exist, or the password is invalid for the account name specified.
*** Warning: Something went wrong installing the sshd service.

Unfortunately, this does not indicate the real root of the problem, so it makes it a bit difficult for users to debug. Perhaps a similar warning for the sshd case should be issued:

*** Warning: sshd is in /etc/passwd, but the
*** Warning: local machine's SAM does not know about sshd.
*** Warning: Perhaps sshd is a pre-existing domain account.
*** Warning: Continuing, but check if this is ok.

5. (Vista) "ssh localhost pwd" gives 'ssh_exchange_identification' error

After running ssh-host-config and starting the server on Vista, the ssh test gives the following error:

$ ssh localhost pwd
ssh_exchange_identification: Connection closed by remote host

This error is specific to using 'localhost' or a loopback ip address. Using a real hostname does not generate this error. I have the firewall turned off. Curious that it does not show up on an equivalent XP setup.

On the server side, "sshd -d" shows 'Connection refused by tcp wrapper'. My /etc/hosts.allow looks like this, which appears to be the default configuration:

ALL : PARANOID : deny
sshd: ALL

I can work around the problem by putting a "sshd: ALL" or "sshd: PARANOID" line first, but I don't think those are the right solution. There's something else going on in tcp_wrapper with the address/name matching for localhost, but I can't quite figure out what. I couldn't get it to work by putting other lines first, like "ALL: localhost", "sshd: KNOWN", "sshd: UNKNOWN" or any other variant I could think of. Can others reproduce this problem?

6. (Vista) error in setting cyg_server passwd expiry

When ssh-host-config tries to set the expiry on the cyg_server group, I get the following error:

passwd: unknown user herb
*** Warning: Setting password expiry for user 'cyg_server' failed!
*** Warning: Please check that password never expires or set it to your needs.

The command that generates the unknown user error is "passwd -e cyg_server" from the csih script. Note that it complains about the login user, not the cyg_server user. From my read of passwd.c, I'm not sure that 'passwd -e' can really be used to set the expiry on a local user if the login user is a domain user.

7. (Vista) sshd responds to connection with "initgroups: Permission denied"

This one is the showstopper. It is preventing me from being able to ssh into a Vista machine at all. I haven't found a workaround for it or determined the root of the problem. Any attempt to ssh results in this error:

% ssh localhost pwd
herb@localhost's password:
initgroups: Permission denied

I think that this should be easily reproducible on a fresh install of cygwin-1.7 base + openssh. But if not, I can provide more information about my specific situation. As near as I can tell (using "strace /usr/sbin/sshd -dd") the problem appears to come from the call to NetUserGetGroups() in sec_auth.cc:get_user_groups(), which returns an error. But I have not been able to determine the root of the problem yet.

Herb.
Solution 3
Installing cygwin
First install cygwin. The installation was done on 2006-10-8; the Cygwin DLL version is 1.5.21-1. In addition to the default packages, the following packages were added.
- Admin
  - cron-3.0.1-19
  - cygrunsrv-1.17-1
  - shutdown-1.7-1
  - syslog-ng-1.6.11-1
- Archive
  - unzip-5.50-5
  - zip-2.3-6
- Devel
  - subversion-1.3.2-1
- Editors
  - vim-7.0.076-1
- Interpreters
  - gawk-3.1.5-4
  - perl-5.8.7-5
  - expat-1.95.8-1
- Libs
- Net
  - lftp-3.5.1-1
  - openssh-4.4p1-1
  - openssl-0.98d-1
  - openssl097-0.9.7l-1
  - ping-1.0-1
  - netcat-1.10-2
- Shells
  - ash-20040127-3
  - bash-3.1-9
  - bash-completion-20060301-1
  - mc-4.6.1-2
- Utils
  - patch-2.5.8-8
  - time-1.7-1
- Web
  - wget-1.10.2-1
Installation
Log in as an administrator user, start the cygwin command line, and run the following command.
$ ssh-host-config
Generating /etc/ssh_host_key
Generating /etc/ssh_host_rsa_key
Generating /etc/ssh_host_dsa_key
Generating /etc/ssh_config file
Privilege separation is set to yes by default since OpenSSH 3.3.
However, this requires a non-privileged account called 'sshd'.
For more info on privilege separation read /usr/doc/openssh/README.privsep.
Shall privilege separation be used? (yes/no) yes
Warning: The following function requires administrator privileges!
Shall this script create a local user 'sshd' on this machine? (yes/no) yes
Generating /etc/sshd_config file
Added ssh to /cygdrive/c/WINDOWS/system32/drivers/etc/services
Do you want to install sshd as service?
(Say "no" if it's already installed as service) (yes/no) yes
Which value should the environment variable CYGWIN have when
sshd starts? It's recommended to set at least "ntsec" to be
able to change user context without password.
Default is "ntsec". CYGWIN=binmode ntsec tty
The service has been installed under LocalSystem account.
To start the service, call `net start sshd' or `cygrunsrv -S sshd'.
Host configuration finished. Have fun!
Configuring sshd
Enter the following commands at the cygwin command line:
$ cd /etc
$ chmod 666 sshd_config
$ vi sshd_config
Change the following settings in sshd_config (the text after # explains each setting; sshd_config does not accept trailing comments, so do not copy the explanations into the file).
PermitRootLogin no # disable root login
StrictModes yes # security setting for CYGWIN=ntsec
RhostsRSAAuthentication no # disable rhosts authentication
IgnoreRhosts yes # disable rhosts authentication
PasswordAuthentication no # disable password authentication
ChallengeResponseAuthentication no # disable password authentication
PermitEmptyPasswords no # disallow login for users with empty passwords
Finally, change the permissions of sshd_config back to 644.
$ chmod 644 sshd_config
Start the sshd server.
$ cygrunsrv -S sshd
Generating public and private keys
Because the settings above only allow key-based authentication, we need to generate a public/private key pair for our user.
Run the following command in the cygwin console to generate the ssh1 public and private keys.
$ ssh-keygen -t rsa1
Generating public/private rsa1 key pair.
Enter file in which to save the key (/home/charlee/.ssh/identity):
Enter passphrase (empty for no passphrase): (enter a passphrase)
Enter same passphrase again: (enter the passphrase again)
Your identification has been saved in /home/charlee/.ssh/identity
Your public key has been saved in /home/charlee/.ssh/identity.pub
Similarly, use the following commands to generate the ssh2 public and private keys.
$ ssh-keygen -t rsa
$ ssh-keygen -t dsa
Import the public keys into the authorized keys file:
$ cd .ssh
$ cat identity.pub >> authorized_keys
$ cat id_rsa.pub >> authorized_keys
$ cat id_dsa.pub >> authorized_keys
Because we set StrictModes yes in /etc/sshd_config, the home directory permissions must be changed with the following command.
$ chmod 755 /home/charlee
Then copy the private key files identity, id_rsa and id_dsa to the client by some means. My client is Linux, so it is enough to copy these three files into the $HOME/.ssh directory on the client.
Logging in to the server. Enter the following command on the client to log in to the server.
$ ssh 192.168.0.2
Frequently asked questions
Updated 2008-12-11
Q: cygrunsrv -S sshd fails to start and reports
cygrunsrv: Error starting a service: QueryServiceStatus: Win32 error 1062:
The service has not been started.
A: Most likely the permissions on /var/log are set incorrectly. First run mkpasswd and mkgroup to regenerate the user and group information, then remove the sshd service and reconfigure it:
$ mkpasswd -l > /etc/passwd
$ mkgroup -l > /etc/group
$ cygrunsrv -R sshd
$ ssh-host-config -y
$ cygrunsrv -S sshd
Q: When logging in with a public key it keeps saying Permission denied (publickey). What should I do?
A: The error messages produced by sshd can be seen in the Windows event log (My Computer -> right-click -> Manage -> Event Viewer). A common problem is incorrect permissions on .ssh/authorized_keys; this file must be set to 0644 for login to work.
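As an added example (not part of the original post), a small shell script that checks an sshd_config against the seven settings changed in the "Configuring sshd" section above and checks the home-directory and authorized_keys permissions that StrictModes and the second FAQ entry depend on. It assumes the awk, find and ls shipped with the cygwin base packages; the function names are mine.

```shell
#!/bin/sh
# Added example: audit a cygwin sshd setup against the walkthrough above.
# Does not handle Match blocks, which sshd_config also allows.

# directive=value pairs, taken from the sshd_config edits above
EXPECTED="PermitRootLogin=no StrictModes=yes RhostsRSAAuthentication=no
IgnoreRhosts=yes PasswordAuthentication=no ChallengeResponseAuthentication=no
PermitEmptyPasswords=no"

# Print one line per directive that is missing or differs from the expected
# value. sshd keeps the first uncommented occurrence of a directive, so that is
# the one compared (names are case-insensitive). Returns 0 when all match.
audit_sshd_config() {
    cfg=$1
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$cfg")
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', found '${got:-<unset>}'"
            rc=1
        fi
    done
    return $rc
}

# With StrictModes yes, sshd refuses public-key login when the home directory,
# ~/.ssh or authorized_keys is writable by group or others (the cause behind the
# "Permission denied (publickey)" FAQ entry). Report each offending path.
check_strictmodes_perms() {
    home=$1
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "$p: missing"
            rc=1
            continue
        fi
        # -prune keeps find from descending into directories; -perm -020/-002
        # test the group-write and other-write bits of the path itself
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "$p: writable by group or others ($(ls -ld "$p" | cut -c1-10))"
            rc=1
        fi
    done
    return $rc
}
```

Run it as `audit_sshd_config /etc/sshd_config` and `check_strictmodes_perms /home/charlee` from a cygwin shell; a non-zero exit status means at least one finding was printed.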
Reposted from: http://hi.chinaunix.net/?uid-20795077-action-viewspace-itemid-42134
Note: when installing the CYGWIN sshd service, be sure to include the ntsec option (the login option; the default is the Windows login user) to avoid this kind of error.