OpenSSH Server on SBS 2003 Problem

I've installed OpenSSH for Windows on a Windows Small Business Server (SBS) 2003 server before to provide an SSH server service without a problem. But after using the binary installer I had used previously on another server, I found that the service wasn't available after the installation routine completed on this particular SBS 2003 server.

The program files were in the directory I selected for the installation, and when I typed echo %CYGWIN% at a command prompt, I saw tty returned as the value of the environment variable CYGWIN, so at least part of the installation was successful. But I couldn't start the service, and when I looked at the services installed on the system, the "OpenSSH Server" service I would normally see wasn't present.

I downloaded the installer source code and looked at it. I used the same cygrunsrv command it used to install the service, which is shown below:

cygrunsrv --install OpenSSHd --path /usr/sbin/sshd --args "-D" --dep "Tcpip" --stderr "/var/log/opensshd.log" --env "CYGWIN=binmode ntsec tty" --disp "OpenSSH Server"

I then tried to start the service with net start opensshd, but saw the following:

C:\>net start opensshd
The OpenSSH Server service is starting.
The OpenSSH Server service could not be started.

A system error has occurred.

System error 1067 has occurred.

The process terminated unexpectedly.

Looking in the opensshd.log file, which is in \var\log underneath the directory where I installed OpenSSH, I saw the following error:

Could not load host key: /etc/ssh_host_rsa_key
Could not load host key: /etc/ssh_host_dsa_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.

When I looked in the etc directory underneath the OpenSSH directory, I saw only the following files:

banner.txt
group
moduli
passwd
sshd_config
ssh_config

I had created the group and passwd files, but I realized the public key files weren't there, so I used the following commands, which are present in the installer file, to create them (enter these at a command prompt):

ssh-keygen.exe -t dsa -f /etc/ssh_host_dsa_key -N ""
ssh-keygen.exe -t rsa1 -f /etc/ssh_host_key -N ""
ssh-keygen.exe -t rsa -f /etc/ssh_host_rsa_key -N ""

The first command creates an SSH2 DSA key, the second one creates an SSH1 RSA key, and the third one creates an SSH2 RSA key. The -N "" option gives each key an empty passphrase, which is required because sshd runs as a service and nobody is there to type one in; the files without a .pub extension are the private host keys, so they should be readable only by the account the service runs as and by administrators.

I now see the following files have been added to the etc directory:

ssh_host_dsa_key
ssh_host_dsa_key.pub
ssh_host_key
ssh_host_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub

But I still got the "System error 1067 has occurred" message whenever I used the command net start opensshd. And I saw the same "Could not load host key" errors listed in the opensshd.log file. Looking at the installer code again, I saw that the permissions need to be changed on the installation directory using the Windows cacls command.

The installation routine checks the environment variables USERDOMAIN and USERNAME and uses those values in setting the permissions on the directory where OpenSSH is installed. You can get those environment variables by using the echo command at a command prompt.

echo %USERDOMAIN%
echo %USERNAME%

Or you can just type set to see all environment variables, which will include those two.

The installation routine uses the following cacls commands to set the permissions:

cacls "$INSTDIR" /E /T /G $2\$3:F
cacls "$INSTDIR" /E /T /G SYSTEM:F

You would replace $INSTDIR with the directory where OpenSSH is installed, $2 with the domain name and $3 with the username. E.g. in my case, I used the following:

cacls "c:\program files\network\ssh\openssh" /E /T /G lab\administrator:F
cacls "c:\program files\network\ssh\openssh" /E /T /G SYSTEM:F

The first parameter to cacls is the file name(s) or directory name(s) you wish to modify. The "/E" option indicates cacls should edit the current Access Control List (ACL) instead of replacing it. The "/T" option directs cacls to change the ACLs of the specified files in the current directory and all subdirectories, and the "/G" option grants access to the user or account that follows it. In this case "lab\administrator" indicates the domain Administrator account in the "lab" domain. The account name is followed by a colon and then a letter indicating the permissions to be granted, which can be as follows:

N None
R Read
W Write
C Change (write)
F Full control

In this case, I'm granting full control. Note that because "/E" only adds to the existing ACL, any access other accounts already had on the directory tree is left in place, so after running the commands it is worth running cacls on the etc directory with no options to review who can read the private host keys. If you wish to see all of the options you can use with cacls, just enter cacls at a command prompt.

I got one "Access is denied" message at the end of each of the two cacls commands above, which was preceded by a lot of "processed dir" and "processed file" entries, but I was then able to start the service.


C:\>net start opensshd
The OpenSSH Server service is starting.
The OpenSSH Server service was started successfully.

And checking to see if the system was listening on the SSH port, I saw that it was listening.

C:\>netstat -a | find "22"
  TCP    crystal:22     crystal.Lab.lan:0  LISTENING

However, when I tried connecting by SSH to the loopback address on the system, which is 127.0.0.1, using the PuTTY SSH client, the connection failed. The error message flashed by so quickly I couldn't read it, so I tried the SSH client that comes with OpenSSH for Windows. I then saw the following after the login banner appeared:

Administrator@127.0.0.1's password:
Last login: Wed Mar 16 23:51:31 2005 from 127.0.0.1
setgid: Invalid argument

I uninstalled the service with cygrunsrv -R opensshd and reinstalled it with the cygrunsrv command listed above. That didn't help either. I overwrote the group and passwd files in the etc directory by creating new files with the following commands:

mkgroup -d > ..\etc\group
mkpasswd -d -u administrator > ..\etc\passwd

When you use a ">" rather than a ">>", a new file is created. The ">>", which is suggested in the OpenSSH for Windows Quick Start Guide, will append to a file if one already exists or create a new file if none exists. If you want to give other accounts access by adding them to the passwd file, then you must use the ">>".

I was then able to connect to the system with an SSH client and all seemed well.
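The whole fix-up above collected into one batch file for cmd.exe, as an added example that is not part of the original page and not the installer's own code. It assumes OpenSSH for Windows was installed under the INSTDIR path set at the top (a hypothetical path; change it to match your installation), that the bin directory under it holds ssh-keygen.exe, mkgroup.exe, mkpasswd.exe and cygrunsrv.exe, and that it is run from an account that is allowed to change ACLs on that directory. It only generates host keys that are missing, so it can be re-run safely after a failed install.

```batch
@echo off
rem Added example, not from the original page or the OpenSSH for Windows
rem installer. Repeats the manual fix-up from the text in one pass.
rem Assumptions (adjust to your installation):
rem   INSTDIR - where OpenSSH for Windows was installed (hypothetical path)
rem   bin\    - holds ssh-keygen.exe, mkgroup.exe, mkpasswd.exe, cygrunsrv.exe
rem   run from an account allowed to change ACLs on INSTDIR
setlocal
set "INSTDIR=c:\program files\network\ssh\openssh"
set "ETCDIR=%INSTDIR%\etc"
cd /d "%INSTDIR%\bin" || goto :fail

rem 1. Host keys: sshd exits with "no hostkeys available" without them, so
rem    generate each missing pair with an empty passphrase (-N ""), which the
rem    unattended service needs. /etc is the Cygwin path that OpenSSH for
rem    Windows maps onto %ETCDIR%, as the log messages above show.
if not exist "%ETCDIR%\ssh_host_dsa_key" ssh-keygen.exe -t dsa  -f /etc/ssh_host_dsa_key -N ""
if not exist "%ETCDIR%\ssh_host_key"     ssh-keygen.exe -t rsa1 -f /etc/ssh_host_key     -N ""
if not exist "%ETCDIR%\ssh_host_rsa_key" ssh-keygen.exe -t rsa  -f /etc/ssh_host_rsa_key -N ""

rem 2. Permissions: the installer grants Full control on the whole tree to the
rem    installing account (from USERDOMAIN and USERNAME) and to SYSTEM, the
rem    account cygrunsrv registers the service under by default. /E keeps the
rem    existing ACL entries, so review the etc directory afterwards.
cacls "%INSTDIR%" /E /T /G %USERDOMAIN%\%USERNAME%:F
cacls "%INSTDIR%" /E /T /G SYSTEM:F
cacls "%ETCDIR%"

rem 3. passwd/group: rebuild both files from the domain (-d). ">" overwrites,
rem    so any accounts added earlier with ">>" must be added again.
mkgroup -d > "%ETCDIR%\group"
mkpasswd -d -u administrator > "%ETCDIR%\passwd"

rem 4. Service: remove any half-registered instance (ignore the error if there
rem    is none), then register and start it with the installer's own command.
cygrunsrv -R opensshd >nul 2>&1
cygrunsrv --install OpenSSHd --path /usr/sbin/sshd --args "-D" --dep "Tcpip" --stderr "/var/log/opensshd.log" --env "CYGWIN=binmode ntsec tty" --disp "OpenSSH Server" || goto :fail
net start opensshd || goto :fail

rem 5. Check: the listener should show with a local address ending in :22 in
rem    the LISTENING state. The trailing space avoids matching ports like 2222.
netstat -an | find ":22 "
endlocal
exit /b 0

:fail
echo A setup step failed; see "%INSTDIR%\var\log\opensshd.log" for sshd's errors.
endlocal
exit /b 1
```

If the netstat check at the end shows nothing, the first place to look is still opensshd.log: a "Could not load host key" line after step 2 means the ACL change did not reach the etc directory, and a "setgid: Invalid argument" on login means the passwd or group file does not match the domain, which is what step 3 rebuilds.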



Created: March 16, 2005