Sunday, September 6, 2009

Install Cygwin SSH on Win2K3

There has been an excellent post on how to install Cygwin SSH on Win2K3. However, there are still some tricks to getting it to work properly. Luckily, we can always refer to the Windows Event Viewer for the details of what happened.
  • mkpasswd does not generate correct group number for domain users
mkpasswd -d <domain-name> -p /home -u <username> >> /etc/passwd
This appends one line for the domain user to /etc/passwd. But be careful: the group number in that line may not correspond to the entries in /etc/group. If it does not, the following error will likely be seen when running ssh -v localhost:
sshd: PID 2584: fatal: initgroups: <username> : Invalid argument.
After manually correcting the group number in /etc/passwd, we should be able to use ssh locally.
  • hosts.allow - enable remote users
The default hosts.allow after ssh-host-config looks like:
ALL : localhost 127.0.0.1/32 : allow
ALL : PARANOID : deny
sshd: ALL
However, this won't let us through if we connect from another machine:
sshd: PID 3904: refused connect from 10.8.8.8.
We could modify hosts.allow and make it look like:
sshd: ALL : spawn (echo "Attempt from %h %a to %d at `date` by %u" | tee -a /var/log/sshd.log)
This will allow connections and append one line to /var/log/sshd.log for each connection.
Or simply:
sshd: ALL : allow
Or, more restrictively:
sshd: 10.8.0.0/255.255.0.0 : allow
  • /etc/hosts - if sshd cannot verify hostname
We may still see a warning: "sshd: PID 3904: warning: /etc/hosts.allow, line 11: can't verify hostname: gethostbyname(<hostname>) failed."
This slows down the SSH client's connection. One workaround is to add the host to the /etc/hosts file, which speeds the connection up:
10.8.8.8     <hostname>
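
For the first trick (the mkpasswd group number), the check below is an added example, not part of the original post: it lists every /etc/passwd entry whose group number has no matching entry in /etc/group. It assumes that this missing entry is the mismatch behind the initgroups error; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report passwd entries whose primary GID is not defined in
# the group file. Field positions follow the standard passwd/group layout.
# Usage: check_passwd_gids [passwd-file] [group-file]
check_passwd_gids() {
    passwd_file=${1:-/etc/passwd}
    group_file=${2:-/etc/group}
    awk -F: '
        # Group file: remember every defined GID (field 3).
        FILENAME == ARGV[1] { if ($3 != "") gids[$3] = 1; next }
        # Passwd file: skip comments and short lines; field 4 is the GID.
        /^#/ || NF < 4 { next }
        !($4 in gids) { printf "%s: GID %s not in group file\n", $1, $4; bad = 1 }
        END { exit bad + 0 }
    ' "$group_file" "$passwd_file"
}

# Constructed sample data (not from a real host): bob's GID 10513 has no
# entry in the group file, alice's GID 545 does.
demo_check() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' 'Administrators:S-1-5-32-544:544:' \
                  'Users:S-1-5-32-545:545:' > "$tmp/group"
    printf '%s\n' 'alice:unused:1000:545:alice:/home/alice:/bin/bash' \
                  'bob:unused:1001:10513:bob:/home/bob:/bin/bash' > "$tmp/passwd"
    check_passwd_gids "$tmp/passwd" "$tmp/group"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo_check || echo "correct the GIDs listed above in /etc/passwd, then retry ssh -v localhost"
```

Run without arguments, check_passwd_gids reads /etc/passwd and /etc/group and returns a non-zero status if any entry needs correcting.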
