Мне нужна помощь в настройке OpenSSH на Win2008 через CYGWIN!
Заранее спасибо!
Я пытаюсь настроить сервер OpenSSH в Windows Server 2008 Datacenter через CYGWIN. Я установил и настроил CYGWIN с OpenSSH и Basic LinuxUtils. Я вхожу в систему в домене с именем CNO.LOCAL с именем пользователя kgraves . Что я сделал до сих пор:
1.Предоставленные локальные разрешения пользователю CNO.LOCAL\kgraves с использованием secpol.msc
- Adjust memory quotas for a process.
- Create a token object.
- Log on as a service.
- Replace a process-level token.
2.Создал и отредактировал файл /etc /passwd
$ mkpasswd -l> /etc /passwd
$ mkpasswd -u kgraves -D CNO.LOCAL -S '_' >> /etc /passwd
/etc/passwd выглядит так:
SYSTEM:*:18:544:,S-1-5-18::
LocalService:*:19:544:U-NT AUTHORITY\LocalService,S-1-5-19::
NetworkService:*:20:544:U-NT AUTHORITY\NetworkService,S-1-5-20::
Administrators:*:544:544:,S-1-5-32-544::
TrustedInstaller:*:4294967294:4294967294:U-NT SERVICE\TrustedInstaller,S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464::
Administrator:unused:500:513:U-DUCLAW\Administrator,S-1-5-21-1295458589-1267770145-4179728800-500:/home/Administrator:/bin/bash
Guest:unused:501:513:U-DUCLAW\Guest,S-1-5-21-1295458589-1267770145-4179728800-501:/home/Guest:/bin/bash
CNO_kgraves:unused:11276:10513:Kent Graves,U-CNO\kgraves,S-1-5-21-350539814-2465610117-2008212152-1276:/home/kgraves:/bin/bash
sshd:unused:1014:513:sshd privsep,U-DUCLAW\sshd,S-1-5-21-1295458589-1267770145-4179728800-1014:/var/empty:/bin/false
3.Создал и отредактировал файл /etc /group
$ mkgroup -l> /etc /group
$ mkgroup -D -S '_' >> /etc /group
Файл /etc /group выглядит следующим образом:
SYSTEM:S-1-5-18:18:
TrustedInstaller:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:4294967294:
Administrators:S-1-5-32-544:544:
Backup Operators:S-1-5-32-551:551:
Certificate Service DCOM Access:S-1-5-32-574:574:
Cryptographic Operators:S-1-5-32-569:569:
Distributed COM Users:S-1-5-32-562:562:
Event Log Readers:S-1-5-32-573:573:
Guests:S-1-5-32-546:546:
IIS_IUSRS:S-1-5-32-568:568:
Network Configuration Operators:S-1-5-32-556:556:
Performance Log Users:S-1-5-32-559:559:
Performance Monitor Users:S-1-5-32-558:558:
Power Users:S-1-5-32-547:547:
Print Operators:S-1-5-32-550:550:
Remote Desktop Users:S-1-5-32-555:555:
Replicator:S-1-5-32-552:552:
Users:S-1-5-32-545:545:
None:S-1-5-21-1295458589-1267770145-4179728800-513:513:
SYSTEM:S-1-5-18:18:
TrustedInstaller:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:4294967294:
Administrators:S-1-5-32-544:544:
Users:S-1-5-32-545:545:
Guests:S-1-5-32-546:546:
Print Operators:S-1-5-32-550:550:
Backup Operators:S-1-5-32-551:551:
Replicator:S-1-5-32-552:552:
Remote Desktop Users:S-1-5-32-555:555:
Network Configuration Operators:S-1-5-32-556:556:
Performance Monitor Users:S-1-5-32-558:558:
Performance Log Users:S-1-5-32-559:559:
Distributed COM Users:S-1-5-32-562:562:
IIS_IUSRS:S-1-5-32-568:568:
Cryptographic Operators:S-1-5-32-569:569:
Event Log Readers:S-1-5-32-573:573:
Certificate Service DCOM Access:S-1-5-32-574:574:
Server Operators:S-1-5-32-549:549:
Account Operators:S-1-5-32-548:548:
Pre-Windows 2000 Compatible Access:S-1-5-32-554:554:
Incoming Forest Trust Builders:S-1-5-32-557:557:
Windows Authorization Access Group:S-1-5-32-560:560:
Terminal Server License Servers:S-1-5-32-561:561:
CNO_Domain Admins:S-1-5-21-350539814-2465610117-2008212152-512:10512:
CNO_Domain Computers:S-1-5-21-350539814-2465610117-2008212152-515:10515:
CNO_Domain Controllers:S-1-5-21-350539814-2465610117-2008212152-516:10516:
CNO_Domain Guests:S-1-5-21-350539814-2465610117-2008212152-514:10514:
CNO_Domain Users:S-1-5-21-350539814-2465610117-2008212152-513:10513:
4.Настроил OpenSSH, но получаю ошибки после создания пользователя CNO_kgraves ...
The ssh-host-config script prompts you for answers to certain questions, including the following primary questions:
Should privilege separation be used? Answer Yes.
New local account 'sshd'? Answer Yes.
Do you want to install sshd as a service? Answer Yes.
Enter the value of CYGWIN for the daemon: Specify ntsec tty
Do you want to use a different user name? Answer Yes.
Enter the new user name? CNO_kgraves
Re-enter: CNO_kgraves
*** Warning: Privileged account 'CNO_kgraves' was specified,
*** Warning: but it does not have the necessary privileges.
*** Warning: Continuing, but will probably use a different account.
*** Warning: The specified account 'CNO_kgraves' does not have the
*** Warning: required permissions or group memberships. This may
*** Warning: cause problems if not corrected; continuing...
Two prompts for that user's password.
Затем он дает мне эту ошибку после завершения ssh-host-config, и я не уверен, что это значит, хотя я думаю, что это как-то связано с acounts/privleges и т. Д .:
Ошибка в getSID (LsaLookupNames возвратило 0xc0000073 = STATUS_NONE_MAPPED)!
*** Info: The sshd service has been installed under the 'CNO_kgraves'
*** Info: account. To start the service now, call `net start sshd' or
*** Info: `cygrunsrv -S sshd'. Otherwise, it will start automatically
*** Info: after the next reboot.
*** Info: Host configuration finished. Have fun!
5.Затем я изменил разрешения и владельца для определенных файлов, потому что я прочитал в руководстве, что я должен сделать это. Что я сделал ниже:
$ cygrunsrv --stop sshd
$ chown CNO_kgraves /var/log/sshd.log
$ chown -R CNO_kgraves /var/empty
$ chown CNO_kgraves /etc/ssh*
6.Пытался запустить net start sshd но я получаю следующую ошибку КАЖДЫЙ раз ...
$ net start sshd
The CYGWIN sshd service is starting.
The CYGWIN sshd service could not be started.
The service did not report an error.
More help is available by typing NET HELPMSG 3534
Хотя он говорит, что не сообщил об ошибке, журнал sshd в /var/log говорит:
/var/empty must be owned by root and not group or world-writable.
Я пытался сменить владельца с помощью chown на root, но пользователь root не существует. Я даже попытался изменить его на SYSTEM, потому что мне сказали, что в CYGWIN он видит SYSTEM как root, но тогда я все еще не знаю, на что изменить группу.
Служба SSH прослушивает порт 22, потому что, когда я пытаюсь подключиться к нему по SSH с другого компьютера, я получаю приглашение для входа в систему и сообщение с предупреждением о домене. Но он говорит мне, что доступ запрещен каждый раз, когда я пытаюсь войти в систему с моим именем пользователя и паролем (то же имя пользователя, которое я установил в ssh-user-config).
И для некоторых заключительных деталей на всякий случай вот мои файлы ssh_config и sshd_config:
# $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key
#HostKey /etc/ssh_host_ecdsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
StrictModes no
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/sbin/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server