分享

Cygwin上安装、启动ssh服务失败、ssh localhost失败经验总结

pig2 发表于 2013-12-17 16:42:11 [显示全部楼层] 只看大图 回帖奖励 阅读模式 关闭右栏 0 11469
本帖最后由 pig2 于 2013-12-17 16:43 编辑

安装Cygwin过程中,选择OpenSSH包。安装完成后,运行ssh -V,查看版本无误。运行

ssh localhost

发生错误:ssh: connect to host localhost port 22: Connection refused

因为Cygwin只是自动安装了客户端,服务端没有安装启动,ssh的服务端是作为windows的一个名为sshd的services存在的。

安装服务端,在Cygwin Shell下运行

ssh-host-config

这个发生的奇怪问题就更多了:

1、第一次提示要创建新账户,然后有提示没权限。退出,在win7下用【以管理员身份运行】cygwin。然后这个问题没有了(其实这时就应该仔细看cygwin的提示,就不会发生以下的曲折过程)。
2、在windows服务管理器中启动sshd服务失败。通过win7的服务管理器查看,cygwin sshd服务确实安装上了,但是没有启动。所以,点击启动,但是启动失败。查看var/log/sshd.log日志文件,发现提示启动错误原因是:
/var/empty must be owned by root and not group or world-writable.
于是按提示去修改/var/empty的所属用户。
chown root empty
3、发生错误,提示没有root用户。因为cygwin用的是当前windows登录的用户(Cygwin中能看到的用户都是windows中的用户,如果没有创建过root用户,当然就没有。)所以,到windows中创建root,然后继续执行chown root empty(注意执行这个命令要求cygwin是以管理者身份运行的,否者提示权限不足)。修改成功。
4、继续启动服务,仍然失败,log中还是一样的错误信息。于是google,终于找到一个解决方法。其实是提示信息有误导,因为在windows下,其实SYSTEM账号才是和linux下的root相似的,而不是我们自己创建的root。所以,重新修改权限
chown SYSTEM.None empty

再次启动服务:$ cygrunsrv -S sshd  (删除服务是 $ cygrunsrv -R sshd)  终于见到了可爱的河马画面(这个应该是河马吧#¥%&&……)(为了这个问题折腾了整整半天。。。)


后记

出了问题要学会看log,这比漫无目的的google好,因为把log里的错误在google上搜索要定位准确。

但是,log不是万能的,有些log内容不准确容易误导,就像这个错误,这时候,一定要google了

===================================================================

如果卸载过, 重新安装,会有以下提示( 我第一次想当然的选择  *** Query: Do you want to use a different name? (yes/no) no
*** Query: Create new privileged user account 'cyg_server'? (yes/no) no   
这两个回答no,其他yes即可----这就是杯具的伏笔。。。耐心往后看吧。。。)

操作也在以管理员身份运行的Cygwin中完成,否则服务会安装失败。

$ ssh-host-config
*** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
*** Info: Creating default /etc/ssh_config file
*** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/READ
ME.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Updating /etc/sshd_config file
*** Query: Overwrite existing /etc/inetd.d/sshd-inetd file? (yes/no) yes
*** Info: Creating default /etc/inetd.d/sshd-inetd file
*** Info: Updated /etc/inetd.d/sshd-inetd


*** Warning: The following functions require administrator privileges!

*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Query: Enter the value of CYGWIN for the daemon: []
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires.  You need to have or to create a privileged
*** Info: account.  This script will help you do so.

*** Info: You appear to be running Windows 2003 Server or later.  On 2003
*** Info: and later systems, it's not possible to use the LocalSystem
*** Info: account for services that can change the user id without an
*** Info: explicit password (such as passwordless logins [e.g. public key
*** Info: authentication] via sshd).

*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless a similar account
*** Info: already exists). This account is then used to run these special
*** Info: servers.

*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.

*** Info: No privileged account could be found.

*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) no
*** Query: Create new privileged user account 'cyg_server'? (yes/no) no
*** ERROR: There was a serious problem creating a privileged user.
*** Query: Do you want to proceed anyway? (yes/no) yes
*** Warning: Expected privileged user 'cyg_server' does not exist.
*** Warning: Defaulting to 'SYSTEM'

*** Info: The sshd service has been installed under the LocalSystem
*** Info: account (also known as SYSTEM). To start the service now, call
*** Info: `net start sshd' or `cygrunsrv -S sshd'.  Otherwise, it
*** Info: will start automatically after the next reboot.

*** Info: Host configuration finished. Have fun!


pwzfb@pwzfb-PC ~
$ cygrunsrv -S sshd


===================================================================================

耐心的看到这了吗,更多的问题又来了。虽然sshd服务启动了,但随后在使用ssh-keygen搭建无密码登陆环境中出错了

% ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa
% cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

以上两个命令创建了无密码登陆的公钥(具体原理参看OpenSSH 密钥管理运行ssh localhost 或者 ssh 127.0.0.1 登陆本机,杯具又一次发生,总是发生:Connection closed by $hostname这样的错误。

首先确认在没有无密码登陆的情况下是否能够ssh登陆成功,先删除刚才在home用户目录下创建的.ssh文件夹及其下的文件,然后用ssh localhost登陆,没有问题。一旦使用key authentication无密码登陆时,就发生错误。

又犯了寻找问题根源的错误,用Connection closed by ,cygen,ssh localhost等作为关键字遍搜google,文章无数,解决方案繁多,但是没有一个有效,主要是说hosts.allow,hosts.deny,ssh_config等文件需要修改的问题,我是改了一遍又一遍没有效果。

。。。。

最后思考,使用sshd服务登陆失败,在windows的事件管理器中应该有log呀,清空原先的log,执行ssh localhost指令,果然发现一条错误log,大概是:seteuid *****: Permission denied 。应该是服务没有某项设置用户的权限,于是循着这个线索为关键字,继续找google。

先想到我用的家庭高级版win7没有启动administrator用户,于是F8到安全模式,运行net user administrator /active:yes 激活超户,然后用此用户登录执行cygwin重设无密码登陆环境,问题依旧。(其实想想根本不用这么费事,用以管理员身份运行cygwin不就等同于登录administrator运行cygwin吗,当时也是晕了。而且这也是想当然的错误,因为在服务管理器中可以看到,sshd服务运行在本地系统这个内置账号下,其实与我登陆的账户没有关系。。。权限不足也是指运行服务的这个本地系统账户(即SYSTEM)权限不足。)


4832643875145396755.jpg

后来在google上看到cygwin的一个官方mail问答。终于找到答案。参考Installing the Cygwin SSH daemon。问题关键就是一个特殊的权限问题,在SYSTEM账户下运行的sshd服务需要有改变user id的特权(关于权限的问题,在cygwin的/usr/share/doc/Cygwin/openssh.README 中已经说得很明确了:2003 Server has a funny new feature.  When starting services under SYSTEM  account, these services have nearly all user rights which SYSTEM holds...except for the "Create a token object" right, which is needed to allow public key authentication :-( )。所以事件日志会有seteuid的错误。

至于解决方案,就是让cygwin帮你创建两个特殊用户sshd和cyg_server,其中sshd服务在cyg_server用户下运行,cyg_server有相应的权限(在/usr/share/doc/Cygwin/openssh.README 中也有说明)。

。。。。。

后记的后记:

问题是解决了,但是当我按步骤重新操作时才发现,运行ssh-host-config时给的提示非常明确,但是自己犯经验主义错误(因为之前在Red hat Linux下安装不会存在这些提示和问题,因为linux的root用户有足够的权限),根本没有仔细看,遗漏了这么明确和重要的提示,走了很多弯路才成功,哎。。。教训啊。。

......
*** Info: Creating default /etc/inetd.d/sshd-inetd file
*** Info: Updated /etc/inetd.d/sshd-inetd


*** Warning: The following functions require administrator privileges!

*** Query: Do you want to install sshd as a service?
yes
*** Query: Enter the value of CYGWIN for the daemon: []
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires.  You need to have or to create a privileged
*** Info: account.  This script will help you do so.

*** Info: You appear to be running Windows 2003 Server or later.  On 2003
*** Info: and later systems, it's not possible to use the LocalSystem
*** Info: account for services that can change the user id without an
*** Info: explicit password (such as passwordless logins [e.g. public key
*** Info: authentication] via sshd).

*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless a similar account
*** Info: already exists). This account is then used to run these special
*** Info: servers.

*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.

*** Info: No privileged account could be found.

*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) no
*** Query: Create new privileged user account 'cyg_server'? (yes/no) yes
*** Info: Please enter a password for new user cyg_server.  Please be sure
*** Info: that this password matches the password rules given on your system.
*** Info: Entering no password will exit the configuration.
*** Query: Please enter the password:
*** Query: Reenter:

*** Info: User 'cyg_server' has been created with password '*****'.
*** Info: If you change the password, please remember also to change the
*** Info: password for the installed services which use (or will soon use)
*** Info: the 'cyg_server' account.

*** Info: Also keep in mind that the user 'cyg_server' needs read permissions
*** Info: on all users' relevant files for the services running as 'cyg_server'.

*** Info: In particular, for the sshd server all users' .ssh/authorized_keys
*** Info: files must have appropriate permissions to allow public key
*** Info: authentication. (Re-)running ssh-user-config for each user will set
*** Info: these permissions corrently. [Similary restrictions apply, for
*** Info: instance, for .rhosts files if the rshd server is running, etc].


*** Info: The sshd service has been installed under the 'cyg_server'
*** Info: account.  To start the service now, call `net start sshd' or
*** Info: `cygrunsrv -S sshd'.  Otherwise, it will start automatically
*** Info: after the next reboot.

*** Info: Host configuration finished. Have fun!


没找到任何评论,期待你打破沉寂

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

关闭

推荐上一条 /2 下一条