I need help configuring OpenSSH on Win2008 via CYGWIN!

Thanks in advance!

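I am trying to configure an OpenSSH server on Windows Server 2008 Datacenter via CYGWIN. I have installed and configured CYGWIN with OpenSSH and Basic LinuxUtils. I am logged in to the system on a domain named CNO.LOCAL with the username kgraves. So far I have done the following: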

1. Granted the following local rights to the user CNO.LOCAL\kgraves using Security Policy Management:

- Adjust memory quotas for a process.
- Create a token object.
- Log on as a service.
- Replace a process-level token.

2. Created and edited the /etc/passwd file

$ mkpasswd -l > /etc/passwd

$ mkpasswd -u kgraves -D CNO.LOCAL -S '_' >> /etc/passwd

/etc/passwd looks like this:

SYSTEM:*:18:544:,S-1-5-18::
LocalService:*:19:544:U-NT AUTHORITY\LocalService,S-1-5-19::
NetworkService:*:20:544:U-NT AUTHORITY\NetworkService,S-1-5-20::
Administrators:*:544:544:,S-1-5-32-544::
TrustedInstaller:*:4294967294:4294967294:U-NT SERVICE\TrustedInstaller,S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464::
Administrator:unused:500:513:U-DUCLAW\Administrator,S-1-5-21-1295458589-1267770145-4179728800-500:/home/Administrator:/bin/bash
Guest:unused:501:513:U-DUCLAW\Guest,S-1-5-21-1295458589-1267770145-4179728800-501:/home/Guest:/bin/bash
CNO_kgraves:unused:11276:10513:Kent Graves,U-CNO\kgraves,S-1-5-21-350539814-2465610117-2008212152-1276:/home/kgraves:/bin/bash

sshd:unused:1014:513:sshd privsep,U-DUCLAW\sshd,S-1-5-21-1295458589-1267770145-4179728800-1014:/var/empty:/bin/false

3. Created and edited the /etc/group file

$ mkgroup -l > /etc/group

$ mkgroup -D -S '_' >> /etc/group

The /etc/group file looks like this:

SYSTEM:S-1-5-18:18:
TrustedInstaller:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:4294967294:
Administrators:S-1-5-32-544:544:
Backup Operators:S-1-5-32-551:551:
Certificate Service DCOM Access:S-1-5-32-574:574:
Cryptographic Operators:S-1-5-32-569:569:
Distributed COM Users:S-1-5-32-562:562:
Event Log Readers:S-1-5-32-573:573:
Guests:S-1-5-32-546:546:
IIS_IUSRS:S-1-5-32-568:568:
Network Configuration Operators:S-1-5-32-556:556:
Performance Log Users:S-1-5-32-559:559:
Performance Monitor Users:S-1-5-32-558:558:
Power Users:S-1-5-32-547:547:
Print Operators:S-1-5-32-550:550:
Remote Desktop Users:S-1-5-32-555:555:
Replicator:S-1-5-32-552:552:
Users:S-1-5-32-545:545:
None:S-1-5-21-1295458589-1267770145-4179728800-513:513:
SYSTEM:S-1-5-18:18:
TrustedInstaller:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:4294967294:
Administrators:S-1-5-32-544:544:
Users:S-1-5-32-545:545:
Guests:S-1-5-32-546:546:
Print Operators:S-1-5-32-550:550:
Backup Operators:S-1-5-32-551:551:
Replicator:S-1-5-32-552:552:
Remote Desktop Users:S-1-5-32-555:555:
Network Configuration Operators:S-1-5-32-556:556:
Performance Monitor Users:S-1-5-32-558:558:
Performance Log Users:S-1-5-32-559:559:
Distributed COM Users:S-1-5-32-562:562:
IIS_IUSRS:S-1-5-32-568:568:
Cryptographic Operators:S-1-5-32-569:569:
Event Log Readers:S-1-5-32-573:573:
Certificate Service DCOM Access:S-1-5-32-574:574:
Server Operators:S-1-5-32-549:549:
Account Operators:S-1-5-32-548:548:
Pre-Windows 2000 Compatible Access:S-1-5-32-554:554:
Incoming Forest Trust Builders:S-1-5-32-557:557:
Windows Authorization Access Group:S-1-5-32-560:560:
Terminal Server License Servers:S-1-5-32-561:561:
CNO_Domain Admins:S-1-5-21-350539814-2465610117-2008212152-512:10512:
CNO_Domain Computers:S-1-5-21-350539814-2465610117-2008212152-515:10515:
CNO_Domain Controllers:S-1-5-21-350539814-2465610117-2008212152-516:10516:
CNO_Domain Guests:S-1-5-21-350539814-2465610117-2008212152-514:10514:
CNO_Domain Users:S-1-5-21-350539814-2465610117-2008212152-513:10513:

4. Configured OpenSSH, but got an error after creating the user CNO_kgraves...

    The ssh-host-config script prompts you for answers to certain questions, including the following primary questions:
    Should privilege separation be used? Answer Yes.
    New local account 'sshd'? Answer Yes.
    Do you want to install sshd as a service? Answer Yes.
    Enter the value of CYGWIN for the daemon: Specify ntsec tty
    Do you want to use a different user name? Answer Yes.
    Enter the new user name? CNO_kgraves
    Re-enter: CNO_kgraves

*** Warning: Privileged account 'CNO_kgraves' was specified,
*** Warning: but it does not have the necessary privileges.
*** Warning: Continuing, but will probably use a different account.
*** Warning: The specified account 'CNO_kgraves' does not have the
*** Warning: required permissions or group memberships. This may
*** Warning: cause problems if not corrected; continuing...

    Two prompts for that user's password.

After ssh-host-config finished, it gave me this error. I'm not sure what it means, but I think it has to do with accounts/privileges, etc.:

getSID error (LsaLookupNames returned 0xc0000073=STATUS_NONE_MAPPED)!

*** Info: The sshd service has been installed under the 'CNO_kgraves'
*** Info: account.  To start the service now, call `net start sshd' or
*** Info: `cygrunsrv -S sshd'.  Otherwise, it will start automatically
*** Info: after the next reboot.

*** Info: Host configuration finished. Have fun!

5. I then changed the permissions and ownership of certain files, because I read in a guide that I should. What I did is as follows:

$ cygrunsrv --stop sshd
$ chown CNO_kgraves /var/log/sshd.log
$ chown -R CNO_kgraves /var/empty
$ chown CNO_kgraves /etc/ssh*

6. Tried running net start sshd, but I get the following error every time...

$ net start sshd
The CYGWIN sshd service is starting.
The CYGWIN sshd service could not be started.

The service did not report an error.

More help is available by typing NET HELPMSG 3534

Although it says no error was reported, the sshd log in /var/log shows:

/var/empty must be owned by root and not group or world-writable.

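I tried using chown to change the owner to root, but the user root does not exist. I even tried changing it to SYSTEM, because I was told that CYGWIN treats SYSTEM as root, but I still don't know which group to change it to.

The SSH service is listening on port 22, because when I try to SSH into it from another machine I get the login prompt and the domain warning message. But it tells me access is denied every time I try to log in with my username and password (the same username I set up in ssh-user-config).

Just in case, here are some final details; these are my ssh_config and sshd_config files: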

#   $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com




#   $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key
#HostKey /etc/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
StrictModes no
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile  .ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox      # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem   sftp    /usr/sbin/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   ForceCommand cvs server
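
The sshd log line quoted in the question names two conditions on /var/empty: its owner, and the absence of group or world write permission. The following check is an added example, not code from the original post; the function name check_privsep_dir and the expected-owner argument are assumptions, since the thread does not settle which account should own the directory.

```shell
#!/bin/sh
# Added example: test a directory against the two conditions in the quoted
# sshd log line. Needs GNU stat (coreutils, as shipped with Cygwin).

# check_privsep_dir DIR EXPECTED_OWNER   (hypothetical helper)
# EXPECTED_OWNER is an assumption supplied by the caller.
# Prints one line per finding; returns 0 only if nothing is wrong.
check_privsep_dir() {
    dir=$1 expected=$2 rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing or not a directory"
        return 1
    fi
    owner=$(stat -c %U "$dir")
    mode=$(stat -c %a "$dir")       # octal permission bits, e.g. 755
    if [ "$owner" != "$expected" ]; then
        echo "FAIL: $dir is owned by '$owner', expected '$expected'"
        rc=1
    fi
    # 020 = group write, 002 = world write; the leading 0 makes $mode octal.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: $dir has mode $mode (group- or world-writable)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir owner=$owner mode=$mode"
    return "$rc"
}

# Demo on a constructed temporary directory standing in for /var/empty.
demo=$(mktemp -d)
chmod 775 "$demo"                   # deliberately group-writable
check_privsep_dir "$demo" "$(stat -c %U "$demo")" || true
rm -rf "$demo"
```
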

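Answer 1

After two days of racking my brain, I finally figured this out, and I was too stubborn to try any other service. I finally figured out what my problem was.

Before installing Cygwin and the OpenSSH package, I had been looking for an OpenSSH for Windows, and I ended up installing it. It is a build of OpenSSH that comes with an extremely "stripped-down" Cygwin service and requires much less user interaction.

I'm not entirely sure how OpenSSH for Windows works or how to configure it, but what I do know is that when you install it, it automatically creates a service named: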

OpenSSHd

Its executable is located at:

C:\Program Files\OpenSSH for Windows\bin\cygrunsrv.exe

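While browsing my services, I saw it and it caught my attention. It turned out that it was holding my port, and CYGWIN ssh couldn't get to it. But in the end I learned a lot about CYGWIN and OpenSSH! So I guess it wasn't a waste of time! Hope this question/answer helps someone else.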
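
The answer traces the failure to another service already holding port 22. This added example (not part of the original answer) maps a listening port to the Windows service that owns it by joining `netstat -ano` and `tasklist /svc /fo csv` output; the sample output, the PIDs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find which Windows service is listening on a TCP port.

# Constructed sample of `netstat -ano` output.
NETSTAT_SAMPLE='  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       1832
  TCP    0.0.0.0:2222           0.0.0.0:0              LISTENING       2400
  TCP    [::]:22                [::]:0                 LISTENING       1832
  TCP    10.0.0.5:22            10.0.0.9:51514         ESTABLISHED     1832'

# Constructed sample of `tasklist /svc /fo csv` output.
TASKLIST_SAMPLE='"Image Name","PID","Services"
"svchost.exe","716","RpcEptMapper,RpcSs"
"cygrunsrv.exe","1832","OpenSSHd"
"example.exe","2400","N/A"'

# listening_pids PORT: netstat text on stdin, unique listener PIDs on stdout.
listening_pids() {
    tr -d '\r' | awk -v port="$1" '
        $1 == "TCP" && $4 == "LISTENING" {
            n = split($2, a, ":")     # last piece is the port, also for [::]:22
            if (a[n] == port) print $5  # exact match, so 22 never matches 2222
        }' | sort -u
}

# services_for_pid PID: tasklist CSV on stdin, "image -> services" on stdout.
# Splitting on "," (quotes included) keeps comma-separated service lists whole.
services_for_pid() {
    tr -d '\r' | awk -v pid="$1" -F'","' '
        $2 == pid {
            gsub(/^"/, "", $1); gsub(/"$/, "", $3)
            print $1 " -> " $3
        }'
}

# port_owner PORT NETSTAT_TEXT TASKLIST_TEXT
port_owner() {
    for pid in $(printf '%s\n' "$2" | listening_pids "$1"); do
        printf '%s\n' "$3" | services_for_pid "$pid"
    done
}

port_owner 22 "$NETSTAT_SAMPLE" "$TASKLIST_SAMPLE"
# On the server itself: port_owner 22 "$(netstat -ano)" "$(tasklist /svc /fo csv)"
```
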
