Notes for using openssh/opensshd
If you encounter errors, looking in \Program Files\OpenSSH\var\log\OpenSSHd.log is a good place
to start.
OpenSSH Service appears to hang after a connect
This likely only affects openssh-8.1p1-1. To fix it, download the 64-bit cygwin source or the
32-bit cygwin source and locate cygwin-3.1.0-7.tar. Extract that tar, open it, and locate
Cygwin-console-helper.exe.
Copy Cygwin-console-helper.exe to your \Program Files\OpenSSH\bin folder and that should solve
the problem.
OpenSSH Service failing to start or install correctly
The default password that is set during install must meet the complexity requirements of your system
(in particular for Windows Server 2008, 2012, 2016, etc.). People who are experiencing this problem
have typically NOT set the password to something that meets the server complexity requirements.
OpenSSH Service failing to start
People had asked that their settings persist during an upgrade, so the installer tucks away a copy
of your /etc folder in %TEMP%/etc.bak. Because the installer elevates, this is the Administrator's
%TEMP% (e.g. c:\users\Administrator\AppData\Local\Temp). However, with the latest version of OpenSSH
the service could fail to start because the permissions on the keys are too open:
sh-4.4$ '/cygdrive/c/Program Files/OpenSSH/usr/sbin/sshd'
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
The fix is to use the chmod command to set the permissions to be 600 for the specific key file
(in this case, ssh_host_rsa_key) by using an elevated Windows command prompt:
sh.exe
sh-4.4$ cd '/cygdrive/c/Program Files/OpenSSH/etc'
sh-4.4$ chmod 600 ssh_host_rsa_key
sh-4.4$ exit
net stop opensshd
net start opensshd
OpenSSH Service using older/incorrect settings from /etc
If you encounter errors saying a deprecated option is being used: the installer includes the
correct version, but the backup in /etc may contain an older version. If this is the case, please
back up the changes you want to keep and delete the backup folder. Then edit your current /etc
folder and update it accordingly.
sh-4.4$ '/cygdrive/c/Program Files/OpenSSH/usr/sbin/sshd'
/etc/sshd_config line 48: Deprecated option RSAAuthentication
/etc/sshd_config line 109: Deprecated option UsePrivilegeSeparation
For those using OpenSSH 5.9 or EARLIER and upgrading to OpenSSH 6.x or 7.x
There have been some weird errors uninstalling versions
of OpenSSH 5.9 and earlier - where the uninstaller essentially whacks the AppData
folder. I would recommend NOT uninstalling, and instead install the newer OpenSSH
over what is already there. The error seems to show up most often
on SP1 patched Win7 systems - however, there is no 'fix' for the error since
the uninstaller is already there and will be used. This error has been fixed on
all post OpenSSH 5.9 packages released by me. I had hoped this warning would no longer
be necessary, however, I notice that there are still 5-10 OpenSSH 5.9 downloads that
occur from my web site every week (as of Mar 2016). Why someone would download old/buggy software
that was outdated years ago is beyond me.
Debug Mode (Client)
To run the client in debug mode, do
ssh -vv localhost
Debug Mode (Server)
To run the server in debug mode, do
regedit
And navigate to
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\services\OpenSSHd\Parameters
where you can change
AppArgs "-D -r"
to
AppArgs "-D -r -dd -e"
Now, stop and restart the service and try the connection again.
net stop opensshd
net start opensshd
After the failure, you can look at the log in
\Program Files\OpenSSH\var\log\OpenSSHd.log
You will typically have to restart the service after each attempt (net start opensshd), because
the debugging steps cause the daemon to stop after a single connect.
Issue with running as SSHD_SERVER and privilege separation - opensshd fails to start
The error that is being encountered manifests itself after trying to
start opensshd using
net start opensshd
You receive the following message:
opensshd server service is starting.
opensshd server service could not be started.
The service did not report an error.
The log file shows:
/var/empty must be owned by root and not group or world-writable.
To fix this issue (Vista+):
1: Navigate to the openssh folder \Program Files\OpenSSH\var\empty
2: Right click on this folder, and select Properties->Security->Advanced->Owner->Other Users or Groups
3: Enter 'sshd_server', then select 'Check Names', then 'OK'
4: With 'sshd_server' selected, check the box 'Replace owner on subcontainer and objects'
5: Select 'OK'
6: Restart opensshd, using 'net start opensshd'
If the above does not work, then you might have to do the following:
1. icacls "C:\Program Files\OpenSSH\var\empty" /reset /c /T
2. icacls "C:\Program Files\OpenSSH\var\empty" /inheritance:r /c /T
3. icacls "C:\Program Files\OpenSSH\var\empty" /inheritance:d /remove:g Administrator /grant:r sshd_server:(OI)(CI)F /c /T
4. icacls "C:\Program Files\OpenSSH\var\empty" /setowner sshd_server /c /t
5. chown.exe sshd_server /var/empty
6. chmod.exe 600 /var/empty
The goal is to have /var/empty look like the following:
C:\Program Files\OpenSSH\var>icacls empty
empty win7\sshd_server:(R,W,D,WDAC,WO)
win7\None:(Rc,S,RA)
Everyone:(Rc,S,RA)
win7\sshd_server:(OI)(CI)(IO)(F)
C:\Program Files\OpenSSH\var>ls -l
drwx------ 1 sshd_server None empty
To fix this issue (XP):
1: cacls "C:\Program Files\OpenSSH\var\empty" /E /R "Everyone"
2: cacls "C:\Program Files\OpenSSH\var\empty" /E /R "Power Users"
3: cacls "C:\Program Files\OpenSSH\var\empty" /E /R "NT AUTHORITY\SYSTEM"
4: cacls "C:\Program Files\OpenSSH\var\empty" /E /R "CREATOR OWNER"
5: cacls "C:\Program Files\OpenSSH\var\empty" /E /R "BUILTIN\Administrators"
The goal is to have /var/empty look like the following:
C:\Program Files\OpenSSH\var\empty %COMPUTERNAME%\sshd_server:(special access:)
STANDARD_RIGHTS_ALL
DELETE
...snip...
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
%COMPUTERNAME%\None:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_READ_ATTRIBUTES
Everyone:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_READ_ATTRIBUTES
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
C:\Program Files\OpenSSH\var>ls -l
drw-r-x---+ 1 sshd_server None 0 Feb 22 08:26 empty
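A pre-flight check for the two permission failures described above (host private keys that are too open, and the ownership and mode of /var/empty), as an added example that is not part of the original notes. It generalizes the single-key chmod fix to every ssh_host_*_key file; the function names are hypothetical and a stat that accepts -c FORMAT (GNU coreutils, as in the Cygwin environment) is assumed.

```shell
#!/bin/sh
# Added example (hypothetical function names). Assumes a stat that accepts
# -c FORMAT, as GNU coreutils in the Cygwin environment does.

# List host private keys under directory $1 that sshd would ignore as
# "too open": any group/other permission bit set (mode & 077 != 0).
open_host_keys() {
    for key in "$1"/ssh_host_*_key; do
        [ -f "$key" ] || continue          # glob matched nothing
        mode=$(stat -c '%a' "$key")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "$mode $key"              # mode first: the path may contain spaces
        fi
    done
}

# Apply the chmod 600 fix to every key reported by open_host_keys.
fix_host_keys() {
    open_host_keys "$1" | while read -r mode key; do
        chmod 600 "$key"
    done
}

# Succeed only if directory $1 is owned by account $2 and is neither
# group- nor world-writable (mode & 022 == 0); print each problem found.
check_empty_dir() {
    dir=$1
    owner=$2
    rc=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    actual=$(stat -c '%U' "$dir")
    mode=$(stat -c '%a' "$dir")
    [ "$actual" = "$owner" ] || { echo "$dir: owner $actual, expected $owner"; rc=1; }
    [ $(( 0$mode & 022 )) -eq 0 ] || { echo "$dir: mode $mode is group/world-writable"; rc=1; }
    return $rc
}

# Usage from the sh.exe prompt, with the paths used on this page:
#   open_host_keys '/cygdrive/c/Program Files/OpenSSH/etc'
#   check_empty_dir '/cygdrive/c/Program Files/OpenSSH/var/empty' sshd_server
```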
Issue with long paths and OpenSSH installers < 6.6.1p1-3
The NSIS builder I used prior to this release supported string lengths of 1024 characters or less.
Of course, someone had a path that was greater than 1024, causing the installer to erase the whole
path. I have since upgraded to the NSIS installer that supports 8192 character string lengths. If
you find that has happened to you, the path can be recovered with a little registry foo, and then
you can upgrade to the 6.6.1p1-3 installer or manually edit the path yourself.
http://stackoverflow.com/questions/7956365/need-to-recover-older-path-setting
To fix issues related to the 'home' directory if your link isn't working
The install script has been fixed; however, if your older version did not contain the links for
the user's home directory (ssh attempts to write to known_hosts), you will want to apply the
following fix.
In order to fix this, do the following from an administrator cmd prompt
(in your OpenSSH install folder):
mklink /d home \Users\
OR
mklink /d "c:\Program Files\OpenSSH\home" \Users\
If you are still rolling with Windows XP, then you can use the Junction
utility from Sysinternals to make the above link (Junction also works
with all versions of Windows). Junction is included in the OpenSSH bin
folder.
In order to fix this, do the following from an administrator cmd prompt
(in your OpenSSH install folder):
junction /d home "\Documents and Settings\"
OR
junction /d "c:\Program Files\OpenSSH\home" "\Documents and Settings\"
Where are events logged by the server?
OpenSSH logs events to the Windows event viewer. You can start Event Viewer via the control panel,
or directly as eventvwr.exe. The logs are stored in the Application Logs and can be filtered by
"sshd". An example of the logs available is as follows:
sshd: PID 224420: Failed password for xxxxx from ::1 port 61729 ssh2
sshd: PID 224420: Connection closed by ::1
sshd: PID 224948: Accepted password for xxxxx from ::1 port 62293 ssh2
sshd: PID 224948: syslogin_perform_logout: logout() returned an error
sshd: PID 224948: Received disconnect from ::1: 11: disconnected by user
sshd: PID 224948: Disconnected from ::1
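Detection logic over log lines in the format shown above, as an added example that is not part of the original notes: it counts failed and accepted password events per source address and flags an address whose accepted login follows a run of failures. The sample events are constructed, the function names are hypothetical, and having the event messages exported as text with one event per line is an assumption.

```shell
#!/bin/sh
# Added example (hypothetical function names); sample events are constructed.

# Constructed events in the "sshd: PID n: ..." format shown above.
sample_events() {
    cat <<'EOF'
sshd: PID 1001: Failed password for alice from 192.0.2.10 port 50001 ssh2
sshd: PID 1002: Failed password for invalid user admin from 192.0.2.10 port 50002 ssh2
sshd: PID 1003: Failed password for alice from 192.0.2.10 port 50003 ssh2
sshd: PID 1004: Accepted password for alice from 192.0.2.10 port 50004 ssh2
sshd: PID 1005: Failed password for bob from ::1 port 61729 ssh2
sshd: PID 1005: Connection closed by ::1
sshd: PID 1006: Accepted password for bob from ::1 port 62293 ssh2
EOF
}

# Read events on stdin and print one line per source address:
#   <addr> failed=<n> accepted=<n> <flag>
# flag is SUCCESS_AFTER_FAILURES when a password was accepted from an address
# that already had at least $1 (default 3) failed attempts, otherwise "-".
ssh_auth_summary() {
    awk -v min="${1:-3}" '
        # "... for [invalid user] NAME from ADDR port N ssh2": count from the end
        $1 == "sshd:" && $5 == "password" && $(NF-2) == "port" {
            addr = $(NF-3)
            seen[addr] = 1
            if ($4 == "Failed") {
                failed[addr]++
            } else if ($4 == "Accepted") {
                accepted[addr]++
                if (failed[addr] >= min) flagged[addr] = 1
            }
        }
        END {
            for (a in seen)
                printf "%s failed=%d accepted=%d %s\n", a, failed[a], accepted[a],
                       ((a in flagged) ? "SUCCESS_AFTER_FAILURES" : "-")
        }
    ' | LC_ALL=C sort
}

# Example: sample_events | ssh_auth_summary 3
```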
The opensshd user (sshd_server) is not always deleted when openssh is uninstalled
During the server uninstall it is possible that the sshd_server account is not deleted. This is
easily fixed by uninstalling the openssh application and verifying via net user. After
uninstallation, there should no longer be an sshd_server username present. If one (or more) happen
to be there, you can manually clean up the entries via net user sshd_server /delete.
child_info_fork::abort: C:\Program Files\OpenSSH\bin\cygiconv-2.dll: Loaded to different address: parent(0x4D0000) != child(0x8D0000)
The ssh client responds with:
shell request failed on channel 0
ssh_exchange_identification: read: Connection reset by peer
The ssh or scp connection fails on 32-bit OpenSSH server attempts with the following error on the server:
0 [main] sshd 5588 child_info_fork::abort: C:\Program Files\OpenSSH\bin\cygiconv-2.dll: Loaded to different address: parent(0x4D0000) != child(0x8D0000)
This error shows up in \var\log\opensshd.log. Some googling showed that updating Windows Defender helped (https://github.com/babun/babun/issues/477) - which it did in that at least the client was able to connect to the server. However, the error was still present. More googling uncovered (https://www.itefix.net/content/solved-copssh-146-windows-vista-64-bit-only-errors-sshexchangeidentification-fork-unprivileg) which recommended
changing 'StrictModes no'. After changing StrictModes in \etc\sshd_config, I was able to connect to the Windows 10 x86 system successfully. I don't actually know what
causes this error yet, and that might not be the best solution, but it is at least a solution.
The Windows event log showed the following errors while I was trying to figure out what was wrong:
sshd: PID 5456: Received signal 15; terminating.
sshd: PID 5456: error: fork: Resource temporarily unavailable
sshd: PID 5552: error: do_exec_pty: fork: Resource temporarily unavailable
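A configuration check covering two situations from this page, the deprecated options sshd reports after an upgrade and the StrictModes workaround above, as an added example that is not part of the original notes. StrictModes controls whether sshd checks the modes and ownership of the user's files and home directory before accepting a login, so the check reports when it is set to no; the sample config is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical function names); the sample config is constructed.

# Constructed sshd_config, e.g. one restored from an older backup.
sample_config() {
    cat <<'EOF'
# constructed sample
Port 22
RSAAuthentication yes
  useprivilegeseparation=no
#StrictModes yes
StrictModes no
EOF
}

# Print "<line>: <finding>" for each active setting in file $1 that is either
# an option this page shows sshd reporting as deprecated, or StrictModes no.
# Returns 1 when anything was found, 0 for a clean file.
audit_sshd_config() {
    awk '
        /^[ \t]*#/ { next }                      # comment
        /^[ \t]*$/ { next }                      # blank line
        {
            line = $0
            sub(/\r$/, "", line)                 # tolerate CRLF line endings
            sub(/^[ \t]+/, "", line)
            split(line, kv, /[ \t=]+/)           # "Keyword value" or "Keyword=value"
            key = tolower(kv[1])                 # keywords are case-insensitive
            if (key == "rsaauthentication" || key == "useprivilegeseparation") {
                printf "%d: deprecated option %s\n", NR, kv[1]; found = 1
            } else if (key == "strictmodes" && kv[2] == "no") {
                printf "%d: StrictModes no (file mode and ownership checks are off)\n", NR
                found = 1
            }
        }
        END { exit found + 0 }
    ' "$1"
}

# Example: audit_sshd_config '/cygdrive/c/Program Files/OpenSSH/etc/sshd_config'
```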