viecode09 · November 26, 2019 17:51 · Jun 28, 2019 · Jun 28, 2019 · Jun 28, 2019 · Jun 28, 2019
diff --git a/gistfile1.sh b/gistfile1.sh
@@ -11,6 +11,11 @@
 #  This script is a cleaned up and improved version of the procedure initially
 #  found at https://ghc.haskell.org/trac/ghc/wiki/Building/Windows/SSHD
 #
+#  Gotchas:
+#    — the log file will be /var/log/msys2_sshd.log
+#    — if you get error “sshd: fatal: seteuid XXX : No such device or address”
+#      in the logs, try “passwd -R” (with admin privileges)
+#
 #  Changelog:
 #   27 Jun 2019 — rename service to msys2_sshd to avoid conflicts with Windows OpenSSH
 #               — use mkgroup.exe as suggested in the comments

diff --git a/gistfile1.sh b/gistfile1.sh
@@ -13,7 +13,8 @@
 #
 #  Changelog:
 #   27 Jun 2019 — rename service to msys2_sshd to avoid conflicts with Windows OpenSSH
-#               — Use mkgroup.exe as suggested in the comments
+#               — use mkgroup.exe as suggested in the comments
+#               — fix a problem with CRLF and grep
 #   24 Aug 2015 — run server with -e to redirect logs to /var/log/sshd.log
 #
 
@@ -69,7 +70,7 @@ fi
 
 # Add user to the Administrators group if necessary
 admingroup="$(mkgroup -l | awk -F: '{if ($2 == "S-1-5-32-544") print $1;}')"
-if ! (net localgroup "${admingroup}" | grep -q '^'"${PRIV_USER}"'$'); then
+if ! (net localgroup "${admingroup}" | grep -q '^'"${PRIV_USER}"'\>'); then
     if ! net localgroup "${admingroup}" "${PRIV_USER}" //add; then
         echo "ERROR: Unable to add user ${PRIV_USER} to group ${admingroup}"
         exit 1

diff --git a/gistfile1.sh b/gistfile1.sh
@@ -12,6 +12,8 @@
 #  found at https://ghc.haskell.org/trac/ghc/wiki/Building/Windows/SSHD
 #
 #  Changelog:
+#   27 Jun 2019 — rename service to msys2_sshd to avoid conflicts with Windows OpenSSH
+#               — Use mkgroup.exe as suggested in the comments
 #   24 Aug 2015 — run server with -e to redirect logs to /var/log/sshd.log
 #
 
@@ -110,6 +112,7 @@ for u in "${PRIV_USER}" "${UNPRIV_USER}"; do
     mkpasswd -l -u "${u}" | sed -e 's/^[^:]*+//' | sed -ne "${SED}" \
              >> /etc/passwd
 done
+mkgroup.exe -l > /etc/group
 
 
 #

diff --git a/gistfile1.sh b/gistfile1.sh
@@ -116,13 +116,13 @@ done
 # Finally, register service with cygrunsrv and start it
 #
 
-cygrunsrv -R sshd || true
-cygrunsrv -I sshd -d "MSYS2 sshd" -p \
+cygrunsrv -R msys2_sshd || true
+cygrunsrv -I msys2_sshd -d "MSYS2 sshd" -p \
           /usr/bin/sshd.exe -a "-D -e" -y tcpip -u "${PRIV_USER}" -w "${tmp_pass}"
 
 # The SSH service should start automatically when Windows is rebooted. You can
-# manually restart the service by running `net stop sshd` + `net start sshd`
-if ! net start sshd; then
-    echo "ERROR: Unable to start sshd service"
+# manually restart the service by running `net stop msys2_sshd` + `net start msys2_sshd`
+if ! net start msys2_sshd; then
+    echo "ERROR: Unable to start msys2_sshd service"
     exit 1
 fi
diff --git a/gistfile1.sh b/gistfile1.sh
@@ -11,6 +11,9 @@
 #  This script is a cleaned up and improved version of the procedure initially
 #  found at https://ghc.haskell.org/trac/ghc/wiki/Building/Windows/SSHD
 #
+#  Changelog:
+#   24 Aug 2015 — run server with -e to redirect logs to /var/log/sshd.log
+#
 
 set -e
 
@@ -115,7 +118,7 @@ done
 
 cygrunsrv -R sshd || true
 cygrunsrv -I sshd -d "MSYS2 sshd" -p \
-          /usr/bin/sshd.exe -a -D -y tcpip -u "${PRIV_USER}" -w "${tmp_pass}"
+          /usr/bin/sshd.exe -a "-D -e" -y tcpip -u "${PRIV_USER}" -w "${tmp_pass}"
 
 # The SSH service should start automatically when Windows is rebooted. You can
 # manually restart the service by running `net stop sshd` + `net start sshd`

diff --git a/gistfile1.sh b/gistfile1.sh
@@ -8,11 +8,8 @@
 #    — MSYS2 itself: http://sourceforge.net/projects/msys2/
 #    — admin tools: pacman -S openssh cygrunsrv mingw-w64-x86_64-editrights
 #
-#  This script is free software. It comes without any warranty, to
-#  the extent permitted by applicable law. You can redistribute it
-#  and/or modify it under the terms of the Do What the Fuck You Want
-#  to Public License, Version 2, as published by the WTFPL Task Force.
-#  See http://www.wtfpl.net/ for more details.
+#  This script is a cleaned up and improved version of the procedure initially
+#  found at https://ghc.haskell.org/trac/ghc/wiki/Building/Windows/SSHD
 #
 
 set -e

diff --git a/gistfile1.sh b/gistfile1.sh
@@ -1,4 +1,19 @@
 #!/bin/sh
+#
+#  msys2-sshd-setup.sh — configure sshd on MSYS2 and run it as a Windows service
+#
+#  Please report issues and/or improvements to Sam Hocevar <[email protected]>
+#
+#  Prerequisites:
+#    — MSYS2 itself: http://sourceforge.net/projects/msys2/
+#    — admin tools: pacman -S openssh cygrunsrv mingw-w64-x86_64-editrights
+#
+#  This script is free software. It comes without any warranty, to
+#  the extent permitted by applicable law. You can redistribute it
+#  and/or modify it under the terms of the Do What the Fuck You Want
+#  to Public License, Version 2, as published by the WTFPL Task Force.
+#  See http://www.wtfpl.net/ for more details.
+#
 
 set -e
 
@@ -7,8 +22,8 @@ set -e
 #
 
 PRIV_USER=sshd_server
-PRIV_NAME="Privileged server"
-UNPRIV_USER=sshd # Do not change this; it is hardcoded inside sshd
+PRIV_NAME="Privileged user for sshd"
+UNPRIV_USER=sshd # DO NOT CHANGE; this username is hardcoded in the openssh code
 UNPRIV_NAME="Privilege separation user for sshd"
 
 EMPTY_DIR=/var/empty

diff --git a/gistfile1.sh b/gistfile1.sh
@@ -8,6 +8,8 @@ set -e
 
 PRIV_USER=sshd_server
 PRIV_NAME="Privileged server"
+UNPRIV_USER=sshd # Do not change this; it is hardcoded inside sshd
+UNPRIV_NAME="Privilege separation user for sshd"
 
 EMPTY_DIR=/var/empty
 
@@ -74,8 +76,6 @@ done
 # The unprivileged sshd user (for privilege separation)
 #
 
-UNPRIV_USER=sshd # This username is hardcoded inside sshd
-UNPRIV_NAME="Privilege separation user for sshd"
 add="$(if ! net user "${UNPRIV_USER}" >/dev/null; then echo "//add"; fi)"
 if ! net user "${UNPRIV_USER}" ${add} //fullname:"${UNPRIV_NAME}" \
               //homedir:"$(cygpath -w ${EMPTY_DIR})" //active:no; then

diff --git a/gistfile1.sh b/gistfile1.sh
@@ -6,10 +6,8 @@ set -e
 # Configuration
 #
 
-PRIV_USER=cyg_server
+PRIV_USER=sshd_server
 PRIV_NAME="Privileged server"
-UNPRIV_USER=sshd
-UNPRIV_NAME="User for sshd privsep"
 
 EMPTY_DIR=/var/empty
 
@@ -19,17 +17,17 @@ EMPTY_DIR=/var/empty
 #
 
 if ! /mingw64/bin/editrights -h >/dev/null; then
-    echo "Missing 'editrights'. Try: pacman -S mingw-w64-x86_64-editrights."
+    echo "ERROR: Missing 'editrights'. Try: pacman -S mingw-w64-x86_64-editrights."
     exit 1
 fi
 
 if ! cygrunsrv -v >/dev/null; then
-    echo "Missing 'cygrunsrv'. Try: pacman -S cygrunsrv."
+    echo "ERROR: Missing 'cygrunsrv'. Try: pacman -S cygrunsrv."
     exit 1
 fi
 
 if ! ssh-keygen -A; then
-    echo "Missing 'ssh-keygen'. Try: pacman -S openssh."
+    echo "ERROR: Missing 'ssh-keygen'. Try: pacman -S openssh."
     exit 1
 fi
 
@@ -44,39 +42,53 @@ tmp_pass="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | dd count=14 bs=1 2>/dev/null)"
 
 # Create user
 add="$(if ! net user "${PRIV_USER}" >/dev/null; then echo "//add"; fi)"
-net user "${PRIV_USER}" "${tmp_pass}" ${add} //fullname:"${PRIV_NAME}" \
-         //homedir:"$(cygpath -w ${EMPTY_DIR})" //yes
+if ! net user "${PRIV_USER}" "${tmp_pass}" ${add} //fullname:"${PRIV_NAME}" \
+              //homedir:"$(cygpath -w ${EMPTY_DIR})" //yes; then
+    echo "ERROR: Unable to create Windows user ${PRIV_USER}"
+    exit 1
+fi
 
 # Add user to the Administrators group if necessary
 admingroup="$(mkgroup -l | awk -F: '{if ($2 == "S-1-5-32-544") print $1;}')"
 if ! (net localgroup "${admingroup}" | grep -q '^'"${PRIV_USER}"'$'); then
-    net localgroup "${admingroup}" "${PRIV_USER}" //add
+    if ! net localgroup "${admingroup}" "${PRIV_USER}" //add; then
+        echo "ERROR: Unable to add user ${PRIV_USER} to group ${admingroup}"
+        exit 1
+    fi
 fi
 
 # Infinite passwd expiry
 passwd -e "${PRIV_USER}"
 
 # set required privileges
-/mingw64/bin/editrights -a SeAssignPrimaryTokenPrivilege -u "${PRIV_USER}"
-/mingw64/bin/editrights -a SeCreateTokenPrivilege -u "${PRIV_USER}"
-/mingw64/bin/editrights -a SeTcbPrivilege -u "${PRIV_USER}"
-/mingw64/bin/editrights -a SeDenyRemoteInteractiveLogonRight -u "${PRIV_USER}"
-/mingw64/bin/editrights -a SeServiceLogonRight -u "${PRIV_USER}"
+for flag in SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege \
+  SeTcbPrivilege SeDenyRemoteInteractiveLogonRight SeServiceLogonRight; do
+    if ! /mingw64/bin/editrights -a "${flag}" -u "${PRIV_USER}"; then
+        echo "ERROR: Unable to give ${flag} rights to user ${PRIV_USER}"
+        exit 1
+    fi
+done
 
 
 #
 # The unprivileged sshd user (for privilege separation)
 #
 
+UNPRIV_USER=sshd # This username is hardcoded inside sshd
+UNPRIV_NAME="Privilege separation user for sshd"
 add="$(if ! net user "${UNPRIV_USER}" >/dev/null; then echo "//add"; fi)"
-net user "${UNPRIV_USER}" ${add} //fullname:"${UNPRIV_NAME}" \
-         //homedir:"$(cygpath -w ${EMPTY_DIR})" //active:no
+if ! net user "${UNPRIV_USER}" ${add} //fullname:"${UNPRIV_NAME}" \
+              //homedir:"$(cygpath -w ${EMPTY_DIR})" //active:no; then
+    echo "ERROR: Unable to create Windows user ${PRIV_USER}"
+    exit 1
+fi
 
 
 #
 # Add or update /etc/passwd entries
 #
 
+touch /etc/passwd
 for u in "${PRIV_USER}" "${UNPRIV_USER}"; do
     sed -i -e '/^'"${u}"':/d' /etc/passwd
     SED='/^'"${u}"':/s?^\(\([^:]*:\)\{5\}\).*?\1'"${EMPTY_DIR}"':/bin/false?p'
@@ -91,8 +103,11 @@ done
 
 cygrunsrv -R sshd || true
 cygrunsrv -I sshd -d "MSYS2 sshd" -p \
-          /usr/bin/sshd -a -D -y tcpip -u "${PRIV_USER}" -w "${tmp_pass}"
+          /usr/bin/sshd.exe -a -D -y tcpip -u "${PRIV_USER}" -w "${tmp_pass}"
 
 # The SSH service should start automatically when Windows is rebooted. You can
 # manually restart the service by running `net stop sshd` + `net start sshd`
-net start sshd
+if ! net start sshd; then
+    echo "ERROR: Unable to start sshd service"
+    exit 1
+fi
diff --git a/gistfile1.sh b/gistfile1.sh
@@ -39,7 +39,7 @@ fi
 #
 
 # Some random password; this is only needed internally by cygrunsrv and
-# is limited to 14 characters (lol)
+# is limited to 14 characters by Windows (lol)
 tmp_pass="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | dd count=14 bs=1 2>/dev/null)"
 
 # Create user

diff --git a/gistfile1.sh b/gistfile1.sh
@@ -43,14 +43,14 @@ fi
 tmp_pass="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | dd count=14 bs=1 2>/dev/null)"
 
 # Create user
-add=""; if ! net user "${PRIV_USER}" >/dev/null; then add="//add"; fi
+add="$(if ! net user "${PRIV_USER}" >/dev/null; then echo "//add"; fi)"
 net user "${PRIV_USER}" "${tmp_pass}" ${add} //fullname:"${PRIV_NAME}" \
          //homedir:"$(cygpath -w ${EMPTY_DIR})" //yes
 
 # Add user to the Administrators group if necessary
 admingroup="$(mkgroup -l | awk -F: '{if ($2 == "S-1-5-32-544") print $1;}')"
 if ! (net localgroup "${admingroup}" | grep -q '^'"${PRIV_USER}"'$'); then
-    net localgroup "${admingroup}" "${PRIV_USER}" ${add}
+    net localgroup "${admingroup}" "${PRIV_USER}" //add
 fi
 
 # Infinite passwd expiry
@@ -68,7 +68,7 @@ passwd -e "${PRIV_USER}"
 # The unprivileged sshd user (for privilege separation)
 #
 
-add=""; if ! net user "${UNPRIV_USER}" >/dev/null; then add="//add"; fi
+add="$(if ! net user "${UNPRIV_USER}" >/dev/null; then echo "//add"; fi)"
 net user "${UNPRIV_USER}" ${add} //fullname:"${UNPRIV_NAME}" \
          //homedir:"$(cygpath -w ${EMPTY_DIR})" //active:no
 

diff --git a/gistfile1.sh b/gistfile1.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+
+set -e
+
+#
+# Configuration
+#
+
+PRIV_USER=cyg_server
+PRIV_NAME="Privileged server"
+UNPRIV_USER=sshd
+UNPRIV_NAME="User for sshd privsep"
+
+EMPTY_DIR=/var/empty
+
+
+#
+# Check installation sanity
+#
+
+if ! /mingw64/bin/editrights -h >/dev/null; then
+    echo "Missing 'editrights'. Try: pacman -S mingw-w64-x86_64-editrights."
+    exit 1
+fi
+
+if ! cygrunsrv -v >/dev/null; then
+    echo "Missing 'cygrunsrv'. Try: pacman -S cygrunsrv."
+    exit 1
+fi
+
+if ! ssh-keygen -A; then
+    echo "Missing 'ssh-keygen'. Try: pacman -S openssh."
+    exit 1
+fi
+
+
+#
+# The privileged cyg_server user
+#
+
+# Some random password; this is only needed internally by cygrunsrv and
+# is limited to 14 characters (lol)
+tmp_pass="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | dd count=14 bs=1 2>/dev/null)"
+
+# Create user
+add=""; if ! net user "${PRIV_USER}" >/dev/null; then add="//add"; fi
+net user "${PRIV_USER}" "${tmp_pass}" ${add} //fullname:"${PRIV_NAME}" \
+         //homedir:"$(cygpath -w ${EMPTY_DIR})" //yes
+
+# Add user to the Administrators group if necessary
+admingroup="$(mkgroup -l | awk -F: '{if ($2 == "S-1-5-32-544") print $1;}')"
+if ! (net localgroup "${admingroup}" | grep -q '^'"${PRIV_USER}"'$'); then
+    net localgroup "${admingroup}" "${PRIV_USER}" ${add}
+fi
+
+# Infinite passwd expiry
+passwd -e "${PRIV_USER}"
+
+# set required privileges
+/mingw64/bin/editrights -a SeAssignPrimaryTokenPrivilege -u "${PRIV_USER}"
+/mingw64/bin/editrights -a SeCreateTokenPrivilege -u "${PRIV_USER}"
+/mingw64/bin/editrights -a SeTcbPrivilege -u "${PRIV_USER}"
+/mingw64/bin/editrights -a SeDenyRemoteInteractiveLogonRight -u "${PRIV_USER}"
+/mingw64/bin/editrights -a SeServiceLogonRight -u "${PRIV_USER}"
+
+
+#
+# The unprivileged sshd user (for privilege separation)
+#
+
+add=""; if ! net user "${UNPRIV_USER}" >/dev/null; then add="//add"; fi
+net user "${UNPRIV_USER}" ${add} //fullname:"${UNPRIV_NAME}" \
+         //homedir:"$(cygpath -w ${EMPTY_DIR})" //active:no
+
+
+#
+# Add or update /etc/passwd entries
+#
+
+for u in "${PRIV_USER}" "${UNPRIV_USER}"; do
+    sed -i -e '/^'"${u}"':/d' /etc/passwd
+    SED='/^'"${u}"':/s?^\(\([^:]*:\)\{5\}\).*?\1'"${EMPTY_DIR}"':/bin/false?p'
+    mkpasswd -l -u "${u}" | sed -e 's/^[^:]*+//' | sed -ne "${SED}" \
+             >> /etc/passwd
+done
+
+
+#
+# Finally, register service with cygrunsrv and start it
+#
+
+cygrunsrv -R sshd || true
+cygrunsrv -I sshd -d "MSYS2 sshd" -p \
+          /usr/bin/sshd -a -D -y tcpip -u "${PRIV_USER}" -w "${tmp_pass}"
+
+# The SSH service should start automatically when Windows is rebooted. You can
+# manually restart the service by running `net stop sshd` + `net start sshd`
+net start sshd