Revised Used this one: OpenSSH-3.9p1-1, mysterious -r option, and documented steps to resolve "Connection to host closed." message was sshd privilege

Greg Morgan drkludge@cox.net
Mon Aug 30 06:48:00 GMT 2004


Introduction

There is another message with this message, "OpenSSH-3.9p1-1, mysterious 
-r option, and documented steps to resolve "Connection to host closed." 
message was sshd privilege"  DO NOT USE IT.  This email has been revised 
from that original message.

This document is a temporary workaround.  Do not use it in the future 
once the corrected Cygwin DLL has been published.  Do not link to this 
message because it will be wrong in the future once the corrected Cygwin 
DLL has been published.

I decided on the -r option versus installing a new Cygwin DLL.  It 
sounded like the more conservative repair approach.  It also sounded 
like it may take more time than I had.  If you use the Cygwin DLL repair 
approach, then you do not need the rest of this email message.

If you are looking for the undocumented -r option a brief note can be 
found here http://www.mail-archive.com/cygwin@cygwin.com/msg43331.html. 
  There's nothing that I found in the man page nor on 
http://www.openssh.org about the sshd -r option.  Again you do not have 
to use this -r option in the future with Cygwin.  It is a temporary 
workaround for a Cygwin DLL issue that occurs with the OpenSSH-3.9p1-1 
Cygwin package.

Google Terms

If the subject title of "OpenSSH-3.9p1-1, mysterious -r option, and 
documented steps to resolve "Connection to host closed." message was 
sshd privilege separation problem" did not provide you enough search 
terms, here are some more: cygwin-1.5.10-3 package
upgrading openssh 3.8.1p1-1 -> 3.9p1-1 breaks privilege separation.

Background

I spent several hours trying to find the correct workaround.  Part of 
the problem was this -r that does not _appear_ to be documented 
anywhere.  I offer my notes to hopefully save you some time if you 
should run into the privilege separation problem.  This problem appears 
to occur with openssh 3.0p1-1 and cygwin-1.5.10-3.

Moreover, the Cygwin approved install script needed an edit because two 
options were supplied to it for the cygrunsrv command. I have tested and 
documented two ways to solve this problem.  If editing files and regular 
expressions bother you then try the first option.  A third option was 
proposed on this list, but it does not look like it was tested.  I will 
offer only what I know and appears to work for me to solve the 
"Connection to host closed" message.  Moreover, you will still need to 
test what I offer here and see if it works for you.  Finally, my 
solution was tested behind a firewall so if there are any security risks 
they are limited.  The -r option solves a DLL bug.  I don't know if 
it reduces security with the OpenSSH Cygwin package.

The Solutions

OPTION 1.)
I ran
ssh-host-config -y
at the command prompt just to make sure I had the rest of ssh setup 
correctly.  I performed this step because of all the fooling around I 
tried to resolve the "Connection to host closed." messages without 
knowing what the problem was.  You may not need to perform this step 
depending on what happened to you.

Then I removed the services entry by entering
cygrunsrv -R sshd
at the command prompt.  A harmless error message will be displayed if 
you do not have the service running.  But you will know that the sshd 
service has been removed and that you can proceed.

I looked at the Cygwin /usr/bin/ssh-host-config configuration script and 
found the command line that I would use:
cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
-a -D -e "CYGWIN=ntsec"
Please note there is another version of this command in the shell 
script.  That may be the correct version for you.  Option 2 may be a 
better solution if you are not sure.

I modified this command string to
cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
-a "-D -r" -e "CYGWIN=ntsec"
This was the command line I ran at the command prompt to supply the -r 
option that Corinna said was required _for_the_temporary_workaround_. 
Please enter the command all on one line without the \, or make sure the 
\, the continuation character, is the last character on the line before 
starting the -a on the second line.

Finally, I started the service by issuing this command at the Cygwin 
command prompt.
cygrunsrv -S sshd

OPTION 2.)
An alternate method is to enter
vim /usr/bin/ssh-host-config
on the command line.  Then use vim's search and replace functions to 
change all the sshd -a -D occurrences to sshd -a "-D -r" like so
:%s/sshd -a -D/sshd -a "-D -r"/g

Finally, issue the following commands at the command prompt.
cygrunsrv -R sshd
ssh-host-config -y -c "ntsec"
cygrunsrv -S sshd

The Good Luck Disclaimer

Please note there are many links out on the Internet that still show 
ntsec and tty.  It sounds like these are wrong for some combinations of 
Cygwin and MS Windows platforms.  I don't know what they are so I cannot 
offer you a solution.  The ntsec is redundant.  Again it may be required 
for some earlier versions of MS Windows but I cannot tell you if 
that is correct.  The solutions were tested on an MS Windows 2000 box. 
ntsec sounds correct for this box but redundant.  The reason I bothered 
typing it in is that if you run ssh-host-config -y or ssh-host-config -y 
-c, the shell script prompts you for something to put in the CYGWIN 
environment variable. ntsec appears to be redundant but seems harmless 
in this context of MS Windows 2000. The ntsec is supposed to be 
redundant because sshd uses it by default as I recall.

I successfully sshed into my Cygwin PC with the new ssh package 
OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004 using both resolution 
procedures above. Note that scp operations were not affected by the 
Cygwin DLL issue.  If you have read this far, then you would know that 
this is just a temporary solution.  LOL I am not affiliated with Cygwin. 
  I am just a user on the Cygwin mailing list.  "But,...I mean where 
else would you expect to find cygwin ssh help than on a..." Cygwin 
mailing list.  But would you trust a user providing help with a user id 
called "drkludge"?   LOL

Greg
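
Added example, not part of the original message and not Cygwin's own code: a scripted form of the OPTION 2 edit that keeps a backup and can be reverted once the corrected Cygwin DLL is installed. The function names and the two sample script lines are constructed for illustration; point the functions at a copy of /usr/bin/ssh-host-config first.

```shell
#!/bin/sh
# Scripted form of OPTION 2 (the vim substitution) plus the later revert.
# Function names and sample content are constructed, not from the package.

# Rewrite `sshd -a -D` to `sshd -a "-D -r"`, keeping a one-time .orig backup.
apply_r_workaround() {
    script=$1
    grep -q 'sshd -a -D' "$script" || return 1    # nothing left to patch
    [ -f "$script.orig" ] || cp -p "$script" "$script.orig"
    sed 's/sshd -a -D/sshd -a "-D -r"/g' "$script" > "$script.tmp" &&
        cat "$script.tmp" > "$script" && rm -f "$script.tmp"
}

# Undo the edit once the temporary workaround is no longer needed.
revert_r_workaround() {
    script=$1
    sed 's/sshd -a "-D -r"/sshd -a -D/g' "$script" > "$script.tmp" &&
        cat "$script.tmp" > "$script" && rm -f "$script.tmp"
}

# Print how many lines still carry the -r workaround.
count_r_lines() {
    grep -c 'sshd -a "-D -r"' "$1" || true
}

# Constructed stand-in for the two cygrunsrv lines in ssh-host-config.
make_sample() {
    cat > "$1" <<'EOF'
cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=ntsec"
cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
EOF
}

sample=$(mktemp)
make_sample "$sample"
apply_r_workaround "$sample" && echo "patched lines: $(count_r_lines "$sample")"
revert_r_workaround "$sample" && echo "after revert:  $(count_r_lines "$sample")"
rm -f "$sample" "$sample.orig"
```

After either function changes the real script, the service still has to be removed, reinstalled and started with the three commands listed under OPTION 2.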

