PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

impossible to start sshd service , error 1297 #2290

Open aragon5956 opened 1 month ago

aragon5956 commented 1 month ago

Prerequisites

Steps to reproduce

Hello, I have a problem with access rights:

I get the same error even if I execute .\FixHostFilePermissions.ps1 and .\FixUserFilePermissions.ps1, and I don't have "NT Service\sshd":

PS C:\Program Files\OpenSSH> Restart-Service sshd
Restart-Service : Service 'sshd (sshd)' cannot be started due to the following error: Cannot start service sshd on
computer '.'.
At line:1 char:1
+ Restart-Service sshd
+ ~~~~~~~~~~~~~~~~~~~~
   + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Restart-Service]
  , ServiceCommandException
   + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.RestartServiceCommand

PS C:\Program Files\OpenSSH> .\FixHostFilePermissions.ps1
 [*] C:\ProgramData\ssh\sshd_config
     looks good

 [*] C:\ProgramData\ssh\ssh_host_ecdsa_key
     looks good

 [*] C:\ProgramData\ssh\ssh_host_ecdsa_key.pub
     looks good

 [*] C:\ProgramData\ssh\ssh_host_ed25519_key
     looks good

 [*] C:\ProgramData\ssh\ssh_host_ed25519_key.pub
     looks good

 [*] C:\ProgramData\ssh\ssh_host_rsa_key
     looks good

 [*] C:\ProgramData\ssh\ssh_host_rsa_key.pub
     looks good

  Done.

PS C:\Program Files\OpenSSH> .\FixUserFilePermissions.ps1
 [*] ~\.ssh\config
     looks good

 [*] C:\Users\alexa\.ssh\id_rsa
     looks good

 [*] C:\Users\alexa\.ssh\id_rsa.pub
     looks good

  Done.

PS C:\Program Files\OpenSSH> .\FixHostFilePermissions.ps1
 [*] C:\ProgramData\ssh\sshd_config

Current owner: 'ALEXANDREM\alexa'. 'AUTORITE NT\Système' should own 'C:\ProgramData\ssh\sshd_config'.
Shall I set the file owner?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A

Need to remove the inheritance before repair the rules.
Shall I remove the inheritance?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A
Inheritance is removed from 'C:\ProgramData\ssh\sshd_config'.

'BUILTIN\Utilisateurs' should not have access to 'C:\ProgramData\ssh\sshd_config'..
Shall I remove this access?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A
'BUILTIN\Utilisateurs' has no more access to 'C:\ProgramData\ssh\sshd_config'.
'NT SERVICE\sshd' has no more access to 'C:\ProgramData\ssh\sshd_config'.
     Repaired permissions

 [*] C:\ProgramData\ssh\ssh_host_ecdsa_key
     looks good

 [*] C:\ProgramData\ssh\ssh_host_ecdsa_key.pub
     looks good

 [*] C:\ProgramData\ssh\ssh_host_ed25519_key
     looks good

 [*] C:\ProgramData\ssh\ssh_host_ed25519_key.pub
     looks good

 [*] C:\ProgramData\ssh\ssh_host_rsa_key
     looks good

 [*] C:\ProgramData\ssh\ssh_host_rsa_key.pub
     looks good

  Done.

PS C:\Program Files\OpenSSH> ^C
PS C:\Program Files\OpenSSH> Restart-Service sshd
Restart-Service : Service 'sshd (sshd)' cannot be started due to the following error: Cannot start service sshd on
computer '.'.
At line:1 char:1
+ Restart-Service sshd
+ ~~~~~~~~~~~~~~~~~~~~
   + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Restart-Service]
  , ServiceCommandException
   + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.RestartServiceCommand

could you help me ? my sshd version is :

PS C:\Program Files\OpenSSH> .\sshd.exe -d
debug1: sshd version OpenSSH_for_Windows_9.5, LibreSSL 3.8.2
debug1: private host key #0: ssh-rsa SHA256:ClEXD2C/iaTwtFDxUOPwcIrK8+CqXHlutDxXSgzIPTM
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:7qwfTYBphjkTNFm+wSF+LX9P9JKPMgu++qLcOKjd/FQ
debug1: private host key #2: ssh-ed25519 SHA256:T3TryzsUax+Lm1/tPpZtoH12STRWvMY/teFwy4HPa6o
debug1: rexec_argv[0]='C:\\Program Files\\OpenSSH\\sshd.exe'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.

I can't assign user policies such as "Log in as a service", which I did not:

[screenshot: StratégieUtilisateur]

The error also depends on the parameters of the service; currently it is configured this way:

[screenshots: sshPrivilèges, propriétaireDossierProgramDataSSH, connexionParCompte]

I don't get the same error if I log in locally:

[screenshots: connexionLocal, connexionLocalErreur]

Could you help me? Regards

Expected behavior

The sshd service in Windows starts correctly.

Actual behavior

Problems displayed, as I showed in the screenshots.

Error details

As displayed in the screenshots.

Environment data

Windows 10 client machine, latest build: 19045.5011

Version

PS C:\Program Files\OpenSSH> .\sshd.exe -d
debug1: sshd version OpenSSH_for_Windows_9.5, LibreSSL 3.8.2
debug1: private host key #0: ssh-rsa SHA256:ClEXD2C/iaTwtFDxUOPwcIrK8+CqXHlutDxXSgzIPTM
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:7qwfTYBphjkTNFm+wSF+LX9P9JKPMgu++qLcOKjd/FQ
debug1: private host key #2: ssh-ed25519 SHA256:T3TryzsUax+Lm1/tPpZtoH12STRWvMY/teFwy4HPa6o
debug1: rexec_argv[0]='C:\\Program Files\\OpenSSH\\sshd.exe'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.

Visuals
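The report above shows that `sshd.exe -d` run from an elevated prompt loads the config and host keys and binds port 22, while the same binary fails to start as a service. Those are two different security contexts: the interactive run uses the administrator's token, the service run uses the account, privileges and ACL view that the Service Control Manager gives it. The script below is an added example (not Win32-OpenSSH project code and not the reporter's) that collects the service-side facts in one place: the configured account and image path, the RequiredPrivileges value of the service key (a standard service registry value; that the Win32-OpenSSH installer populates it and that sshd runs as LocalSystem on current releases are assumptions), the text of the error code from the issue title via `net helpmsg`, the last Service Control Manager events for the service, the OpenSSH/Operational ETW channel (assumed to be the default log target), and an ACL summary keyed by SID so it reads the same on a French install.

```powershell
# Added example (not Win32-OpenSSH project code, not the reporter's): gather the
# service-side facts behind a failed 'Restart-Service sshd'. sshd.exe -d from an
# admin prompt proves the config and keys load; it says nothing about the account,
# privileges and ACLs the Service Control Manager starts sshd with.
#Requires -RunAsAdministrator

function Get-SshdStartupDiagnostics {
    param(
        [string]$ServiceName = 'sshd',
        [int]$ErrorCode = 1297        # code from the issue title; 'net helpmsg' decodes it
    )
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    $reg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName" -ErrorAction SilentlyContinue

    # Service Control Manager events mentioning the service (7000/7009/7023/7024 are the usual start failures).
    $scm = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager' } -MaxEvents 300 -ErrorAction SilentlyContinue |
           Where-Object { $_.Message -match "\b$ServiceName\b" } |
           Select-Object -First 5 TimeCreated, Id, Message

    # Assumption: Win32-OpenSSH logs to the OpenSSH/Operational ETW channel with the default logging config.
    $ssh = Get-WinEvent -LogName 'OpenSSH/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
           Select-Object TimeCreated, Id, Message

    # ACL summary of what sshd opens at start, keyed by SID so it reads the same on localized Windows.
    $paths = @("$env:ProgramData\ssh", "$env:ProgramData\ssh\sshd_config")
    $paths += @(Get-ChildItem "$env:ProgramData\ssh\ssh_host_*_key" -ErrorAction SilentlyContinue | ForEach-Object FullName)
    $acls = foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        [pscustomobject]@{
            Path      = $p
            Owner     = $acl.Owner
            Protected = $acl.AreAccessRulesProtected   # $false means ACEs still inherit from the parent folder
            Access    = ($acl.Access | ForEach-Object {
                            $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
                            '{0}={1}' -f $sid, $_.FileSystemRights
                        }) -join '; '
        }
    }

    [pscustomobject]@{
        State              = $svc.State
        StartMode          = $svc.StartMode
        Account            = $svc.StartName           # assumption: LocalSystem on current releases, so no NT SERVICE\sshd
        ImagePath          = $reg.ImagePath
        RequiredPrivileges = $reg.RequiredPrivileges  # REG_MULTI_SZ; assumption: set by the installer, a missing one fails the start
        ErrorText          = ((& net helpmsg $ErrorCode) -join ' ').Trim()
        ScmEvents          = $scm
        OpenSshEvents      = $ssh
        Acls               = $acls
    }
}

$d = Get-SshdStartupDiagnostics
$d | Format-List State, StartMode, Account, ImagePath, RequiredPrivileges, ErrorText
$d.ScmEvents     | Format-Table -AutoSize -Wrap
$d.OpenSshEvents | Format-Table -AutoSize -Wrap
$d.Acls          | Format-Table -AutoSize -Wrap
```

Read the output as a checklist: the Account and RequiredPrivileges lines say what the service runs as and what it needs; the SCM events carry the exact failure code; the ACL rows show whether any file sshd must open still inherits from C:\ProgramData or is owned by a regular user, as the reporter's second FixHostFilePermissions.ps1 run above found for sshd_config.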

ccjimmy777 commented 1 month ago

Same error, +1.

maertendMSFT commented 1 month ago

Do either of the workarounds from these issues resolve what you are seeing?

https://github.com/PowerShell/Win32-OpenSSH/issues/2287 https://github.com/PowerShell/Win32-OpenSSH/issues/2282

aragon5956 commented 1 month ago

It doesn't help me.

tgauth commented 1 month ago

Can you run the following from an elevated PowerShell session:

# limit ssh folder permissions to full control for system and local group administrators, and read for authenticated users
$directoryPath = "$env:ProgramData\ssh"
$acl = Get-Acl -Path $directoryPath
# SDDL: owner BUILTIN\Administrators; protected DACL; SYSTEM and Administrators full control, Authenticated Users read/execute, inherited by files and subfolders
$sddlString = 'O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)'
$securityDescriptor = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddlString
$acl.SetSecurityDescriptorSddlForm($securityDescriptor.GetSddlForm("All"))
Set-Acl -Path $directoryPath -AclObject $acl

# limit log folder permissions to full control for system and local group administrators, and read for authenticated users
$directoryPath = "$env:ProgramData\ssh\logs"
$acl = Get-Acl -Path $directoryPath
$sddlString = 'O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)'
$securityDescriptor = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddlString
$acl.SetSecurityDescriptorSddlForm($securityDescriptor.GetSddlForm("All"))
Set-Acl -Path $directoryPath -AclObject $acl

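The snippet above applies the descriptor but does not check what ended up on disk, and it fails on a fresh install where %ProgramData%\ssh\logs does not exist yet (Get-Acl on a missing path throws), which is the detail the reporter later hit. The following is an added example, not Win32-OpenSSH project code: it applies the same SDDL, saves the previous descriptors to a backup file first, creates the logs folder if needed, and then verifies the result by well-known SID rather than by display name, so the check gives the same answer on a French install where the principals show as 'AUTORITE NT\Système' or 'BUILTIN\Utilisateurs'. It also re-checks the private host keys, because the OICI ACEs in this descriptor propagate to any child whose inheritance is still enabled, and a private key must not pick up an Authenticated Users read ACE that way. Paths and the backup location are assumptions.

```powershell
# Added example (not Win32-OpenSSH project code): apply the descriptor from the
# comment above with a backup and a locale-independent verification. Run elevated.
#Requires -RunAsAdministrator

# Target descriptor, exactly as suggested above. Field by field:
#   O:BA                   owner = BUILTIN\Administrators
#   D:PAI                  DACL is Protected (nothing inherits from C:\ProgramData), Auto-Inherited
#   (A;OICI;FA;;;SY)       Allow, Object+Container Inherit, Full Access, SYSTEM
#   (A;OICI;FA;;;BA)       Allow, inherit, Full Access, BUILTIN\Administrators
#   (A;OICI;0x1200a9;;;AU) Allow, inherit, Read+Execute+Synchronize, Authenticated Users
# The SID aliases SY/BA/AU resolve on any Windows language; display names do not.
$TargetSddl = 'O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)'

$Full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$Read = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$Sync = [int][System.Security.AccessControl.FileSystemRights]::Synchronize

# Expected DACLs keyed by well-known SID: S-1-5-18 SYSTEM, S-1-5-32-544 Administrators, S-1-5-11 Authenticated Users.
$DirExpected = @{ 'S-1-5-18' = $Full; 'S-1-5-32-544' = $Full; 'S-1-5-11' = $Read }
$KeyExpected = @{ 'S-1-5-18' = $Full; 'S-1-5-32-544' = $Full }   # private host keys: no Authenticated Users at all

function Set-SshDirectoryAcl {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Sddl, [Parameter(Mandatory)][string]$BackupFile)
    # A fresh install may have no logs folder yet; Get-Acl/Set-Acl fail on a missing path.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -LiteralPath $Path
    # Keep the old descriptor; revert with: $a = Get-Acl $Path; $a.SetSecurityDescriptorSddlForm($old); Set-Acl $Path $a
    Add-Content -LiteralPath $BackupFile -Value ("{0}`t{1}" -f $Path, $acl.Sddl)
    # Parsing through RawSecurityDescriptor rejects a malformed SDDL before anything is written.
    $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl
    $acl.SetSecurityDescriptorSddlForm($raw.GetSddlForm('All'))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-PathAcl {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][hashtable]$Expected)
    $acl = Get-Acl -LiteralPath $Path
    $problems = New-Object System.Collections.Generic.List[string]
    if (-not $acl.AreAccessRulesProtected) { $problems.Add('inheritance from the parent folder is still enabled') }
    $seen = @{}
    foreach ($ace in $acl.Access) {
        # Compare by SID, not display name, so this works on French/German/... installs.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if (-not $Expected.ContainsKey($sid)) { $problems.Add("unexpected ACE for $($ace.IdentityReference) ($sid)"); continue }
        $seen[$sid] = $true
        $have = [int]$ace.FileSystemRights
        $want = [int]$Expected[$sid]
        if ($ace.AccessControlType -ne 'Allow' -or (($have -band $want) -ne $want)) {
            $problems.Add("$($ace.IdentityReference) has $($ace.FileSystemRights), expected at least $want")
        }
        # Rights beyond the expected set (Synchronize aside) mean e.g. Authenticated Users can write or re-ACL.
        if (($have -band -bnot ($want -bor $Sync)) -ne 0) { $problems.Add("$($ace.IdentityReference) has extra rights: $($ace.FileSystemRights)") }
    }
    foreach ($sid in $Expected.Keys) { if (-not $seen[$sid]) { $problems.Add("no ACE for $sid") } }
    [pscustomobject]@{ Path = $Path; Owner = $acl.Owner; Ok = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

$backup = Join-Path $env:TEMP ('ssh-acl-backup-{0:yyyyMMdd-HHmmss}.tsv' -f (Get-Date))
foreach ($dir in @("$env:ProgramData\ssh", "$env:ProgramData\ssh\logs")) {
    Set-SshDirectoryAcl -Path $dir -Sddl $TargetSddl -BackupFile $backup
    Test-PathAcl -Path $dir -Expected $DirExpected
}
# The OICI ACEs above propagate to children that still inherit: make sure no private host key gained an AU read ACE.
Get-ChildItem "$env:ProgramData\ssh\ssh_host_*_key" -ErrorAction SilentlyContinue |
    ForEach-Object { Test-PathAcl -Path $_.FullName -Expected $KeyExpected }
Write-Host "Previous descriptors saved to $backup"
```

If a host key row comes back with Ok = False, run .\FixHostFilePermissions.ps1 again (it removes inheritance on the key files, as seen in the reporter's output) and re-run the check; then restart the service and confirm with Get-Service sshd that it is Running.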
aragon5956 commented 1 month ago

I will check as soon as possible whether the service configuration points to

 C:\Program Files\OpenSSH\sshd

and not to

C:\Program Files\OpenSSH\
aragon5956 commented 4 weeks ago

Can you run the following from an elevated PowerShell session:

# limit ssh folder permissions to full control for system and local group administrators, and read for authenticated users
$directoryPath = "$env:ProgramData\ssh"
$acl = Get-Acl -Path $directoryPath
$sddlString = 'O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)'
$securityDescriptor = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddlString
$acl.SetSecurityDescriptorSddlForm($securityDescriptor.GetSddlForm("All"))
Set-Acl -Path $directoryPath -AclObject $acl

# limit log folder permissions to full control for system and local group administrators, and read for authenticated users
$directoryPath = "$env:ProgramData\ssh\logs"
$acl = Get-Acl -Path $directoryPath
$sddlString = 'O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)'
$securityDescriptor = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddlString
$acl.SetSecurityDescriptorSddlForm($securityDescriptor.GetSddlForm("All"))
Set-Acl -Path $directoryPath -AclObject $acl

Awesome!! It solved the problem of starting the sshd service in Windows after creating the logs directory for the local account, but not for the normal account:

[screenshots: normalAccount, normalAccountError]

Trying to modify the given script, one realizes that one cannot make exceptions for Administrators and System.