SFTP - Windows Server 2016 install of Cygwin OpenSSH with User Restricted to Home Directory

Подписаться 13 тыс.

Просмотров 66 тыс.

50% 1

Link to Cygwin Install Notes - goo.gl/mnbYB7
Updated to include better user Restriction Instructions locking user into their Home Directory in SFTP
Updated video on how to install SFTP on a Windows Server using Cygwin OpenSSH for Windows Server 2003, 2008, 2008R2, 2012, 2014, 2016
STEP #0 = Install Cygwin and OpenSSH Files
1) Install files as instructed in this video
2) Note always run all terminals as Administrator when doing the
instructions below
STEP #1 = Create a Windows Users, Groups and User Directories
1) For Example, create windows users sftpuser01, sftpuser02, sftpuser03
2) For Example, create windows group sftp_group
3) Place users in the sftp_group
4) Under windows create the Folder C:\SFTP_ROOT
5) Create a folder for each user, in my case its
a) C:\SFTP_ROOT\sftpuser01
b) C:\SFTP_ROOT\sftpuser02
c) C:\SFTP_ROOT\sftpuser03
STEP #2 = Open Cygwin Terminal Shell install SSH
1) In the Cygwin Terminal Shell type
export CYGWIN='ntsec tty'
chmod 0755 /var
ssh-host-config
Answers to the questions when prompted for from ssh-host-config
===================================================================
a) should strictmodes be used? no
b) Should privilege separation be used? yes
c) New local account 'sshd'? yes
d) do you want to install sshd as a service? yes
e) Enter the value of CYGWIN daemon? sshd
f) do you want to use a different name? no
g) Create a new privileged user account 'cyg_server'? yes
STEP #3 = Create password and Group file
1) Create the Password File and Group File, in the CygWin Termina type
mkgroup [redirect output to] /etc/group
#for local users
mkpasswd -cl [redirect] /etc/passwd
#for domain users
#mkpasswd -d [redirect] /etc/passwd
chmod +rw /etc/group
chmod +rw /etc/passwd
STEP #4 = Edit the FSTAB File system table
1) Some FSTAB Entries for Your Reference
cygwin.com/cygwin-ug-net/using...
2) Use these entries
C:/cygwin64 / ntfs override,binary,noacl 0 0
C:/SFTP_ROOT /home ntfs override,binary,noacl 0 0
C:/cygwin64/bin /usr/bin ntfs override,binary,noacl 0 0
C:/cygwin64/lib /usr/lib ntfs override,binary,noacl 0 0
C:/cygwin64/etc/terminfo /usr/share/terminfo ntfs override,binary,noacl 0 0
STEP #5 = Change the nsswitch.conf file
1) This allows only users in the passwd file to login, otherwise if you
specify "db" it allows users in the Active Directory to log in also
If you want User Login Access to be soley Controlled by PASSWD file not Active Directory
edit the /etc/nsswitch.conf
/etc/nsswitch.conf
Defaults:
passwd: files db
group: files db
db_enum: cache builtin
db_home: /home/%U
db_shell: /bin/bash
passwd: files
group: files
STEP #6 = Now Start the Service
1) Start the Service
net stop sshd
net start sshd
netstat -a
2) Make sure to change the Firewall to allow for port 22
STEP #7 = Restrict users to home dir
0) Allow edit to sshd_config in cygwin terminal
chmod 777 /etc/sshd_config
1) Restrict users to home direct, edit the /etc/sshd_config add the lines below
a) comment out
#Subsystem sftp /usr/sbin/sftp-server
b) paste below the subsystem and match group
Subsystem sftp internal-sftp
Match group sftp_group
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
2) Edit the /etc/passwd file for the user "cyg_server" give it the root id of 0
this is necessary for restricting the user to their own home directory
cyg_server:*:0
3) Append these to /etc/fstab file, this will hid the /cygdrive and /dev folder
after you have restricted the user to the /home directory
/dev /null none bind
none / cygdrive user 0 0
4) Go into Cygwin Terminal assign cyg_server /home this is required
for the restricting of the user to the home directory
chown cyg_server /home
chmod 0755 /home
5) Start the Service
net stop sshd
net start sshd

Наука

Опубликовано:

5 сен 2015

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 150

@ritabowers5553 7 лет назад

Something that stumped me for a long time. My connection was getting access denied for my users. But connection successful for my local admin account. After days of frustration, this is what solved my problem. On the server (in my case, Windows 2008 R2), go to start then type in Edit Group Policy and click on it. Go to Local Computer Policy->Windows Settings->Security Settings->Local Policies->User Rights Assignment. Double click "Allow log on locally". If "Users" is not in that list, your local users will not be able to get a successful connection. In my case, I could not add a User or Group because it was grayed out even though I'm an admin. So, I added my sftpuser01, sftpuser02, and sftpuser03 to one of the groups that was in the list. Then my connections worked perfectly. Hope this helps someone else.

@jaredday4398 7 лет назад

This helped me a lot! thanks!

@MuneebQureshi1 4 года назад

I got the same problem on Windows 10. Solved by clicking 'Add User' Selected all from Object Types Wrote my group name "sftpgroup" and clicked Check Names It retrieved my required info and the just clicked OK and Apply

@ODB-gy2dr 4 года назад

Thank you sooooooo much ! I honestly have been looking for a way to setup sFTP on my Windows server 2016 for days !! And your great video helps doing just that as well as teaching a lot of essential. As a beginner in Network engineering, i say THANK YOU!

@robshin8078 Год назад

Your videos on installing and configuring Cywin are VERY helpful. Thank you!! Many thanks.

@davidnguyen962 6 лет назад

Awesome step-by-step. This saved me many frustrating hours!

@lovemyway 8 лет назад

Thanks mate, you really helped me to configure the SFTP in my company :)

@BarryMichaelDoyle 8 лет назад

How do you add an sftp user after it's all setup? I followed step 1 and it didn't work, what am I missing?

@frederickrelenas 6 лет назад

Hi, thanks for this. Everything works in my set-up except for the dev folder not being hidden. Any ideas?

@diyhntr-BradySmith 8 лет назад

Excellent tutorial! Thank you! I have both FTP and SFTP pointing to the same user folders which is working great. However, I have multiple users that need to manage the same website files. I manage this in IIS via Virtual Folders. How do you do Virtual Directories with this CYGWIN install?

@AngelBatallaGMail 8 лет назад

Good morning! Thanks for the great video tutorial Need some help. I followed the instructions, tested the connection from another machine to the Admin and one user accounts, but when I did Step 7-4 and run net "stat sshd" in PowerShell got an ugly error message: Translation is something like "CYGWIN service unable to initialize". If i try to start the service from the Services pane get "CYGWIN sshd service in local machine started and stopped after. Some services stop automatically if they are not used by any service or program". Looking at cyg_server user properties, in Description says "

@ritabowers5553 7 лет назад

What's involved if you want to have a both Local Users and Domain Users be able to SFTP? I assume I could run the mkpasswd for local then run in a separate file for -d then copy the desired entries into the first one? How about folder permissions? Will certain folders need to be able to be read by Domain Users? I just tried running the mkpasswd -d using my local admin account and it will not generate the rows for the domains.....help!

@liebenberggideon007 8 лет назад

Hi CodeCowboyOrg, appreciate the video. It really helps a guy that hasn't worked with SFTP what so ever. But my question, can you assist in setting up an SFTP site on a Domain environment? And also how to set Cygwin SSH to open the SFTP_Root folder by Default(Without all the user profiles and folders, just the Root Folder on its own), when adding a new user to the SFTP_Group? Hope this makes sense and hope to here from you?

@polekasutusel1975 8 лет назад

Great video, just had to do this on a domain server and thus had to modify the groups and passwd file accordingly, because it took automatically the domain groups, not from local machine. "mkgroup -l" helped. Also had to remove the local machine name from both files which got added before local groups and user accounts. Thanks.

@wilfredosh 8 лет назад

Thanks for tip

@rakesh9635 5 лет назад

Good presentation. This video helped alot.

@Theicebergx 8 лет назад

Hello, Thanks for the detailed walk threw. I ran into a issue and wanted to see if you can help. When I try to connect the SFTP I get an authentication failed error. I wanted the user to be managed by the local file and not the domain. Any help would be greatly appreciated.

@jacobm.1154 6 лет назад

Thanks for this video. It helped me get my SFTP server up and running quickly. However, I'm having an issue with /dev still being visible to the users upon logging in through FileZilla. After going through the passes in your video several times I don't see any missed or incorrect steps. I see a few people down also have this issue. DO you have any pointers by chance? Thanks again!

@renorcabual9677 8 лет назад

I followed all the steps and I can now login using WinSCP Utility on my local accounts using servername+username method. It worked as it should an the account can only see it's own home directory. For some reason I could not get my Domain users to worked. The Domain users were added using the append method to /etc/passwd. Could this be a Domain policy issue? One more thing, I could not make FileZilla to work. I'm running it on Windows 2012 R2 server that will be replacing Windows 2008 R2 server that uses CopSSH. I had the same issue when I tried to install CopSSH. I found out later that CopSSH is no longer supported in favor of Cygwin.

@gokhanyucel8500 6 лет назад

hitting some weird issues-really technical I know: when I close the cygwin64 terminal the permissions on the folders revert I can see this when I relaunch the Cygwin terminal with ls -l. I am unable to hide the /dev folder and the chroot stops working as expected. initially it seems to be fine except for "hiding" the folders cygwin and dev...also I do not get the "b)" question when configuring the shell "should privilege separation be used" I have read that this is "yes" by default somewhere on the NET..something not quite rite I have deviated from the instruction in only one area and that is the home directory to D:\sftp_root not c:\sftp_root following the instructions should work without touching NTFS permissions I would have thought..a little disappointing I have tried twice now going for a third but I don't expect any change--the old saying "doing the same thing expecting different result" not going to happen with everything else remaining the same....it seems hinding the Cygwin and dev directories are causing issues...3 years down the track it maybe stale....oh well...

@testersoftware970 8 лет назад

How would you configure Cygwin OpenSSH to work with Azure File Storage instead of using a folder on a local drive for each user?

@ritabowers5553 7 лет назад

Will this work if you install and configure with a DOMAIN ADMIN account versus a LOCAL ADMIN account? I've tried both and had some issues with the DOMAIN ADMIN account and noticed the permissions it places on folders and files is very different than when using a LOCAL ADMIN account.

@prakharjalan 3 года назад

Many thanks to you CodeCowboyOrg for this video! I got one question - in the Cygwin version which I downloaded, I don't have the "cyg_server:*:0" entry in the /etc/passwd file. Where should I include this? Thanks!

@ThoCav 2 года назад

Do you have the 'cyg_server' user available? If this is not the case, the problem can be solved by creating the Group file before launching the configuration. Then the 'ssh-host-config' command should be completed so that you have this correct following sequence in STEP #2: export CYGWIN='ntsec tty' chmod 0755 /var mkgroup -l > /etc/group ssh-host-config --privileged --user cyg_server Otherwise, just relaunch the 'mkpasswd -cl > /etc/passwd' command.

@ritabowers5553 6 лет назад

This has been running great for almost 2 years and then all of the sudden my clients' connections are taking a very long time. They use to take a couple seconds and now are taking around 2 minutes and sometimes not able to connect. Any ideas what could cause this or how to fix it. All the configurations have been set for 2 years with everything in this video.

@zandokanism 7 лет назад

Im trying to add a NAS as a home directory, I tried what you said in step 4 and instead I put U:/SFTP_ROOT /home ntfs override,binary,noacl 0 0 When I login I can see the directory for CYGWIN and I can access all of it but the NAS is not there.

@brettmealor5809 7 лет назад

The service starts and crashes immediately. The sshd log is empty, however in Event Viewer I see the following errors (note that I have opened the ports in the firewall): sshd: PID 4964: error: Bind to port 22 on :: failed: Operation not permitted. sshd: PID 4964: error: Bind to port 22 on 0.0.0.0 failed: Operation not permitted. This is when the service is using the local privileged account. After switching to using local system the service starts up successfully, however I continuously get authentication failed messages in Filezilla when connecting to the ftps server. Any assistance would be greatly appreciated.

@AB-nl2hh 7 лет назад

How do I connect to the sftp site from a different machine? The demo just appears to connect from the same PC? Also, how do I change the name of the sftp site from local host to something else of my choosing

@mukeshpatil8532 6 лет назад

Thanks this really help but this was for inbound to window server ..what about if we want to access other server with window server using cygin ssh

@tubeysocks 6 лет назад

How should the sshd_config file be modified to only allow SSH from particular IP address ranges? I've tried removing the #ListenAddress comment and specifying an IP address range, but haven't had any luck

@nadeem02964 6 лет назад

I am not able to hide /dev folder only. can I get help to hide this folder from user. I removed cygdrive folder by using none / cygdrive binary 0 0 in fstab.

@OscarGonzalez-uk9gw 3 года назад

I have several problems when installing I can't get the second openssh-devel when I configure from the terminal and I give no to "should strictmodes be used? no" it doesn't ask me anything else and saves the configuration and when I try to connect it throws an error

@jeffharris7182 8 лет назад

I followed the instructions and wasn't able to connect. When I switched the service back to local system I was able to connect. Any ideas

@snakeyes807 4 года назад

TY bro! from Argentina!

@MACHADOPPO 6 лет назад

"i added the two lines to fstab but the "/dev" device is mount when i login in server...."

@michaelbriancummings 7 лет назад

What can I do in the event that the Cygwin password was forgotten?

@jackysparrow5387 7 лет назад

Sorry how can i get log of ftp or ssh. and deploy permission when mount in fstab. thank in advanced

@atc-nepal 5 лет назад

Hi, could not connect to FTP server after applying directory security setting, could you please help me on this?

@yifengchen5274 8 лет назад

any tutorial about remote connect to this sftp server via internet using other machine? and also authentication maybe?

@StellarSp0rk 3 года назад

I followed the info on your video i have everything set but i can't connect to it states remote host or something closed the connection

@ylwdkta 8 лет назад

One thing I discovered was that you MUST close filezilla to recognize the user restriction changes. I left my filezilla window open (just connecting and disconnecting) while going to through the user restriction settings and it would still list the directory. I was troubleshooting the issue and discovered that once I closed and reopened filezilla it cleared the cache and did not list the other user directories.

@martho14 7 лет назад

When I use the "mkpasswd -cl > /etc/passwd" command in step 3 the usernames are returned prefaced by "MACHINE-NAME+". I have tried both an upper and lower case l with no change in output. While I am able to configure and connect the the server from filezilla, I must use MACHINE-NAME+username in order to connect.

@kamiltitera 7 лет назад

there is different between -l and -L , so try to use mkgroup -l > /etc/group

@itadminbre 6 лет назад

You can delete "MACHINE-NAME+" from your passwd file and it will work just with your username.

@helpinghand2508 5 лет назад

@@itadminbre : This may create unknown response from server error

@joshuadefante2235 5 лет назад

Hi step 7 is not working for me. Can you please help me? Error: Received unexpected end-of-file from SFTP server when adding the Subsystem sftp internal-sftp Match group sftp_group ChrootDirectory /home/%u X11Forwarding no AllowTcpForwarding no ForceCommand internal-sftp

@BarryMichaelDoyle 8 лет назад

I've been following all the steps exactly but I've run into a problem in Cygwin while trying to install SSH. Upon opening the Cygwin64 Terminal I typed the following $ export CYGWIN='ntsec tty' $ chmod 0755 /var $ ssh-host-config Then I get to the questions The first question is Should StrictModes be used? (yes/no) where I type no. The next question is Should privilege separation be used? (yes/no) where I type yes. Then I get the following error/warning (Regardless of whether I select no or yes): *** Warning: Couldn't determine name of user running sshd service from account database! *** Warning: As a result, this script cannot make sure that the files used *** Warning: by the sshd service belong to the user running the service. *** Warning: Host configuration exited with 1 errors or warnings! *** Warning: Make sure that all problems reported are fixed, *** Warning: then re-run ssh-host-config I'm not sure how to resolve these errors! What should I do?

@BarryMichaelDoyle 8 лет назад

It worked when I said yes to the first question so I took it from there :)

@paolosantiago2924 8 лет назад

How do I configure this without user isolation?

@adriancepero78 7 лет назад

Cannot get the sshd service to start. I've narrowed down my issue to this line in sshd_config: Match group HPSCAFETERIA+SFTP ChrootDirectory /home X11Forwarding no AllowTcpForwarding no ForceCommand internal-sftp I removed %u because I want all users to drop files into the home folder (no subdirectories).

@adriancepero78 7 лет назад

Disregard, reformatting the line solved it.

@dmizen 6 лет назад

Everything works good, until Step 7-4. When I attempt to run the "chown cyg_server /home" command, I get this response: chown: invalid user: 'cyg_server' And I can still see and interact with the root directory.

@MuneebQureshi1 4 года назад

same issue: Instead of cyg_user I replaces Administrator and it worked, also changing Administrator initial id in FSTAB to 0

@alaingaspar4404 5 лет назад

Hi how do i change the ftp root directory to D drive?

@failtv5442 4 года назад

i love you thank you so much!

@sakibdabhoya 6 лет назад

Implemented this in Server 2012 R2 (AD) and client is FileZilla on Win 10 (AD). Works file before I perform lock down steps. specially(7-1-b) gives error in client Error: Received unexpected end-of-file from SFTP server Error: Could not connect to server And secondly, for (step 7-2): I have run the mkpasswd command with -d switch and thus there is no cygwin_server entry in the file. I have redirected the output of the command with -cl switch to another file and copied the line with cyg_server:*:0 entry to existing file but then net start gives no error and service wont start.

@joshuadefante2235 5 лет назад

Hi, I have the same issue, did you resovle it?

@wilfredosh 8 лет назад

How to generate a public key? I need to connect an OpenVMS server using public key but I don´t know how do do it? Thanks for your hel

@CodeCowboyOrg 8 лет назад

Try this video I made. Using keys to connect from Linux to the Cygwin SFTP. ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-hY6pthfoNjw.html

@ancaris1074 7 лет назад

I added the following lines in the"/dev /null none bind" and "none / cygdrive user 0 0" to fstab file, but both /cygdrive and /dev folders are present in the user home folder...

@gmorf33 6 лет назад

Did you ever figure this out? We had this working for a long time but it seems like maybe the newer versions of cygwin binaries cause this to stop working. I have a newer install that's not working. /dev still shows up for every user in their chroot'd home directory.

@johnsandonas2477 6 лет назад

someone solved the problem with ./dev, I still can not block

@azhorel 6 лет назад

Having the same issue, did you solve it?

@paolosantiago2924 7 лет назад

hi,, i need your help. I tried this procedure in setting up an SFTP server on one of our local VMs and it's working fine. But when I tried it on Azure i got some errors, I have tried adding the opening the ports on the firewall but i cannot seem to make it work. i got "connection reset by peer" error.

@CodeCowboyOrg 7 лет назад

When you say Firewall, you mean you opened up the Windows Firewall as well as the port 22 on the Network Security Profile which you assign to VM's within Azure Portal?

@paolosantiago2924 7 лет назад

How do i setup key authentication?

@DonLeeelbow667 8 лет назад

I have went over the instructions twice, wiping the computer and re-imaging in between, I keep getting prompted for password when attempting to connect. the error message is access denied.

@doncollector 8 лет назад

+Don Lee I had the same problem, first I disabled firewall in my computer then I tried to login with SERVER+sftpuser user instead of sftpuser..this notation is reflected in passwd file

@amersleman3792 6 лет назад

How i can solve it 1- change default directory path to D:/NewFolder. 2- change default port of SFTP.

@dhowser2008 5 лет назад

Cygwin no longer has openSSH in it. Nor does it have the view setting.

@jovanm.3951 7 лет назад

Hi Master Code, is it possible to create a user with underscore? sample: sftpuser_01 I encountered the Access denied! I hope for your response. Thanks!

@ritabowers5553 6 лет назад

So, it's been almost a year since I installed this on Windows 2008 R2. Now, I'm being asked to change the password for the cyg_server ID. When simply changing the password for cyg_server and stopping and starting the sshd service, I cannot start the sshd service due to a logon issue. Does anyone have any help they can provide for this problem? What are the proper steps to take to change the cyg_server password?

@buf2srq2 6 лет назад

I ran into the same problem. Double-click the service, click the LOG ON tab, then enter the password for the CYG_SERVER user account. If it still doesn't work, change the password for this user and re-enter it in the service box, and it should work. Good luck!

@BrianEHo 4 года назад

Thanks for sharing this video. Microsoft released Windows Server 2019 with OpenSSH feature. Is it possible to use Microsoft OpenSSH without Cygwin OpenSSH and restrict User to Home Directory?

@mikeerandio7502 5 лет назад

hi dude, Im getting this error on the first set up. see below, any advise? *** Warning: Expected privileged user 'cyg_server' does not exist. *** Warning: Defaulting to 'SYSTEM' *** Info: The sshd service has been installed under the LocalSystem *** Info: account (also known as SYSTEM). To start the service now, call *** Info: `net start sshd' or `cygrunsrv -S sshd'. Otherwise, it *** Info: will start automatically after the next reboot. *** Warning: Host configuration exited with 1 errors or warnings! *** Warning: Make sure that all problems reported are fixed, *** Warning: then re-run ssh-host-config.

@vamsiathota170 7 лет назад

Thank you for the video. Step # 7 isnt working for me. I am running cygwin as Administrator. When I do, ls - l, it shows rw-r--r--. Any thoughts on what I am doing wrong?

@vamsiathota170 7 лет назад

I meant to say, I get access denied on trying to change sshd_config. I have tried step #7 as Administrator but it doesn't seem to change anything, although I don't get an error.

@ritabowers5553 7 лет назад

I got the same thing and ended up making a copy of sshd_config and editing the copy then renaming the sshd_config to sshd_config.bak and renaming the copy to sshd_config. Then I had to give cyg_server full rights to the file via Windows...matching the security that was on the original sshd_config. This worked for me.

@yohancreations7894 6 лет назад

Hi Anyone please help me how to restrict winscp SFTP login users home directory

@doncollector 8 лет назад

I had some issues but found how to solve them If it's useful for anybody here is my experience *ssh-host-config was able to create the cyg_server but not to create service with cyg_server user, instead of created it with SYSTEM user (this is not recomended) So I deleted service after wizard finished (sc delete sshd) and deleted ssh_config and sshd_config files, ran ssh-host-config again and because of the user already existed it created the service correctly *my users and groups were not recognized like "cyg-server" so I had to user notation: server+cyg_Server to identify users and server+ftp_group to identify groups *connection problems were solved disabling firewall in client computer (the one that tries to connect to sftp) You saved my job CodecowboyOrg thanks!

@BrianWood 8 лет назад

I have ftp with user isolation running on server 2008r2. Will this work to add sftp to that server?

@CodeCowboyOrg 8 лет назад

It will work as long as you point the SFTP to the respective folders of the users on FTP. I demo that procedure here. The SFTP installation has changed somewhat since then. ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-YHumlBae3L0.html

@BrianWood 8 лет назад

Great, Thanks!

@dallasguy77 8 лет назад

I followed all of the steps in the video and the notes, but authentication is failing when I try to log in using SFTP. The event viewer on the server is showing an audit failure for the cyg_server account each time I attempt to log in. Do you have any idea what would cause this? The service is running under this account, and the account is part of the local Administrators group. Thanks!

@dallasguy77 8 лет назад

Just as a test, I temporarily reconfigured the SSHD service to start under the local Administrator account but got the same result. The only differences in the event log entry were the "Security ID" and "Account Name" fields under Subject, both of which referenced the local Administrator rather than the cyg_server account. Under "Account For Which Login Failed", the "Security ID" field was still "NULL SID", and the "Account Name" was still NOUSER. The question is what is causing this to happen.

@dallasguy77 8 лет назад

Apparently I'm the only one this is happening to? Weird, considering I've done it on two different VMs and gotten the same result.

@CodeCowboyOrg 8 лет назад

+dallasguy77 Did you try logging into a session using the username and password of the cyg_server to confirm that the password is correct? What is the exact audit failure message?

@doncollector 8 лет назад

+dallasguy77 I had the same problem, first I disabled firewall in my computer then I tried to login with SERVER+sftpuser user instead of sftpuser..this notation is reflected in passwd file

@Ryan-xh6bg 8 лет назад

Awesome!

@MuneebQureshi1 4 года назад

Thanks a lot. May Allah Bless you.

@michelinno88 7 лет назад

Hi i added the two lines to fstab but the "/dev" device is mount when i login in server. /dev /null none bind none / cygdrive user 0 0

@eddiewilson1611 7 лет назад

I am having the same issue. Has anyone come up with a fix for this?

6 лет назад

The same thing happens to me, and I do not know how to repair it.

@gmorf33 6 лет назад

Did you ever firgure this out? We had this working for a long time but it seems like maybe the newer versions of cygwin binaries cause this to stop working. I have a newer install that's not working. /dev still shows up for every user in their chroot'd home directory.

@atul898 6 лет назад

Did anyone figure this "/dev" out?

@seanofto 8 лет назад

The command mkgroup > /etc/group, is that a typo? That command populates the groups from AD and not local system.

@imtiyazkhot851 8 лет назад

I am facing the same issue. Did you find any solution?

@CodeCowboyOrg 8 лет назад

Use mkgroup -L for local system, documentation is here www.cygwin.com/cygwin-ug-net/mkgroup.html

@kamiltitera 7 лет назад

there are sometimes differents between -l and -L , so try to use mkgroup -l > /etc/group. -L gives COMPUTERNAME+sftp_group but -l gives just sftp_group so check this out if your file "group" has correct group names :)

@FORESTBERRYKINNIE 6 лет назад

Hello, First of all thanks for such a great video. Everything worked as you said. My only issue it that dev and cygdrive are still visible when I connect via Filezilla. This is after following all the steps and double checked. Can you please assist please with my issue. Thanks

@azhorel 6 лет назад

Having the same issue... Did you solve it?

@imtiyazkhot851 8 лет назад

Hi, I am getting the following error: *** Query: Should privilege separation be used? (yes/no) yes *** Info: Updating /etc/sshd_config file *** Info: Sshd service is already installed. *** Warning: Couldn't determine name of user running sshd service from account database! *** Warning: As a result, this script cannot make sure that the files used *** Warning: by the sshd service belong to the user running the service. *** Warning: Host configuration exited with 1 errors or warnings! *** Warning: Make sure that all problems reported are fixed, *** Warning: then re-run ssh-host-config.

@imtiyazkhot851 8 лет назад

I deleted the service to resolve the issue

@martho14 7 лет назад

Step 7 restricting users to home dir fails because the group also includes the machine name preface. If I add the machine name preface to the match group command so the group name matches then I get an unexpected end of file error when logging in from filezilla.

@glenncourington3375 7 лет назад

I am getting this same thing. I've changed the sshd_config to make sure that it points to the VFWEB04+sftp_group and made sure that I am logging in with VFWEB04+sftpuser01 and I'm getting the unexpected end of file error. were you able to resolve this?

@glenncourington3375 7 лет назад

Actually, once I went into the passwd and group files and edited them to remove the machine name in front of the user, it resolved the problem and all restrictions worked as required.

@kamiltitera 7 лет назад

there is different between -l and -L , so try to use mkgroup -l > /etc/group

@snakez1924 8 лет назад

Great video. I have followed your instructions and finally make it work. In my case I keep my "nsswitch.conf" default as I want domain users been able to connect too. My SFTP server is a dedicated Win2008R2 part of a domain. In my case for security I want create external users accounts as local user accounts in server only with folder security restriction. But I was having authentication problems with all local user accounts in the server. Domain user account connect correctly. After troubleshooting back and forward I have found the following: 1. username are case sensitive. If account created is "SFTP-user01" but I tried to login from client using "sftp-user01" authentication failed. Discovered that I need to specify the username in the client as local account was created "SFTP-user01" and authentication is successful then. 2. Local users in the local machine(server) are seen by Cygwin OpenSSH in the "passwd" file as "LocalMachineName+Username" instead of "Username" only. As my configuration in "nsswitch.conf" is default to use passwd file and db. I have found that I have to include the local user account in the "passwd" using the command "mkpasswd -cl > /etc/passwd2.txt" to copy the local username account in the original "passwd" and edit the user account in the "passwd" deleting "LocalMachineName+" added by Cygwin in the local user account. Ex: SFTP-Svr+SFTP-user01 ->wrong SFTP-user01 -> successful I noticed that if I run "mkpasswd -d > /etc/passwd" to bring all domain user account to passwd file. All domain user accounts didn't include the domain name in front "DomainName+Username" only the username. But local user account were including the localmachine in front of the username in the passwd. After modifying the username in the passwd file. Walahhhh connection successful!!!! Is there a reason for this?? Or any way to correct this problem?? As this will force me to add every single new local account created in the passwd file and change that in order to make the account work.

@repzli30 4 года назад

Hello friend, how can I reinstall the whole process? executing step 2, does not give the option to answer yes or no in the following questions.: b) Should privilege separation be used? yes c) New local account 'sshd'? yes f) do you want to use a different name? no g) Create a new privileged user account 'cyg_server'? yes I don't know what it could be :(

@baikaiyao8004 7 лет назад

Follow your instruction i can login into /home/user but my local account still can see /cydwin64 root directory

@rajdip2836 8 лет назад

gating access denied :( please help me...

@JunxiGuo 8 лет назад

I followed all the steps and setup on Windows 2012. I have created password file for domain. When I try a user with domain admin right, I be able to connect and every thing work as on the video. When I try to connect as a domain user under the sftp_group, I got "Authentication failed. Critical error: Could not connect to server" Do you have any idea what would cause this? Thank your for your help...

@zockborges 8 лет назад

I have the same issue... I only connect with domain user... :-/

@JunxiGuo 8 лет назад

I got that sorted. You need to change the group policy on the window server.

@zockborges 8 лет назад

Hey Junxi, tks for your answer... Can you send me more details? alexandre.black@gmail.com Tks in advance!!

@imtiyazkhot851 8 лет назад

Hi, Can you please send me the details on kimtiyaz@hotmail.com I am facing the same issue.

@magritskaya 8 лет назад

Hello! I repeat all this steps till 7. The only difference is the server is 2012, in domain,not published(for internal use only). But to be on the safe side I made local users and repeat all your steps. Service running. Files the same with yours. But my FileZilla can not make connection. How can I debug what's wrong? Then I tryed to recreate file passwd for domain. In this case the service can not start at all. Need help!

@CodeCowboyOrg 8 лет назад

+Елена Магрицкая What is the error from FileZilla? Are you trying to connect locally first? Can you do netstat -a on the command prompt to see if port 22 is listening for connections? Did you check the fire wall? What is the exact error message from FileZilla?

@CodeCowboyOrg 8 лет назад

+Елена Магрицкая Try it with the origiinal /etc/sshd_config then make sure to comment out #Subsystem sftp /usr/sbin/sftp-server in the file.

@magritskaya 8 лет назад

1.Critical Error. Authentication error. Can not connect to server. Tried locally.The same error. Service runnung. Port 22 is open (chqcked by telnet). 2.Stoped service to change sshd_config/ Comment the line you mentioned, but can't save file. Someone hold it.

@CodeCowboyOrg 8 лет назад

+Елена Магрицкая You likely forgot to do step #7-0 0) Allow edit to sshd_config in cygwin terminal chmod 777 /etc/sshd_config

@CodeCowboyOrg 8 лет назад

+Елена Магрицкая Step #7-0 allows you to edit the sshd_config file.

@anain78 7 лет назад

hi,I got error Connection reset by 127.0.0.1 port 22 after I change cyg_server:*:0:

@oculus1gs733 5 лет назад

I have same issue. Can't connect once I change cyg_server:*:0:

@IPm4n493r 8 лет назад

ssh-host-config command not found what can i do?

@CodeCowboyOrg 8 лет назад

double check that you added all the packages during the installation

@_sharpeagle_ 6 лет назад

c:\cygwin\bin should be first appended to PATH variable (in admin cmd: SET PATH=%PATH%;c:\cygwin\bin). Or cd /bin and after execute ssh-host-config.

@gerardkoerek3949 7 лет назад

Has anybody find a solution for this issue.. "i added the two lines to fstab but the "/dev" device is mount when i login in server...." I am also having this issue...

@gmorf33 6 лет назад

@johnsandonas2477 6 лет назад

someone solved the problem with .\dev, I still can not block

@gokhanyucel8500 6 лет назад

Same issue..can hide others except /dev..not sure why...

@azhorel 6 лет назад

Same here, still not able to hide /dev...

@helpinghand2508 5 лет назад

@@johnsandonas2477 it did not work for me :(

@MuneebQureshi1 4 года назад

I was not able to stop user from accessing root and each other files and folders. I ended up assigning permissions manually. I denied all access rights to cygwin, SFTP_ROOT for sftpuser1-3, then assigned all rights to these users for sftpuser1-2 folders. and it worked. even i don't know how. some help from: stackoverflow.com/questions/12058016/sftp-failing-with-match-group-clause and also didn't add any match group

@tolgaozel2177 6 лет назад

I did everything exactly but still see /dev in the client.

@bingo.channel 6 лет назад

Have you figured it out?

@gmorf33 6 лет назад

@crajzz 8 лет назад

19:00 .. for some reason even after using chmod 777 I cannot seem to edit ssh_config. I am 100% sure I am using chmod 777 /etc/sshd_config and not ssh_config :S

@CodeCowboyOrg 8 лет назад

if thats the case, go to Windows, give the user "Everyone" permission, do Full Control and then edit the file and unset the permissions after you are done.

@ranjanarai715 7 лет назад

I am having the same problem, i cant edit sshd_config file. Would you please elaborate your above comment as to which user.

@crajzz 7 лет назад

Grant login access rights to cygserver account and login to windows using this account. You should then be able to edit.. Once done revoke access

@GraceRussel 6 лет назад

Hi. How to grant login access to cygserver?

@m0rphe0-8 6 лет назад

letter very small please zoom +

@jovanm.3951 8 лет назад

Hi Master! Please create a video on how to access the SFTP using the public key

@irieldabasol3937 7 лет назад

how can i allow this *** Warning: The owner and the Administrators need *** Warning: to have .w. permission to /var/run. *** Warning: Here are the current permissions and ACLS: *** Warning: drwxr-xr-x 1 Administrator None 0 Jul 14 00:09 /var/run *** Warning: # file: /var/run *** Warning: # owner: Administrator *** Warning: # group: None *** Warning: user::rwx *** Warning: group::r-x *** Warning: other:r-x *** Warning: *** Warning: Please change the user and/or group ownership, *** Warning: permissions, or ACLs of /var/run.

@kamiltitera 7 лет назад

STEP #7 - doesnt work for me (Windows Server 2008 R2 DataCenter) users can still list and edit folders other users. NTFS DENY permission helps to me ( ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-4W5t943E7sI.html)