Setting up and using remote support: Difference between revisions
Revision as of 11:30, 29 September 2014
Getting agreement of client IT staff to provide remote support
Letter to obtain agreement of client IT staff to provide remote support
Initial Connection to the server before setting up permanent remote connection
In case of a remote installation you need to get an initial connection to the server before you can setup Cygwin for a permanent remote connection. For this purpose you can either use your customised reverse connect UltraVNC SC file or the one-time run Teamviewer utility.
Do not use Microsoft Remote Desktop Client (RDP/RDC) on port 3389 at any time to access the server from the internet. IT suppliers who are not aware of the situation often set the initial administrator password to something obvious like "password" or even leave it blank, and in that case there is a good chance internet worms will discover the "open door" and install themselves before you get the chance to set a strong password.
Installing and configuring SSH
Installing Cygwin with OPENSSH
These instructions are only for installing on a server that is NOT part of a domain. For installing on a server that is part of a domain, see http://cygwin.com/faq-nochunks.html#faq.using.sshd-in-domain
Watch out for non-intuitive steps like clicking "skip" to install something.
- Read Avoiding Corrupt Cygwin Installations
- ENSURE that you are logged in as the local (NOT DOMAIN) administrator
- Download/Run/Install http://www.cygwin.com/setup.exe
(you might have to go to the home page http://www.cygwin.com and click the link to setup.exe)
- Download source: Install from Internet
- Root Directory: c:\cygwin
- Local Package Directory: c:\cygwin.lib
- Internet Connection: Direct Connection
- Download Site: http://mirrors.kernel.org (near the bottom)
(If this does not show in the list, key in the URL in the field User URL and click on Add)
- Select Packages: Maximise the window then click View once to get Full. You can then enter the name of the desired packages in the Search box to speed up locating them.
- Next to the package OPENSSH, click the word Skip (once!) to get version 4.4p1-1 or later
- Next to the package NANO, click the word Skip (once!) to get the latest version available
- Check the NEOSYS INSTALLATION CHECKLIST for any other packages to install like the above.
- Click Next and complete the installation
Win32 Error
The Win32 Error occurs when a bad copy of the file is cached in the Internet Explorer cache. You can try clearing the Internet Explorer cache and downloading again, or you can download from cygwin.com instead of www.cygwin.com (or from www.cygwin.com if your original download was from cygwin.com) so that the cached copy is not used. All else failing, you can simply upload the setup.exe file from your own PC to the server.
All this applies to the Win32 error when running any downloaded file, not just cygwin.com/setup.exe.
Error during setup
In case of the following error, check the proxy settings in Internet Explorer. It is possible that the client uses a proxy. In that case, in Step 7 instead of choosing Direct Connection, choose Use Internet Explorer Proxy Setting.
Unable to get setup.ini from <http://mirrors.kernel.org/>
Configuring and starting SSHD
Open the Cygwin icon to get a Linux/bash command line and run the following commands:
chmod +r /etc/passwd
chmod +r /etc/group
chmod 777 /var
Prevent cygwin from using Unix like permissions on files it creates
nano /etc/fstab
add the line
none /cygdrive cygdrive binary,posix=0,user,noacl 0 0
Thereafter start with the ssh configuration:
ssh-host-config
Then on the following options type:
- Privilege – YES
- New local sshd account - YES
- Install SSHD as a service - YES
- Enter value of daemon - press enter (not "ntsec" as it used to be)
- Different name - NO
- Create new privileged user - YES
- Enter a password now - set any random password (8 characters minimum); it should not be the same as the NEOSYS server password
At the command prompt type
net start sshd
Configuring SSHD to use a non-standard port number
This is necessary if the router cannot forward port 19580 --> 22 and we don’t want to open port 22 directly.
Capitalization is significant in cygwin/linux commands.
open cygwin command prompt
cd /etc
chown administrator sshd_config
nano sshd_config (assuming that you have installed the NANO editor)
notepad sshd_config (in case you haven't installed the NANO editor)
Move your cursor to Port 22 and change 22 to 19580.
Also add the last line to the following section. Refer Error when connecting to remote servers to see why this line is added.
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
Press Ctrl+x to save. On the confirmation type Y and on the next prompt hit enter.
chown system sshd_config
net stop sshd
net start sshd
To check that the connection to port 19580 is successful you can run the following test:
ssh -p 19580 administrator@localhost
You will be prompted to confirm the connection (say yes)
Now enter the system password to complete the procedure.
Changing ssh login from “Administrator” to “administrator”
Current NEOSYS policy to cater for recent versions of Cygwin is to rename the windows Administrator user to administrator to keep a consistent ssh login across all installations.
If you forget to do this before installing or upgrading Cygwin then you must do the following:
- Rename “Administrator” to “administrator” in Windows
- If you cannot rename Administrator to administrator, follow the procedure mentioned at Changing username from Administrator to administrator
- In a Cygwin console do:
mkpasswd > /etc/passwd
It should come back with nothing
Error while changing Cygwin port 22 to 19580
Error Message:
"Could not open file for writing: permission denied"
Occurrence: Sometimes when you edit the sshd_config file through NANO.
Solution: In SSH shell, follow these commands:
cp sshd_config ashwin_temp   #copies sshd_config to a new file ashwin_temp
rm sshd_config               #deletes sshd_config
cp ashwin_temp sshd_config   #copies ashwin_temp to sshd_config
In case it does not copy sshd_config to ashwin_temp, then check whether a file named ashwin_temp already exists and delete it using the rm command.
Opening up ssh connections to additional source ip nos
Starting a NEOSYS process will automatically restrict cygwin ssh to accept connections from known NEOSYS company static ip numbers.
In the cygwin command line, insert a line in the list of allowable hosts
DO NOT ALLOW ALL OR GENERAL SSH ACCESS TO NEOSYS CLIENTS SERVERS WITHOUT GETTING PERMISSION *AND* INSTALLING EMAIL ALERTS FOR LOGINS AS DESCRIBED BELOW
nano /etc/hosts.allow
sshd: ALL
or specific IP numbers or CIDR ranges, one per line:
sshd: 12.34.56.78
sshd: 12.34.0.0/16
Setting up email alerts for cygwin ssh logins
Use http://www.cygwin.com/setup.exe to install "email" and "whois" packages
Insert the following script using cygwin command prompt.
NOTE! Change it@neosys.com to whatever you want.
cd /etc
nano sshrc
#!/bin/bash
#
#you configure this
ALERTEMAILADDRESS=it@neosys.com
#
#get the ip number without the ipv6 prefix
FROMIPNO=`echo $SSH_CLIENT|cut -f 1 -d " "|sed 's/::ffff://'`
#
#quit with no message if from a known host
if grep -x $FROMIPNO /etc/trustedipnos
then
 exit
fi
#
#get the host name by reverse lookup
FROMHOST=`nslookup $FROMIPNO|grep "name ="`
#
#get whois info about the login ip number
#and pipe it into the mail program
#"&" on the end creates a new process in order not to delay login
whois $FROMIPNO|\
email -q -f nl1@neosys.com -s "login $USER $FROMIPNO $FROMHOST" -r \
mailout.neosys.com -p 2500 $ALERTEMAILADDRESS&
Make sure that you configure the file permissions
chmod a+x sshrc
Inserted trusted ip nos.
cd /etc
nano trustedipnos
#sorry, ip ranges and cidr etc not accepted yet
#vm1.neosys.com for remote checking
85.17.154.105
#nl1.neosys.com
83.149.104.167
#nl2.neosys.com
85.17.154.66
#uk.neosys.com
78.143.212.191
#nl3.neosys.com
94.75.233.2
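The decision logic of the sshrc alert script above, as an added example with testable functions (this is not NEOSYS's own sshrc). It assumes SSH_CLIENT has sshd's usual "ip port port" form and a trusted list in the /etc/trustedipnos layout; it goes slightly beyond the original by skipping comment lines and matching literally, so the dots in an address are not regex wildcards.

```shell
#!/bin/sh
# Added example, not NEOSYS's own sshrc: the sshrc's decision logic as
# testable functions. Assumes SSH_CLIENT has sshd's "ip port port" form
# and a trusted list in the /etc/trustedipnos format (one IP per line).

# Client IP from an SSH_CLIENT value, dropping an IPv4-mapped IPv6 prefix
# (::ffff:1.2.3.4 -> 1.2.3.4), as the sshrc does with cut and sed.
client_ip() {
    printf '%s\n' "$1" | cut -f 1 -d ' ' | sed 's/^::ffff://'
}

# True (exit 0) if the IP is listed as a whole line in the trusted file.
# Comment lines are skipped; -F makes the dots literal and -x requires a
# whole-line match, so 85.17.154.10 never matches 85.17.154.105.
ip_is_trusted() {
    grep -v '^[[:space:]]*#' "$2" | grep -qFx -- "$1"
}

# The subject line the sshrc puts on its alert: "login USER IP HOST".
alert_subject() {
    printf 'login %s %s %s\n' "$1" "$2" "$3"
}

# What the sshrc would do for a login: "quiet" (known host, exit without
# mail) or "alert" (unknown source, whois + email to the alert address).
login_decision() {
    ip=$(client_ip "$1")
    if ip_is_trusted "$ip" "$2"; then
        echo quiet
    else
        echo alert
    fi
}

# Sample trusted list in the /etc/trustedipnos layout, using the first two
# addresses from the list above.
TRUSTED_FILE=$(mktemp)
trap 'rm -f "$TRUSTED_FILE"' EXIT
cat > "$TRUSTED_FILE" <<'EOF'
#sorry, ip ranges and cidr etc not accepted yet
#vm1.neosys.com for remote checking
85.17.154.105
#nl1.neosys.com
83.149.104.167
EOF

# Stand-alone demo with constructed SSH_CLIENT values.
login_decision "::ffff:85.17.154.105 51022 19580" "$TRUSTED_FILE"   # quiet
login_decision "85.17.154.10 40000 19580" "$TRUSTED_FILE"           # alert
```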
Testing SSH connection to the NEOSYS server over port 19580
If you cannot connect to the server using SSH, see Troubleshooting NEOSYS remote support port forwarding
Troubleshooting SSH: If SSH connects and then disconnects immediately without exchanging keys
The first time that NEOSYS runs, it automatically adds source ip number restrictions to the sshd remote support configuration in /etc/hosts.allow and /etc/hosts.deny. This is an important security procedure to allow connection to clients systems from NEOSYS ip numbers only. This process allows only local and known NEOSYS ip numbers to connect using SSH. Upgrading NEOSYS will add and/or remove allowable ip numbers as NEOSYS configuration changes.
It is possible that in some client network configurations incoming ssh connections will appear to come from the client's internal router, with an ip unknown to NEOSYS, due to NAT configurations. Such ssh connections will be blocked unless the local ip number is specifically allowed or it is added in an upgraded version of NEOSYS.
NOTE: Therefore you must check that remote support via ssh works AFTER you have run NEOSYS once (maintenance mode).
- Look in the Windows, Computer Management, System Tools, Event Viewer, Application
- Search for entries from source "sshd", double click and look in the Event Properties, Description for ip numbers
- Information type sshd entries will give the ip number of successful sshd connections.
- Warning type sshd entries will give the ip number of failed sshd connections.
- Find the ip number of failed connections.
Possible Problem 1 - Port mapping in router is using NAT
If the ip number of failed connections is some local ip number (of the router, for example) then possibly the inbound port forwarding has been done with NAT and the source ip number has been lost. The NEOSYS ip restrictions are therefore blocking ssh connections because they appear to be coming from an unknown ip number (i.e. that of the router).
Solution 1A
Change the router configuration to not use NAT and leave the genuine original source IP number
Solution 1B
The router is sadly using NAT instead of plain old port forwarding.
DO NOT USE THIS PROCEDURE TO BREAK NEOSYS SECURITY. DO NOT GRANT ACCESS TO ANY IP OTHER THAN CLIENTS ROUTER IPS
The solution is to add NAT router IP to the list of authorised IP numbers on the NEOSYS server. This solution provides access to NEOSYS server from outside office unrestricted by IP number, hence Client Management approval must be obtained before this solution is applied.
Sample Email to Management-
Dear XXXX, Support must have remote access to the NEOSYS server via SSH but currently we don’t have access. This is because your router is using NAT. The NAT router translates the source IP to its own hence the source IP is lost. NEOSYS server has a list of allowed source IPs and since the router’s IP is not in the list, connection fails. The solution to establish successful connectivity is to allow access to NEOSYS server from your NAT router by adding the router’s IP in list of allowed IPs on the server. We need your agreement to carry out this solution because authorizing this access means access to NEOSYS from outside office will not be restricted by IP any more. Please confirm that this solution is OK. Best Regards
On receipt of Management approval, add the routers IP number to the list of authorised IP numbers in the cygwin hosts.allow file as follows:
nano /etc/hosts.allow
and add a line as follows, but with the IP number of your router:
sshd: 192.168.0.99
Warning
- If the router IP changes then NEOSYS remote support will fail until this line is changed
- Do not grant access to 192.168.* etc. since this allows local LAN viruses to attack
Troubleshooting sshd
You can run the sshd service interactively to see all messages instead of having to search logs/events etc.
Unfortunately this will not work the same as the normal Windows sshd service unless you assume the identity of the sshd_server user. To assume the identity of the sshd_server user you will have to reset its password to something new (since we don't keep a record of it during ssh-host-config) AND ALSO place the new password in the logon properties of the sshd Windows service.
su sshd_server
/usr/sbin/sshd -D -p 19580
Reinstalling SSHD if service fails to startup
Sometimes reinstallation isn't necessary and sshd can be made to restart by doing
mkpasswd > /etc/passwd
mkgroup > /etc/group
If all else fails:
- Look in /var/log/sshd.log for errors
- Delete the following users: sshd and sshd_server
- Remove the sshd service: at the cygwin prompt type cygrunsrv -R sshd
- Do the above Configuration and starting SSHD step again
Note that you don't have to reinstall cygwin entirely, just sshd with the above steps.
Upgrading SSHD / Cygwin
NEOSYS relies on cygwin to provide secure network access and support various linux/unix services under Windows, mainly rsync for interoffice consolidation.
Just like MS Windows update, cygwin should be updated at regular intervals to close security holes discovered in the software by its authors. This is particularly important for cygwin's remote access service sshd since it is exposed to the internet although on a non-standard port.
Join the cygwin and sshd security news email lists to learn about when cygwin upgrades sshd and/or when there are issues generally with sshd
To find out what versions of cygwin/sshd are installed at NEOSYS clients, in Nagios check "Status Information" of the neosys-ssh service
SSH OK - OpenSSH_5.9 (protocol 2.0)
Upgrading Cygwin remotely
TODO correct mentions of server reboot
NEOSYS normal remote server support connection uses cygwin/ssh. Cygwin can be upgraded while in use but only if a reboot is performed and perhaps some cygwin packages reinstalled.
You can use:
- vnc server
- direct rdp connection
- directly on the server
- teamviewer started manually on the server
You cannot use:
- standard NEOSYS remote support connection using rdp/cygwin/sshd
- teamviewer started using a standard NEOSYS remote support connection.
Since cygwin cannot be upgraded while using tunnelier+cygwin/sshd, we can use tunnelier to setup Teamviewer *temporarily* to do the upgrade.
Teamviewer must be uninstalled afterwards because it is not secure: NEOSYS has no way to manage Teamviewer so as to limit connections by IP number in the way cygwin sshd does.
Upgrading Cygwin with a script
The following script can be used to automatically upgrade cygwin to the latest version quite easily even when people are using NEOSYS. However it carries a small risk described below.
WARNING This script temporarily disconnects and disables all ssh remote support connections, including any ssh connection you are using to initiate the process, for the duration of the upgrade. Therefore, since something could always go wrong and the script might FAIL to re-enable ssh remote connections, you should take one of the precautionary measures listed.
- either perform a temporary Teamviewer installation. The quick teamviewer zero installation remote support method will not work under rdp/tunnelier/remmina
- or ensure that client IT support is available onsite to provide temporary teamviewer access in the event of any problem
- or be prepared to lose the ability to provide remote support to the installation until the previous item is available
Running the script
Just locate the upgradecygwin.cmd script and run it some usual way by clicking and pressing Enter.
If you initiate the script while connected on ssh using tunnelier/remmina etc. half way through the script you will be disconnected.
The script will take a few minutes to download and install any cygwin upgrades.
Once the script is finished, it will reenable creation of new incoming ssh connections and attempt to send an email to support@neosys.com via the standard mailout.neosys.com:2500 email server.
You should then be able to reconnect using ssh and tunnelier/remmina. If you do not get any email then perhaps the script is unable to send email to the standard mailout.neosys.com:2500 email server due to a firewall. In this case after 10 minutes or so you should be able to reconnect using ssh anyway.
The script also writes two files in the folder it was run from:
- upgradecygwin.log - contents of the email that would have been sent
- upgradecygwin.err - any errors that prevented sending email
If you cannot connect on ssh using tunnelier/remmina after say 20 minutes then the script must have failed. To resolve that problem, either use your existing Teamviewer connection or get client IT support to physically access the server to install Teamviewer for you.
Running the script multiple times will not cause any issue. If there is little or nothing to upgrade then the time to complete will be short since there is less to download and install.
Verifying successful run
- You must carefully inspect the email or log for "error" or "fail" and intelligently and thoughtfully find any other unexpected results and deal with them. It is impossible to give guidelines for everything so this requires brainwork.
- You must check the versions of "cygwin" and "openssh" at a minimum and ensure they agree with the latest expected version numbers.
- You must check for the word "reboot" especially in the following scenarios:
Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new

mbox note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly until you reboot.

note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions. Cygwin may operate incorrectly until you reboot.
Ending cygwin install
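The verification checks listed above (error/fail words, the "reboot" scenario, and the expected cygwin/openssh versions), as an added example that is not part of upgradecygwin.cmd. It assumes the log contains the cygcheck -c table and that the caller supplies the expected versions; the two sample logs and their version numbers are constructed.

```shell
#!/bin/sh
# Added example, not part of upgradecygwin.cmd: the "verifying successful
# run" checks applied to an upgradecygwin.log so they can be run instead of
# eyeballed. Assumes the log contains the cygcheck -c table (rows of
# "package version status") and the caller supplies expected versions.

# Installed version of a package, taken from the cygcheck -c rows in the log.
installed_version() {
    awk -v pkg="$2" '$1 == pkg && NF >= 3 { print $2; exit }' "$1"
}

# Number of lines mentioning "error" or "fail" (any case). The script's own
# "YOU MUST CHECK ... FOR ERROR AND FAIL" banner is excluded from the count.
error_count() {
    grep -iE 'error|fail' "$1" | grep -vc 'YOU MUST CHECK' || true
}

# True (exit 0) if cygwin reported in-use files and scheduled a reboot
# replacement, which the section above treats as a broken upgrade.
reboot_required() {
    grep -qi 'reboot' "$1"
}

# Verdict for the log: "OK" only if there are no error/fail lines, no
# reboot replacement, and every "package=version" argument matches.
verify_upgrade() {
    log=$1; shift
    verdict=OK
    if [ "$(error_count "$log")" -ne 0 ]; then
        verdict="FAIL: error/fail lines in log"
    elif reboot_required "$log"; then
        verdict="FAIL: reboot required, in-use files were replaced"
    else
        for want in "$@"; do
            pkg=${want%%=*}
            ver=${want#*=}
            have=$(installed_version "$log" "$pkg")
            if [ "$have" != "$ver" ]; then
                verdict="FAIL: $pkg is '$have', expected $ver"
                break
            fi
        done
    fi
    echo "$verdict"
}

# Constructed log of a clean run (version numbers are sample values).
GOOD_LOG=$(mktemp)
BAD_LOG=$(mktemp)
trap 'rm -f "$GOOD_LOG" "$BAD_LOG"' EXIT
cat > "$GOOD_LOG" <<'EOF'
LOG OPENED
--- ***** YOU MUST CHECK THIS EMAIL OR LOG FILE FOR ERROR AND FAIL ETC
--- RUNNING CYGWIN UPGRADE ---
--- CHECKING CYGWIN VERSIONS
Package              Version        Status
cygwin               1.7.32-1       OK
openssh              6.6.1p1-1      OK
--- FINISHED upgradecygwin.cmd  ---
EOF

# Constructed log of a run where cygwin1.dll was in use (messages as in the
# "reboot" scenario quoted above).
cat > "$BAD_LOG" <<'EOF'
LOG OPENED
--- RUNNING CYGWIN UPGRADE ---
Installing file cygfile:///usr/bin/cygwin1.dll
io_stream_cygfile: fopen(/usr/bin/cygwin1.dll) failed 13 Permission denied
Failed to open cygfile:///usr/bin/cygwin1.dll for writing.
Scheduled reboot replacement of file C:\cygwin\bin/cygwin1.dll with C:\cygwin\bin/cygwin1.dll.new
note: In-use files have been replaced. You need to reboot as soon as possible to activate the new versions.
--- CHECKING CYGWIN VERSIONS
Package              Version        Status
openssh              6.0p1-2        OK
--- FINISHED upgradecygwin.cmd  ---
EOF

# Stand-alone demo.
verify_upgrade "$GOOD_LOG" cygwin=1.7.32-1 openssh=6.6.1p1-1   # OK
verify_upgrade "$BAD_LOG" openssh=6.0p1-2                      # FAIL: error/fail lines in log
```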
Dealing with reboot required
The script attempts to shutdown sshd and some services that may be present in some installations like rsync and exim.
The script attempts to avoid causing "reboot required" by stopping the upgrade if any cygwin processes are found to be running. "Reboot required" indicates that some cygwin program was running while the upgrade process was running, and this usually IRRETRIEVABLY BREAKS the cygwin functionality because cygwin's upgrade isn't smart enough to deal with this.
It is quite likely that a reboot will NOT solve the resulting problems.
Rerunning the script will not show the errors again, but the problem of the bad upgrade remains.
SOLUTION: You should completely clean out all traces of cygwin in the computer and then reinstall cygwin completely from scratch. How to clean thoroughly is documented in wiki.
Finding the script
The script is installed in the neosys\neosys directory or for older versions of NEOSYS it can be created as follows:
Assuming that NEOSYS is installed in the root directory of D:
Single installation
notepad d:\neosys\neosys\upgradecygwin.cmd
Multiple installation
notepad d:\hosts\CLIENTCODE\neosys\upgradecygwin.cmd
set THISIS=upgradecygwin.cmd version 2014-09-28T18:06
set TOEMAIL=support@neosys.com
set CYGWINBIN=c:\cygwin\bin
set CYGWINDLL=cygwin1.dll
set LOGFILE=upgradecygwin.log
set RESULT=

if exist %LOGFILE% del %LOGFILE%

echo LOG OPENED > %LOGFILE% 2>&1
date /t >> %LOGFILE% 2>&1
time /t >> %LOGFILE% 2>&1
echo . >> %LOGFILE% 2>&1
echo This is %THISIS% >> %LOGFILE% 2>&1
echo It should be created and run in neosys\neosys folder where wget.exe is. >> %LOGFILE% 2>&1
echo . >> %LOGFILE% 2>&1
echo WARNING!!! It will disconnect and prevent ssh connections for the duration of the >> %LOGFILE% 2>&1
echo upgrade so that cygwin1.dll and other dlls can be upgraded without issues>> %LOGFILE% 2>&1
echo . >> %LOGFILE% 2>&1
echo --- ***** YOU MUST CHECK THIS EMAIL OR LOG FILE FOR ERROR AND FAIL ETC>> %LOGFILE% 2>&1
echo --- ***** AND IF UPGRADE IS SUCCESSFUL ALSO>> %LOGFILE% 2>&1
echo --- ***** VERIFY THAT THE VERSIONS "CYGWIN" AND "OPENSSH" ARE>> %LOGFILE% 2>&1
echo --- ***** IN FACT THE REQUIRED LATEST VERSIONS NOS>> %LOGFILE% 2>&1
echo . >> %LOGFILE% 2>&1

echo --- CHECKING FOR wget.exe >> %LOGFILE% 2>&1
if not exist wget.exe (
    set RESULT=FAILURE
    echo ############################################################## >> %LOGFILE% 2>&1
    echo ############################################################## >> %LOGFILE% 2>&1
    echo ### ERROR: CANNOT UPGRADE BECAUSE                          ### >> %LOGFILE% 2>&1
    echo ### COULD NOT FIND WGET.EXE                                ### >> %LOGFILE% 2>&1
    echo ### THIS SCRIPT CURRENT DIR MUST CONTAIN WGET.EXE          ### >> %LOGFILE% 2>&1
    echo ############################################################## >> %LOGFILE% 2>&1
    echo ############################################################## >> %LOGFILE% 2>&1
    goto emailandexit
)
echo ok found >> %LOGFILE% 2>&1
echo . >> %LOGFILE% 2>&1

echo --- DELETING ANY EXISTING SETUP-X86.EXE >> %LOGFILE% 2>&1
if exist setup-x86.exe (
    del setup-x86.exe >> %LOGFILE% 2>&1
    echo ok found and deleted setup-x86.exe >> %LOGFILE% 2>&1
) else (
    echo ok not found>> %LOGFILE% 2>&1
)
echo . >> %LOGFILE% 2>&1

echo --- DOWNLOADING LATEST VERSION OF CYGWIN'S SETUP-X86.EXE >> %LOGFILE% 2>&1
wget -O setup-x86.exe http://www.cygwin.com/setup-x86.exe >> %LOGFILE% 2>&1
echo . >> %LOGFILE% 2>&1

echo --- CHECKING SETUP-X86.EXE DOWNLOADED OK>> %LOGFILE% 2>&1
if not exist setup-x86.exe (
    set RESULT=FAILURE
    echo ############################################################## >> %LOGFILE% 2>&1
    echo ############################################################## >> %LOGFILE% 2>&1
    echo ### ERROR: CANNOT UPGRADE BECAUSE                          ### >> %LOGFILE% 2>&1
    echo ### COULD NOT DOWNLOAD http://www.cygwin.com/setup-x86.exe ### >> %LOGFILE% 2>&1
    echo ############################################################## >> %LOGFILE% 2>&1
    echo ############################################################## >> %LOGFILE% 2>&1
    goto emailandexit
)
rem dir setup-x86.exe >> %LOGFILE% 2>&1
echo ok setup-x86.exe downloaded>> %LOGFILE% 2>&1
echo . >> %LOGFILE% 2>&1

echo --- STOPPING ANY OTHER CYGWIN SERVICES LIKE RSYNC, EXIM (DOES NOT EXIST = OK) --- >> %LOGFILE% 2>&1
net stop cygwinrsync >> %LOGFILE% 2>&1
net stop exim >> %LOGFILE% 2>&1

echo --- STOPPING SSHD SERVICE FOR MINIMUM TIME POSSIBLE --- >> %LOGFILE% 2>&1
net stop sshd >> %LOGFILE% 2>&1

echo --- KILLING ANY CURRENT SSHD CONNECTIONS (NOT FOUND = OK) --- >> %LOGFILE% 2>&1
taskkill /f /im sshd.exe >> %LOGFILE% 2>&1
taskkill /f /im bash.exe >> %LOGFILE% 2>&1

rem seems to leave actual services running
rem echo --- KILLING ANY REMAINING CYGWIN SERVICES --- >> %LOGFILE% 2>&1
rem taskkill /f /im cygrunsrv.exe >> %LOGFILE% 2>&1

rem delay three seconds to ensure all stopped/killed (output discarded to the nul device)
ping -n 3 127.0.0.1 > nul
echo .>> %LOGFILE% 2>&1

echo --- CHECK THERE ARE NOW NO CYGWIN PROGRAMS RUNNING --- >> %LOGFILE% 2>&1
rem if cygwin1.dll cannot be deleted then some cygwin program still has it loaded
set BACKUPDLL=cygwin1BACKUP.dll
if exist %CYGWINBIN%\%BACKUPDLL% del %CYGWINBIN%\%BACKUPDLL%
copy %CYGWINBIN%\%CYGWINDLL% %CYGWINBIN%\%BACKUPDLL%
del %CYGWINBIN%\%CYGWINDLL%
if exist %CYGWINBIN%\%CYGWINDLL% (
    set RESULT=FAILURE
    echo ############################################################################# >> %LOGFILE% 2>&1
    echo ############################################################################# >> %LOGFILE% 2>&1
    echo ### ERROR: CANNOT UPGRADE BECAUSE SOME CYGWIN PROGRAMS ARE STILL RUNNING  ### >> %LOGFILE% 2>&1
    echo ### CLOSE THEM ALL AND TRY AGAIN OR                                       ### >> %LOGFILE% 2>&1
    echo ### CHECK USING SYSINTERNALS PROCESS EXPLORER - FIND HANDLE %CYGWINDLL%   ### >> %LOGFILE% 2>&1
    echo ############################################################################# >> %LOGFILE% 2>&1
    echo ############################################################################# >> %LOGFILE% 2>&1
    goto skipupgrade
)
ren %CYGWINBIN%\%BACKUPDLL% %CYGWINDLL%
if exist %CYGWINBIN%\%BACKUPDLL% copy %CYGWINBIN%\%BACKUPDLL% %CYGWINBIN%\%CYGWINDLL%
echo OK %CYGWINBIN%\%CYGWINDLL% is not in use and can be updated >> %LOGFILE% 2>&1

rem ### RUNNING CYGWIN UPGRADE EVERYTHING NON-INTERACTIVE ###
echo . >> %LOGFILE% 2>&1
echo --- RUNNING CYGWIN UPGRADE --- >> %LOGFILE% 2>&1
setup-x86.exe --no-desktop --no-shortcuts --no-startmenu --quiet-mode >> %LOGFILE% 2>&1

:skipupgrade
echo . >> %LOGFILE% 2>&1
echo --- RESTARTING SSHD SERVICE (TO REENABLE REMOTE SUPPORT ASAP) --- >> %LOGFILE% 2>&1
net start sshd >> %LOGFILE% 2>&1
echo ---STARTING CYGWINRSYNC IF PRESENT (IS INVALID = OK) >> %LOGFILE% 2>&1
net start cygwinrsync >> %LOGFILE% 2>&1

echo --- CHECKING CYGWIN VERSIONS >> %LOGFILE% 2>&1
%CYGWINBIN%\cygcheck -c >> %LOGFILE% 2>&1

:emailandexit
echo . >> %LOGFILE% 2>&1
echo --- FINISHED upgradecygwin.cmd %RESULT% --- >> %LOGFILE% 2>&1
echo fromaddress=upgradecygwin@neosys.com> upgradecygwin.par
echo smtphostname=mailout.neosys.com>> upgradecygwin.par
echo smtpportno=2500>> upgradecygwin.par
%CYGWINBIN%\echo -n "subject=Cygwin Upgrade: %RESULT% ">> upgradecygwin.par
dir ..\data\*. /B|%CYGWINBIN%\head -n 1 >> upgradecygwin.par
echo . >> %LOGFILE% 2>&1
echo --- EMAILING LOG TO %TOEMAIL% >> %LOGFILE% 2>&1
time /t >> %LOGFILE%
start /w sendmail.js /e upgradecygwin.err /p upgradecygwin.par /t %TOEMAIL% /b "@%LOGFILE%"
echo . >> %LOGFILE% 2>&1
echo --- CLOSING LOG >> %LOGFILE% 2>&1
rem end of script
Upgrading Cygwin manually
Install Teamviewer (will be commercial on server) and allow unattended access.
Note the Teamviewer number and password during installation.
Logout of tunnelier.
Connect on teamviewer using the number and password
In command console type the following commands:
net stop sshd
net stop cygwinrsync
net stop exim
In task viewer, ensure no bash or ssh processes and kill any such processes.
Run the cygwin upgrade procedure starting with http://www.cygwin.com and setup.exe etc. If you get any message about file in use, do not ignore, make sure you kill all cygwin related processes in task manager. If necessary find and kill the process holding the files open. For example using sysinternal’s process explorer “find file handle”
If not already done, rename Administrator to administrator and run mkpasswd/mkgroup in Cygwin console. (See Changing ssh login from “Administrator” to “administrator”)
In command console type the following commands:
mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group
Start the NEOSYS remote connection service - cygwin/sshd, and any cygwin services stopped:
net start sshd
net start cygwinrsync
net start exim
Check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.
For example, to check the version of the openssh package you will have to type the following command in cygwin:
cygcheck -c openssh
The output should be as follows:
Package              Version        Status
openssh              6.0p1-2        OK
Login using tunnelier. If successful, close your Teamviewer on the server
Uninstall Teamviewer and REMOVE SETTINGS to avoid accidental reinstallation. Teamviewer must NOT BE LEFT with permanent login by number and password! Teamviewer options, security, REMOVE "Predefined password (For unattended access)"
Upgrading Cygwin with server reboot
If not already done, rename Windows “Administrator” user to “administrator” before upgrading
Connect using usual NEOSYS remote support.
Follow the usual cygwin installation procedure.
If and when cygwin says "files in use" at the console command prompt, click "continue". NB "retry" will not work because your NEOSYS remote support uses files like cygwin1.dll that are being updated by cygwin.
If you have used the "continue" option then, towards the end of the cygwin installation process, you may get error messages similar to the one below. You can ignore them.
"the procedure point __ctype_ptr__ could not be located in the dynamic link library cygwin1.dll"
Finally, you may get a message "postinstall script errors". Copy this message so you know what packages have to be reinstalled.
Your list may vary! The list of packages is longer if the cygwin1.dll file has to be upgraded as this is an essential library file for all cygwin programs.
Package: base-cygwin
Package: coreutils
Package: bash
Package: terminfo
Package: _update-info-dir
Package: base-files
Package: colordiff
Package: man
Package: terminfo0
Package: vim
Package: wget
Reboot the server
Reinstall Bash and check that you can connect using usual NEOSYS remote support.
- The login user name might be changed to "Administrator" instead of "administrator".
- If you cannot reconnect after rebooting then the following steps (in particular reinstalling the cygwin sshd package) may have to be performed directly on the server, or using the usual initial NEOSYS remote installation procedures that do not rely on cygwin/sshd.
Reinstall any problematic Cygwin packages
- Select View: "Up to date"
- "Keep" to "Reinstall" for the packages listed in the previous section.
Check that you can run the ls command in a cygwin command prompt window.
Finally, check the version of the packages you installed using the cygcheck command mentioned below to ensure that they have been upgraded.
If you don't reinstall bash after rebooting then the bash prompt will be abbreviated to something different and there will be no response to any command entered.
How to check Cygwin version?
If you are looking for the version number for the whole Cygwin release, there is none.
Each package in the Cygwin release has its own version.
To find the version of the Cygwin Package installed, you can use
cygcheck -c PACKAGE_NAME
e.g. to check the version of the openssh package you will have to type the following command in cygwin:
cygcheck -c openssh
The output should be as follows:
Package              Version        Status
openssh              6.0p1-2        OK
How to uninstall/reinstall cygwin
With setup.exe (the installer file of cygwin) you can uninstall individual packages but not Cygwin.
Before you do this, make sure you have stopped the cygwin service (NET STOP SSHD), removed the sshd service (cygrunsrv -R sshd), and deleted the sshd and sshd_server users (net user sshd /DELETE and net user sshd_server /DELETE).
To uninstall Cygwin you have to run the following in DOS prompt:
rmdir /s /q C:\cygwin
You cannot delete the cygwin folder from Windows Explorer due to an Access Denied error, so this is the best way to uninstall cygwin.
Getting Ownership and Permissions Correct
Installation of cygwin under a domain administrator account needs to be fixed as follows:
- c:\cygwin Properties, Security, Advanced
- Change owner to: Administrators
- Tick: Replace owner on subcontainers
After changing ownership of all cygwin folders to Administrators, all ssh logins will be blocked and you will get the following Windows application event log message. "root" actually means sshd's user, which is sshd_server by default or can be found in the Log On tab of the cygwin sshd Windows service properties.
fatal: /var/empty must be owned by root and not group or world-writable.
Fix this in cygwin console as follows:
chown sshd_server /var/empty
Configuring Firewall/Router
You will have to port forward 19580 on the router to port 19580 on the neosys server. Some routers call port forwarding “port mapping” or “virtual servers”
It is a BAD idea to simply open port 22 since an open port 22 attracts scanners/hackers like flies.
Configure port forwarding of port 4430 ONLY if access from outside office is required by the client. Support MUST obtain Client management permission before port forwarding 4430.
Configuring Specific Client Routers
Adline Dubai - CISCO PIX Firewall
Sonicwall Firewall Configuration
How to install ssh on port 19580 over vnc on port 19580
Install vnc on port 19580
connect on vnc
setup cygwin sshd on port 22
test you can login on port 22
ssh neosys@127.0.0.1
change sshd port to 19580 (but it wont start)
schedule a windows system reboot in 10 mins at windows command prompt
shutdown -r -t 600
change vnc port to 5900 (it will disconnect you)
wait for 10 mins and try to ssh login on port 19580
Changing user on Cygwin
On SSH command line:
ssh neosys@127.0.0.1 (where 'neosys' is the username)
Installing and configuring UltraVNC
VNC/Putty is not typically used for NEOSYS remote support anymore and has been replaced by tunnelier/rdp
Installing and configuring UltraVNC
Remote Desktop Connection
Servers are normally not exposed to the internet so IT staff and suppliers are often not careful to use strong passwords and use things like "password" or blank.
Given the above, it is NEOSYS policy NOT to use remote desktop via direct access from the internet at all and especially not long term. This is to prevent worms from instantly discovering possible entry points - typically before NEOSYS can even begin to enforce strong administrator password.
If it is otherwise IMPOSSIBLE (difficult or inconvenient does NOT count as impossible!) to avoid using remote desktop protocol to the public internet then a simple and effective way of significantly increasing security is to change the remote desktop port from 3389 to something else e.g. 33890 as per NEOSYS convention.
Changing RDC port from standard to nonstandard
- Start Registry Editor.
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
- On the Edit menu, click Modify, and then click Decimal.
- Type the new port number, and then click OK.
- Quit Registry Editor.
Solving "Authentication that can continue: publickey,password" Error when connecting to remote servers via remote access clients
Some remote access clients cannot connect to ssh servers without special configuration.
For example Remmina/ssh cannot connect to windows/cygwin/sshd in their default configuration.
Error Message
SSH password authentication failed: Access denied. Authentication that can continue: publickey,password,keyboard-interactive
Solution 1
If possible configure the client to not perform challenge response during login.
There appears to be no way to do this for Remmina currently.
Solution 2
On the target server:
Edit the ssh service configuration
nano /etc/sshd_config
Add the last line to the following section
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
Restart the ssh service
net stop sshd
net start sshd
Check that you can log in using a password from one workstation; this solves the problem for all workstations connecting to that server.
Solution 3
On a client workstation:
- Use the autologin.sh script to configure automatic login. Refer Autologin.sh
- For "Authentication/Login Method" choose option "Public Key"
Check that you can login using password. This will have to be done on every workstation for every server so is rather tedious but it does not require reconfiguration of the server.