Windows assign user privileges SeTcbPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege to cyg_server user for sshd

To set up sshd on cygwin:

  1. install cygwin including the openssh package
  2. create local (or domain?) user “cyg_server” and make it member of the “Administrators” group
  3. gpedit.msc
  • Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
  • right click “Act as part of the operating system” -> Properties -> Add User or Group
  • right click “Create a token object” -> Properties -> Add User or Group
  • right click “Replace a process level token” -> Properties -> Add User or Group

Perform a “gpupdate” to sync the policy changes in the domain.

  1. start a bash (cygwin terminal) with Administrative privileges
  2. mkpasswd -l -d YOUR_DOMAIN > /etc/passwd #(skip -d YOUR_DOMAIN if not using a domain)
  3. mkgroup -l -d YOUR_DOMAIN > /etc/group #(skip -d YOUR_DOMAIN if not using a domain)
  4. ssh-host-config -y
  5. “cygrunsrv -S sshd” or “net start sshd”

Done! 🙂


X11 connection rejected because of wrong authentication – X11 forwarding suddenly fails

After ages of flawless X11 forwarding over SSH, today I started getting authentication errors and couldn’t even get a remote xterm to display locally over my ssh tunnel.


I tried ssh -Y, ssh -X and changes in sshd_conf on the remote server and ssh_conf locally, even though I knew that nothing had changed except a few patches to unrelated software on the local machine. Of course that didn’t help.

I ran xauth on the remote server, no indication of any errors.

It turned out that the remote /home filesystem was out of space, and this prevented the ssh X11 forwarding from working properly. I write this as a note-to-self, as it could happen again…

authorized_keys SELinux pubkey authentication on RHEL / CentOS

So, you have correct permissions on your home directory and all the way up to /, with no other-writable directories in the path, as well as correct permissions on the .ssh directory in $HOME, and it still doesn’t work? You probably have SELinux, and need to put the newly created files in the correct security context. Do it with restorecon like this:

chmod 700 ~/.ssh
cd ~/.ssh
chmod 600 ~/.ssh/*
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 644 ~/.ssh/config
restorecon -R -v ~/.ssh