Openssh error 1067 after window patch

[MikeEunLim]

Prerequisites

• Write a descriptive title.
• Make sure you are able to repro it on the latest version
• Search the existing issues.

Steps to reproduce

After patching These updates i've been getting the following error.

• Security Update for Microsoft Windows (KB5044281) 10/12/2024
• Update for Microsoft Windows (KB5044025) 10/12/2024

The OpenSSH SSH Server service could not be started. A system error has occurred. System error 1067 has occurred. The process terminated unexpectedly.

I try installing new version:
v9.8.1.0p1-Preview

Expected behavior

sshd.exe to run

Actual behavior

sshd.exe fail to run

Error details

No response

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.20348.2652
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.2652
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version

v9.8.1.0p1-Preview

Visuals

No response

[tgauth]

Can you verify the permissions on the ProgData\ssh and ProgData\ssh\logs folders per #2282 (comment)?

Starting with v9.4, the sshd service will check the folder permissions upon startup to ensure only SYSTEM and Administrator accounts have write access (or higher) to the folder; similar to the existing check upon install in contrib\win32\openssh\install-sshd.ps1.

[MikeEunLim]

PS C:\Windows\system32> icacls "C:\ProgramData\ssh"
C:\ProgramData\ssh NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
SSHSTORAGE\root:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
PS C:\Windows\system32> icacls "C:\ProgramData\ssh\logs"
C:\ProgramData\ssh\logs NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
RRISD\sshadmins:(OI)(CI)(RX,W)

Successfully processed 1 files; Failed processing 0 files

already ran install-sshd.ps1

[MikeEunLim]

thsi may be important issue i saw :
debug1: get_passwd: lookup_sid() failed: 1332.

[tgauth]

What is SSHSTORAGE\root? The account should have RX permissions at most on the SSH folder

For the log folder, RRISD\sshadmins should not have W permissions, just RX

[MikeEunLim]

i added root local accoutn jsut to see f that fixes on log on service policy for service.exe I can remove that

[MikeEunLim]

For the log folder, RRISD\sshadmins should not have W permissions, just RX , removed but still an issue totally the new patch broke it , seeing if I can undue the patch and try again

[MikeEunLim]

C:\Program Files\OpenSSH-Win64> sshd -D -ddd
debug2: load_server_config: filename PROGRAMDATA\ssh/sshd_config
debug2: load_server_config: done config len = 2584
debug2: parse_server_config_depth: config PROGRAMDATA\ssh/sshd_config len 2584
debug3: PROGRAMDATA\ssh/sshd_config:25 setting SyslogFacility LOCAL0
debug3: PROGRAMDATA\ssh/sshd_config:26 setting LogLevel Debug3
debug3: PROGRAMDATA\ssh/sshd_config:40 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: PROGRAMDATA\ssh/sshd_config:82 setting Subsystem sftp sftp-server.exe -d D:\
debug3: checking syntax for 'Match User root'
debug3: checking syntax for 'Match User svc_ftp_cppm'
debug3: checking syntax for 'Match User svc_ftp_fac'
debug3: checking syntax for 'Match User SSH_User'
debug3: checking syntax for 'Match Group administrators'
debug1: sshd version OpenSSH_for_Windows_9.8 Win32-OpenSSH-GitHub, LibreSSL 3.9.2
debug1: private host key #0: ssh-rsa SHA256:
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:
debug1: private host key #2: ssh-ed25519 SHA256:
debug1: get_passwd: lookup_sid() failed: 1332.
debug1: rexec_argv[1]='-D'
debug1: rexec_argv[2]='-ddd'
debug3: using c:\program files\openssh-win64/sshd-session.exe for re-exec
debug2: fd 7 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 7 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug2: fd 8 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.

[MikeEunLim]

used to work until new patch was installed

[tgauth]

Ok - so with v9.8.1.0, the server runs in debug mode but the service won't start?

[MikeEunLim]

Ok - so with v9.8.1.0, the server runs in debug mode but the service won't start?

yes... added debug log mode on config..... but anywho.... trying to see if patch can be reverted and try again

[tgauth]

It still sounds like an issue with the folder permissions. I would ensure only SYSTEM and the administrators group have full control over ProgData\ssh and ProgData\ssh\logs and that all other accounts only have read access.

[MikeEunLim]

they both have full control..... do you have specific command line?

I used
icacls "C:\ProgramData\ssh" /grant SYSTEM:F /grant Administrators:F
icacls "C:\ProgramData\ssh\logs" /grant SYSTEM:F /grant Administrators:F

still same issue

[tgauth]

And all other accounts only have read access?

[MikeEunLim]

some have write to upload.

[tgauth]

To upload to the ProgData\ssh folder? The accounts need to be limited to read access, at least to start the service.

[MikeEunLim]

sorry just for these following directory
Match User svc_ftp_cppm
ChrootDirectory D:\Network\cppm

Match User svc_ftp_fac
ChrootDirectory D:\Network\FAC

Match User SSH_User
ChrootDirectory D:\Vmware

[MikeEunLim]

removing the root fixed it, on ssh

[MikeEunLim]

i think the solution is reinstall done fixhost ps1 and change the full access for programapp/ssh and logs and remove what I added on net user add.....

[kali-777]

I have SAME problem after "cleanup" permissions i was able to start but ONLY once, then its stopped, unable to start again?! 😣
I tried to uninstall/install now my Event Logs is FULL with message like this
"The OpenSSH SSH Server service terminated unexpectedly. It has done this 7021 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service." 🙄

PS C:\Users\klakos> net start sshd
The OpenSSH SSH Server service is starting.
The OpenSSH SSH Server service could not be started.

A system error has occurred.

System error 1067 has occurred.

The process terminated unexpectedly.

PS C:\Users\klakos> Start-service -verbose sshd
VERBOSE: Performing the operation "Start-Service" on target "OpenSSH SSH Server (sshd)".
Start-Service: Failed to start service 'OpenSSH SSH Server (sshd)'.
PS C:\Users\klakos> Start-service -verbose sshd
VERBOSE: Performing the operation "Start-Service" on target "OpenSSH SSH Server (sshd)".
PS C:\Users\klakos> services.msc
PS C:\Users\klakos> Start-service -verbose sshd
VERBOSE: Performing the operation "Start-Service" on target "OpenSSH SSH Server (sshd)".
Start-Service: Failed to start service 'OpenSSH SSH Server (sshd)'.
PS C:\Users\klakos> icacls "C:\ProgramData\ssh"
C:\ProgramData\ssh NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
PS C:\Users\klakos> icacls "C:\ProgramData\ssh\logs"
C:\ProgramData\ssh\logs NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files

[kali-777]

I have SAME problem after "cleanup" permissions i was able to start but ONLY once, then its stopped, unable to start again?! 😣 I tried to uninstall/install now my Event Logs is FULL with message like this "The OpenSSH SSH Server service terminated unexpectedly. It has done this 7021 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service." 🙄

PS C:\Users\klakos> net start sshd The OpenSSH SSH Server service is starting. The OpenSSH SSH Server service could not be started.

A system error has occurred.

System error 1067 has occurred.

The process terminated unexpectedly.

PS C:\Users\klakos> Start-service -verbose sshd VERBOSE: Performing the operation "Start-Service" on target "OpenSSH SSH Server (sshd)". Start-Service: Failed to start service 'OpenSSH SSH Server (sshd)'. PS C:\Users\klakos> Start-service -verbose sshd VERBOSE: Performing the operation "Start-Service" on target "OpenSSH SSH Server (sshd)". PS C:\Users\klakos> services.msc PS C:\Users\klakos> Start-service -verbose sshd VERBOSE: Performing the operation "Start-Service" on target "OpenSSH SSH Server (sshd)". Start-Service: Failed to start service 'OpenSSH SSH Server (sshd)'. PS C:\Users\klakos> icacls "C:\ProgramData\ssh" C:\ProgramData\ssh NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files PS C:\Users\klakos> icacls "C:\ProgramData\ssh\logs" C:\ProgramData\ssh\logs NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) BUILTIN\Administrators:(I)(OI)(CI)(F) BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files

Sorry, finally its WORKING now just needed to remove Users Read permission from Keys which got inherited! 😊

[aragon5956]

j'ai toujours le même problème

# Définir le propriétaire et les permissions
$sshPath = "C:\ProgramData\ssh"
$acl = Get-Acl $sshPath
$acl.SetOwner([System.Security.Principal.NTAccount]"NT AUTHORITY\SYSTEM")

# Supprimer toutes les règles existantes
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }

# Ajouter les nouvelles règles
$rule1 = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$rule2 = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators","FullControl","ContainerInherit,ObjectInherit","None","Allow")

$acl.AddAccessRule($rule1)
$acl.AddAccessRule($rule2)

# Appliquer les nouvelles permissions
Set-Acl $sshPath $acl

# Appliquer récursivement aux sous-dossiers
Get-ChildItem $sshPath -Recurse | ForEach-Object {
    Set-Acl $_.FullName $acl
}

après ce script ,et encore l'erreur 1067, si je l'éxécute je n'ai pas d'erreur , mais j'ai toujours l'erreur.Et je n'ai pas de dossiers logs.
pouvez vous m'aider ?

[aragon5956]

il y a quelqu'un pour m'aider ??

[fabpiaf]

I had the same problem and could fix it with (#2290 (comment))

# limit ssh folder permissions to full control for system and local group administrators, and read for authenticated users
$directoryPath = "$env:ProgramData\ssh"
$acl = Get-Acl -Path $directoryPath
$sddlString = “O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)”
$securityDescriptor = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddlString
$acl.SetSecurityDescriptorSddlForm($securityDescriptor.GetSddlForm("All"))
Set-Acl -Path $directoryPath -AclObject $acl

# limit log folder permissions to full control for system and local group administrators, and read for authenticated users
$directoryPath = "$env:ProgramData\ssh\logs"
$acl = Get-Acl -Path $directoryPath
$sddlString = “O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)”
$securityDescriptor = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddlString
$acl.SetSecurityDescriptorSddlForm($securityDescriptor.GetSddlForm("All"))
Set-Acl -Path $directoryPath -AclObject $acl

[bropines]

I have the same mistake. And it occurs when I grant myself the rights to read the folder with logs.
This is such utter nonsense that it's terrible. And how can I read the logs?

And this fix works.
#2290 (comment)

[tgauth]

I have the same mistake. And it occurs when I grant myself the rights to read the folder with logs. This is such utter nonsense that it's terrible. And how can I read the logs?

And this fix works. #2290 (comment)

Are you still having trouble reading the logs? The fix should permit read access to the logs for authenticated users.

[bropines]

I have the same mistake. And it occurs when I grant myself the rights to read the folder with logs. This is such utter nonsense that it's terrible. And how can I read the logs?
And this fix works. #2290 (comment)

Are you still having trouble reading the logs? The fix should permit read access to the logs for authenticated users.

Yep. I didn't write it clearly. After your fix, everything works as it should. Thanks