chdir("/"): PermissionDenied #1054

smayott · 2018-02-01T19:27:28Z

OpenSSH for Windows version 0.0.24.0 on Windows Server 2012 R2. Client Operating system Windows Server 2012 R2.

Issue:

At startup of SSHD services there is a log entry "error: chdir("/"): Permission denied" .

I have reran the FixHostFilePermissions and FixUserFilePermissions scripts several times. I am thinking that this is why I can not SCP to the server. Any ideas?

Thanks

bagajjal · 2018-02-01T19:29:02Z

please share the sshd_config and sshd.log (with DEBUG3 enabled)

smayott · 2018-02-01T19:42:19Z

As requested

sshd_config:

$OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $

This is the sshd server system-wide configuration file. See

sshd_config(5) for more information.

This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

The strategy used for options in the default sshd_config shipped with

OpenSSH is to specify options with their default value where

possible, but leave them commented. Uncommented options override the

default value.

AddressFamily inet
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

The default requires explicit activation of protocol 1

#Protocol 2
Protocol 1

HostKey for protocol version 1

#HostKey /etc/ssh/ssh_host_key

HostKeys for protocol version 2

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

Lifetime and size of ephemeral version 1 server key

#KeyRegenerationInterval 1h
#ServerKeyBits 1024

Logging

obsoletes QuietMode and FascistLogging

#SyslogFacility AUTH
#LogLevel INFO
LogLevel DEBUG3

Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes

The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2

but this is overridden so installations will only check .ssh/authorized_keys

AuthorizedKeysFile .ssh/authorized_keys

For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

#RhostsRSAAuthentication no

similar for protocol version 2

#HostbasedAuthentication no

Change to yes if you don't trust ~/.ssh/known_hosts for

RhostsRSAAuthentication and HostbasedAuthentication

#IgnoreUserKnownHosts no

Don't read the user's ~/.rhosts and ~/.shosts files

#IgnoreRhosts yes

To disable tunneled clear text passwords, change to no here!

#PasswordAuthentication yes
#PermitEmptyPasswords no

Change to no to disable s/key passwords

#ChallengeResponseAuthentication yes

Kerberos options

#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

GSSAPI options

GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

Set this to 'yes' to enable PAM authentication, account processing,

and session processing. If this is enabled, PAM authentication will

be allowed through the ChallengeResponseAuthentication and

PasswordAuthentication. Depending on your PAM configuration,

PAM authentication via ChallengeResponseAuthentication may bypass

the setting of "PermitRootLogin without-password".

If you just want the PAM account and session checks to run without

PAM authentication, then enable this but set PasswordAuthentication

and ChallengeResponseAuthentication to 'no'.

#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
PidFile E:\OpenSSH-Win32\logs\sshd.pid

#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

no default banner path

#Banner none

override default of no subsystems

Subsystem sftp sftp-server.exe
#Subsystem scp scp.exe

Example of overriding settings on a per-user basis

#Match User anoncvs

X11Forwarding no

AllowTcpForwarding no

ForceCommand cvs server

PubkeyAcceptedKeyTypes ssh-ed25519*

hostkeyagent \.\pipe\openssh-ssh-agent

sshd log:

11256 14:39:07:215 debug1: sshd version OpenSSH_7.6, LibreSSL 2.5.3
11256 14:39:07:230 debug3: ReadFileEx() ERROR:38, io:02D6C320
11256 14:39:07:230 debug3: read - no more data, io:02D6C320
11256 14:39:07:230 debug3: ReadFileEx() ERROR:38, io:02D6C320
11256 14:39:07:230 debug3: read - no more data, io:02D6C320
11256 14:39:07:230 debug1: private host key #0: ssh-rsa SHA256:Hm6tW0/OC11ae4SZi1k5Ax3UW654t3BmWZJnS48TMWM
11256 14:39:07:230 debug3: ReadFileEx() ERROR:38, io:02D871B8
11256 14:39:07:230 debug3: read - no more data, io:02D871B8
11256 14:39:07:230 debug3: ReadFileEx() ERROR:38, io:02D871B8
11256 14:39:07:230 debug3: read - no more data, io:02D871B8
11256 14:39:07:230 debug1: private host key #1: ssh-dss SHA256:cUPnFEee4QuT7iCV4wCInoZPTyB9Al9wINMmxQpcB54
11256 14:39:07:230 debug3: ReadFileEx() ERROR:38, io:02D6C320
11256 14:39:07:230 debug3: read - no more data, io:02D6C320
11256 14:39:07:230 debug3: ReadFileEx() ERROR:38, io:02D6C320
11256 14:39:07:230 debug3: read - no more data, io:02D6C320
11256 14:39:07:246 debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:rRdDBM2rXDj/S54UjR4HD6XwQ2pwgZqB7XtdMVUyFVc
11256 14:39:07:246 debug3: ReadFileEx() ERROR:38, io:02D6C320
11256 14:39:07:246 debug3: read - no more data, io:02D6C320
11256 14:39:07:246 debug3: ReadFileEx() ERROR:38, io:02D6C320
11256 14:39:07:246 debug3: read - no more data, io:02D6C320
11256 14:39:07:246 debug1: private host key #3: ssh-ed25519 SHA256:xSujr0qmlxirRtl4AlcQe15FQ6C7W58bTmNlwfdrV8Y
11256 14:39:07:246 error: chdir("/"): Permission denied
11256 14:39:07:246 debug2: fd 3 setting O_NONBLOCK
11256 14:39:07:246 debug1: Bind to port 22 on 0.0.0.0.
11256 14:39:07:246 Server listening on 0.0.0.0 port 22.

smayott · 2018-02-01T19:44:52Z

Sorry not sure why the large font

bagajjal · 2018-02-01T20:12:48Z

Looks like sshd service doesn't have permission to root drive like "c:" (drive in which sshd binary exists).

As per the comments around the logic, it can be ignored.
This problem can be solved if you move to new version v1.0.0.0 in which sshd service starts as SYSTEM,

Here is the code snippet,

smayott · 2018-02-01T20:16:22Z

The binary are actually on e:. So this is an error I can ignore is what you are saying? I was hoping this had to do with an issue with being able to scp to openssh.

bagajjal · 2018-02-01T20:20:54Z

During SCP failure did you see any errors in sshd.log?
I would suggest to use new version v1.0.0.0.

smayott · 2018-02-01T20:22:32Z

There were different errors. I'll close this issue and open a separate issue for that. Thanks

smayott closed this as completed Feb 1, 2018

bagajjal self-assigned this Feb 1, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chdir("/"): PermissionDenied #1054

chdir("/"): PermissionDenied #1054

smayott commented Feb 1, 2018

bagajjal commented Feb 1, 2018

smayott commented Feb 1, 2018 •

edited

smayott commented Feb 1, 2018

bagajjal commented Feb 1, 2018 •

edited

smayott commented Feb 1, 2018

bagajjal commented Feb 1, 2018

smayott commented Feb 1, 2018

chdir("/"): PermissionDenied #1054

chdir("/"): PermissionDenied #1054

Comments

smayott commented Feb 1, 2018

bagajjal commented Feb 1, 2018

smayott commented Feb 1, 2018 • edited

$OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $

This is the sshd server system-wide configuration file. See

sshd_config(5) for more information.

This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

The strategy used for options in the default sshd_config shipped with

OpenSSH is to specify options with their default value where

possible, but leave them commented. Uncommented options override the

default value.

The default requires explicit activation of protocol 1

HostKey for protocol version 1

HostKeys for protocol version 2

Lifetime and size of ephemeral version 1 server key

Logging

obsoletes QuietMode and FascistLogging

Authentication:

The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2

but this is overridden so installations will only check .ssh/authorized_keys

For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

similar for protocol version 2

Change to yes if you don't trust ~/.ssh/known_hosts for

RhostsRSAAuthentication and HostbasedAuthentication

Don't read the user's ~/.rhosts and ~/.shosts files

To disable tunneled clear text passwords, change to no here!

Change to no to disable s/key passwords

Kerberos options

GSSAPI options

Set this to 'yes' to enable PAM authentication, account processing,

and session processing. If this is enabled, PAM authentication will

be allowed through the ChallengeResponseAuthentication and

PasswordAuthentication. Depending on your PAM configuration,

PAM authentication via ChallengeResponseAuthentication may bypass

the setting of "PermitRootLogin without-password".

If you just want the PAM account and session checks to run without

PAM authentication, then enable this but set PasswordAuthentication

and ChallengeResponseAuthentication to 'no'.

no default banner path

override default of no subsystems

Example of overriding settings on a per-user basis

X11Forwarding no

AllowTcpForwarding no

ForceCommand cvs server

PubkeyAcceptedKeyTypes ssh-ed25519*

smayott commented Feb 1, 2018

bagajjal commented Feb 1, 2018 • edited

smayott commented Feb 1, 2018

bagajjal commented Feb 1, 2018

smayott commented Feb 1, 2018

smayott commented Feb 1, 2018 •

edited

bagajjal commented Feb 1, 2018 •

edited