Cygwin SSH Not Working - Permission denied error

Our PPM 9.32 is on a Windows 2012 R2 server. We just installed the most recent Cygwin, and went through all the steps to set up SSH for PPM object migration. But we cannot get SSH working, so the PPM environment check failed. When I tested the SSH command to the current PPM server, I always got the error "Permission denied" even though the password and user account are correct. The account used is a domain account which we used to install PPM and Cygwin.
We went through the steps of creating the CYGWIN sshd service by running the Cygwin ssh-host-config command, and also created the public and private keys following the PPM Installation and Admin guide.

When we test SSH from the command prompt, we keep getting the error "Permission denied, please try again" after we provide the password.

Has anybody else had this issue?

Thanks a lot!



  • Hi Daniel,

    Couple of things to check:

    1. Was the user that is running the sshd service also used to perform the Cygwin installation?

    2. Make sure the user is part of the passwd and group files present under C:/Cygwin/etc [or wherever Cygwin is installed]. To do so, take a backup of the passwd and group files; place the backup files locally somewhere not under the '/cygwin/etc' folder.

    3. To modify the passwd file, launch Cygwin from the shortcut and type:

          mkpasswd -l > /etc/passwd

          mkpasswd -d -u userUsedtoRunSSHD >> /etc/passwd

    4. To modify the group file, type the following, replacing <DOMAIN> with the user's domain:

         mkgroup -l > /etc/group

         mkgroup -d <DOMAIN> -g 'Domain Users' >> /etc/group 

    5. Make sure the user who is running the ssh service is the owner of the var, log and empty files.

    6. Check the permissions on the 'var' and 'log' files present under C:/Cygwin/var and C:/Cygwin/Var/log. To change the permissions, launch Cygwin and type: chmod 711 /var ; chmod 711 /var/empty

    Ideally the permissions and owner in steps 5 and 6 should be correct if the user that is running the sshd service was used to do the Cygwin installation.

    Let me know how it goes.




  • Hi Ajay,

    I used one Windows domain account to install the PPM application and Cygwin: ourdomain\ppmadmin

    During the SSH configuration by running ssh-host-config, a default account cyg_server was created. This is the account which is the logon of the Cygwin SSHD service. I tried to change the logon from cyg_server to ourdomain\ppmadmin and local admin, but then I couldn't start the sshd service, so I had to change it back.

    I did update the passwd file and tried to add both the ppmadmin and cyg_server accounts, but it still failed with the permission denied error.

    I tried changing the permissions of the var folder, also no luck...

    Anything else I am missing?



  • Hi Daniel,

    As a matter of fact, you created a user during ssh-host-config, and the ssh service is trying to use it. When you use other domain users to start the service you won't be able to, as there are multiple permissions on various files.

    Can you check?

    1. Is anything captured in the logs under c:/cygwin/var/log? Look at the sshd file; typically after every error, there is a log generated under there.

    2. Did you try to run the service under the 'local system account' instead of running under the domain account or cyg_server?

    3. If all these don't work, then you may uninstall the sshd service and reinstall it using ssh-host-config; this time do not create the cyg_server user. You can say you want to use your own account, then use the ppmadmin account there.


    Let me know how it goes.



  • Oh, one more thing: since you are on Windows 2012, please check which Cygwin version you are installing. I recollect having some issues with 2012 and had to get the latest Cygwin package. I will have to double check which version I installed, or maybe some DLL was missing. Can you also check the logs?

    In the meantime I will try and find more details.



  • Ajay,

    The error in the sshd log is "/var/empty must be owned by root and not group or world-writable."

    I had to change the owner of the "empty" folder in order to start the sshd service with the 'local system account'.

    Then I tried sshd using my PPM admin account, but it still failed with the permission denied error. The only thing is that this time the sshd log is updated with a new error.

    Any thoughts?



  • Hi Daniel,

    Clearly it is a permission issue - basically you have installed ssh using one user and are trying to run the service using a different user. Try running the ssh service using the cyg_server user (the one that you created during installation).

    Else try to uninstall ssh and reinstall it, this time using your domain account.

    If you want an installation guide, send me your email address and I will flick you one.



  • Ajay,

    Thanks for your installation guide!

    I was able to create the SSHD service and then get it running using my ourdomain\ppmadmin account. This is the same domain account used to install Cygwin and PPM. I think there is still some file permission issue when I try SSH.

    In the meantime, it seems it messed up Remote Desktop access. Once I get that resolved, I will try to work on the file permission issue again.



  • Ajay,

    Now I am able to establish the SSH connection. I verified the SSH connection to the current PPM server through the command prompt on this server using the SSH command. After I provided my password, the connection was established. Also the known_host file was generated. Then I followed the PPM Admin guide to create the id_rsa and authorized_keys files in the .ssh folder.

    I also added the com.kintana.core.server.SSH2_JSCH_KNOWN_HOSTS_FILE_PATH in the server.conf.

    I checked the current environment through Workbench, but received this error: D:\Server_Apps\Cygwin64\home\ppmadm\.ssh\           (Access is denied)com.jcraft.jsch.JSchException: D:\Server_Apps\Cygwin64\home\ppmadm\.ssh\id_rsa (Access is denied)

    Then I granted full access to the id_rsa file to my PPM server administrator account, but still received the same error...

    Any thoughts?

    Thanks again in advance...


  • Hi Daniel,

    Why do you need to set up the id_rsa, id_pub_rsa and host_keys files? Are you planning to use 'key' based (passwordless) authentication?

    Further, it is not recommended to give full access to the id_rsa key, as that is a private key.

    If you don't want to use 'key' based authentication, or in short keyboard authentication, then probably remove the id_rsa and id_rsa_pub files...

    Also, is it OK for you to send the screenshot?
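
The permission rules that come up in this thread (the sshd log message "/var/empty must be owned by root and not group or world-writable", the chmod 711 step, and the advice not to open up the id_rsa private key) can be checked from the Cygwin shell. The script below is an added example, not part of any post in the thread; the function names and the constructed temporary tree are assumptions for illustration, and the account to compare ownership against is whichever one runs the sshd service.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are illustrative.

# perms PATH -> 10-character type+mode field from ls, e.g. drwx--x--x
perms() { ls -ldn -- "$1" 2>/dev/null | cut -c1-10; }

# owner_uid PATH -> numeric owner id (avoids account names with spaces)
owner_uid() { ls -ldn -- "$1" 2>/dev/null | awk '{print $3}'; }

# check_privsep_dir DIR UID: the rule quoted from the sshd log.
# Returns 0 = ok, 1 = rule violated, 2 = path missing.
check_privsep_dir() {
    p=$(perms "$1")
    [ -n "$p" ] || { echo "MISSING $1"; return 2; }
    rc=0
    case $p in
        ?????w????|????????w?)
            echo "FAIL $1 is group- or world-writable ($p)"; rc=1 ;;
    esac
    [ "$(owner_uid "$1")" = "$2" ] || { echo "FAIL $1 not owned by uid $2"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK   $1 ($p)"
    return "$rc"
}

# check_private_key FILE: a private key should carry no group/other bits.
check_private_key() {
    p=$(perms "$1")
    [ -n "$p" ] || { echo "MISSING $1"; return 2; }
    case $p in
        -???------) echo "OK   $1 ($p)"; return 0 ;;
        *) echo "FAIL $1 is accessible beyond its owner ($p)"; return 1 ;;
    esac
}

# Demo on a constructed temporary tree. On the real host you would run:
#   check_privsep_dir /var/empty "$(id -u ACCOUNT_RUNNING_SSHD)"
#   check_private_key "$HOME/.ssh/id_rsa"
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/empty" "$t/empty_bad"
    chmod 711 "$t/empty"; chmod 777 "$t/empty_bad"
    : > "$t/id_rsa"; chmod 600 "$t/id_rsa"
    : > "$t/id_rsa_bad"; chmod 644 "$t/id_rsa_bad"
    check_privsep_dir "$t/empty" "$(id -u)"
    check_privsep_dir "$t/empty_bad" "$(id -u)"
    check_private_key "$t/id_rsa"
    check_private_key "$t/id_rsa_bad"
    rm -rf "$t"
}
demo
```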


  • Verified Answer

    That's right, I am giving up the key authentication now. I really don't think that's worth the time...

    Also ran into the permission issue again, but later found out that the account is somehow in the Windows local policy of Deny Log On Locally. It's kind of funny that even though the same account is in Allow Log On Locally, it could still be in the Deny policy...

    Issue resolved, and thanks again...