How to setup the secure shell daemon on a Windows 2003 server
Note : This set of instructions has worked for me at our institution. You should read /usr/share/doc/Cygwin/openssh.README after installing cygwin and check the cygwin mailing list if you encounter problems.
Installing and Testing cygwin
- Create the destination folder (C:\cygwin or D:\cygwin as appropriate). Default permissions will be for administrators and SYSTEM only. Add SERVER\Users with modify control to the list. These permissions will be inherited to the rest of the folder as it is populated.
- Create a directory to locally store the cygwin packages e.g. C:\temp\cygwinarchive. Open a browser window to the following URL http://www.cygwin.com/setup.exe and save the installation file setup.exe to the archive directory just created (C:\temp\cygwinarchive in this example)
- Double click on the downloaded cygwin setup program. The current version is
2.510.2.2 (February 3rd, 2006). Click 'Next' and answer the prompts :
- Leave default "install from internet"
- Install to root directory c:\cygwin
- leave default "install for all users"
- leave default text file type "unix / binary"
- Set local package directory to c:\temp\cygwinarchive (the directory created in the previous step). This should be the default.
- Leave the default "direct connection"
- Select a mirror (any of the ones with starting with http://mirror in the name). The package list will be downloaded.
- The 'Select Packages' window can be stretched. Click on the plus
sign to expand the categories. Install at least the following list of
- From Admin, select all packages.
- From Archive, select unzip and zip packages.
- From Base, leave the default, select all packages.
- From Doc, leave the default, man and 'cygwin doc' packages.
- From Editors, select vim package.
- From Net, select openssh (openssl will get checked automatically), rsync and tcp_wrappers packages.
- When you've selected these packages, click 'Next'. The installation tells you which packages it is installing as it progresses.
- Uncheck 'Create desktop icon'. Leave default 'Add to start menu'. Click 'Finish'.
- A post install script runs a few final commands. Then you should see a message saying 'Installation complete'. Click 'OK'.
- Edit C:\cygwin\cygwin.bat. Make sure it contains these lines - you
will need to add the line setting the CYGWIN environment variable.
@echo off set CYGWIN=binmode tty ntsec C: chdir \cygwin\bin bash --login -i
- Test cygwin to make sure it works. Start, Programs, Cygnus
Solutions, Cygwin Bash Shell - should get a command window with a
prompt saying 'Administrator@servername'. This is a bash shell and
you can use unix or DOS / NT type commands e.g.
- 'ls /bin' to see the cygwin bin directory
- 'dir c:' to see the contents of the C: directory
- If you get a message saying 'cannot create /home/userid', run this command from the cygwin window "mkpasswd -l >/etc/passwd".
- While you're in the cygwin shell window, run this command to change
the mount prefix from "/cygdrive" to "/". You should logout and back in
again after running this command in order to reset your PATH environment
mount -s --change-cygdrive-prefix /
- Also, create a home directory where you can place user startup files.
The default location is the "Documents and Settings" folder. Creating a
/home directory and using the -p switch to assign the home directory
when adding a new user keeps all the cygwin files under the c:\cygwin
mkdir -p /home
Installing the SSH daemon service
- From a cygwin prompt (Start, All Programs, Cygwin ?), run ssh-host-config
to create the service, set up the ssh host keys and create the sshd_config
file in /etc/. Note that 2 local users are created, one called sshd to handle
privilege separation and one that is required on Windows 2003 called
sshd_server that runs the service in order to use public key authentication.
You should see output like this:
$ ssh-host-config Generating /etc/ssh_host_key Generating /etc/ssh_host_rsa_key Generating /etc/ssh_host_dsa_key Overwrite existing /etc/ssh_config file? (yes/no) yes Generating /etc/ssh_config file Overwrite existing /etc/sshd_config file? (yes/no) yes Privilege separation is set to yes by default since OpenSSH 3.3. However, this requires a non-privileged account called 'sshd'. For more info on privilege separation read /usr/share/doc/openssh/README.privsep. Should privilege separation be used? (yes/no) yes Warning: The following function requires administrator privileges! Should this script create a local user 'sshd' on this machine? (yes/no) yes Generating /etc/sshd_config file Added ssh to C:\WINDOWS\system32\drivers\etc\services Warning: The following functions require administrator privileges! Do you want to install sshd as service? (Say "no" if it's already installed as service) (yes/no) yes You appear to be running Windows 2003 Server or later. On 2003 and later systems, it's not possible to use the LocalSystem account if sshd should allow passwordless logon (e. g. public key authentication). If you want to enable that functionality, it's required to create a new account 'sshd_server' with special privileges, which is then used to run the sshd service under. Should this script create a new local account 'sshd_server' which has the required privileges? (yes/no) yes Please enter a password for new user 'sshd_server'. Please be sure that this password matches the password rules given on your system. Entering no password will exit the configuration. PASSWORD=xxxxxxx User 'sshd_server' has been created with password 'xxxxxxxx'. If you change the password, please keep in mind to change the password for the sshd service, too. Also keep in mind that the user sshd_server needs read permissions on all users' .ssh/authorized_keys file to allow public key authentication for these users!. (Re-)running ssh-user-config for each user will set the required permissions correctly. Which value should the environment variable CYGWIN have when sshd starts? It's recommended to set at least "ntsec" to be able to change user context without password. Default is "ntsec". CYGWIN=binmode ntsec tty The service has been installed under sshd_server account. To start the service, call net start sshd' or cygrunsrv -S sshd'. Host configuration finished. Have fun!
- You can start the service from the services MMC panel, or using either of the commands listed above ("net start sshd" or "cygrunsrv -S sshd").
Generating public/private SSH keys for a user
- If you need to generate ssh public and private keys for a user on this
machine who will be uploading data or logging in to a remote machine, you
will need to carry out this step. Sign on as the user who needs the keys
created. They will automatically be in their home directory. Run
ssh-user-config to setup the ssh keys. Create only an SSH2 RSA identity
(use a null passphrase - just press return). Output should be similar to this :
cygwinadmin@HICKORY ~ $ ssh-user-config Shall I create an SSH1 RSA identity file for you? (yes/no) no Shall I create an SSH2 RSA identity file for you? (yes/no) (yes/no) yes Generating /home/pswander/.ssh/id_rsa Enter passphrase (empty for no passphrase):Press ENTER Enter same passphrase again:Press ENTER Do you want to use this identity to login to this machine? (yes/no) yes Shall I create an SSH2 DSA identity file for you? (yes/no) (yes/no) no Configuration finished. Have fun!
- Update the file /home/userid/.ssh/authorized_keys with any public keys from other users who you wish to be able to connect to this user's account. Refer to this document for more information. Make sure each entry you add is all on one line.
- Make sure the service is running (state 4 = running)
$ sc query sshd SERVICE_NAME: sshd TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
- Test the service from the cygwin prompt using "ssh -v localhost".
You will get challenged with the new host key and will have to enter
your password as you connect.
You should see output like this:
The authenticity of host 'localhost (127.0.0.1)' can't be established. RSA key fingerprint is 75:8a:67:20:0d:75:dd:06:64:04:d0:ac:23:c7:74:ba. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'localhost' (RSA) to the list of known hosts. The last line is: You are successfully logged in to this server!!!
- Test the service from a remote host. You can now update the authorized_keys file with the public key file from the user and host you want to connect from. Then test your connection from that host by issuing the command "ssh userid@servername dir c:\"
Adding and removing users from the passwd file
- You can add domain or local users using the mkpasswd command. Test what
would be added for a domain user with this command:
mkpasswd -d domain_name -u joeuser
- You can add an ads domain user to the passwd file and give him a home
directory in /home with this command:
mkpasswd -d ads -p /home -u kscully >>/etc/passwd
- You can add local users using the -l switch instead of the -d switch. Be careful not to use the -d domain_name switch without specifying a user or you will get entries for ALL doamin users in the passwd file.
- Users can be removed and both users and groups can be updated by starting a cygwin shell and using vi to edit the /etc/passwd and /etc/group files.
Restricting SSH access to specific servers
Working on a netsh script to restrict access to specific servers.
cygrunsrv --install sshd --path '/usr/sbin/sshd' --env 'PATH=/bin;/sbin' --env 'CYGWIN=ntsec tty' -a -D
Switching the user who runs the service
In a normal installation, the ssh-host-config script creates a local user called sshd_server under whose credentials the ssh daemon runs. This is fine for local shell access to the server and secure file transfers to and from the server, but it is not possible to access any network resources while the service is running under the local user account.
The solution is to run the service under a domain user account - one that has access to the shares or servers remote from the server running sshd. In order to switch the service to run under a different user, these steps must be carried out :
- Open "Computer Management", open the Services tab, right click on the "Cygwin sshd" service and stop the service.
- Right click on the "Cygwin sshd" service again and select properties. Under the 'Log On' tab, switch the name of the account the service is running from ".\sshd_server" to domain\userid, where domain and userid correspond to a userid with access to the resources you require in the domain. You will be prompted for this user's password.
- Open Control Panel -> Administratice Tools -> Local Security Settings
-> Local Policies. Then click on 'User Rights Assignment'. Make sure the
domain user you specified in step one is in the list for these 4 rights :
- Adjust memory quotas for a process
- Create a token object
- Log on as a service (already granted if you completed step 1)
- Replace a process level token
- Add the domain user to the local password file
mkpasswd -d domain -u userid >> /etc/passwd
- Change to ownership of the files required by the sshd service owner.
Open a cygwin bash session and run these commands for your userid
$ chown userid /var/log/sshd.log $ chown -R userid /var/empty $ chown userid /etc/ssh*
- In the services tab again, right click on the 'Cygwin sshd' service and select 'start'. Check the event log for a successful start, or for errors in case the service does not start successfully.