from http://pigtail.net/LRP/printsrv/cygwin-sshd.html
This page has been tranlated to Bulgarian by Albert Ward, see this link: http://www.fatcow.com/edu/cygwin-sshd-bl/
Disclaimer
According to some cygwin gods, the only official document that you should use is /usr/share/doc/Cygwin/openssh.README which is probably valid, but it seems to aim at users with a fair bit of Linux/Unix knowledge.
The purpose of this tutorial is for Windows users who are perhaps less familiar with Unix commands wanting to try out the famous Open Source ssh server (openSSH) on a desktop Windows XP , Windows Vista or Windows 7 .The behavior of Windows 2003 Server is different. Follow this link to install Cygwin SSH server on Windows 2003 Server.
There seems to be some problems when using cygwin ssh with McAfee 8.0i. A work around to that problem is available below.
Please don't send any questions to the cygwin mailing list to ask questions about this page as it seems to provoke them severely. They considered and declared the instructions on this page "broken" and "random" but won't constructively say what is "broken"; instead some went on launching personal attacks. The information here is provided "as is, in good faith" with no guarantee it will work. If it doesn't work, then it doesn't work. Don't send any questions to the Cygwin mailing list to ask why to provoke them. If you must go to Cygwin mailing list to ask, you better off completely remove Cygwin before you go to the mailing list to ask questions and don't even mention that you have looked at this web page (to avoid provoking them off).
Read this Disclaimer.
Constructive comments are of course welcome, in the original spirit of the Internet, sharing experience and knowledge regarding bug fixes and improvements to benefit other users of the Internet community. My email address is
How to install a ssh server (called sshd, from OpenSSH) on a Windows 2000 or XP
How to install a sftp server on a Windows 2000 or XP
Windows XP - login as a user with Administrator privilege;
Windows 2003 Server: login as local admin, it will not work for domain users or domain admin.
(1b) Make sure the current admin/user has a Windows password set.
If not, use Control Panel...User Accounts to create a password.
Just to be on the safe side, after you created a password, logoff and then log in again.
(2a) Create a folder c:\cygwin
(2b) Download cygwin's setup.exe from http://www.cygwin.com/ and save setup.exe in c:\cygwin
Cygwin's setup.exe has some uncommon properties, click here to find out more.
(2c) For Windows 7 and Windows Vista, navigate to c:\cygwin in explorer, right click the setup.exe icon, and select "Run as Administrator". Thanks to David Shanks for his contributions.
(2d) For Windows XP: Click Start...Run...and type c:\cygwin\setup.exe
If you are asked to select "Just Me" or "All Users", choose "All Users"
When it asks for "Local Package Directory", type c:\cygwin
Choose a download site that is "close" to you.
When a selection screen comes up (you can resize the windows to see better),
click the little View button for "Full" view ,
find the package "openssh", click on the word "skip" so that an appears in Column B,
see this illustration.
(optional) find the package "tcp_wrappers", click on the word "skip" so that an appears in Column B,
if you add "tcp_wrapper", you will most likely get "ssh-exchange-identification: Connectiion closed by remote host" error.
If you get that error, edit the file /etc/hosts.allow and add these two lines
ALL: 127.0.0.1/32 : allow
ALL: [::1]/128: allow
before the PARANOID line.
(optional) find the package "diffutils", click on the word "skip" so that an appears in Column B,
find the package "zlib", click on the word "skip" (it should be already selected) so that an appears in Column B.
Notes: tcp_wrappers provides host-based access control and possible need you to edit "/etc/hosts.allow"
zlib is the compression and decompression library that is used by many programs. Thanks to Lex Sheehan on the diffutils tips, and Thomas Braun for the hosts.allow tips.
Click to start installing cygwin and ssh.
Size of the basic cygwin system is more than 50 Meg.
(3) This paragraph is no longer valid for newer versions of Cygwin 1.7.2 and later.
REF: http://www.cygwin.com/cygwin-ug-net/ov-new1.7.html Right click My Computer, Properties, Advanced, Environment Variables
See this illustration (red dots)
Click the "New" button to add a new entry to System variables:
variable name is CYGWIN
variable value is ntsec tty
Note: by setting variable ntsec, it will break sshd on MinGW by generating the error "WARNING: UNPROTECTED PRIVATE KEY FILE".
Thanks to Peter Rust for this issue.
(4) Right click My Computer, Properties, Advanced, Environment Variables
See this illustration (green dots)
Select the Path variable and click the "Edit" button:
append ;c:\cygwin\bin to the end of the existing variable string.
(5)
For Windwos XP, you should login as a user with admin privilege and that user belongs to a Windows "Users" group.
For Windows XP , open a cygwin window by double clicking the icon; a black screen pops open,
For Windows Vista and Windows 7 , right click the icon and choose "run as administrator"; a black screen pops open, type
With recent releases of cygwin, there are some permission problems. Add these 6 commands as work around:
chmod +r /etc/passwd
chmod u+w /etc/passwd
chmod +r /etc/group
chmod u+w /etc/group
chmod 755 /var
touch /var/log/sshd.log
chmod 664 /var/log/sshd.log
ssh-host-config (manuall answer Yes to questions except)
If the script says "This script plans to use cyg_server, Do you want to use a different name?"
Answer Yes, and type sshd_server as the user name.
See Note 25 near the end of this web page if you need to run ssh-host-config again.
Thanks to Dave Lennert of Portland Oregon for the Windows 7 tips.
Thanks to Frank Martin for the cyglsa-config tips.
When the script stops and asks you for "environment variable CYGWIN=" your answer is ntsec tty
(click here for an explanation of ntsec)
(click here for an explanation of tty )
(thanks to Peter Reutemann of New Zealand and Ron Dozier of University of Delaware)
(thanks to Mike and Michael Pechner for the Windows Vista tip)
(thanks to Kevin Hilton on the Vista tips in the ssh-host-config section)
reboot the computer.
Pop a cygwin windowRun "rebaseall" as desribed in http://www.acooke.org/cute/CygwinSSHS0.html
(6) While you are still in the (black) cygwin screen, start the sshd service, type
net start sshd
or
cygrunsrv --start sshd
Click here on how to stop the sshd service.
If the service fails to start, try (thanks to Ross Beveridge of HP for this tip)
chown system /etc/ssh*
chown system /var/empty or chown sshd_server /var/empty
net start sshd
If you get "ssh-exchange-identification: Connectiion closed by remote host" error.
edit the file /etc/hosts.allow and add these two lines
ALL: 127.0.0.1/32 : allow
ALL: [::1]/128: allow
before the PARANOID line. Thanks to Thomas Braun for the hosts.allow tips.
(7) Make sure every Windows user has a password set, if not,
go to Control Panel....User Accounts and create a password.
(7a) Make sure every Windows user has done the following at least once:
Login in as the Windows user, pop a console command screen by clicking Start...Run....cmd
Thanks to Magno Corrêa of Brazil for the tip in (7a)
(8) Pop a cygwin window, harmonize Windows user information with cygwin, otherwise they cannot login
mkpasswd -cl > /etc/passwd
mkgroup --local > /etc/group
If your XP logs on to a domain, you most likely have to manually edit /etc/group. See this page.
If your local account name is the same as the domain name, then you would need to use Windows's User admin function to
rename the loacal account from name to name.localThen rebuild the passwd and group files as shown above, then edit the /etc/group file as shown above. Open firewall's TCP port 22
(Thanks to Christopher Poda of Venturi Wireless, Sunnyvale, California)
If your XP logs on to a domain, you may want to edit /etc/passwd to replace /home/username by //unc_server/path_to_home (thanks to Geoff Thomas)
mkpasswd creates a password file from Windows' user list, click here for more details.
mkgroup creates a group file from Windows' user list, click here for more details.
Thanks to John Skiggn of Cingular Wireless in Redmond, Washington for his tweak on domain user /etc/group
Test to see if sshd is working, pop a cygwin window (note: the command below is case sensitive)
whoami
ssh localhost
or
ssh -vvv localhost
or
ssh "$USERNAME@127.0.0.1"
if ssh complains "The authenticity of host xx.xx.xx.xx can't be established .... Are you sure you want to continue connecting (yes/no)?" Answer yes (Thanks to Daniel Griscom of Suitable Systems) If you get an error message like "ssh-exchange-identification: Connection closed by remote host",
it is probably caused by McAfee 8.0i, see this page about the fix. (Thanks to Ron Dozier of University of Delaware, USA)
Error is also related to /etc/hosts.allow file, see http://www.cygwin.com/ml/cygwin/2008-12/msg00678.html
If you get an error message like "entry point _getreent", or "QuerryService Status: Win32 error 1062", it is probably
caused by the existance of an older version of "cygwin1.dll" located in the search path.
Do a full serarch of "cygwin1.dll" and remove the old version, except the current version at c:\cygwin\bin (Thanks to Joe britton)
If you get a prompt without error messages, type
cd /cygdrive/c
ls
if you see a directory listing, success!
(type exit to end the cygwin ssh session)
Thanks to Roger Pack for his tips clarifying between Microsoft's ls.exe (installed by MS compilers) and cygwin's ls.exe
If you have a Windows username that contains space, expand the space into \ [space],
e.g. if the Windows login name is Mickey mouse
ssh Mickey\ mouse@127.0.0.1
If you have a Unix system that does not know what to do with TERM cygwin, add these scripts to .login
If you have troubles ssh into the server, try run ssh-user-config
Windows XP SP2 and SP3: open the Windows Firewall to allow TCP port 22 through
Click Start...Control Panel....Security Centre....Manage Security Settings for Windows Firewall....Exceptions tab....Add Port...
"Name of port" is ssh "Port number" is 22 (check the "TCP" checkbox)
(Thanks to Stefano of Sardegna, Italy for his Windows Firewall reminder) If you don't have sufficient privileges to open port 22 above, possible due to a group policy or other reasons,
you can create an exception for SSHD.
Click Start.. Control Panel...Security Center ... Windows Firewall...select the "Exception" tab.
Click "Add Program" button .. Browse to c:\cygwin\bin\sshd.exe
(Thanks to Thomas Johnson for this work around)
If you previously used Windows XP SP1 and installed sshd service, then upgraded to Windows XP SP2,
The upgrade disables the sshd service and deletes the CYGWIN environment variable.
Re-enter the environment variables and path.
Click Start...Control Panel....Security Centre....Manage Security Settings for Windows Firewall....Exceptions tab....Add Port...
"Name of port" is ssh "Port number" is 22 (check the "TCP" checkbox)
(Thanks to Chris Davitt of New Zealand for this SP1 to SP2 problem)
Multiple Windows users
Create other Windows users using the Control Panel...User Accounts.
After you created (or removed) Windows users
pop a cygwin windows to harmonize Windows user information with cygwin, otherwise they cannot login
mkpasswd --local > /etc/passwd
mkgroup --local > /etc/group
Don't get too carry away with multiple users, if a user can successfully ssh into the box, he can "cd" to just about any directory.
Note: The behaviors of Windows 2003 Server is different.
Follow this link to install OpenSSH on Windows 2003 Server, by Stephen Pillinger of the School of Computer Science, University of Birmingham.
Users from the internal network (geeks call this a LAN) can
ssh usersname@ip_address (e.g. ssh john@192.168.0.100) On Unix/Linux systems, user names do not contains spaces. On Windows system, user names can have spaces.
If you have a Windows username that contains spaces, expand each space into \ [space],
e.g. if the Windows username is mickey mouse
ssh mickey\ mouse@192.168.0.100
If you have a NAT firewall, port forward (D-link calls this Virtual Server) TCP port 22 to the (internal) IP address
of the Windows box where the sshd server is running. See above diagram.
Users from the outside (geeks call this a WAN) can (the IP address is your firewall/router's WAN address)
ssh username@external_ip_address (e.g. ssh john@64.64.64.64 )
ssh mickey\ mouse@external_ip_address (e.g. ssh mickey\ mouse@64.64.64.64 )
Caveat Emptor :
-assuming you have an IP address that is accessible from the outside world; some ISP give non-accessible IP address (RFC1918). to their customers.
-assuming your ISP does not suffer from extreme paranoia, he/she allows "port 22 TCP" traffic through their network.
-assuming your corporate firewall allows TCP port 22 and port forwards to the computer running the ssh server.
If your install includes tcp_wrapper and you get an error message like "ssh-exchange-identification: Connection closed by remote host", do
start ... run ... c:\cygwin\setup.exe , add "mc Midnight Commander" package (a friendly editor for those who are unfamiliar with Unix editors),
Invoke cygwin
cd /etc
mc highlight the file /etc/hosts.deny and edit (F4)
change the line ALL:ALL EXCEPT localhost:DENY to
ALL:ALL EXCEPT localhost AND '192.168.':DENY (assuming your internal network is 192.168.xx.xx )
and edit the content of the file /etc/hosts.allow to be just one line.
sshd: ALL
(Thanks to Carl Falk of Sweden for the hosts.allow and hosts.deny content)
In some extreme cases,
if you want to use TCP port 443 as the sshd listening port (instead of the default SSH port 22), see this page.
(Why? Port 443 is normally assigned to https traffic, even severely paranoia IT geeks will leave this port open. Some IT will even intercept TCP port 443 traffic and redirect them to a proxy server, in that case, you may want to try to use Putty as a ssh client and configure the Connections -> Proxy to connect via a friendly proxy server. )
As a bonus, openssh includes sftp and sftp-server for doing encrypted file transfers.
These two programs function much like the familiar ftp-client and ftp-server.
For example, from a remote laptop, you can transfer (send and retrieve) files to your home computer (see above diagram).
sftp username@ip_address (e.g. sftp john@32.97.166.74 )
sftp username@hostname (e.g. sftp john@supercomputer.ibm.com )
openSSH [which uses openSSL] has strong encryption capability.
The encryption used by openSSH can be either AES-128, AES-192, AES-256, 3DES, Blowfish, cast-128, arcfour (RC4)
The default encryption algorithm (cipher) is AES-128-CBC.
You can force a particular encryption algorithm preference (cipher) by adding a directive such as
Ciphers blowfish-cbc,aes128-cbc,3des-cbc to /etc/sshd_config for faster transfer.
The sftp client I like best is Filezilla.
Caveat Emptor :
-assuming you have an IP address that is accessible by the outside world, some ISP do not give out outside-accessible IP address.
-assuming your ISP does not suffer from extreme paranoia, he/she allows "port 22 TCP" traffic through their network.
-assuming your firewall allows TCP port 22 and port forwards to the computer running the ssh server.
After you establish a ssh or sftp connection into the Windows box,
changing directory is rather painful, for example, to change to "my documents", type
cd "/cygdrive/c/documents and settings/$USERNAME/my documents"
Similarly, to change directory to d: drive
cd /cygdrive/d
To reduce pain, use a graphical sftp client such as Filezilla.
Where can you find a ssh or sftp client ?
(1) Putty is the best ssh client for Windows, it also has psftp.exe which is a console mode sftp client.
(2) Commercial software vendors such as VanDyke Software.
(3) Filezilla, a free, GNU (GPL) licensed sftp client.
If you prefer to use a graphical client to do sftp file transfers,
purchase a high quality commercial software called SecureFX
from VanDyke Software in Albuquerque, New Mexico, USA
or use Filezilla, a free, GNU (GPL) licensed sftp client,
or use WinSCP, a free, GNU (GPL) licensed sftp and scp client.
Also, ftp.ssh.com in their /pub/ssh directory, there is a Windows version of ssh and sftp client for non-commercial use,
thanks to Stephan of Rutgers State University of New Jersey for the link.
Once you have a sshd working and you can ssh into the machine (from LAN or WAN), there are many things you can do with it.
For example, www.sysinternals.com (now absorbed by Microsoft http://technet.microsoft.com/en-us/sysinternals)
has many console mode utilities you can use.
Other very, very useful things you can do with ssh is to tunnel tcp applications under the
ssh protocol, giving them a strong cryptographic protection while traveling over the insecure public network. openSSH [which uses openSSL] has strong encryption capability.
The encryption used by openSSH can be either AES-128, AES-192, AES-256, 3DES, Blowfish, cast-128, arcfour (RC4)
The default encryption algorithm (cipher) is AES-128-CBC.
You can force a particular encryption algorithm preference (cipher) by adding a line such as
Ciphers blowfish-cbc,aes128-cbc,3des-cbc to /etc/sshd_config (Blowfish runs faster than AES-128)
Below are some popular plain-text, pure TCP protocols that are unfortunately still in common use today.
Fortunately these protocols can benefit from the protection of a ssh tunnel:
POP3 (tcp port 110)
IMAP (tcp port 143)
SMTP (tcp port 25)
TELNET (tcp port 21)
VNC (tcp port 5900)
Print server traffic (typically tcp port 9100)
Windows Share, or Samba Share, SMB protocol (tcp port 445)
Note:
The world is moving away (rather slowly) from plain text protocols by hardening them with TLS or SSL:
newer versions of POP3 servers have TLS support at port 110; and SSL support at port 995
newer versions of IMAP servers have TLS support at port 143; and SSL support at port 993
newer versions of SMTP servers have TLS support at port 25
A version of "smtps" uses port 465 with SSL support, now it becomes legacy (depreciated).
SMTP can also use port 587 in plain text or TLS.
newer versions of telnet servers have SSL support at port 992
See this page on how to tunnel VNC traffic under ssh.
See this page on how to tunnel TCP applications under ssh.
See this page on how to set up a dedicated PPTP VPN server at your home office or main office.
See this page on how to tunnel SMB traffic under ssh.
Sometimes, there are applications such as midnight back-up of files to a data centre Linux server using "rsync encrypted with ssh",
you want to be able to ssh from one machine to another machine (without a person sitting at a console to type the password).
See this page on how to ssh from one machine into another machine without typing a password, i.e,
how to use public key authentication.
Once you can ssh from one machine to another machine without typing a password, your task of doing rsync over ssh
is practically 90% done. Furthermore, creating a batch file and invoke the batch file using Control Panel's "Schedule Tasks" (Task Scheduler)
will do "secure backup" automatically to a remote server. In Linux world, add a cron job to invoke "rsync -e ssh"
How to install a ssh client (called ssh)
Click here for a tutorial on how to setup a ssh client on Windows 2000 or Windows XP
How to install a smtp server [exim] on a Windows machine
Click here for a tutorial on how to setup exim, a mail transfer agent
on Windows 2000 or Windows XP as a learning exercise.
Note 25: if you run ssh-host-config when sshd is installed, ssh-host-config will not ask for the CYGWIN value.
In that case, stop and remove the sshd service, then run the ssh-host-config script again, see below.
cygrunsrv --stop sshd
cygrunsrv --remove sshd
ssh-host-config
cygrunsrv --start sshd
Go to Control Panel, Classic View, Administrative Tools, Computer Management,
or click Start...Run...compmgmt.msc
delete the sshd user account.
Thanks to Dave Abrahams of Boost Consulting for the sshd user account deletion hint.
Reference: http://cygwin.com/cygwin-ug-net/
-------------------------------------------------------------------
cygrunsrv --install sshd --path '/usr/sbin/sshd' --env 'PATH=/bin;/sbin' --env 'CYGWIN=ntsec tty' -a -D
The solution is to run the service under a domain user account - one that has access to the shares or servers remote from the server running sshd. In order to switch the service to run under a different user, these steps must be carried out :
This page has been tranlated to Bulgarian by Albert Ward, see this link: http://www.fatcow.com/edu/cygwin-sshd-bl/
Disclaimer
According to some cygwin gods, the only official document that you should use is /usr/share/doc/Cygwin/openssh.README which is probably valid, but it seems to aim at users with a fair bit of Linux/Unix knowledge.
The purpose of this tutorial is for Windows users who are perhaps less familiar with Unix commands wanting to try out the famous Open Source ssh server (openSSH) on a desktop Windows XP , Windows Vista or Windows 7 .The behavior of Windows 2003 Server is different. Follow this link to install Cygwin SSH server on Windows 2003 Server.
There seems to be some problems when using cygwin ssh with McAfee 8.0i. A work around to that problem is available below.
Please don't send any questions to the cygwin mailing list to ask questions about this page as it seems to provoke them severely. They considered and declared the instructions on this page "broken" and "random" but won't constructively say what is "broken"; instead some went on launching personal attacks. The information here is provided "as is, in good faith" with no guarantee it will work. If it doesn't work, then it doesn't work. Don't send any questions to the Cygwin mailing list to ask why to provoke them. If you must go to Cygwin mailing list to ask, you better off completely remove Cygwin before you go to the mailing list to ask questions and don't even mention that you have looked at this web page (to avoid provoking them off).
Read this Disclaimer.
Constructive comments are of course welcome, in the original spirit of the Internet, sharing experience and knowledge regarding bug fixes and improvements to benefit other users of the Internet community. My email address is
How to install a ssh server (called sshd, from OpenSSH) on a Windows 2000 or XP
How to install a sftp server on a Windows 2000 or XP
The ssh server is an emulation of the UNIX environment and OpenSSH for Windows, by Redhat, called cygwin.
The file system on your target machine should be journalled (e.g. NTFS) because FAT file system has bugs in file access.
(1a) Login as AdministratorThe file system on your target machine should be journalled (e.g. NTFS) because FAT file system has bugs in file access.
Windows XP - login as a user with Administrator privilege;
Windows 2003 Server: login as local admin, it will not work for domain users or domain admin.
(1b) Make sure the current admin/user has a Windows password set.
If not, use Control Panel...User Accounts to create a password.
Just to be on the safe side, after you created a password, logoff and then log in again.
(2a) Create a folder c:\cygwin
(2b) Download cygwin's setup.exe from http://www.cygwin.com/ and save setup.exe in c:\cygwin
Cygwin's setup.exe has some uncommon properties, click here to find out more.
(2c) For Windows 7 and Windows Vista, navigate to c:\cygwin in explorer, right click the setup.exe icon, and select "Run as Administrator". Thanks to David Shanks for his contributions.
(2d) For Windows XP: Click Start...Run...and type c:\cygwin\setup.exe
If you are asked to select "Just Me" or "All Users", choose "All Users"
When it asks for "Local Package Directory", type c:\cygwin
Choose a download site that is "close" to you.
When a selection screen comes up (you can resize the windows to see better),
click the little View button for "Full" view ,
find the package "openssh", click on the word "skip" so that an appears in Column B,
see this illustration.
(optional) find the package "tcp_wrappers", click on the word "skip" so that an appears in Column B,
if you add "tcp_wrapper", you will most likely get "ssh-exchange-identification: Connectiion closed by remote host" error.
If you get that error, edit the file /etc/hosts.allow and add these two lines
ALL: 127.0.0.1/32 : allow
ALL: [::1]/128: allow
before the PARANOID line.
(optional) find the package "diffutils", click on the word "skip" so that an appears in Column B,
find the package "zlib", click on the word "skip" (it should be already selected) so that an appears in Column B.
Notes: tcp_wrappers provides host-based access control and possible need you to edit "/etc/hosts.allow"
zlib is the compression and decompression library that is used by many programs. Thanks to Lex Sheehan on the diffutils tips, and Thomas Braun for the hosts.allow tips.
Click to start installing cygwin and ssh.
Size of the basic cygwin system is more than 50 Meg.
(3) This paragraph is no longer valid for newer versions of Cygwin 1.7.2 and later.
REF: http://www.cygwin.com/cygwin-ug-net/ov-new1.7.html Right click My Computer, Properties, Advanced, Environment Variables
See this illustration (red dots)
Click the "New" button to add a new entry to System variables:
variable name is CYGWIN
variable value is ntsec tty
Note: by setting variable ntsec, it will break sshd on MinGW by generating the error "WARNING: UNPROTECTED PRIVATE KEY FILE".
Thanks to Peter Rust for this issue.
(4) Right click My Computer, Properties, Advanced, Environment Variables
See this illustration (green dots)
Select the Path variable and click the "Edit" button:
append ;c:\cygwin\bin to the end of the existing variable string.
(5)
For Windows 7 and Windows Vista
you may need to do additional uninstall steps if previous attempts to install sshd fails. Click here on how to do clean uninstall. |
For Windows XP , open a cygwin window by double clicking the icon; a black screen pops open,
For Windows Vista and Windows 7 , right click the icon and choose "run as administrator"; a black screen pops open, type
With recent releases of cygwin, there are some permission problems. Add these 6 commands as work around:
chmod +r /etc/passwd
chmod u+w /etc/passwd
chmod +r /etc/group
chmod u+w /etc/group
chmod 755 /var
touch /var/log/sshd.log
chmod 664 /var/log/sshd.log
ssh-host-config (manuall answer Yes to questions except)
If the script says "This script plans to use cyg_server, Do you want to use a different name?"
Answer Yes, and type sshd_server as the user name.
See Note 25 near the end of this web page if you need to run ssh-host-config again.
cyglsa-config
Thanks to David Spillett of Londdon, UK on the permission tips.Thanks to Dave Lennert of Portland Oregon for the Windows 7 tips.
Thanks to Frank Martin for the cyglsa-config tips.
When the script stops and asks you for "environment variable CYGWIN=" your answer is ntsec tty
(click here for an explanation of ntsec)
(click here for an explanation of tty )
(thanks to Peter Reutemann of New Zealand and Ron Dozier of University of Delaware)
(thanks to Mike and Michael Pechner for the Windows Vista tip)
(thanks to Kevin Hilton on the Vista tips in the ssh-host-config section)
reboot the computer.
Pop a cygwin windowRun "rebaseall" as desribed in http://www.acooke.org/cute/CygwinSSHS0.html
(6) While you are still in the (black) cygwin screen, start the sshd service, type
net start sshd
or
cygrunsrv --start sshd
Click here on how to stop the sshd service.
If the service fails to start, try (thanks to Ross Beveridge of HP for this tip)
chown system /etc/ssh*
chown system /var/empty or chown sshd_server /var/empty
net start sshd
If you get "ssh-exchange-identification: Connectiion closed by remote host" error.
edit the file /etc/hosts.allow and add these two lines
ALL: 127.0.0.1/32 : allow
ALL: [::1]/128: allow
before the PARANOID line. Thanks to Thomas Braun for the hosts.allow tips.
(7) Make sure every Windows user has a password set, if not,
go to Control Panel....User Accounts and create a password.
(7a) Make sure every Windows user has done the following at least once:
Login in as the Windows user, pop a console command screen by clicking Start...Run....cmd
Thanks to Magno Corrêa of Brazil for the tip in (7a)
(8) Pop a cygwin window, harmonize Windows user information with cygwin, otherwise they cannot login
mkpasswd -cl > /etc/passwd
mkgroup --local > /etc/group
If your XP logs on to a domain, you most likely have to manually edit /etc/group. See this page.
If your local account name is the same as the domain name, then you would need to use Windows's User admin function to
rename the loacal account from name to name.localThen rebuild the passwd and group files as shown above, then edit the /etc/group file as shown above. Open firewall's TCP port 22
(Thanks to Christopher Poda of Venturi Wireless, Sunnyvale, California)
If your XP logs on to a domain, you may want to edit /etc/passwd to replace /home/username by //unc_server/path_to_home (thanks to Geoff Thomas)
mkpasswd creates a password file from Windows' user list, click here for more details.
mkgroup creates a group file from Windows' user list, click here for more details.
Thanks to John Skiggn of Cingular Wireless in Redmond, Washington for his tweak on domain user /etc/group
Test to see if sshd is working, pop a cygwin window (note: the command below is case sensitive)
whoami
ssh localhost
or
ssh -vvv localhost
or
ssh "$USERNAME@127.0.0.1"
if ssh complains "The authenticity of host xx.xx.xx.xx can't be established .... Are you sure you want to continue connecting (yes/no)?" Answer yes (Thanks to Daniel Griscom of Suitable Systems) If you get an error message like "ssh-exchange-identification: Connection closed by remote host",
it is probably caused by McAfee 8.0i, see this page about the fix. (Thanks to Ron Dozier of University of Delaware, USA)
Error is also related to /etc/hosts.allow file, see http://www.cygwin.com/ml/cygwin/2008-12/msg00678.html
If you get an error message like "entry point _getreent", or "QuerryService Status: Win32 error 1062", it is probably
caused by the existance of an older version of "cygwin1.dll" located in the search path.
Do a full serarch of "cygwin1.dll" and remove the old version, except the current version at c:\cygwin\bin (Thanks to Joe britton)
If you get a prompt without error messages, type
cd /cygdrive/c
ls
if you see a directory listing, success!
(type exit to end the cygwin ssh session)
Thanks to Roger Pack for his tips clarifying between Microsoft's ls.exe (installed by MS compilers) and cygwin's ls.exe
If you have a Windows username that contains space, expand the space into \ [space],
e.g. if the Windows login name is Mickey mouse
ssh Mickey\ mouse@127.0.0.1
If you have a Unix system that does not know what to do with TERM cygwin, add these scripts to .login
If you have troubles ssh into the server, try run ssh-user-config
Thanks to Jared Kilgour for above $USERNAME variable substitution.
Thanks to Justin Kerk for the tip on quotes around $USERNAME to allow for spaces in username.
Thanks to Ron Dozier of University of Delaware for the Unix .login tweak.
Thanks to Justin Kerk for the tip on quotes around $USERNAME to allow for spaces in username.
Thanks to Ron Dozier of University of Delaware for the Unix .login tweak.
Windows XP SP2 and SP3: open the Windows Firewall to allow TCP port 22 through
Click Start...Control Panel....Security Centre....Manage Security Settings for Windows Firewall....Exceptions tab....Add Port...
"Name of port" is ssh "Port number" is 22 (check the "TCP" checkbox)
(Thanks to Stefano of Sardegna, Italy for his Windows Firewall reminder) If you don't have sufficient privileges to open port 22 above, possible due to a group policy or other reasons,
you can create an exception for SSHD.
Click Start.. Control Panel...Security Center ... Windows Firewall...select the "Exception" tab.
Click "Add Program" button .. Browse to c:\cygwin\bin\sshd.exe
(Thanks to Thomas Johnson for this work around)
If you previously used Windows XP SP1 and installed sshd service, then upgraded to Windows XP SP2,
The upgrade disables the sshd service and deletes the CYGWIN environment variable.
Re-enter the environment variables and path.
Click Start...Control Panel....Security Centre....Manage Security Settings for Windows Firewall....Exceptions tab....Add Port...
"Name of port" is ssh "Port number" is 22 (check the "TCP" checkbox)
(Thanks to Chris Davitt of New Zealand for this SP1 to SP2 problem)
Multiple Windows users
Create other Windows users using the Control Panel...User Accounts.
After you created (or removed) Windows users
pop a cygwin windows to harmonize Windows user information with cygwin, otherwise they cannot login
mkpasswd --local > /etc/passwd
mkgroup --local > /etc/group
Don't get too carry away with multiple users, if a user can successfully ssh into the box, he can "cd" to just about any directory.
Note: The behaviors of Windows 2003 Server is different.
Follow this link to install OpenSSH on Windows 2003 Server, by Stephen Pillinger of the School of Computer Science, University of Birmingham.
Users from the internal network (geeks call this a LAN) can
ssh usersname@ip_address (e.g. ssh john@192.168.0.100) On Unix/Linux systems, user names do not contains spaces. On Windows system, user names can have spaces.
If you have a Windows username that contains spaces, expand each space into \ [space],
e.g. if the Windows username is mickey mouse
ssh mickey\ mouse@192.168.0.100
If you have a NAT firewall, port forward (D-link calls this Virtual Server) TCP port 22 to the (internal) IP address
of the Windows box where the sshd server is running. See above diagram.
Users from the outside (geeks call this a WAN) can (the IP address is your firewall/router's WAN address)
ssh username@external_ip_address (e.g. ssh john@64.64.64.64 )
ssh mickey\ mouse@external_ip_address (e.g. ssh mickey\ mouse@64.64.64.64 )
Caveat Emptor :
-assuming you have an IP address that is accessible from the outside world; some ISP give non-accessible IP address (RFC1918). to their customers.
-assuming your ISP does not suffer from extreme paranoia, he/she allows "port 22 TCP" traffic through their network.
-assuming your corporate firewall allows TCP port 22 and port forwards to the computer running the ssh server.
If your install includes tcp_wrapper and you get an error message like "ssh-exchange-identification: Connection closed by remote host", do
start ... run ... c:\cygwin\setup.exe , add "mc Midnight Commander" package (a friendly editor for those who are unfamiliar with Unix editors),
Invoke cygwin
cd /etc
mc highlight the file /etc/hosts.deny and edit (F4)
change the line ALL:ALL EXCEPT localhost:DENY to
ALL:ALL EXCEPT localhost AND '192.168.':DENY (assuming your internal network is 192.168.xx.xx )
and edit the content of the file /etc/hosts.allow to be just one line.
sshd: ALL
(Thanks to Carl Falk of Sweden for the hosts.allow and hosts.deny content)
In some extreme cases,
if you want to use TCP port 443 as the sshd listening port (instead of the default SSH port 22), see this page.
(Why? Port 443 is normally assigned to https traffic, even severely paranoia IT geeks will leave this port open. Some IT will even intercept TCP port 443 traffic and redirect them to a proxy server, in that case, you may want to try to use Putty as a ssh client and configure the Connections -> Proxy to connect via a friendly proxy server. )
As a bonus, openssh includes sftp and sftp-server for doing encrypted file transfers.
These two programs function much like the familiar ftp-client and ftp-server.
For example, from a remote laptop, you can transfer (send and retrieve) files to your home computer (see above diagram).
sftp username@ip_address (e.g. sftp john@32.97.166.74 )
sftp username@hostname (e.g. sftp john@supercomputer.ibm.com )
openSSH [which uses openSSL] has strong encryption capability.
The encryption used by openSSH can be either AES-128, AES-192, AES-256, 3DES, Blowfish, cast-128, arcfour (RC4)
The default encryption algorithm (cipher) is AES-128-CBC.
You can force a particular encryption algorithm preference (cipher) by adding a directive such as
Ciphers blowfish-cbc,aes128-cbc,3des-cbc to /etc/sshd_config for faster transfer.
The sftp client I like best is Filezilla.
Caveat Emptor :
-assuming you have an IP address that is accessible by the outside world, some ISP do not give out outside-accessible IP address.
-assuming your ISP does not suffer from extreme paranoia, he/she allows "port 22 TCP" traffic through their network.
-assuming your firewall allows TCP port 22 and port forwards to the computer running the ssh server.
After you establish a ssh or sftp connection into the Windows box,
changing directory is rather painful, for example, to change to "my documents", type
cd "/cygdrive/c/documents and settings/$USERNAME/my documents"
Similarly, to change directory to d: drive
cd /cygdrive/d
To reduce pain, use a graphical sftp client such as Filezilla.
Where can you find a ssh or sftp client ?
(1) Putty is the best ssh client for Windows, it also has psftp.exe which is a console mode sftp client.
(2) Commercial software vendors such as VanDyke Software.
(3) Filezilla, a free, GNU (GPL) licensed sftp client.
If you prefer to use a graphical client to do sftp file transfers,
purchase a high quality commercial software called SecureFX
from VanDyke Software in Albuquerque, New Mexico, USA
or use Filezilla, a free, GNU (GPL) licensed sftp client,
or use WinSCP, a free, GNU (GPL) licensed sftp and scp client.
Also, ftp.ssh.com in their /pub/ssh directory, there is a Windows version of ssh and sftp client for non-commercial use,
thanks to Stephan of Rutgers State University of New Jersey for the link.
Once you have a sshd working and you can ssh into the machine (from LAN or WAN), there are many things you can do with it.
For example, www.sysinternals.com (now absorbed by Microsoft http://technet.microsoft.com/en-us/sysinternals)
has many console mode utilities you can use.
Other very, very useful things you can do with ssh is to tunnel tcp applications under the
ssh protocol, giving them a strong cryptographic protection while traveling over the insecure public network. openSSH [which uses openSSL] has strong encryption capability.
The encryption used by openSSH can be either AES-128, AES-192, AES-256, 3DES, Blowfish, cast-128, arcfour (RC4)
The default encryption algorithm (cipher) is AES-128-CBC.
You can force a particular encryption algorithm preference (cipher) by adding a line such as
Ciphers blowfish-cbc,aes128-cbc,3des-cbc to /etc/sshd_config (Blowfish runs faster than AES-128)
Below are some popular plain-text, pure TCP protocols that are unfortunately still in common use today.
Fortunately these protocols can benefit from the protection of a ssh tunnel:
POP3 (tcp port 110)
IMAP (tcp port 143)
SMTP (tcp port 25)
TELNET (tcp port 21)
VNC (tcp port 5900)
Print server traffic (typically tcp port 9100)
Windows Share, or Samba Share, SMB protocol (tcp port 445)
Note:
The world is moving away (rather slowly) from plain text protocols by hardening them with TLS or SSL:
newer versions of POP3 servers have TLS support at port 110; and SSL support at port 995
newer versions of IMAP servers have TLS support at port 143; and SSL support at port 993
newer versions of SMTP servers have TLS support at port 25
A version of "smtps" uses port 465 with SSL support, now it becomes legacy (depreciated).
SMTP can also use port 587 in plain text or TLS.
newer versions of telnet servers have SSL support at port 992
See this page on how to tunnel VNC traffic under ssh.
See this page on how to tunnel TCP applications under ssh.
See this page on how to set up a dedicated PPTP VPN server at your home office or main office.
See this page on how to tunnel SMB traffic under ssh.
Sometimes, there are applications such as midnight back-up of files to a data centre Linux server using "rsync encrypted with ssh",
you want to be able to ssh from one machine to another machine (without a person sitting at a console to type the password).
See this page on how to ssh from one machine into another machine without typing a password, i.e,
how to use public key authentication.
Once you can ssh from one machine to another machine without typing a password, your task of doing rsync over ssh
is practically 90% done. Furthermore, creating a batch file and invoke the batch file using Control Panel's "Schedule Tasks" (Task Scheduler)
will do "secure backup" automatically to a remote server. In Linux world, add a cron job to invoke "rsync -e ssh"
How to install a ssh client (called ssh)
Click here for a tutorial on how to setup a ssh client on Windows 2000 or Windows XP
How to install a smtp server [exim] on a Windows machine
Click here for a tutorial on how to setup exim, a mail transfer agent
on Windows 2000 or Windows XP as a learning exercise.
Note 25: if you run ssh-host-config when sshd is installed, ssh-host-config will not ask for the CYGWIN value.
In that case, stop and remove the sshd service, then run the ssh-host-config script again, see below.
cygrunsrv --stop sshd
cygrunsrv --remove sshd
ssh-host-config
cygrunsrv --start sshd
Go to Control Panel, Classic View, Administrative Tools, Computer Management,
or click Start...Run...compmgmt.msc
delete the sshd user account.
Thanks to Dave Abrahams of Boost Consulting for the sshd user account deletion hint.
Reference: http://cygwin.com/cygwin-ug-net/
-------------------------------------------------------------------
Installing the Cygwin SSH daemon
How to setup the secure shell daemon on a Windows 2003 server
Note : This set of instructions has worked for me at our institution. You should read /usr/share/doc/Cygwin/openssh.README after installing cygwin and check the cygwin mailing list if you encounter problems.Installing and Testing cygwin
- Create the destination folder (C:\cygwin or D:\cygwin as appropriate). Default permissions will be for administrators and SYSTEM only. Add SERVER\Users with modify control to the list. These permissions will be inherited to the rest of the folder as it is populated.
- Create a directory to locally store the cygwin packages e.g. C:\temp\cygwinarchive. Open a browser window to the following URL http://www.cygwin.com/setup.exe and save the installation file setup.exe to the archive directory just created (C:\temp\cygwinarchive in this example)
- Double click on the downloaded cygwin setup program. The current version is
2.510.2.2 (February 3rd, 2006). Click 'Next' and answer the prompts :
- Leave default "install from internet"
- Install to root directory c:\cygwin
- leave default "install for all users"
- leave default text file type "unix / binary"
- Set local package directory to c:\temp\cygwinarchive (the directory created in the previous step). This should be the default.
- Leave the default "direct connection"
- Select a mirror (any of the ones with starting with http://mirror in the name). The package list will be downloaded.
- The 'Select Packages' window can be stretched. Click on the plus
sign to expand the categories. Install at least the following list of
packages.
- From Admin, select all packages.
- From Archive, select unzip and zip packages.
- From Base, leave the default, select all packages.
- From Doc, leave the default, man and 'cygwin doc' packages.
- From Editors, select vim package.
- From Net, select openssh (openssl will get checked automatically), rsync and tcp_wrappers packages.
- When you've selected these packages, click 'Next'. The installation tells you which packages it is installing as it progresses.
- Uncheck 'Create desktop icon'. Leave default 'Add to start menu'. Click 'Finish'.
- A post install script runs a few final commands. Then you should see a message saying 'Installation complete'. Click 'OK'.
- Edit C:\cygwin\cygwin.bat. Make sure it contains these lines - you
will need to add the line setting the CYGWIN environment variable.
@echo off set CYGWIN=binmode tty ntsec C: chdir \cygwin\bin bash --login -i
- Test cygwin to make sure it works. Start, Programs, Cygnus
Solutions, Cygwin Bash Shell - should get a command window with a
prompt saying 'Administrator@servername'. This is a bash shell and
you can use unix or DOS / NT type commands e.g.
- 'ls /bin' to see the cygwin bin directory
- 'dir c:' to see the contents of the C: directory
- If you get a message saying 'cannot create /home/userid', run this command from the cygwin window "mkpasswd -l >/etc/passwd".
- While you're in the cygwin shell window, run this command to change
the mount prefix from "/cygdrive" to "/". You should logout and back in
again after running this command in order to reset your PATH environment
variable properly.
mount -s --change-cygdrive-prefix /
- Also, create a home directory where you can place user startup files.
The default location is the "Documents and Settings" folder. Creating a
/home directory and using the -p switch to assign the home directory
when adding a new user keeps all the cygwin files under the c:\cygwin
directory.
mkdir -p /home
Installing the SSH daemon service
- From a cygwin prompt (Start, All Programs, Cygwin ?), run ssh-host-config
to create the service, set up the ssh host keys and create the sshd_config
file in /etc/. Note that 2 local users are created, one called sshd to handle
privilege separation and one that is required on Windows 2003 called
sshd_server that runs the service in order to use public key authentication.
You should see output like this:
$ ssh-host-config Generating /etc/ssh_host_key Generating /etc/ssh_host_rsa_key Generating /etc/ssh_host_dsa_key Overwrite existing /etc/ssh_config file? (yes/no) yes Generating /etc/ssh_config file Overwrite existing /etc/sshd_config file? (yes/no) yes Privilege separation is set to yes by default since OpenSSH 3.3. However, this requires a non-privileged account called 'sshd'. For more info on privilege separation read /usr/share/doc/openssh/README.privsep. Should privilege separation be used? (yes/no) yes Warning: The following function requires administrator privileges! Should this script create a local user 'sshd' on this machine? (yes/no) yes Generating /etc/sshd_config file Added ssh to C:\WINDOWS\system32\drivers\etc\services Warning: The following functions require administrator privileges! Do you want to install sshd as service? (Say "no" if it's already installed as service) (yes/no) yes You appear to be running Windows 2003 Server or later. On 2003 and later systems, it's not possible to use the LocalSystem account if sshd should allow passwordless logon (e. g. public key authentication). If you want to enable that functionality, it's required to create a new account 'sshd_server' with special privileges, which is then used to run the sshd service under. Should this script create a new local account 'sshd_server' which has the required privileges? (yes/no) yes Please enter a password for new user 'sshd_server'. Please be sure that this password matches the password rules given on your system. Entering no password will exit the configuration. PASSWORD=xxxxxxx User 'sshd_server' has been created with password 'xxxxxxxx'. If you change the password, please keep in mind to change the password for the sshd service, too. Also keep in mind that the user sshd_server needs read permissions on all users' .ssh/authorized_keys file to allow public key authentication for these users!. (Re-)running ssh-user-config for each user will set the required permissions correctly. Which value should the environment variable CYGWIN have when sshd starts? It's recommended to set at least "ntsec" to be able to change user context without password. Default is "ntsec". CYGWIN=binmode ntsec tty The service has been installed under sshd_server account. To start the service, call net start sshd' or cygrunsrv -S sshd'. Host configuration finished. Have fun!
- You can start the service from the services MMC panel, or using either of the commands listed above ("net start sshd" or "cygrunsrv -S sshd").
Generating public/private SSH keys for a user
- If you need to generate ssh public and private keys for a user on this
machine who will be uploading data or logging in to a remote machine, you
will need to carry out this step. Sign on as the user who needs the keys
created. They will automatically be in their home directory. Run
ssh-user-config to setup the ssh keys. Create only an SSH2 RSA identity
(use a null passphrase - just press return). Output should be similar to this :
cygwinadmin@HICKORY ~ $ ssh-user-config Shall I create an SSH1 RSA identity file for you? (yes/no) no Shall I create an SSH2 RSA identity file for you? (yes/no) (yes/no) yes Generating /home/pswander/.ssh/id_rsa Enter passphrase (empty for no passphrase):Press ENTER Enter same passphrase again:Press ENTER Do you want to use this identity to login to this machine? (yes/no) yes Shall I create an SSH2 DSA identity file for you? (yes/no) (yes/no) no Configuration finished. Have fun!
- Update the file /home/userid/.ssh/authorized_keys with any public keys from other users who you wish to be able to connect to this user's account. Refer to this document for more information. Make sure each entry you add is all on one line.
- Make sure the service is running (state 4 = running)
$ sc query sshd SERVICE_NAME: sshd TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
- Test the service from the cygwin prompt using "ssh -v localhost".
You will get challenged with the new host key and will have to enter
your password as you connect.
You should see output like this:
The authenticity of host 'localhost (127.0.0.1)' can't be established. RSA key fingerprint is 75:8a:67:20:0d:75:dd:06:64:04:d0:ac:23:c7:74:ba. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'localhost' (RSA) to the list of known hosts. The last line is: You are successfully logged in to this server!!!
- Test the service from a remote host. You can now update the authorized_keys file with the public key file from the user and host you want to connect from. Then test your connection from that host by issuing the command "ssh userid@servername dir c:\"
Adding and removing users from the passwd file
- You can add domain or local users using the mkpasswd command. Test what
would be added for a domain user with this command:
mkpasswd -d domain_name -u joeuser
- You can add an ads domain user to the passwd file and give him a home
directory in /home with this command:
mkpasswd -d ads -p /home -u kscully >>/etc/passwd
- You can add local users using the -l switch instead of the -d switch. Be careful not to use the -d domain_name switch without specifying a user or you will get entries for ALL doamin users in the passwd file.
- Users can be removed and both users and groups can be updated by starting a cygwin shell and using vi to edit the /etc/passwd and /etc/group files.
Restricting SSH access to specific servers
Working on a netsh script to restrict access to specific servers.cygrunsrv --install sshd --path '/usr/sbin/sshd' --env 'PATH=/bin;/sbin' --env 'CYGWIN=ntsec tty' -a -D
Switching the user who runs the service
In a normal installation, the ssh-host-config script creates a local user called sshd_server under whose credentials the ssh daemon runs. This is fine for local shell access to the server and secure file transfers to and from the server, but it is not possible to access any network resources while the service is running under the local user account.The solution is to run the service under a domain user account - one that has access to the shares or servers remote from the server running sshd. In order to switch the service to run under a different user, these steps must be carried out :
- Open "Computer Management", open the Services tab, right click on the "Cygwin sshd" service and stop the service.
- Right click on the "Cygwin sshd" service again and select properties. Under the 'Log On' tab, switch the name of the account the service is running from ".\sshd_server" to domain\userid, where domain and userid correspond to a userid with access to the resources you require in the domain. You will be prompted for this user's password.
- Open Control Panel -> Administratice Tools -> Local Security Settings
-> Local Policies. Then click on 'User Rights Assignment'. Make sure the
domain user you specified in step one is in the list for these 4 rights :
- Adjust memory quotas for a process
- Create a token object
- Log on as a service (already granted if you completed step 1)
- Replace a process level token
- Add the domain user to the local password file
mkpasswd -d domain -u userid >> /etc/passwd
- Change to ownership of the files required by the sshd service owner.
Open a cygwin bash session and run these commands for your userid
$ chown userid /var/log/sshd.log $ chown -R userid /var/empty $ chown userid /etc/ssh*
- In the services tab again, right click on the 'Cygwin sshd' service and select 'start'. Check the event log for a successful start, or for errors in case the service does not start successfully.