Monday, February 21, 2005

Cygwin Documentation for Installing OpenSSH on Windows 2003

Tested on Windows 2003.


If you have trouble, this is also a good resource:

http://www.cs.bham.ac.uk/~smp/projects/ssh-windows/


Cygwin Installation Instructions - Optimized for SSH

Purpose
Provide a method of secure file transport. This allows new files to be updated on the servers and backups between servers to take place securely.

Pre-Installation
See the SSH Installation document for account setup steps that must occur prior to installing Cygwin.

Installation
1) Launch the Setup program.

2) When the setup program starts, click "Next."

3) Select "Install from Local Directory" if you have already downloaded the install files. Otherwise select "Install from Internet." Click Next. See below.

4) Enter the desired root directory for Cygwin. This will be the '/' directory in the shell. Install Cygwin "For All Users," otherwise you will have problems with permissions. Pick a text file type (Unix is recommended).

5) Set the local package directory if you are installing from local directory. Otherwise select your download site.

6) On the next screen, make sure to have the Cygwin base files and OPENSSH packages installed. I recommend installing OPENSSL as well.

7) The program then installs the Cygwin packages. This may take a few minutes. When it reaches the next screen, select install Start Menu shortcuts. Click Next.

8) See Install SSH with PKA document for further instruction on setting up SSH services.

Setting up Secure Shell with Public Key Authentication Capability on Cygwin

Pre-Installation
Before installing Cygwin on the server, follow these steps as the administrator account:

1) Open the User/Group manager and create group "grsshd" and user "sshd".

2) Make "sshd" a member of group "grsshd".

3) Install Cygwin as detailed in the Install Cygwin For SSH document.

Installation
Do this after installing Cygwin. Log into the SSH server machine as the system administrator.

1) Execute the following commands from the Cygwin shell:

 $ ssh-host-config -y
 $ touch /var/log/sshd.log
 $ chown sshd:grsshd /var/empty /var/log/sshd.log /etc/ssh*

2) Open the Services Manager. Open the properties for the "Cygwin sshd" service. Navigate to the "Log On" tab. Set the service to log on as the local "sshd" account (entered as ".\sshd") and enter the password for the account. Press OK.

3) Open the Local Security Policy manager. Navigate to Local Policies -> User Rights Management. Change the following settings to include the account "sshd":

  • Act as part of operating system
  • Replace process level token
  • Adjust memory quotas for a process
  • Login as service

Close the Policy Manager.

4) Run "cygrunsrv -S sshd". If there are no errors, run "cygrunsrv -Q sshd" to see the status of the service. The SSHD service is now established. Proceed to the next section if you intend to use Public Key Authentication.

Establishing Public Key Authentication
These instructions assume you are logged into the client machine and are using OpenSSH (Cygwin) to connect to the SSH server. If you are using another client product, such as Putty, the commands will be slightly modified, but the process is the same. Modify commands as per the requirements of your software.

Cygwin has some limitations with regard to PKA. PKA on the server can only be set up for the account under which the SSHD daemon (service) runs. That means PKA logins will always land in the "sshd" account on the remote server. If you want access to your own account, you will have to run "ssh " and enter a password, assuming you have previously established your account on that server.

To establish PKA to the "sshd" account, perform the following steps:

1) Generate the DSA keys for SSH protocol 2 authentication. Open a Cygwin shell and execute "ssh-keygen -t dsa". Press Enter at every prompt to accept the default file name and an empty passphrase.

2) Generate the RSA keys for SSH protocol 2 authentication. Execute "ssh-keygen -t rsa". Again, press Enter at every prompt.

3) Run "ssh -l sshd ". Enter the password for the "sshd" account you set up while establishing the SSH process on the server. You should now have a prompt at the remote server under the account "sshd".

4) Run "ssh localhost" to generate a .ssh/known_hosts file. This creates the .ssh directory with the proper permissions if it does not yet exist. Enter the password for "sshd" again.

5) Type "exit" and "exit" again. You should have a prompt at your local machine under your normal user account.

6) Move to your own keys directory. Run "cd .ssh".

7) Prepare your public keys for transport to the server. Create a directory to hold your public keys with "mkdir pub". Copy your keys into this new folder with "cp *.pub pub". Adjust the ownership with command "chown -R sshd:grsshd pub".

8) Transfer the keys to the remote SSH server with "scp -r pub sshd@:~/.ssh". You will be prompted for a password. Enter the password for the "sshd" account on the remote server. Watch the status as the files transfer.

9) When done, initiate a shell to the remote server to prepare the keys for use. Run "ssh -l sshd " and enter the "sshd" password. You should now have a prompt indicating you are on the remote SSH server as the "sshd" account.

10) Navigate to your keys with "cd .ssh/pub".

11) Add your keys to the authorized keys file with "cat *.pub >> ../authorized_keys". sshd consults this file to authenticate you the next time you log in.

12) Leave the remote server. Type "exit". You should now be at your local machine as your normal account.

13) Test the public key authenticator. Run "ssh -l sshd ". You should receive no password prompt and should be immediately logged in as the "sshd" account on the remote SSH server.

14) Type "exit" to leave the server. Your account is now set up for automatic Public Key Authentication to the SSH server.
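Steps 7 through 11 append every *.pub with a plain cat, so running them a second time duplicates keys, and they leave the file modes to chance. The shell function below is an added example, not part of the original instructions: it does the step 11 append idempotently (comparing key type and blob, not the comment) and applies modes that sshd's StrictModes accepts. It assumes the public keys already sit in ~/.ssh/pub on the server (step 10) and that only the ssh-rsa and ssh-dss types generated in steps 1 and 2 are in use.

```shell
#!/bin/sh
# Added example (not from the original instructions): an idempotent version of
# step 11, "cat *.pub >> ../authorized_keys". Re-running it never duplicates a
# key, and it sets ~/.ssh to 700 and authorized_keys to 600, which satisfies the
# "not group/world writable" check sshd performs under StrictModes.
set -eu

# install_pub_keys <dir with *.pub files> <path to authorized_keys>
# Prints the number of keys added. Unknown key types are reported and skipped.
install_pub_keys() {
    pubdir=$1
    authfile=$2
    keydir=$(dirname "$authfile")
    mkdir -p "$keydir"
    chmod 700 "$keydir"
    touch "$authfile"
    chmod 600 "$authfile"
    added=0
    for f in "$pubdir"/*.pub; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            # An OpenSSH public key line is "<type> <base64 blob> [comment]".
            set -f; set -- $line; set +f
            ktype=${1:-}; kblob=${2:-}
            [ -n "$ktype" ] && [ -n "$kblob" ] || continue
            case "$ktype" in
                ssh-rsa|ssh-dss) ;;   # the types produced in steps 1 and 2
                *) echo "skipping $f: unknown key type '$ktype'" >&2; continue ;;
            esac
            # Compare type and blob only, so a changed comment is not a new key.
            if awk -v t="$ktype" -v b="$kblob" \
                   '$1 == t && $2 == b { found = 1 } END { exit !found }' "$authfile"; then
                continue
            fi
            printf '%s\n' "$line" >> "$authfile"
            added=$((added + 1))
        done < "$f"
    done
    echo "$added"
}

# On the server, as the "sshd" account, after step 10:
if [ "${1:-}" = "--run" ]; then
    install_pub_keys "$HOME/.ssh/pub" "$HOME/.ssh/authorized_keys"
fi
```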

OpenSSHD service / Windows XP startup / crashing / instability problem *and* solution

Dr. Daniel Schmidt
April 02, 2005
from SSH-L listservice (ssh@erdelynet.com)


Hi all,

I recently discovered something interesting and wanted to share it with the list, in the event that someone else will avoid frustrations similar to my own.

I installed OpenSSH for Windows 3.8.1p1 on an XP Pro (SP2) server machine I administer in our research group. Setup was easy and it ran quietly and effectively (once I told the Windows firewall to let it do so via port 22, of course), but I noticed that I had to log in and manually start the OpenSSH service every time the server rebooted (XP is set on autoupdate, so this does indeed happen from time to time). That was a bit annoying, so I enabled automatic startup via Administrative Tools --> Services.

Then, the fun began. After a reboot, I got a BSOD / immediate reboot two or three times in a row before it finally was able to get into Windows, and when it did so, I was getting all *kinds* of errors. Very, very ugly. I tested a bunch of different things related to what else was starting up, tried replacing the Windows firewall with ZoneAlarm, altered some of the other Services starting, but all to no avail - It would make it into Windows maybe half the time, and even when it did, it was not at all stable or behaving properly.

I noted recently that others have had problems with OpenSSHD for Windows with respect to the fact that, when the Service is set to start automatically, it apparently tries to do so before it "should", making the system as a whole very, very unhappy. I'd suspected something similar on our server, and from this article:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q193888

...modified the OpenSSHD Service's registry entry a bit. I noted that the TCP/IP service was already listed in the "DependOnService" list, so I figured it was probably some other network-related service, maybe the firewall or the antivirus package we're running (Symantec Antivirus Corporate Edition 9). What I decided to do, instead of trying to guess which of the hundred services I needed to have it depend on, was to look here, for the list of Service Groups (I suggest RegEdt32 so that the list doesn't look like total crap):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder

The Service Groups are listed here in the order Windows starts them. I noted that "Network Provider" was near the bottom of the list, and it certainly seemed reasonable that I would need to be finished starting before OpenSSHD tried to do anything, so I added "Network Provider" to my "DependOnGroup" entry, found here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OpenSSHD

...and it worked fine after that. When in doubt, I would say, just choose the absolute last thing on the Services Groups list and put that in OpenSSHD's "DependOnGroup" entry; this will ensure that it waits until everything else is done before it attempts to start.

Our server now survives rebooting with no problems, and OpenSSHD always starts as it should, with no user intervention (hooray!). To be fair, I'm not the first to try something like this - One can find mention of something like this in an obsolete readme file, here:

http://www.networksimplicity.com/openssh/source/readme.txt

See Troubleshooting (8). Things must've changed since then, however, as this file indicates that "The OpenSSHd service depends on the Computer Browser service so that it starts in the correct order," which is not what I found in my registry.

On my Win2K box at home, on the other hand, the aforementioned Service Group "Network Provider" does not exist; clearly I would have to do something different there than on the aforementioned XP Pro server. It's therefore quite difficult to decide on an appropriate and general dependency for this service, since it's clear that things change quite a bit between various versions of Windows (all to the benefit of the consumer, no doubt) - For the moment it looks like this fix has to be applied on a case by case basis. One further warning: the XP SP2 update renames / changes the default startup values for some services, so we can't assume that any two MS OS installs with the same name will be "the same" when it comes to such things.

Hope this helps,

Dr. Daniel Schmidt

SSHWindows installation resolution


-----Original Message-----
From: ssh-owner@erdelynet.com [mailto:ssh-owner@erdelynet.com] On Behalf Of Robert Jacobson
Sent: Wednesday, May 18, 2005 7:43 AM
To: ssh@erdelynet.com
Subject: Re: Automatic Start of opensshd service

At 4:59 PM +0200 5/18/05, M. Franco max-lists-at-ycom.ch |ssh_erdelynet| wrote:
>Hi,
>
>I also have this problem since a reboot after the installation of the
>OpenSSHd service.
>
>I noticed that if I manually start it after a reboot, the service works
>well, but not if it's started automatically.
>
>Note: I use the local system account for this service.
>
>Anybody got an idea about this ?

This is a now-classic problem with the sshwindows distribution from sourceforge. It is *broken*, and hasn't been updated in about 10 months now.

If you want a working openssh for windows, you will have to first UNINSTALL sshwindows. Make sure you remove the registry keys under HKLM and HKCU for "Software\Cygnus Solutions". (the uninstaller may do this already...)

Then install Cygwin (www.cygwin.com). During setup, install the packages:

 cygrunsrv
 openssh
 rebase

(in addition to the default packages)

After cygwin is installed, start cygwin and run the command:

 ssh-host-config -y

After that, things *should* work -- but maybe not. I've had several problems with permissions and such.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Robert Jacobson sohorob@pobox.com
BS, Aeronautical Engineering Univ. of Md., College Park
Flight Ops. Team - SOlar Heliospheric Observatory (SOHO)

Cleanup the Cygwin Registry on Removal

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Cygnus Solutions]

[-HKEY_CURRENT_USER\Software\Cygnus Solutions]

[-HKEY_USERS\.DEFAULT\Software\Cygnus Solutions]
