OpenSSH for Windows 2003 Server
Installing OpenSSH for Windows 2003 Server - How to get it working
In order to get host-based authentication with OpenSSH to work under Windows 2003 Server, it is necessary to run the server with privilege separation under a dedicated service account instead of as the Local System account.
- Either download and install OpenSSH for Windows, which is quite an old version now, or follow my instructions to compile your own. I'm assuming you installed the package in C:\Program Files\OpenSSH.
- Change the OpenSSH\etc\sshd_config file:
- UsePrivilegeSeparation yes
- Create an empty folder in
C:\Program Files\OpenSSH\var\empty
which will be the OpenSSH server user's home directory.
- Create the server user's account (sshd):
net user sshd password /add /fullname:"sshd daemon" /homedir:"C:\Program Files\OpenSSH\var\empty"
Use a long random password rather than the placeholder shown, and check that the account's password will not expire in your usual user management GUI.
- Add the server user's account (sshd) to the Administrators group. Note that this makes sshd a fully privileged local account; the deny-logon rights assigned in the next step are what stop it being used for anything other than running the service, which is why its password matters.
net localgroup Administrators sshd /add
- Assign the server user's account (sshd) the following rights (ntrights.exe comes from the Windows Server 2003 Resource Kit Tools):
ntrights +r SeAssignPrimaryTokenPrivilege -u sshd
ntrights +r SeCreateTokenPrivilege -u sshd
ntrights +r SeDenyInteractiveLogonRight -u sshd
ntrights +r SeDenyNetworkLogonRight -u sshd
ntrights +r SeDenyRemoteInteractiveLogonRight -u sshd
ntrights +r SeIncreaseQuotaPrivilege -u sshd
ntrights +r SeServiceLogonRight -u sshd
- Give the server user's account (sshd) Read, Read & Execute and List Folder Contents permissions on the OpenSSH folder and its subtree.
- Give the server user's account (sshd) ownership and Full Control of the OpenSSH\var folder and its subtree.
- Now set up the group and passwd files. I've only used local accounts, but domain accounts and groups can be added by running mkgroup and mkpasswd with the -d flag instead of -l and appending that output to the local files.
cd C:\Program Files\OpenSSH\bin
mkgroup -l > ..\etc\group
mkpasswd -l > ..\etc\passwd
- If you're not using the full Cygwin install you probably won't have bash, so you will need to change the shell field in the passwd file to /cygdrive/c/Windows/system32/cmd.exe. Alternatively, if you are going to need scp, you will probably want to compile switch.exe and use that instead.
- Open the Services control panel and change the Log On tab of the OpenSSH service to use the server account (sshd).
- Start/Restart the OpenSSH service.
- What to do if service doesn't start
Additionally, you'd probably want to change OpenSSH\etc\banner.txt to reflect your own site's policies.
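The account, rights, permission and service steps above, collected into one script as an added example (this is not code from the original page or from the OpenSSH for Windows package). It assumes the install path in $Base, that ntrights.exe from the Resource Kit is on the PATH, that icacls.exe is present (it ships with Windows Server 2003 SP2) and that the package registered the service as OpenSSHd; that service name is a guess, so check it with Get-Service before running. Run it from an Administrator logon.

```powershell
# Added example: provision the sshd privsep service account on Windows Server 2003.
# Assumptions (not from the original page): $Base, ntrights.exe on the PATH,
# icacls.exe available (2003 SP2), service registered as 'OpenSSHd'.
$Base    = 'C:\Program Files\OpenSSH'
$Account = 'sshd'
$Service = 'OpenSSHd'   # assumption: confirm with  Get-Service *ssh*

# Empty home directory for the unprivileged privsep child.
New-Item -ItemType Directory -Path "$Base\var\empty" -Force | Out-Null

# Random 14-character alphanumeric password from the CSPRNG. The account is about
# to join Administrators, so the value matters; it is used once for the service
# logon below and then discarded. 14 characters avoids net.exe's "longer than
# 14 characters" confirmation prompt. Bytes >= 248 are rejected to avoid modulo bias.
$alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$chars = @()
while ($chars.Count -lt 14) {
    $b = New-Object byte[] 1
    $rng.GetBytes($b)
    if ($b[0] -lt 248) { $chars += $alphabet[$b[0] % $alphabet.Length] }
}
$pw = -join $chars

# Service account: home in the empty directory, non-expiring password, local admin.
net user $Account $pw /add "/fullname:sshd daemon" "/homedir:$Base\var\empty"
wmic useraccount where "name='$Account'" set PasswordExpires=FALSE
net localgroup Administrators $Account /add

# Privileges sshd needs to create and assign tokens, a service-logon right, and
# deny rights so nobody can log on with this account even with its password.
$rights = 'SeAssignPrimaryTokenPrivilege', 'SeCreateTokenPrivilege',
          'SeIncreaseQuotaPrivilege', 'SeServiceLogonRight',
          'SeDenyInteractiveLogonRight', 'SeDenyNetworkLogonRight',
          'SeDenyRemoteInteractiveLogonRight'
foreach ($r in $rights) { ntrights +r $r -u $Account }

# Read & Execute (with List Folder Contents via (OI)(CI) inheritance) on the whole
# install tree; ownership and Full Control on var only.
icacls $Base        /grant "${Account}:(OI)(CI)RX" /T | Out-Null
icacls "$Base\var"  /setowner $Account /T            | Out-Null
icacls "$Base\var"  /grant "${Account}:(OI)(CI)F"  /T | Out-Null

# Make the service log on as sshd and (re)start it. 'sc' is a PowerShell alias for
# Set-Content, so call sc.exe explicitly; sc's parser needs the space after 'obj='.
sc.exe config $Service obj= ".\$Account" password= $pw
Remove-Variable pw, chars
Restart-Service $Service
```

The password only ever lives in the $pw variable and the service's stored logon credential; if you prefer to type it, replace the generated value with `net user sshd * /add ...` and enter the same value at the sc.exe step.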
To enable host based authentication:
- Change the OpenSSH\etc\sshd_config file:
- HostBasedAuthentication yes
- IgnoreRhosts no (only needed if you also want per-user .shosts files; the shosts.equiv file below is consulted regardless of this setting)
- Copy the public host keys of any hosts you want to allow access from:
ssh-keyscan -t dsa host.domain > ..\etc\ssh_known_hosts
Note that > overwrites the file, so either list all the hosts on one ssh-keyscan command line or append further hosts with >>. ssh-keyscan fetches the key over the network without any authentication, so compare the fingerprint (ssh-keygen -l -f ..\etc\ssh_known_hosts) with one obtained on the client host itself before trusting it.
- Create OpenSSH\etc\shosts.equiv with entries for any hosts
you want to allow access:
host.domain user
To enable public key authentication for Administrator:
- Change the OpenSSH\etc\sshd_config file:
- RSAAuthentication yes (this applies to protocol 1 only; harmless if you only allow protocol 2)
- PubkeyAuthentication yes
- PasswordAuthentication no
- Create a directory OpenSSH in C:\Documents and Settings\Administrator
- Move C:\Documents and Settings\Administrator\.ssh into the OpenSSH directory you just created. If the .ssh directory does not already exist, create one with mkdir from a command prompt.
- Create an authorized_keys2 file in the .ssh directory containing the public key of the user you are logging in from.
- Change ownership of the OpenSSH tree, including the .ssh directory and the authorized_keys2 file, to Administrator.
- Remove all permissions on the OpenSSH tree except Administrator's.
- Add Read & Execute permissions on the OpenSSH tree for the sshd user.
- Change the home-directory field (the sixth field) of the Administrator entry in OpenSSH\etc\passwd to /home/Administrator/OpenSSH
- Restart the OpenSSH service.
To enable public key authentication for users other than Administrator:
The basic principle is the same as for the Administrator account; here are some things to remember:
- Make sure the user is in OpenSSH\etc\passwd. If not, add them with
mkpasswd -l >> ..\etc\passwd
(replace the -l with -d if the user is a domain user). You will probably need to remove the duplicate entries that mkpasswd will have put in; mkpasswd -l -u username appends just that one user and avoids the duplicates.
- You will also need to check the group entry in the passwd file for the user. The fields are separated by colons and the group ID is the fourth field. It should be set to something sensible from the OpenSSH\etc\group file, probably Domain Users, which on my installation is 513 (513 is the well-known RID for Domain Users).
- Make sure you've created an OpenSSH directory in the user's profile directory. This should contain the .ssh directory and the authorized_keys2 file. The OpenSSH tree should be owned by the user, and sshd must have read and execute permissions; you probably want to give Administrator permission too, just so you can change things!
- Make sure the home-directory entry for the user in OpenSSH\etc\passwd points at the OpenSSH directory instead of /home/user.
- Make sure that the user has read/execute permissions on the OpenSSH\bin folder and the file OpenSSH\bin\switch.exe. You can do this with the Authenticated Users group or some other suitable group.
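The passwd, group and permission checks described for Administrator and for other users (and the shell change mentioned in the installation steps) are easy to get subtly wrong, so here is an added example that checks one account's setup before you restart the service. This is not code from the original page; it assumes the install path in $Base, the profile root in $ProfileRoot, a service account named sshd, and that sshd's ACL entries appear as COMPUTERNAME\user (for domain users the owner and ACE names will be DOMAIN\user, so adjust $allowed). Pass the account name as the first argument.

```powershell
# Added example: sanity-check one account's public-key setup (passwd entry, group,
# .ssh tree and ACLs). Assumptions (not from the original page): $Base, $ProfileRoot,
# service account 'sshd', local accounts named as COMPUTERNAME\user.
param([string]$User = 'Administrator')

$Base        = 'C:\Program Files\OpenSSH'
$ProfileRoot = 'C:\Documents and Settings'
$Problems    = @()

# --- passwd entry: name:password:uid:gid:gecos:home:shell ---------------------
$entries = @(Get-Content "$Base\etc\passwd" | Where-Object { $_ -match "^$([regex]::Escape($User)):" })
if ($entries.Count -ne 1) {
    $Problems += "passwd: expected one entry for $User, found $($entries.Count) (duplicates from mkpasswd >> ?)"
} else {
    $f = $entries[0] -split ':'
    if ($f.Count -ne 7) {
        $Problems += "passwd: entry for $User has $($f.Count) fields, expected 7"
    } else {
        # gid (field 4) must exist as field 3 of some line in etc\group
        $gid = $f[3]
        $groupHit = Get-Content "$Base\etc\group" | Where-Object { ($_ -split ':')[2] -eq $gid }
        if (-not $groupHit) { $Problems += "passwd: gid $gid for $User is not in etc\group" }
        # home (field 6) must point at the profile's OpenSSH directory, not /home/user
        if ($f[5] -notlike '*/OpenSSH') { $Problems += "passwd: home '$($f[5])' does not point at the OpenSSH directory" }
        # shell (field 7): bash is not shipped with the package, so it needs cmd.exe or switch.exe
        if ($f[6] -like '*/bash' -and -not (Test-Path "$Base\bin\bash.exe")) {
            $Problems += "passwd: shell '$($f[6])' but no bash.exe in $Base\bin; use /cygdrive/c/Windows/system32/cmd.exe or switch.exe"
        }
    }
}

# --- profile\OpenSSH\.ssh\authorized_keys2 and who can touch it ----------------
$tree = Join-Path $ProfileRoot "$User\OpenSSH"
$keys = Join-Path $tree '.ssh\authorized_keys2'
if (-not (Test-Path $keys)) { $Problems += "missing $keys" }

# Only the user, the sshd account and Administrators should appear in the ACL; any
# other principal with write access to this tree could plant its own key.
$allowed = @("$env:COMPUTERNAME\$User", "$env:COMPUTERNAME\sshd", 'BUILTIN\Administrators')
foreach ($item in (@($tree, (Join-Path $tree '.ssh'), $keys) | Where-Object { Test-Path $_ })) {
    $acl = Get-Acl $item
    if ($acl.Owner -ne "$env:COMPUTERNAME\$User") {
        $Problems += "$item is owned by $($acl.Owner), not $User"
    }
    foreach ($ace in $acl.Access) {
        if ($allowed -notcontains $ace.IdentityReference.Value) {
            $Problems += "$item grants $($ace.FileSystemRights) to $($ace.IdentityReference.Value)"
        }
    }
}

if ($Problems.Count -eq 0) { "OK: $User looks ready for public-key logon" }
else { $Problems | ForEach-Object { "PROBLEM: $_" } }
```

Save it as a .ps1 file and run it with the account name (for example with Administrator, or with the user you are adding); it reports rather than fixes, so each PROBLEM line maps back to one of the steps above. It does not check the read/execute permission the user needs on OpenSSH\bin and switch.exe; that is granted to a group and is best verified with icacls on the bin folder.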