OpenSSH for Windows 2003 Server

Installing OpenSSH for Windows 2003 Server - How to get it working

In order to get host based authentication with OpenSSH to work under Windows 2003 server it is necessary to run the server with privilege separation instead of as the system account.

  • Either download and install OpenSSH for Windows, which quite an old version now, or follow my instructions to compile your own.
    I'm assuming you installed the package in C:\Program Files\OpenSSH
  • Change the OpenSSH\etc\sshd_config file:
    UsePrivilegeSeparation yes

  • Create an empty folder in C:\Program Files\OpenSSH\var\empty which will be the OpenSSH server user's home directory.
  • Create the server users account:
    net user sshd password /add /fullname:"sshd daemon" /homedir:"C:\Program Files\OpenSSH\var\empty"
    Check that the account's password will not expire in your usual user management GUI.

  • Add the server users account (sshd) to the Administrators group.
    net localgroup Administrators sshd /add

  • Assign the server users account (sshd) the appropriate rights:
    ntrights +r SeAssignPrimaryTokenPrivilege -u sshd
    ntrights +r SeCreateTokenPrivilege -u sshd
    ntrights +r SeDenyInteractiveLogonRight -u sshd
    ntrights +r SeDenyNetworkLogonRight -u sshd
    ntrights +r SeDenyRemoteInteractiveLogonRight -u sshd
    ntrights +r SeIncreaseQuotaPrivilege -u sshd
    ntrights +r SeServiceLogonRight -u sshd

  • Give the server users account (sshd) Read, Read & Execute and List Folder Contents permissions to the OpenSSH folder and subtree.

  • Give the server users account (sshd) ownership and full control of the OpenSSH/var folder and subtree.

  • Now set up the group and passwed files. I've only used local accounts but domain accounts and groups can be used using the -d flag and appending these onto the local files.
    cd C:\Program Files\OpenSSH\bin
    mkgroup -l > ..\etc\group
    mkpasswd -l > ..\etc\passwd

  • If you're not using the full Cygwin install you probably won't have bash so you will need to change the shells in the passwd file to use /cygdrive/c/Windows/system32/cmd.exe, alternatively if you are going to need scp you will probably want to compile switch.exe and use that.
  • Open the Services control panel and change the Log On tab on the OpenSSH service to use the server account.

  • Start/Restart the OpenSSH service.

  • What to do if service doesn't start

Additionally, you'd probably want to change OpenSSH\etc\banner.txt to reflect your own sites policies.

To enable host based authentication:

  • Change the OpenSSH\etc\sshd_config file:
    HostBasedAuthentication yes
    IgnoreRhosts no

  • Copy public keys from any hosts you want to allow access:
    ssh-keyscan -t dsa host.domain > ..\etc\ssh_known_hosts

  • Create OpenSSH\etc\shosts.equiv with entries for any hosts you want to allow access:
    host.domain user

To enable public key authentication for Administrator:

  • Change the OpenSSH\etc\sshd_config file:
    RSAAuthentication yes
    PubkeyAuthentication yes
    PasswordAuthentication no

  • Create a directory OpenSSH in C:\Documents and Settings\Administrator
  • Move C:\Documents and Settings\Administrator\.ssh to the above OpenSSH directory
    • If the .ssh directory does not already exist, create one using the mkdir from a command prompt
  • Create an authorized_keys2 file in the .ssh directory containing the public key of the user you are logging in from.
  • Change ownership of the OpenSSH tree including .ssh and authorized_keys2 file to Administrator.
  • Remove all permissions from the above OpenSSH tree, except Administrator.
  • Add read and execute permissions to the above OpenSSH tree for the sshd user.
  • Change Administrator entry in OpenSSH\etc\passwd to be /home/Administrator/OpenSSH
  • Restart the OpenSSH service.

To enable public key authentication for users other than Administrator:

The basic principle is the same as for the Administrator account, here are some things to remember:

  • Make sure the user is in OpenSSH\etc\passwd. If not add them using mkpasswd -l >> ..\etc\passwd (replace the -l with a -d if the user is a domain users). You will probably need to remove any duplicate entries that mkpasswd will have put in.
  • You will also need to check the group entry in the passwd file for the user. The fields are separated by colons and the group entry is the fourth field. It should be set to something sensible from the OpenSSH\etc\groups file, probably Domain Users which, on my installation, is 513.
  • Make sure you've created an OpenSSH directory in the users profile directory. This should contain the .ssh directory and the authorized_keys2 file. The OpenSSH tree should be owned by the user and the sshd must have read and execute permissions - you probably want to give Administrator permission too just so you can change things!
  • Make sure the directory entry for the user in the OpenSSH\etc\passwd points at the OpenSSH directory instead of /home/user.
  • Make sure that the user has read/execute permissions to the OpenSSH\bin folder and the file OpenSSH\bin\switch.exe. You can do this with the Authenticated Users group or some other suitable group.