OpenSSH for Windows


8/17/2010
Eric Low


Setting up OpenSSH Server on Windows

First, download the Windows version (binary installer) here. This will put a minimal Cygwin installation in place and generate the server host keys. It will also install the "OpenSSH Server" service, but not start it. The service will be set to run under the Local System account, because this account is able to become any user. Therefore, do not change that!

Create a local Windows group. I named mine ssh-users. After this is done, open a cmd prompt and navigate to the OpenSSH\bin directory. From here, run the following command to create a group file (local groups):

mkgroup -l >> ..\etc\group

This will basically add every local Windows group that already exists on the computer to the group file. I did not want every group in there, however. So, I manually edited the group file and deleted every group except ssh-users.

Then, add any users that need to use the system to the passwd file with the following command:

mkpasswd -l -u username >> ..\etc\passwd

username must be a user that already exists on the system, otherwise it will tell you that the user name could not be found.

I then edited the passwd file and changed the user's starting directory. If you do not do this, when the user logs on through SSH, they will be able to get to whatever drive/dir they want to. However, when they connect with SCP or SFTP, they will start in their home directory (which may say /home/username in the passwd file, but most likely maps to C:\Documents and Settings\username, depending on what version of Windows). When they try to navigate to root, they actually find themselves jailed in the base OpenSSH directory.

So, the 6th field on the line in that passwd file for a particular user specifies their start directory. I changed this to /cygdrive/c. Now, when they logged on through SCP, they would start in the /cygdrive/c directory. If they went up a directory, they could select any drive letter from there. If they went up another directory, they would find themselves in the base OpenSSH directory. I thought this looked sloppy, however. Everyone would just wonder what this cygdrive crap is (either that or nobody would care, haha)!

So, I opened regedit and navigated to HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\.

I added a REG_DWORD called "Cygdrive flags" and set its value to 2A. I then added a REG_SZ string value called "Cygdrive prefix" and set its value to the new prefix. If you set it to "/", your C drive will be accessible at /c. *** This never worked for me. It appears that newer versions of Cygwin may simply use the etc/fstab file!! ***


For Windows 7 64-bit:

OpenSSH for Windows does NOT work on 64-bit Windows! There is a variation of OpenSSH, called CopSSH, that does, and this is what I used.

First, I installed the current cygwin (which involves simply downloading the setup.exe from www.cygwin.com and then running it). I installed the base plus net->openssl (which automatically added the OpenSSL runtime environment for me).

I then installed CopSSH and had it create the user with which to run the service. After installation, I noticed that the service was already started and listening on port 22! In order to handle running CMD and SCP at the same time, and to avoid having to write a bash script for the purpose, I grabbed the switch program from OpenSSH for Windows and entered that as the user's default shell. (CopSSH comes with programs to activate or deactivate a user, which take care of all the rights and generate keys if you want them. They will also let you type in the shell that the user starts with, which is then, of course, stored in the passwd file.)

According to this post, recent versions of OpenSSH (CopSSH) on Windows no longer treat the AuthorizedKeysFile line in sshd_config as relative to the user's home directory. Therefore, if you wish to use keypairs for authentication, you must change the line "AuthorizedKeysFile .ssh/authorized_keys" to "AuthorizedKeysFile %h/.ssh/authorized_keys". The %h variable points to the user's home directory, which is the 6th field for a user in the passwd file.

If you use "AuthorizedKeysFile %u/.ssh/authorized_keys", it will use //username/.ssh/authorized_keys. Therefore, if I wanted to change the user's home directory in the passwd file (which is also the directory in which the user starts their session), and I still needed OpenSSH to check the proper location for the user's authorized_keys file, I would use the following line in sshd_config:

AuthorizedKeysFile /home/%u/.ssh/authorized_keys

Then, I would define where /home is, according to Cygwin, in the registry:

Under HKLM/SOFTWARE/Cygnus Solutions/Cygwin/mounts v2/home

... the string native would read ...

C:\Program Files (x86)\OpenSSH\home
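To make the two passwd-file points above concrete (the 6th field is the start directory you edit after mkpasswd, and %h follows that field while %u only substitutes the user name), here is an added example in POSIX shell/awk. It is not part of the original post or of CopSSH; it works on a copy of etc/passwd that you pass in, and the sample lines it builds in demo are constructed, not real accounts.

```shell
#!/bin/sh
# Helpers for the etc/passwd home-directory field and the AuthorizedKeysFile tokens.
# Added example; the sample passwd lines built in demo() are constructed, not real accounts.

# passwd_home: print the 6th (home directory) field for one user; fails if the user is absent
passwd_home() {  # $1 = passwd file, $2 = user name
    awk -F: -v u="$2" '$1 == u { print $6; found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# set_passwd_home: rewrite the 6th field for one user in place, leaving every other line as-is
set_passwd_home() {  # $1 = passwd file, $2 = user name, $3 = new home, e.g. /cygdrive/c
    awk -F: -v OFS=: -v u="$2" -v h="$3" '$1 == u { $6 = h } { print }' "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# authorized_keys_path: expand %h (home from passwd) and %u (user name) in an
# AuthorizedKeysFile value, the way sshd does, to see which file will be consulted.
# (awk's gsub treats & specially in the replacement; home paths here contain none.)
authorized_keys_path() {  # $1 = passwd file, $2 = user name, $3 = AuthorizedKeysFile value
    home=$(passwd_home "$1" "$2") || return 1
    awk -v h="$home" -v u="$2" -v p="$3" 'BEGIN { gsub(/%h/, h, p); gsub(/%u/, u, p); print p }'
}

# demo: build a constructed passwd file in Cygwin mkpasswd layout
# (user:unused:uid:gid:gecos:home:shell) and walk through the steps from the post
demo() {
    f=$(mktemp)
    printf '%s\n' \
        'SvcCOPSSH:unused:1005:513:sshd service account:/home/SvcCOPSSH:/bin/bash' \
        'alice:unused:1006:513:Alice,U-HOST\alice,S-1-5-21-1111111111-2222222222-3333333333-1006:/home/alice:/bin/switch' \
        > "$f"
    echo "before: alice starts in $(passwd_home "$f" alice)"
    set_passwd_home "$f" alice /cygdrive/c
    echo "after:  alice starts in $(passwd_home "$f" alice)"
    echo "%h pattern -> $(authorized_keys_path "$f" alice '%h/.ssh/authorized_keys')"
    echo "%u pattern -> $(authorized_keys_path "$f" alice '/home/%u/.ssh/authorized_keys')"
    rm -f "$f"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see that after the home field is moved to /cygdrive/c, the %h form resolves to /cygdrive/c/.ssh/authorized_keys while the /home/%u form still points at /home/alice/.ssh/authorized_keys, which is exactly why the post pairs a changed start directory with the %u directive.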

Now, if you want to import a public key generated by PuTTY, you need to do a little conversion in order to get it into the correct format for OpenSSH's authorized_keys file. With the pubkeyfile in the user's .ssh directory, type the following command:

..\..\..\bin\ssh-keygen -i -f pubkeyfile >> authorized_keys
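What ssh-keygen -i actually does here is turn the multi-line RFC 4716 "SSH2 PUBLIC KEY" block that PuTTYgen saves into the one-line "type base64-blob comment" form that authorized_keys expects. The following added shell/awk function reproduces that conversion so you can see the format difference (and sanity-check a converted key) without ssh-keygen; it is not part of the post or of OpenSSH, and the key material in the usage line is a constructed stub, not a real key. The key type is read from the start of the blob (the blob begins with the length-prefixed type string, so an RSA blob always starts with AAAAB3NzaC1yc2E and a DSA blob with AAAAB3NzaC1kc3M); anything else is rejected rather than guessed.

```shell
#!/bin/sh
# rfc4716_to_openssh: convert an RFC 4716 public key file (what PuTTYgen writes)
# into a single OpenSSH authorized_keys line. Added example, not ssh-keygen itself.
rfc4716_to_openssh() {  # $1 = RFC 4716 public key file; prints the one-line key
    awk -v default_comment="imported-key" '
        /^---- BEGIN SSH2 PUBLIC KEY ----/ { inkey = 1; next }
        /^---- END SSH2 PUBLIC KEY ----/   { inkey = 0; next }
        !inkey                              { next }          # ignore anything outside the block
        cont                                { if ($0 !~ /\\$/) cont = 0; next }  # header continuation
        /^[A-Za-z0-9-]+:/ {                                   # header line (Comment:, Subject:, ...)
            if ($0 ~ /^Comment:/) {
                comment = $0
                sub(/^Comment:[ \t]*/, "", comment)
                gsub(/"/, "", comment)                       # PuTTY quotes the comment
            }
            if ($0 ~ /\\$/) cont = 1                          # trailing backslash: header continues
            next
        }
        { body = body $0 }                                    # base64 lines, joined without spaces
        END {
            if (body == "") { print "no key body found" > "/dev/stderr"; exit 1 }
            # the blob starts with a 4-byte length and the type string; match its base64 form
            if (index(body, "AAAAB3NzaC1yc2E") == 1)      type = "ssh-rsa"
            else if (index(body, "AAAAB3NzaC1kc3M") == 1) type = "ssh-dss"
            else { print "unrecognised key type in blob" > "/dev/stderr"; exit 1 }
            if (comment == "") comment = default_comment
            print type " " body " " comment
        }
    ' "$1"
}

# Usage (constructed stub, not a real key): writes an RFC 4716 block to a temp file and converts it
if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----' 'Comment: "rsa-key-20100817"' \
        'AAAAB3NzaC1yc2EAAAADAQABAAAAgQC' 'STUBSTUBSTUB' '---- END SSH2 PUBLIC KEY ----' > "$tmp"
    rfc4716_to_openssh "$tmp"
    rm -f "$tmp"
fi
```

A line produced this way has exactly three space-separated fields; if the output has more (a comment containing spaces is the usual cause) or the type is rejected, fix the source file before appending it to authorized_keys, since sshd silently ignores lines it cannot parse.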


ChrootDirectory

Now, I wanted the user to only see the drives (c:\, d:\, e:\) when they logged on through sftp. I did not want them seeing all the stuff in the OpenSSH directory, nor did I want them to have to be in the \cygdrive virtual directory to see the drive letters.

CopSSH/OpenSSH has a ChrootDirectory directive that is similar to chroot in that it changes the user's root directory to a different directory. To use this, you must first change the SvcCOPSSH account to be UID 0. Edit etc/passwd and change that third field to zero. That will make Cygwin think that account is root.

Next, I created a directory called drives under the OpenSSH directory. From what I can tell, you cannot change the actual mapping of the root directory. It must stay as the OpenSSH base directory! Next, I edited /etc/fstab and added the following mappings:

C:/ /drives/c ntfs override,binary,noacl 0 0
D:/ /drives/d ntfs override,binary,noacl 0 0
E:/ /drives/e ntfs override,binary,noacl 0 0

When I tried logging the user in through sftp, before messing with any ChrootDirectory crap, the drive letters appeared mapped under that directory. However, when I added the line ChrootDirectory /drives to the etc/sshd_config file, it would chroot just fine, but those directories would not appear!

To make this work correctly, here's what I did.

- I created a directory named drives under the OpenSSH directory.
- in etc/passwd, I set the user's home directory as the root directory, /
- in sshd_config, I specified the following:
ChrootDirectory /drives
Subsystem sftp internal-sftp
- Finally, in etc/fstab, I put entries for the mounts. The catch is, I put in two different entries for each mount:
C: /drives/c ntfs override,binary,noacl 0 0
D: /drives/d ntfs override,binary,noacl 0 0
E: /drives/e ntfs override,binary,noacl 0 0

C: /c ntfs binary 0 0
D: /d ntfs binary 0 0
E: /e ntfs binary 0 0

The caveat with this, unfortunately, is that SSH will no longer work. This is most likely because you need copies of certain directories/files under the jail (such as /bin/sh.exe, etc.) I did not bother to troubleshoot this, however.
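The reason the first attempt showed an empty jail, and the double fstab entries fix it, is easier to see if you compute what a chrooted user can reach: once the root is /drives, a mount at /drives/c is seen as /c, and a mount at /c lies outside the jail and is invisible. The following added shell/awk checks do that computation over an fstab file and also verify the two sshd_config directives and the UID 0 prerequisite from this section. They are an added example, not CopSSH tooling; they take the file paths as arguments so you can run them against copies, and the fstab/sshd_config/passwd lines in the usage are constructed.

```shell
#!/bin/sh
# Added checks for the ChrootDirectory + fstab setup; not part of CopSSH or the original post.

# fstab_in_jail: for every fstab mount print "native mountpoint jailed_view", where jailed_view
# is the path as seen by a user whose root is $2, or "hidden" when the mount point is outside it.
fstab_in_jail() {  # $1 = fstab file, $2 = ChrootDirectory, e.g. /drives
    awk -v root="$2" '
        /^[ \t]*#/ { next }                                   # comment lines
        NF == 0    { next }                                   # blank lines
        {
            native = $1; mp = $2
            if (mp == root)                    view = "/"
            else if (index(mp, root "/") == 1) view = substr(mp, length(root) + 1)
            else                               view = "hidden"
            print native, mp, view
        }
    ' "$1"
}

# sshd_chroot_ok: succeed only when sshd_config carries both directives the jailed SFTP setup
# needs: "ChrootDirectory $2" and "Subsystem sftp internal-sftp" (internal-sftp runs inside sshd,
# so no sftp-server binary has to exist inside the jail).
sshd_chroot_ok() {  # $1 = sshd_config, $2 = expected ChrootDirectory
    awk -v root="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "chrootdirectory" && $2 == root                        { chroot = 1 }
        tolower($1) == "subsystem" && $2 == "sftp" && $3 == "internal-sftp"  { sftp = 1 }
        END { exit (chroot && sftp) ? 0 : 1 }
    ' "$1"
}

# service_is_root: succeed when account $2 has UID 0 (third field) in passwd file $1,
# the prerequisite the post gives for ChrootDirectory to work on this build.
service_is_root() {  # $1 = passwd file, $2 = service account name
    awk -F: -v u="$2" '$1 == u && $3 == "0" { ok = 1 } END { exit ok ? 0 : 1 }' "$1"
}

# Usage with constructed files: shows the first (broken) fstab and the fixed one side by side
if [ "${1-}" = "--demo" ]; then
    fs=$(mktemp)
    printf '%s\n' 'C: /c ntfs binary 0 0' 'D: /d ntfs binary 0 0' > "$fs"
    echo "== only /c,/d mounts (what the first attempt amounted to inside the jail) =="
    fstab_in_jail "$fs" /drives
    printf '%s\n' 'C: /drives/c ntfs override,binary,noacl 0 0' 'D: /drives/d ntfs override,binary,noacl 0 0' >> "$fs"
    echo "== with the /drives/* mounts added =="
    fstab_in_jail "$fs" /drives
    rm -f "$fs"
fi
```

Run with `--demo`: the first listing reports every mount as hidden, the second shows /drives/c and /drives/d appearing as /c and /d inside the jail, which is the view the author wanted SFTP users to get.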


To hide the SvcCOPSSH account name from the login screen, add this to the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"SvcCOPSSH"=dword:00000000

Note that you may need to create the "SpecialAccounts" and "UserList" keys in order to stick the dword value underneath them.


Authorized keys problem with CopSSH: http://www.itefix.no/i2/node/12277