Installing and Testing cygwin

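This article provides a step-by-step guide to installing and testing Cygwin, including key steps such as creating the destination folder, downloading and installing the packages, and configuring the SSH service.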


http://ist.uwaterloo.ca/~kscully/CygwinSSHD_W2K3.html


Installing and Testing cygwin

  • Create the destination folder (C:\cygwin or D:\cygwin as appropriate). Default permissions will be for administrators and SYSTEM only. Add SERVER\Users with modify control to the list. These permissions will be inherited by the rest of the folder as it is populated.
  • Create a directory to locally store the cygwin packages, e.g. C:\temp\cygwinarchive. Open a browser window to the following URL http://www.cygwin.com/setup.exe and save the installation file setup.exe to the archive directory just created (C:\temp\cygwinarchive in this example).
  • Double click on the downloaded cygwin setup program. The current version is 2.510.2.2 (February 3rd, 2006). Click 'Next' and answer the prompts :
    • Leave default "install from internet"
    • Install to root directory c:\cygwin
    • leave default "install for all users"
    • leave default text file type "unix / binary"
    • Set local package directory to c:\temp\cygwinarchive (the directory created in the previous step). This should be the default.
    • Leave the default "direct connection"
    • Select a mirror (any of the ones starting with http://mirror in the name). The package list will be downloaded.
    • The 'Select Packages' window can be stretched. Click on the plus sign to expand the categories. Install at least the following list of packages.
      • From Admin, select all packages.
      • From Archive, select unzip and zip packages.
      • From Base, leave the default, select all packages.
      • From Doc, leave the default, man and 'cygwin doc' packages.
      • From Editors, select vim package.
      • From Net, select openssh (openssl will get checked automatically), rsync and tcp_wrappers packages.
    • When you've selected these packages, click 'Next'. The installation tells you which packages it is installing as it progresses.
    • Uncheck 'Create desktop icon'. Leave default 'Add to start menu'. Click 'Finish'.
    • A post install script runs a few final commands. Then you should see a message saying 'Installation complete'. Click 'OK'.
  • Edit C:\cygwin\cygwin.bat. Make sure it contains these lines - you will need to add the line setting the CYGWIN environment variable.
    @echo off
    set CYGWIN=binmode tty ntsec
    C:
    chdir \cygwin\bin
    
    bash --login -i
    
  • Test cygwin to make sure it works. Start, Programs, Cygnus Solutions, Cygwin Bash Shell - should get a command window with a prompt saying 'Administrator@servername'. This is a bash shell and you can use unix or DOS / NT type commands e.g.
    • 'ls /bin' to see the cygwin bin directory
    • 'dir c:' to see the contents of the C: directory
    Type "control d" or "logout" to exit the shell.
  • If you get a message saying 'cannot create /home/userid', run this command from the cygwin window "mkpasswd -l >/etc/passwd".
  • While you're in the cygwin shell window, run this command to change the mount prefix from "/cygdrive" to "/". You should log out and back in again after running this command in order to reset your PATH environment variable properly.
    mount -s --change-cygdrive-prefix /
    
  • Also, create a home directory where you can place user startup files. The default location is the "Documents and Settings" folder. Creating a /home directory and using the -p switch to assign the home directory when adding a new user keeps all the cygwin files under the c:\cygwin directory.
    mkdir -p /home
    

Installing the SSH daemon service

  • From a cygwin prompt (Start, All Programs, Cygwin ?), run ssh-host-config to create the service, set up the ssh host keys and create the sshd_config file in /etc/. Note that 2 local users are created, one called sshd to handle privilege separation and one that is required on Windows 2003 called sshd_server that runs the service in order to use public key authentication. You should see output like this:
    $ ssh-host-config
    Generating /etc/ssh_host_key
    Generating /etc/ssh_host_rsa_key
    Generating /etc/ssh_host_dsa_key
    Overwrite existing /etc/ssh_config file? (yes/no) yes
    Generating /etc/ssh_config file
    Overwrite existing /etc/sshd_config file? (yes/no) yes
    Privilege separation is set to yes by default since OpenSSH 3.3.
    However, this requires a non-privileged account called 'sshd'.
    For more info on privilege separation read
    /usr/share/doc/openssh/README.privsep.
    
    Should privilege separation be used? (yes/no) yes
    Warning: The following function requires administrator privileges!
    Should this script create a local user 'sshd' on this machine? (yes/no) yes
    Generating /etc/sshd_config file
    Added ssh to C:\WINDOWS\system32\drivers\etc\services
    
    
    Warning: The following functions require administrator privileges!
    
    Do you want to install sshd as service?
    (Say "no" if it's already installed as service) (yes/no) yes
    
    You appear to be running Windows 2003 Server or later.  On 2003 and
    later systems, it's not possible to use the LocalSystem account
    if sshd should allow passwordless logon (e. g. public key authentication).
    If you want to enable that functionality, it's required to create a new
    account 'sshd_server' with special privileges, which is then used to run
    the sshd service under.
    
    Should this script create a new local account 'sshd_server' which has
    the required privileges? (yes/no) yes
    
    Please enter a password for new user 'sshd_server'.  Please be sure that
    this password matches the password rules given on your system.
    Entering no password will exit the configuration.  PASSWORD=xxxxxxx
    
    User 'sshd_server' has been created with password 'xxxxxxxx'.
    If you change the password, please keep in mind to change the password
    for the sshd service, too.
    
    Also keep in mind that the user sshd_server needs read permissions on all
    users' .ssh/authorized_keys file to allow public key authentication for
    these users!.  (Re-)running ssh-user-config for each user will set the
    required permissions correctly.
    
    
    Which value should the environment variable CYGWIN have when
    sshd starts? It's recommended to set at least "ntsec" to be
    able to change user context without password.
    Default is "ntsec".  CYGWIN=binmode ntsec tty
    
    The service has been installed under sshd_server account.
    To start the service, call net start sshd' or cygrunsrv -S sshd'.
    
    Host configuration finished. Have fun!
    
  • You can start the service from the services MMC panel, or using either of the commands listed above ("net start sshd" or "cygrunsrv -S sshd").

Generating public/private SSH keys for a user

  • If you need to generate ssh public and private keys for a user on this machine who will be uploading data or logging in to a remote machine, you will need to carry out this step. Sign on as the user who needs the keys created. They will automatically be in their home directory. Run ssh-user-config to set up the ssh keys. Create only an SSH2 RSA identity (use a null passphrase - just press return). Output should be similar to this:
       cygwinadmin@HICKORY ~
       $ ssh-user-config
       Shall I create an SSH1 RSA identity file for you? (yes/no) no
       Shall I create an SSH2 RSA identity file for you? (yes/no)  (yes/no) yes
       Generating /home/pswander/.ssh/id_rsa
       Enter passphrase (empty for no passphrase):Press ENTER
       Enter same passphrase again:Press ENTER
       Do you want to use this identity to login to this machine? (yes/no) yes
       Shall I create an SSH2 DSA identity file for you? (yes/no)  (yes/no) no
    
       Configuration finished. Have fun!
    
  • Update the file /home/userid/.ssh/authorized_keys with any public keys from other users who you wish to be able to connect to this user's account. Refer to this document for more information. Make sure each entry you add is all on one line.
  • Make sure the service is running (state 4 = running)
    $ sc query sshd
    
    SERVICE_NAME: sshd 
            TYPE               : 10  WIN32_OWN_PROCESS  
            STATE              : 4  RUNNING 
                                    (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN))
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
    
  • Test the service from the cygwin prompt using "ssh -v localhost". You will get challenged with the new host key and will have to enter your password as you connect. You should see output like this:
    The authenticity of host 'localhost (127.0.0.1)' can't be established.
    RSA key fingerprint is 75:8a:67:20:0d:75:dd:06:64:04:d0:ac:23:c7:74:ba.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
    
    The last line is:
    You are successfully logged in to this server!!!
    
    
  • Test the service from a remote host. You can now update the authorized_keys file with the public key file from the user and host you want to connect from. Then test your connection from that host by issuing the command "ssh userid@servername dir c:\"
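
A check for the "each entry all on one line" rule for authorized_keys, added here as an example and not part of the original guide: it flags lines that have no key type (the tail of a wrapped key) or whose base64 key data is cut short or does not match the declared type. The function names and the sample keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an authorized_keys file for entries broken across lines.

# Print "LINE:REASON" for every suspicious line of file $1; nothing if clean.
lint_authorized_keys() {
    awk '
    BEGIN {
        # base64 of the length-prefixed type name that opens each key blob
        pre["ssh-rsa"]     = "AAAAB3NzaC1yc2E"
        pre["ssh-dss"]     = "AAAAB3NzaC1kc3M"
        pre["ssh-ed25519"] = "AAAAC3NzaC1lZDI1NTE5"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines are fine
    {
        # Locate the key-type field; fields before it are login options.
        t = 0
        for (i = 1; i <= NF; i++)
            if (($i in pre) || $i ~ /^ecdsa-sha2-nistp/) { t = i; break }
        if (!t) { print NR ":no-key-type"; next }   # e.g. tail of a wrapped key
        blob = $(t + 1)
        if (blob == "") { print NR ":missing-key-data"; next }
        if (($t in pre) && index(blob, pre[$t]) != 1) {
            print NR ":type-mismatch"; next
        }
        # A key cut by a line break is usually not a whole number of
        # 4-character base64 groups.
        if (blob !~ "^[A-Za-z0-9+/]+=*$" || length(blob) % 4 != 0)
            print NR ":truncated-or-wrapped-key"
    }' "$1"
}

# Constructed sample (not real keys): line 3 was wrapped onto line 4.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not real keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC0 alice@constructed
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQ
C0 bob@constructed
from="10.0.0.5" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC0 carol@constructed
EOF
}

# Demo: lint the constructed sample.
sample=$(mktemp)
write_sample "$sample"
lint_authorized_keys "$sample"
rm -f "$sample"
```

Run it against a real file with `lint_authorized_keys /home/userid/.ssh/authorized_keys`; no output means every entry parsed as a single line.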

Adding and removing users from the passwd file

  • You can add domain or local users using the mkpasswd command. Test what would be added for a domain user with this command:
    mkpasswd -d domain_name -u joeuser
    
  • You can add an ads domain user to the passwd file and give him a home directory in /home with this command:
    mkpasswd -d ads -p /home -u kscully >>/etc/passwd
    
  • You can add local users using the -l switch instead of the -d switch. Be careful not to use the -d domain_name switch without specifying a user or you will get entries for ALL domain users in the passwd file.
  • Users can be removed and both users and groups can be updated by starting a cygwin shell and using vi to edit the /etc/passwd and /etc/group files.
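
A guarded alternative to appending mkpasswd output directly with ">>", added here as an example and not part of the original guide: it refuses input that is not exactly one entry (the symptom of a forgotten -u) and skips a login name that is already in the file. The function name and the sample entries are constructed; mkpasswd output is piped in on stdin.

```shell
#!/bin/sh
# Added example: guarded replacement for "mkpasswd ... >> /etc/passwd".
# Usage: mkpasswd -d domain_name -u joeuser | add_passwd_entry /etc/passwd

# Read candidate passwd entries on stdin and append to file $1 only when there
# is exactly one well-formed entry whose login name is not already present.
# Returns 0 appended, 1 duplicate, 2 wrong entry count, 3 malformed.
add_passwd_entry() {
    passwd_file=$1
    new=$(cat)
    count=$(printf '%s\n' "$new" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "refusing: expected 1 entry, got $count (was -u omitted?)" >&2
        return 2
    fi
    # A passwd entry has seven colon-separated fields.
    if ! printf '%s\n' "$new" | awk -F: 'NF != 7 { bad = 1 } END { exit bad }'; then
        echo "refusing: entry does not have 7 fields" >&2
        return 3
    fi
    name=${new%%:*}
    if cut -d: -f1 "$passwd_file" | grep -qxF -- "$name"; then
        echo "skipping: $name is already in $passwd_file" >&2
        return 1
    fi
    printf '%s\n' "$new" >> "$passwd_file"
}

# Demo on a scratch file with constructed entries (never the live /etc/passwd).
demo=$(mktemp)
printf '%s\n' 'Administrator:unused:500:513:U-SERVER\Administrator:/home/Administrator:/bin/bash' > "$demo"
printf '%s\n' 'joeuser:unused:11234:10513:U-DOMAIN\joeuser:/home/joeuser:/bin/bash' |
    add_passwd_entry "$demo"
cat "$demo"
rm -f "$demo"
```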

Restricting SSH access to specific servers

Working on a netsh script to restrict access to specific servers.

cygrunsrv --install sshd --path '/usr/sbin/sshd' --env 'PATH=/bin;/sbin' --env 'CYGWIN=ntsec tty' -a -D

Switching the user who runs the service

In a normal installation, the ssh-host-config script creates a local user called sshd_server under whose credentials the ssh daemon runs. This is fine for local shell access to the server and secure file transfers to and from the server, but it is not possible to access any network resources while the service is running under the local user account.

The solution is to run the service under a domain user account - one that has access to the shares or servers remote from the server running sshd. In order to switch the service to run under a different user, these steps must be carried out:

  • Open "Computer Management", open the Services tab, right click on the "Cygwin sshd" service and stop the service.
  • Right click on the "Cygwin sshd" service again and select properties. Under the 'Log On' tab, switch the name of the account the service is running from ".\sshd_server" to domain\userid, where domain and userid correspond to a userid with access to the resources you require in the domain. You will be prompted for this user's password.
  • Open Control Panel -> Administrative Tools -> Local Security Settings -> Local Policies. Then click on 'User Rights Assignment'. Make sure the domain user you specified in step one is in the list for these 4 rights:
    1. Adjust memory quotas for a process
    2. Create a token object
    3. Log on as a service (already granted if you completed step 1)
    4. Replace a process level token
  • Add the domain user to the local password file
        mkpasswd -d domain -u userid >> /etc/passwd
        
  • Change the ownership of the files required by the sshd service owner. Open a cygwin bash session and run these commands for your userid
        $ chown userid /var/log/sshd.log
        $ chown -R userid /var/empty
        $ chown userid /etc/ssh*
        
  • In the services tab again, right click on the 'Cygwin sshd' service and select 'start'. Check the event log for a successful start, or for errors in case the service does not start successfully.