diff options
| author | Darren Tucker <dtucker@zip.com.au> | 2003-11-13 11:28:49 +1100 |
|---|---|---|
| committer | Darren Tucker <dtucker@zip.com.au> | 2003-11-13 11:28:49 +1100 |
| commit | 798ca84d606abba35ea790ba0a8abb25ca2b67cb (patch) | |
| tree | 24c77b415e09044bcb059252d07348c67636427f /contrib/cygwin/README | |
| parent | 0947ddff72097b45021facdae40d0beac0fe1e10 (diff) | |
- (dtucker) [README ssh-host-config ssh-user-config Makefile] (All
contrib/cygwin). Major update from vinschen at redhat.com.
- Makefile provides a `cygwin-postinstall' target to run right after
`make install'.
- Better support for Windows 2003 Server.
- Try to get permissions as correct as possible.
- New command line options to allow full automated host configuration.
- Create configs from skeletons in /etc/defaults/etc.
- Use /bin/bash, allows reading user input with readline support.
- Remove really old configs from /usr/local.
Diffstat (limited to 'contrib/cygwin/README')
| -rw-r--r-- | contrib/cygwin/README | 122 |
1 files changed, 68 insertions, 54 deletions
diff --git a/contrib/cygwin/README b/contrib/cygwin/README index ec58964c9..1cc6ae65c 100644 --- a/contrib/cygwin/README +++ b/contrib/cygwin/README | |||
| @@ -1,4 +1,49 @@ | |||
| 1 | This package is the actual port of OpenSSH to Cygwin 1.5. | 1 | This package describes important Cygwin specific stuff concerning OpenSSH. |
| 2 | |||
| 3 | The binary package is usually built for recent Cygwin versions and might | ||
| 4 | not run on older versions. Please check http://cygwin.com/ for information | ||
| 5 | about current Cygwin releases. | ||
| 6 | |||
| 7 | Build instructions are at the end of the file. | ||
| 8 | |||
| 9 | =========================================================================== | ||
| 10 | Important change since 3.7.1p2-2: | ||
| 11 | |||
| 12 | The ssh-host-config file doesn't create the /etc/ssh_config and | ||
| 13 | /etc/sshd_config files from builtin here-scripts anymore, but it uses | ||
| 14 | skeleton files installed in /etc/defaults/etc. | ||
| 15 | |||
| 16 | Also it now tries hard to create appropriate permissions on files. | ||
| 17 | Same applies for ssh-user-config. | ||
| 18 | |||
| 19 | After creating the sshd service with ssh-host-config, it's advisable to | ||
| 20 | call ssh-user-config for all affected users, also already exising user | ||
| 21 | configurations. In the latter case, file and directory permissions are | ||
| 22 | checked and changed, if requireed to match the host configuration. | ||
| 23 | |||
| 24 | Important note for Windows 2003 Server users: | ||
| 25 | --------------------------------------------- | ||
| 26 | |||
| 27 | 2003 Server has a funny new feature. When starting services under SYSTEM | ||
| 28 | account, these services have nearly all user rights which SYSTEM holds... | ||
| 29 | except for the "Create a token object" right, which is needed to allow | ||
| 30 | public key authentication :-( | ||
| 31 | |||
| 32 | There's no way around this, except for creating a substitute account which | ||
| 33 | has the appropriate privileges. Basically, this account should be member | ||
| 34 | of the administrators group, plus it should have the following user rights: | ||
| 35 | |||
| 36 | Create a token object | ||
| 37 | Logon as a service | ||
| 38 | Replace a process level token | ||
| 39 | Increase Quota | ||
| 40 | |||
| 41 | The ssh-host-config script asks you, if it should create such an account, | ||
| 42 | called "sshd_server". If you say "no" here, you're on your own. Please | ||
| 43 | follow the instruction in ssh-host-config exactly if possible. Note that | ||
| 44 | ssh-user-config sets the permissions on 2003 Server machines dependent of | ||
| 45 | whether a sshd_server account exists or not. | ||
| 46 | =========================================================================== | ||
| 2 | 47 | ||
| 3 | =========================================================================== | 48 | =========================================================================== |
| 4 | Important change since 3.4p1-2: | 49 | Important change since 3.4p1-2: |
| @@ -114,54 +159,6 @@ ${SYSTEMROOT}/system32/drivers/etc/services file: | |||
| 114 | 159 | ||
| 115 | ssh 22/tcp #SSH daemon | 160 | ssh 22/tcp #SSH daemon |
| 116 | 161 | ||
| 117 | =========================================================================== | ||
| 118 | The following restrictions only apply to Cygwin versions up to 1.3.1 | ||
| 119 | =========================================================================== | ||
| 120 | |||
| 121 | Authentication to sshd is possible in one of two ways. | ||
| 122 | You'll have to decide before starting sshd! | ||
| 123 | |||
| 124 | - If you want to authenticate via RSA and you want to login to that | ||
| 125 | machine to exactly one user account you can do so by running sshd | ||
| 126 | under that user account. You must change /etc/sshd_config | ||
| 127 | to contain the following: | ||
| 128 | |||
| 129 | RSAAuthentication yes | ||
| 130 | |||
| 131 | Moreover it's possible to use rhosts and/or rhosts with | ||
| 132 | RSA authentication by setting the following in sshd_config: | ||
| 133 | |||
| 134 | RhostsAuthentication yes | ||
| 135 | RhostsRSAAuthentication yes | ||
| 136 | |||
| 137 | - If you want to be able to login to different user accounts you'll | ||
| 138 | have to start sshd under system account or any other account that | ||
| 139 | is able to switch user context. Note that administrators are _not_ | ||
| 140 | able to do that by default! You'll have to give the following | ||
| 141 | special user rights to the user: | ||
| 142 | "Act as part of the operating system" | ||
| 143 | "Replace process level token" | ||
| 144 | "Increase quotas" | ||
| 145 | and if used via service manager | ||
| 146 | "Logon as a service". | ||
| 147 | |||
| 148 | The system account does of course own that user rights by default. | ||
| 149 | |||
| 150 | Unfortunately, if you choose that way, you can only logon with | ||
| 151 | NT password authentification and you should change | ||
| 152 | /etc/sshd_config to contain the following: | ||
| 153 | |||
| 154 | PasswordAuthentication yes | ||
| 155 | RhostsAuthentication no | ||
| 156 | RhostsRSAAuthentication no | ||
| 157 | RSAAuthentication no | ||
| 158 | |||
| 159 | However you can login to the user which has started sshd with | ||
| 160 | RSA authentication anyway. If you want that, change the RSA | ||
| 161 | authentication setting back to "yes": | ||
| 162 | |||
| 163 | RSAAuthentication yes | ||
| 164 | |||
| 165 | Please note that OpenSSH does never use the value of $HOME to | 162 | Please note that OpenSSH does never use the value of $HOME to |
| 166 | search for the users configuration files! It always uses the | 163 | search for the users configuration files! It always uses the |
| 167 | value of the pw_dir field in /etc/passwd as the home directory. | 164 | value of the pw_dir field in /etc/passwd as the home directory. |
| @@ -169,7 +166,7 @@ If no home diretory is set in /etc/passwd, the root directory | |||
| 169 | is used instead! | 166 | is used instead! |
| 170 | 167 | ||
| 171 | You may use all features of the CYGWIN=ntsec setting the same | 168 | You may use all features of the CYGWIN=ntsec setting the same |
| 172 | way as they are used by the `login' port on sources.redhat.com: | 169 | way as they are used by Cygwin's login(1) port: |
| 173 | 170 | ||
| 174 | The pw_gecos field may contain an additional field, that begins | 171 | The pw_gecos field may contain an additional field, that begins |
| 175 | with (upper case!) "U-", followed by the domain and the username | 172 | with (upper case!) "U-", followed by the domain and the username |
| @@ -186,6 +183,8 @@ way as they are used by the `login' port on sources.redhat.com: | |||
| 186 | 183 | ||
| 187 | locuser::1104:513:John Doe,U-user,S-1-5-21-... | 184 | locuser::1104:513:John Doe,U-user,S-1-5-21-... |
| 188 | 185 | ||
| 186 | Note that the CYGWIN=ntsec setting is required for public key authentication. | ||
| 187 | |||
| 189 | SSH2 server and user keys are generated by the `ssh-*-config' scripts | 188 | SSH2 server and user keys are generated by the `ssh-*-config' scripts |
| 190 | as well. | 189 | as well. |
| 191 | 190 | ||
| @@ -194,15 +193,30 @@ configure are used for the Cygwin binary distribution: | |||
| 194 | 193 | ||
| 195 | --prefix=/usr \ | 194 | --prefix=/usr \ |
| 196 | --sysconfdir=/etc \ | 195 | --sysconfdir=/etc \ |
| 197 | --libexecdir='${exec_prefix}/sbin' | 196 | --libexecdir='$(sbindir)' \ |
| 198 | 197 | --localstatedir=/var \ | |
| 199 | You must have installed the zlib and openssl packages to be able to | 198 | --datadir='$(prefix)/share' \ |
| 199 | --mandir='$(datadir)/man' \ | ||
| 200 | --with-tcp-wrappers | ||
| 201 | |||
| 202 | If you want to create a Cygwin package, equivalent to the one | ||
| 203 | in the Cygwin binary distribution, install like this: | ||
| 204 | |||
| 205 | mkdir /tmp/cygwin-ssh | ||
| 206 | cd $(builddir) | ||
| 207 | make install DESTDIR=/tmp/cygwin-ssh | ||
| 208 | cd $(srcdir)/contrib/cygwin | ||
| 209 | make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh | ||
| 210 | cd /tmp/cygwin-ssh | ||
| 211 | find * \! -type d | tar cvjfT my-openssh.tar.bz2 - | ||
| 212 | |||
| 213 | You must have installed the zlib and openssl-devel packages to be able to | ||
| 200 | build OpenSSH! | 214 | build OpenSSH! |
| 201 | 215 | ||
| 202 | Please send requests, error reports etc. to cygwin@cygwin.com. | 216 | Please send requests, error reports etc. to cygwin@cygwin.com. |
| 203 | 217 | ||
| 204 | Have fun, | 218 | Have fun, |
| 205 | 219 | ||
| 206 | Corinna Vinschen <vinschen@redhat.com> | 220 | Corinna Vinschen |
| 207 | Cygwin Developer | 221 | Cygwin Developer |
| 208 | Red Hat Inc. | 222 | Red Hat Inc. |