summaryrefslogtreecommitdiff
path: root/contrib/cygwin/README
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/cygwin/README')
-rw-r--r--contrib/cygwin/README212
1 files changed, 33 insertions, 179 deletions
diff --git a/contrib/cygwin/README b/contrib/cygwin/README
index 5f911e924..2562b6186 100644
--- a/contrib/cygwin/README
+++ b/contrib/cygwin/README
@@ -4,115 +4,18 @@ The binary package is usually built for recent Cygwin versions and might
4not run on older versions. Please check http://cygwin.com/ for information 4not run on older versions. Please check http://cygwin.com/ for information
5about current Cygwin releases. 5about current Cygwin releases.
6 6
7Build instructions are at the end of the file. 7==================
8 8Host configuration
9=========================================================================== 9==================
10Important change since 3.7.1p2-2:
11
12The ssh-host-config file doesn't create the /etc/ssh_config and
13/etc/sshd_config files from builtin here-scripts anymore, but it uses
14skeleton files installed in /etc/defaults/etc.
15
16Also it now tries hard to create appropriate permissions on files.
17Same applies for ssh-user-config.
18
19After creating the sshd service with ssh-host-config, it's advisable to
20call ssh-user-config for all affected users, also already exising user
21configurations. In the latter case, file and directory permissions are
22checked and changed, if requireed to match the host configuration.
23
24Important note for Windows 2003 Server users:
25---------------------------------------------
26
272003 Server has a funny new feature. When starting services under SYSTEM
28account, these services have nearly all user rights which SYSTEM holds...
29except for the "Create a token object" right, which is needed to allow
30public key authentication :-(
31
32There's no way around this, except for creating a substitute account which
33has the appropriate privileges. Basically, this account should be member
34of the administrators group, plus it should have the following user rights:
35
36 Create a token object
37 Logon as a service
38 Replace a process level token
39 Increase Quota
40
41The ssh-host-config script asks you, if it should create such an account,
42called "sshd_server". If you say "no" here, you're on your own. Please
43follow the instruction in ssh-host-config exactly if possible. Note that
44ssh-user-config sets the permissions on 2003 Server machines dependent of
45whether a sshd_server account exists or not.
46===========================================================================
47
48===========================================================================
49Important change since 3.4p1-2:
50
51This version adds privilege separation as default setting, see
52/usr/doc/openssh/README.privsep. According to that document the
53privsep feature requires a non-privileged account called 'sshd'.
54
55The new ssh-host-config file which is part of this version asks
56to create 'sshd' as local user if you want to use privilege
57separation. If you confirm, it creates that NT user and adds
58the necessary entry to /etc/passwd.
59
60On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
61since that feature doesn't make any sense on a system which doesn't
62differ between privileged and unprivileged users.
63
64The new ssh-host-config script also adds the /var/empty directory
65needed by privilege separation. When creating the /var/empty directory
66by yourself, please note that in contrast to the README.privsep document
67the owner sshould not be "root" but the user which is running sshd. So,
68in the standard configuration this is SYSTEM. The ssh-host-config script
69chowns /var/empty accordingly.
70===========================================================================
71
72===========================================================================
73Important change since 3.0.1p1-2:
74
75This version introduces the ability to register sshd as service on
76Windows 9x/Me systems. This is done only when the options -D and/or
77-d are not given.
78===========================================================================
79
80===========================================================================
81Important change since 2.9p2:
82
83Since Cygwin is able to switch user context without password beginning
84with version 1.3.2, OpenSSH now allows to do so when it's running under
85a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
86allow that feature.
87===========================================================================
88
89===========================================================================
90Important change since 2.3.0p1:
91
92When using `ntea' or `ntsec' you now have to care for the ownership
93and permission bits of your host key files and your private key files.
94The host key files have to be owned by the NT account which starts
95sshd. The user key files have to be owned by the user. The permission
96bits of the private key files (host and user) have to be at least
97rw------- (0600)!
98
99Note that this is forced under `ntsec' only if the files are on a NTFS
100filesystem (which is recommended) due to the lack of any basic security
101features of the FAT/FAT32 filesystems.
102===========================================================================
103 10
104If you are installing OpenSSH the first time, you can generate global config 11If you are installing OpenSSH the first time, you can generate global config
105files and server keys by running 12files and server keys, as well as installing sshd as a service, by running
106 13
107 /usr/bin/ssh-host-config 14 /usr/bin/ssh-host-config
108 15
109Note that this binary archive doesn't contain default config files in /etc. 16Note that this binary archive doesn't contain default config files in /etc.
110That files are only created if ssh-host-config is started. 17That files are only created if ssh-host-config is started.
111 18
112If you are updating your installation you may run the above ssh-host-config
113as well to move your configuration files to the new location and to
114erase the files at the old location.
115
116To support testing and unattended installation ssh-host-config got 19To support testing and unattended installation ssh-host-config got
117some options: 20some options:
118 21
@@ -123,16 +26,25 @@ Options:
123 --no -n Answer all questions with "no" automatically. 26 --no -n Answer all questions with "no" automatically.
124 --cygwin -c <options> Use "options" as value for CYGWIN environment var. 27 --cygwin -c <options> Use "options" as value for CYGWIN environment var.
125 --port -p <n> sshd listens on port n. 28 --port -p <n> sshd listens on port n.
126 --pwd -w <passwd> Use "pwd" as password for user 'sshd_server'. 29 --user -u <account> privileged user for service, default 'cyg_server'.
30 --pwd -w <passwd> Use "pwd" as password for privileged user.
31 --privileged On Windows XP, require privileged user
32 instead of LocalSystem for sshd service.
127 33
128Additionally ssh-host-config now asks if it should install sshd as a 34Installing sshd as daemon via ssh-host-config is recommended.
129service when running under NT/W2K. This requires cygrunsrv installed.
130 35
131You can create the private and public keys for a user now by running 36Alternatively you can start sshd via inetd, if you have the inetutils
37package installed. Just run ssh-host-config, but answer "no" when asked
38to install sshd as service. The ssh-host-config script also adds the
39required lines to /etc/inetd.conf and /etc/services.
132 40
133 /usr/bin/ssh-user-config 41==================
42User configuration
43==================
44
45Any user can simplify creating the own private and public keys by running
134 46
135under the users account. 47 /usr/bin/ssh-user-config
136 48
137To support testing and unattended installation ssh-user-config got 49To support testing and unattended installation ssh-user-config got
138some options as well: 50some options as well:
@@ -144,88 +56,30 @@ Options:
144 --no -n Answer all questions with "no" automatically. 56 --no -n Answer all questions with "no" automatically.
145 --passphrase -p word Use "word" as passphrase automatically. 57 --passphrase -p word Use "word" as passphrase automatically.
146 58
147Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd
148(results in very slow deamon startup!) or from the command line (recommended
149on 9X/ME).
150
151If you start sshd as deamon via cygrunsrv.exe you MUST give the
152"-D" option to sshd. Otherwise the service can't get started at all.
153
154If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
155following line to your inetd.conf file:
156
157ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i
158
159Moreover you'll have to add the following line to your
160${SYSTEMROOT}/system32/drivers/etc/services file:
161
162 ssh 22/tcp #SSH daemon
163
164Please note that OpenSSH does never use the value of $HOME to 59Please note that OpenSSH does never use the value of $HOME to
165search for the users configuration files! It always uses the 60search for the users configuration files! It always uses the
166value of the pw_dir field in /etc/passwd as the home directory. 61value of the pw_dir field in /etc/passwd as the home directory.
167If no home diretory is set in /etc/passwd, the root directory 62If no home diretory is set in /etc/passwd, the root directory
168is used instead! 63is used instead!
169 64
170You may use all features of the CYGWIN=ntsec setting the same 65================
171way as they are used by Cygwin's login(1) port: 66Building OpenSSH
172 67================
173 The pw_gecos field may contain an additional field, that begins
174 with (upper case!) "U-", followed by the domain and the username
175 separated by a backslash.
176 CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
177 BTW: The field separator in pw_gecos is the comma.
178 The username in pw_name itself may be any nice name:
179
180 domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...
181
182 Now you may use `domuser' as your login name with telnet!
183 This is possible additionally for local users, if you don't like
184 your NT login name ;-) You only have to leave out the domain:
185
186 locuser::1104:513:John Doe,U-user,S-1-5-21-...
187
188Note that the CYGWIN=ntsec setting is required for public key authentication.
189
190SSH2 server and user keys are generated by the `ssh-*-config' scripts
191as well.
192
193If you want to build from source, the following options to
194configure are used for the Cygwin binary distribution:
195
196 --prefix=/usr \
197 --sysconfdir=/etc \
198 --libexecdir='${sbindir}' \
199 --localstatedir=/var \
200 --datadir='${prefix}/share' \
201 --mandir='${datadir}/man' \
202 --infodir='${datadir}/info'
203 --with-tcp-wrappers
204 --with-libedit
205
206If you want to create a Cygwin package, equivalent to the one
207in the Cygwin binary distribution, install like this:
208
209 mkdir /tmp/cygwin-ssh
210 cd ${builddir}
211 make install DESTDIR=/tmp/cygwin-ssh
212 cd ${srcdir}/contrib/cygwin
213 make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh
214 cd /tmp/cygwin-ssh
215 find * \! -type d | tar cvjfT my-openssh.tar.bz2 -
216
217You must have installed the following packages to be able to build OpenSSH:
218
219- zlib
220- openssl-devel
221 68
222If you want to build with --with-tcp-wrappers, you also need the package 69Building from source is easy. Just unpack the source archive, cd to that
70directory, and call cygport:
223 71
224- tcp_wrappers 72 cygport openssh.cygport almostall
225 73
226If you want to build with --with-libedit, you also need the package 74You must have installed the following packages to be able to build OpenSSH
75with the aforementioned cygport script:
227 76
228- libedit-devel 77 zlib
78 crypt
79 openssl-devel
80 libwrap-devel
81 libedit-devel
82 libkrb5-devel
229 83
230Please send requests, error reports etc. to cygwin@cygwin.com. 84Please send requests, error reports etc. to cygwin@cygwin.com.
231 85