1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
|
This package is the actual port of OpenSSH to Cygwin 1.3.
===========================================================================
Important change since 3.4p1-2:
This version adds privilege separation as default setting, see
/usr/doc/openssh/README.privsep. According to that document the
privsep feature requires a non-privileged account called 'sshd'.
The new ssh-host-config file which is part of this version asks
to create 'sshd' as local user if you want to use privilege
separation. If you confirm, it creates that NT user and adds
the necessary entry to /etc/passwd.
On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
since that feature doesn't make any sense on a system which doesn't
differ between privileged and unprivileged users.
The new ssh-host-config script also adds the /var/empty directory
needed by privilege separation. When creating the /var/empty directory
by yourself, please note that in contrast to the README.privsep document
the owner sshould not be "root" but the user which is running sshd. So,
in the standard configuration this is SYSTEM. The ssh-host-config script
chowns /var/empty accordingly.
===========================================================================
===========================================================================
Important change since 3.0.1p1-2:
This version introduces the ability to register sshd as service on
Windows 9x/Me systems. This is done only when the options -D and/or
-d are not given.
===========================================================================
===========================================================================
Important change since 2.9p2:
Since Cygwin is able to switch user context without password beginning
with version 1.3.2, OpenSSH now allows to do so when it's running under
a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
allow that feature.
===========================================================================
===========================================================================
Important change since 2.3.0p1:
When using `ntea' or `ntsec' you now have to care for the ownership
and permission bits of your host key files and your private key files.
The host key files have to be owned by the NT account which starts
sshd. The user key files have to be owned by the user. The permission
bits of the private key files (host and user) have to be at least
rw------- (0600)!
Note that this is forced under `ntsec' only if the files are on a NTFS
filesystem (which is recommended) due to the lack of any basic security
features of the FAT/FAT32 filesystems.
===========================================================================
If you are installing OpenSSH the first time, you can generate global config
files and server keys by running
/usr/bin/ssh-host-config
Note that this binary archive doesn't contain default config files in /etc.
That files are only created if ssh-host-config is started.
If you are updating your installation you may run the above ssh-host-config
as well to move your configuration files to the new location and to
erase the files at the old location.
To support testing and unattended installation ssh-host-config got
some options:
usage: ssh-host-config [OPTION]...
Options:
--debug -d Enable shell's debug output.
--yes -y Answer all questions with "yes" automatically.
--no -n Answer all questions with "no" automatically.
--port -p <n> sshd listens on port n.
Additionally ssh-host-config now asks if it should install sshd as a
service when running under NT/W2K. This requires cygrunsrv installed.
You can create the private and public keys for a user now by running
/usr/bin/ssh-user-config
under the users account.
To support testing and unattended installation ssh-user-config got
some options as well:
usage: ssh-user-config [OPTION]...
Options:
--debug -d Enable shell's debug output.
--yes -y Answer all questions with "yes" automatically.
--no -n Answer all questions with "no" automatically.
--passphrase -p word Use "word" as passphrase automatically.
Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd
(results in very slow deamon startup!) or from the command line (recommended
on 9X/ME).
If you start sshd as deamon via cygrunsrv.exe you MUST give the
"-D" option to sshd. Otherwise the service can't get started at all.
If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
following line to your inetd.conf file:
ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i
Moreover you'll have to add the following line to your
${SYSTEMROOT}/system32/drivers/etc/services file:
ssh 22/tcp #SSH daemon
===========================================================================
The following restrictions only apply to Cygwin versions up to 1.3.1
===========================================================================
Authentication to sshd is possible in one of two ways.
You'll have to decide before starting sshd!
- If you want to authenticate via RSA and you want to login to that
machine to exactly one user account you can do so by running sshd
under that user account. You must change /etc/sshd_config
to contain the following:
RSAAuthentication yes
Moreover it's possible to use rhosts and/or rhosts with
RSA authentication by setting the following in sshd_config:
RhostsAuthentication yes
RhostsRSAAuthentication yes
- If you want to be able to login to different user accounts you'll
have to start sshd under system account or any other account that
is able to switch user context. Note that administrators are _not_
able to do that by default! You'll have to give the following
special user rights to the user:
"Act as part of the operating system"
"Replace process level token"
"Increase quotas"
and if used via service manager
"Logon as a service".
The system account does of course own that user rights by default.
Unfortunately, if you choose that way, you can only logon with
NT password authentification and you should change
/etc/sshd_config to contain the following:
PasswordAuthentication yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication no
However you can login to the user which has started sshd with
RSA authentication anyway. If you want that, change the RSA
authentication setting back to "yes":
RSAAuthentication yes
Please note that OpenSSH does never use the value of $HOME to
search for the users configuration files! It always uses the
value of the pw_dir field in /etc/passwd as the home directory.
If no home diretory is set in /etc/passwd, the root directory
is used instead!
You may use all features of the CYGWIN=ntsec setting the same
way as they are used by the `login' port on sources.redhat.com:
The pw_gecos field may contain an additional field, that begins
with (upper case!) "U-", followed by the domain and the username
separated by a backslash.
CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
BTW: The field separator in pw_gecos is the comma.
The username in pw_name itself may be any nice name:
domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...
Now you may use `domuser' as your login name with telnet!
This is possible additionally for local users, if you don't like
your NT login name ;-) You only have to leave out the domain:
locuser::1104:513:John Doe,U-user,S-1-5-21-...
SSH2 server and user keys are generated by the `ssh-*-config' scripts
as well.
If you want to build from source, the following options to
configure are used for the Cygwin binary distribution:
--prefix=/usr \
--sysconfdir=/etc \
--libexecdir='${exec_prefix}/sbin'
You must have installed the zlib and openssl packages to be able to
build OpenSSH!
Please send requests, error reports etc. to cygwin@cygwin.com.
Have fun,
Corinna Vinschen <vinschen@redhat.com>
Cygwin Developer
Red Hat Inc.
|