I recently acquired a second-hand Asus laptop from my work that will be performing a handful of responsibilities on one of my networks.
This is the process I took to set up OpenSSH on Cygwin running on the Windows 7 box.
I won’t be going over the steps to tunnel RDP, as I’ve already done this in another post:
- Windows Firewall -> Allowed Programs -> checked Remote Desktop.
- System Properties -> Remote tab -> turn radio button on to at least “Allow connections from computers running any version of Remote Desktop”
If you like, this can be turned off once SSH is set-up, or you can just turn the firewall rule off that lets RDP in.
CopSSH, which I used on my last set of Linux-to-Windows RDP-via-SSH set-ups, is no longer free.
I’m not paying for something I can get for free, albeit with a little extra work involved.
So I looked at some other Windows SSH offerings:
- freeSSHd which looked like a simple set-up, but it didn’t appear to be currently maintained.
- OpenSSH, the current latest version being 5.9, released September 6, 2011
A while back OpenSSH wasn’t being maintained. Looks like that’s changed.
OpenSSH is part of Cygwin, so you need to create a
c:\cygwin directory and download setup.exe into it.
- Right click on c:\cygwin\setup.exe and select “Run as Administrator”.
- If Install from Internet is not checked, check it. Then click Next.
- Accept the default “Root Directory” of C:\cygwin. Accept the default for “Install For” as All Users.
- Accept the default “Local Package Directory” of C:\cygwin.
- Accept the default “Select Your Internet Connection” of “Direct Connection”. Click Next.
- Select the closest mirror to you. Click Next.
- You can expand the list by clicking the View button, or just expand the Net node.
- Find openssh and click the Skip text, so that the Bin check box for the item is on.
- Find tcp_wrappers and click the Skip text, so that the Bin check box for the item is on.
If you selected tcp_wrappers and get the “ssh-exchange-identification: Connection closed by remote host” error,
you’ll need to edit /etc/hosts.allow and add the following two lines before the PARANOID line:
ALL: 127.0.0.1/32 : allow
ALL: [::1]/128: allow
These lines were already in the /etc/hosts.allow
(Optional) Find the package “diffutils” and click on the word “skip” so that an x appears in Column B.
Find the package “zlib” and click on the word “skip” (it should already be selected) so that an x appears in Column B.
Click Next to start the install.
Click Next again at the “Resolving Dependencies” step, keeping the default “Select required packages…” checked.
At the end of the install, I got the “Program Compatibility Assistant” stating that this program might not have installed correctly.
I clicked “This program installed correctly”.
Add Cygwin to your system’s Path environment variable.
Edit the Path and append ;c:\cygwin\bin
Right click the new Cygwin Terminal shortcut and Run as administrator.
Make sure the following files have the correct permissions.
Create an sshd.log file in /var/log/:
touch /var/log/sshd.log
chmod 664 /var/log/sshd.log
- Cygwin will then ask Should privilege separation be used? Answer Yes
- Cygwin will then ask Should this script create a local user ‘sshd’ on this machine? Answer Yes
- Cygwin will then ask Do you want to install sshd as service? Answer Yes
- Cygwin will then ask for the value of CYGWIN for the daemon. Answer ntsec tty
- Cygwin will then ask Do you want to use a different name? Answer no
- Cygwin will then ask Please enter a password for new user cyg_server? Enter a password twice and remember it.
Replicate your Windows user credentials with Cygwin:
mkpasswd -cl > /etc/passwd
mkgroup --local > /etc/group
I think (although I haven’t tried it yet) that when you change your user password, which you should do regularly,
you should be able to run the above two commands again to update your password.
As I haven’t done this yet, I would take a backup of these files before running the commands.
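The backup-then-regenerate step above, written out as an added example that is not part of the original post. The helper assumes a target file and a generator command (on the Cygwin box that would be /etc/passwd with mkpasswd -cl, or /etc/group with mkgroup --local); it keeps a timestamped copy of the current file and only replaces it when the generator succeeds and actually produces output, so a failed run cannot leave you with an empty passwd file and no way to log in. The sample run at the bottom uses constructed data in a temporary directory.

```shell
#!/bin/sh
# Added example (not the post's own code): regenerate a file from a command,
# keeping a backup and refusing to install an empty or failed result.

# regen_with_backup TARGET CMD [ARGS...]
#   Backs up TARGET (if present) to TARGET.<timestamp>.bak, runs CMD with its
#   arguments, and installs the output over TARGET only if CMD exited 0 and
#   wrote at least one byte. Returns 0 on update, 1 if TARGET was left alone.
regen_with_backup() {
    target="$1"; shift
    stamp=$(date +%Y%m%d%H%M%S)
    if [ -f "$target" ]; then
        cp -p "$target" "$target.$stamp.bak"   # -p keeps ownership/mode
    fi
    # Write to a sibling temp file first so a half-written file never replaces
    # the live one; mv within the same directory is atomic on Cygwin/NTFS too.
    if "$@" > "$target.new" && [ -s "$target.new" ]; then
        mv "$target.new" "$target"
        echo "updated $target (backup: $target.$stamp.bak)"
        return 0
    fi
    rm -f "$target.new"
    echo "generator failed or produced no output; $target left untouched" >&2
    return 1
}

# Constructed demonstration in a scratch directory (stands in for /etc/passwd).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf 'alice:unused:1000:513::/home/alice:/bin/bash\n' > "$TMP/passwd"

# A successful regeneration: the generator here is just printf standing in
# for "mkpasswd -cl".
regen_with_backup "$TMP/passwd" printf 'alice:unused:1000:513::/home/alice:/bin/bash\nbob:unused:1001:513::/home/bob:/bin/bash\n'

# A failing generator: the file must survive unchanged.
regen_with_backup "$TMP/passwd" false || echo "kept previous passwd"
```

On the laptop itself the calls would be `regen_with_backup /etc/passwd mkpasswd -cl` and `regen_with_backup /etc/group mkgroup --local`, run from an administrator Cygwin terminal as the post describes.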
To start the service, type the following:
net start sshd
When you make changes to /etc/sshd_config, which is owned by cyg_server,
you’ll need to make those changes as the owner.
I added the following line to the end of the file:
As it sounds like Blowfish runs faster than the default AES-128
There is also a collection of changes to be made to /etc/sshd_config:
- Change LoginGraceTime to as small a number as possible.
- PermitRootLogin no
- Set PasswordAuthentication to no once you have key pair auth set up.
- PermitEmptyPasswords no
- You can also set up AllowUsers and DenyUsers.
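An added example, not from the original post, that audits an sshd_config against the list above so you can confirm the hardening took before closing the RDP port. It reads the file the way sshd does (first uncommented occurrence of a keyword wins, keywords are case-insensitive) and requires each directive to be set explicitly rather than relying on defaults. Assumptions of mine: a 30-second ceiling for LoginGraceTime, a warning when AllowUsers is absent, and one check that goes beyond the post's list, flagging any CBC-mode entry in Ciphers (such as the blowfish-cbc suite the post mentions). The two sample configs are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not the post's own code): audit a Cygwin sshd_config against
# the hardening settings the post lists.

# sshd_get FILE KEY: print the effective value of KEY. sshd honours the first
# uncommented occurrence of a keyword, so that is what is reported.
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# grace_seconds VALUE: normalise a LoginGraceTime value (plain seconds, or with
# an s/m suffix) to seconds. Unset means sshd's default of 120.
grace_seconds() {
    case "$1" in
        *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo "${1%s}" ;;
        '') echo 120 ;;
        *)  echo "$1" ;;
    esac
}

# sshd_audit FILE: print one FAIL line per finding, WARN lines for advice, and
# a summary line; always exits 0 so it can be used inside set -e scripts.
sshd_audit() {
    cfg="$1"
    fails=0
    for pair in "PermitRootLogin no" "PasswordAuthentication no" "PermitEmptyPasswords no"; do
        key=${pair% *}; want=${pair#* }
        have=$(sshd_get "$cfg" "$key" | tr 'A-Z' 'a-z')
        if [ "$have" != "$want" ]; then
            echo "FAIL: $key is '${have:-<unset>}', want $want"
            fails=$((fails + 1))
        fi
    done
    grace=$(grace_seconds "$(sshd_get "$cfg" LoginGraceTime)")
    if [ "$grace" -gt 30 ]; then            # 30 s ceiling is this example's choice
        echo "FAIL: LoginGraceTime is ${grace}s, want 30s or less"
        fails=$((fails + 1))
    fi
    ciphers=$(sshd_get "$cfg" Ciphers)       # added check beyond the post's list
    case "$ciphers" in
        *-cbc*) echo "FAIL: Ciphers includes a CBC-mode suite: $ciphers"
                fails=$((fails + 1)) ;;
    esac
    if [ -z "$(sshd_get "$cfg" AllowUsers)" ]; then
        echo "WARN: AllowUsers not set; every local account may attempt login"
    fi
    echo "$fails finding(s) in $cfg"
    return 0
}

# Constructed sample configs: one as a stock install tends to look, one hardened.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/weak.cfg" <<'EOF'
Port 22
#PermitRootLogin no
LoginGraceTime 2m
PasswordAuthentication yes
Ciphers blowfish-cbc,aes128-ctr
EOF
cat > "$TMP/hard.cfg" <<'EOF'
Port 22
LoginGraceTime 20
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers kim
Ciphers aes128-ctr,aes256-ctr
EOF

sshd_audit "$TMP/weak.cfg"
sshd_audit "$TMP/hard.cfg"
```

On the laptop, run `sshd_audit /etc/sshd_config` from the Cygwin terminal before and after editing; the weak sample above yields five FAIL lines (commented-out PermitRootLogin counts as unset), the hardened one none.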
Open TCP port 22 on the firewall, and close the RDP port once SSH is working.
As my blog post says:
I already had a key pair with pass phrase, so I used that.
Now we should be able to ssh without being prompted for a password, but instead using key pair auth.