An SSH server can be handy on a Windows machine, too. Cygwin comes with OpenSSH, and provides a lot of useful tools which you can use over the SSH connection. Here’s how to install Cygwin and OpenSSH server on a Windows machine.
Install Cygwin. Make sure you also install OpenSSH under the Net category. You can download the installer from here:
http://www.cygwin.com/setup.exe
To successfully run OpenSSH on a Windows 2003 Server, you must create a new user account for it. This is because the SYSTEM account, which is the default when installing OpenSSH as a service, does not have the “Create a token object” right, which is needed for public key authentication. Luckily, the ssh-host-config command will create a user for you, if you wish. Just remember to select “yes” in the following prompts.
In fact, two user accounts are created in the session below. The other one, 'sshd', is used for privilege separation, which makes the installation a bit more secure. There’s no reason not to enable it.
If you are installing OpenSSH on an Active Directory domain controller, the user accounts will be created in Active Directory. This is because a domain controller has no separate local user database; its local accounts are the AD accounts themselves. Remember this if you are going to install OpenSSH on more than one DC: on the second installation, the user accounts already exist!
administrator@server ~
$ ssh-host-config
Generating /etc/ssh_host_key
Generating /etc/ssh_host_rsa_key
Generating /etc/ssh_host_dsa_key
Generating /etc/ssh_config file
Privilege separation is set to yes by default since OpenSSH 3.3.
However, this requires a non-privileged account called 'sshd'.
For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
Should privilege separation be used? (yes/no) yes
Warning: The following function requires administrator privileges!
Should this script create a local user 'sshd' on this machine? (yes/no) yes
Generating /etc/sshd_config file
Warning: The following functions require administrator privileges!
Do you want to install sshd as service?
(Say "no" if it's already installed as service) (yes/no) yes
You appear to be running Windows 2003 Server or later.  On 2003 and
later systems, it's not possible to use the LocalSystem account
if sshd should allow passwordless logon (e. g. public key authentication).
If you want to enable that functionality, it's required to create a new
account 'sshd_server' with special privileges, which is then used to run
the sshd service under.
Should this script create a new local account 'sshd_server' which has
the required privileges? (yes/no) yes
Please enter a password for new user 'sshd_server'.  Please be sure that
this password matches the password rules given on your system.
Entering no password will exit the configuration.  PASSWORD=SECRET
User 'sshd_server' has been created with password 'SECRET'.
If you change the password, please keep in mind to change the
password for the sshd service, too.
Also keep in mind that the user sshd_server needs read permissions on all
users' .ssh/authorized_keys file to allow public key authentication for
these users!. (Re-)running ssh-user-config for each user will set the
required permissions correctly.
Which value should the environment variable CYGWIN have when
sshd starts? It's recommended to set at least "ntsec" to be
able to change user context without password.
Default is "ntsec".  CYGWIN=binmode ntsec tty
The service has been installed under sshd_server account.
To start the service, call `net start sshd' or `cygrunsrv -S sshd'.
Host configuration finished. Have fun!
You should now have a new service, called “CYGWIN sshd”, installed. It doesn’t start automatically, so you must start it either from the Windows Services MMC Console or from the command line with the command “net start sshd”.
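Before starting the service, it is worth confirming that the /etc/sshd_config written by ssh-host-config still carries the settings this walkthrough depends on: privilege separation (the reason the 'sshd' account exists), public key authentication (the reason sshd runs as 'sshd_server') and StrictModes, which makes sshd reject key files with loose permissions. The check below is an added example, not part of the original post or of Cygwin; it assumes the standard OpenSSH sshd_config keywords and can be run from the Cygwin shell against any config path.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the sshd_config
# that ssh-host-config generated, before starting the "CYGWIN sshd" service.
# The keywords below are standard OpenSSH sshd_config options (assumed here).

# Print the effective value of one sshd_config keyword. Like sshd itself,
# the first match wins; comment lines and blank lines are ignored.
sshd_option() {
    config="$1"; key="$2"
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$config"
}

# Check the three settings the walkthrough relies on. Prints one line per
# finding and returns the number of problems (0 means the config is fine).
# A keyword that is not set at all falls back to sshd's compiled-in default,
# which is "yes" for all three (privsep has defaulted to yes since OpenSSH 3.3).
check_sshd_config() {
    config="${1:-/etc/sshd_config}"; problems=0
    for pair in "UsePrivilegeSeparation=yes" "PubkeyAuthentication=yes" "StrictModes=yes"; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(sshd_option "$config" "$key")"
        if [ -z "$got" ]; then
            echo "ok: $key not set (default is $want)"
        elif [ "$got" != "$want" ]; then
            echo "problem: $key is '$got', expected '$want'"
            problems=$((problems + 1))
        else
            echo "ok: $key $got"
        fi
    done
    return "$problems"
}
```

Run it as `check_sshd_config /etc/sshd_config` from the Cygwin prompt; a non-zero exit status means at least one of the settings was changed away from what ssh-host-config expects.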