Cygwin - SSHD Configuration

Written: 08/19/12

Last Updated: 01/08/15

NOTE 1 – The “ntsec” and “tty” options of the CYGWIN environment variable are no longer supported, so this article has been completely updated to show how to create the server with the current settings. If you wish to see the legacy version, it can be found here.

NOTE 2 – This article was originally written with the intent of using a single account. The procedure has been tested and verified to work, and it is still secure; however, it is more secure to use two accounts, because that is what lets sshd perform proper privilege separation. OpenSSH's unprivileged privilege-separation account is named “sshd” (the name is fixed when sshd is built), so naming the privileged service account “sshd” as well, as this article does, collapses both roles into one administrator account. At this time I do not have detailed directions for the two-account setup; however, I provided a high-level description in response to Roc White’s comment (thanks again for catching this). Please read through this tutorial and that comment before continuing.

This guide is the second part of my Cygwin SSH server series and assumes that Cygwin was installed according to the first guide. If you did not read the first part, it can be found here. This article focuses on how to configure sshd, the ssh daemon, in Cygwin. My knowledge on this subject was obtained through painful experimentation and time spent searching online. Over two years have passed since that initial installation, and I still find Cygwin to be the best solution for my needs. I have also found some tweaks that make the setup easier and more secure. Those techniques are shown in these guides, along with any known limitations.

Now that Cygwin has been installed, we need to make a Windows environment variable, create a new administrator account, install the daemon, and start the server. First, click on your start menu and type “advanced system settings”. Then click on the item in the Control Panel titled “View advanced system settings”.

cygwin-sshd-configuration-1
The “System Properties” window should now be open. In the “Advanced” tab click on “Environment Variables…”.
cygwin-sshd-configuration-2
Here we will set the environment for Cygwin. Adding this entry to the Path lets you run Cygwin commands from any Windows prompt without typing the full path to the executable: for example, you can open a Command Prompt and type “ls” to list the directory contents instead of “c:\cygwin\bin\ls.exe”. To set this, we need to edit the “Path” system variable. Click on “Path” under the “System variables” section (not under “User variables”, which would apply only to your own account and not to the account the service will run under) and click “Edit…”.
cygwin-sshd-configuration-3
Place the cursor at the end of the existing value. Making sure that nothing is selected (or you will overwrite the whole value), type “;c:\cygwin\bin” at the end of the string (or whatever the path to your Cygwin bin directory is; a 64-bit install uses c:\cygwin64\bin by default). Include the semicolon and do not add any spaces. Append it at the end rather than the start so that Cygwin's versions of commands that Windows also ships, such as find and sort, do not shadow the Windows ones for every program on the machine. Click “OK”.
cygwin-sshd-configuration-4
Click “OK”.
cygwin-sshd-configuration-5
Click “OK”.
cygwin-sshd-configuration-6

The sshd service that we will be creating must run under a dedicated account. Do NOT use your current user. This is important for two reasons. First, the editrights steps below grant that account powerful rights (act as part of the operating system, create tokens), and anything the daemon executes in that context runs with them, so you do not want them attached to your everyday account. Second, if you ever wish to remove the server, you simply delete the account. ssh-host-config registers the Windows service itself under the name “sshd” regardless of the account name, so choose an account name that makes its purpose obvious. I like “sshd”, as it explains exactly what the account is for; be aware, though, that this is also the name OpenSSH uses for its unprivileged privilege-separation account (see NOTE 2), and the default that ssh-host-config proposes, “cyg_server”, keeps the two distinct. You can name it whatever you wish, just keep your names straight. Since I use sshd, substitute the name you pick for it throughout the rest of these guides.

To make a new user, click on the start menu and type “user accounts” in the search field. Click on “Add or remove user accounts”.

cygwin-sshd-configuration-7
Click on “Create a new account” in the manage accounts screen.
cygwin-sshd-configuration-8
Type in the name you wish to use for the account, select “Administrator” (ssh-host-config requires the account that runs the service to be a member of the local Administrators group), and then click on “Create Account”.
cygwin-sshd-configuration-9
Click on your newly created user’s account to edit it.
cygwin-sshd-configuration-10
Click on “Create a password”.
cygwin-sshd-configuration-11
Create a strong password. This account is never used interactively (only ssh-host-config needs the password, twice), so there is no reason to make it memorable: use a randomly generated password of 20 or more characters containing mixed case, digits and symbols, and keep it in a password manager. Its strength matters because once port 22 is reachable, anyone on the internet can try password guesses against this account and against every other account listed in /etc/passwd, and until the server is locked down (which I will cover in a later article) the password is the only barrier. Windows requires that you create a password hint. I dislike this and do not wish to give anyone a hint; a trick to avoid giving one is to put a single space in the password hint field. Keep the password handy, as it will be used shortly. Click “Create Password” once you are satisfied with its strength.
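The same account can be created from an elevated Cygwin shell with Windows' own net and reg commands. The script below is an added example for this tutorial, not code from the original article: it generates a random password that satisfies the policy above, creates the account as an administrator with a non-expiring password, and hides it from the logon screen through the SpecialAccounts\UserList registry key (a standard way to hide an account from the Welcome screen; whether that is the trick one commenter below used is an assumption). Created this way, the account never asks for a password hint. The account name sshd, the script name, and the comment text are this example's assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not from the original article: create the dedicated sshd
# service account from an elevated Cygwin shell using Windows' own "net" and
# "reg" commands instead of the Control Panel clicks above. It is scriptable
# and does not depend on the Local Users and Groups snap-in, which Home
# editions of Windows lack. The account name "sshd" is the article's choice;
# pass your own as the second argument. Usage (Windows, elevated shell):
#   sh make-sshd-account.sh create sshd

# gen_password LENGTH: random password from /dev/urandom. Letters and digits
# only, so it survives net.exe's command-line parsing unchanged; 32 such
# characters carry about 190 bits of entropy, far beyond the article's minimum.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-32}"
}

# password_is_strong PASSWORD: the policy the article asks for (length plus
# upper case, lower case and digits), checked with POSIX tools. Returns 0 when
# every rule holds.
password_is_strong() {
    cand=$1
    [ "${#cand}" -ge 16 ] || return 1
    printf '%s' "$cand" | LC_ALL=C grep -q '[A-Z]' || return 1
    printf '%s' "$cand" | LC_ALL=C grep -q '[a-z]' || return 1
    printf '%s' "$cand" | LC_ALL=C grep -q '[0-9]' || return 1
    return 0
}

# create_service_account NAME: the Windows-only part. Creates the local
# account, makes it an administrator (ssh-host-config requires that), marks
# the password non-expiring so a rotation policy cannot silently stop the
# service later, and hides the account from the logon screen by adding it to
# the SpecialAccounts\UserList key with value 0.
create_service_account() {
    name=$1
    pass=$(gen_password 32)
    # A 32-character random string can in theory miss a character class;
    # draw again until the policy check passes.
    until password_is_strong "$pass"; do
        pass=$(gen_password 32)
    done
    net user "$name" "$pass" /add /expires:never /passwordchg:no \
        /comment:CygwinSshdService || return 1
    net localgroup Administrators "$name" /add || return 1
    reg add 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList' \
        /v "$name" /t REG_DWORD /d 0 /f || return 1
    # Shown once: ssh-host-config asks for it twice. Put it in a password
    # manager and clear the terminal afterwards. It also passed briefly over
    # the net.exe command line, which is acceptable on a single-admin machine.
    printf 'Created %s. Password (shown once): %s\n' "$name" "$pass"
}

# Only act when explicitly asked, so the functions above can be sourced or
# tested on any system without touching Windows accounts.
if [ "${1:-}" = "create" ]; then
    create_service_account "${2:-sshd}"
fi
```

Run it as sh make-sshd-account.sh create sshd from a Cygwin shell started with “Run as administrator”; on any other system the script defines the functions and exits without side effects.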
cygwin-sshd-configuration-12
We are now done with all of the Windows pre-setup and will proceed to the Cygwin configuration. Open up a Cygwin terminal. If you did not make an icon or a start menu entry you can find one by clicking on the start menu and typing “cygwin” in the search field.
cygwin-sshd-configuration-13
Type the commands shown below in the terminal. Start the terminal with “Run as administrator” (right-click the Cygwin shortcut); otherwise chmod on /etc/passwd reports “Permission denied” and editrights fails with an LsaOpenPolicy error. These commands fix file permissions and grant the Windows user rights the daemon needs.

chmod +r /etc/passwd
chmod u+w /etc/passwd
chmod +r /etc/group
chmod u+w /etc/group
chmod 755 /var
touch /var/log/sshd.log
chmod 664 /var/log/sshd.log
editrights -l -u sshd
editrights -a SeAssignPrimaryTokenPrivilege -u sshd
editrights -a SeCreateTokenPrivilege -u sshd
editrights -a SeTcbPrivilege -u sshd
editrights -a SeServiceLogonRight -u sshd
editrights -l -u sshd

The “chmod” command stands for change file mode bits and is used to change the permissions on files and directories. The first four lines make the files “passwd” and “group” readable by everyone (+r) and writable by their owner (u+w), so that the later steps can update them. The “passwd” file maps each Windows account to a Cygwin user (name, numeric uid derived from the account's SID, home directory and shell); likewise, “group” maps the Windows groups. Both are generated from Windows with mkpasswd and mkgroup and contain no password hashes, as authentication is handled by Windows itself. These two files are critical because sshd looks up every user who logs in through them. Bear in mind that when they are generated with --local, every local Windows account appears, and every entry with a real login shell is an account that can be attacked by password guessing once the server is reachable.

The next three lines set up the log file so that logging works. The “touch” command creates an empty file if none exists (and otherwise only updates its timestamps to the current time). The 664 mode makes the file writable by its owner and by the owning group, which is what lets the service account append to a file you created from your own account; anyone else in that group can alter the log as well, so tighten it to 640 once you know which account writes it if that concerns you. The permissions on the “var” directory must be set to 755 so the service can traverse it while nobody but its owner can write there. The log file records the daemon's own output (startup problems, failed context switches, rejected logins), so it is the first place to look when a connection is refused. There are much better logging tools available and in a later tutorial I will go over how to use them, but for the meantime it's important to set this up.

The last six commands change Windows user rights and privileges. When issuing these commands, use the username you picked for the server in place of “sshd”. The commands in lines eight and 13 display the rights currently assigned to the user: there should be none the first time, and afterwards the user should hold the four rights assigned in lines nine through 12. SeAssignPrimaryTokenPrivilege (replace a process-level token) and SeCreateTokenPrivilege (create a token object) let the daemon build a logon token for a user who authenticated with a public key, where there is no password to hand to Windows; SeTcbPrivilege (act as part of the operating system) is needed to switch into that user's context; and SeServiceLogonRight (log on as a service) is what allows the account to run the service at all. Without them the service may not start, and public-key logins fail with “fatal: seteuid NNN: Operation not permitted” in the log, as several comments below show. A Group Policy refresh can strip these rights again later, so rerun the -l command if a working server suddenly rejects key logins. More details on what each privilege does can be found by searching Microsoft's TechNet Library.
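Nothing above verifies that the rights actually took, or how many accounts the /etc/passwd generated for sshd exposes to password guessing. The script below is an added example, not code from the original article: it parses the output of editrights -l and reports which of the four rights are missing, and it lists every /etc/passwd entry that still has a login shell. The sample editrights output and passwd lines embedded in it are constructed for offline testing (the SIDs are made up); the account name sshd and the script name are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-flight audit to run
# from an elevated Cygwin shell after the commands above. It verifies two
# things the article relies on but never checks:
#   1. the service account still holds the four rights granted with
#      editrights (a Group Policy refresh can remove them again);
#   2. which /etc/passwd entries have an interactive shell, because every
#      Windows account copied into /etc/passwd is a target for password
#      guessing once port 22 is reachable.
# The account name "sshd" is the article's choice; pass your own instead.
# Usage (Windows, elevated shell):  sh audit-sshd.sh audit sshd

REQUIRED_RIGHTS='SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege SeTcbPrivilege SeServiceLogonRight'

# missing_rights: reads the output of "editrights -l -u NAME" (one right per
# line) on stdin and prints every required right that is absent. Returns 0
# when nothing is missing. Losing these rights is what turns public-key
# logins into "fatal: seteuid ...: Operation not permitted".
missing_rights() {
    have=$(cat)
    rc=0
    for r in $REQUIRED_RIGHTS; do
        if ! printf '%s\n' "$have" | grep -qx "$r"; then
            printf '%s\n' "$r"
            rc=1
        fi
    done
    return $rc
}

# login_accounts: reads /etc/passwd-format lines on stdin and prints
# "name shell" for each entry whose shell is neither /bin/false nor a
# nologin binary. The privsep user and the service account should not
# show up here; every account that does can be logged into over SSH.
login_accounts() {
    awk -F: 'NF >= 7 && $7 !~ /(\/bin\/false|nologin)$/ { print $1, $7 }'
}

# audit NAME: run both checks against the live system (Cygwin only).
audit() {
    name=${1:-sshd}
    if m=$(editrights -l -u "$name" | missing_rights); then
        echo "rights ok for $name"
    else
        printf 'MISSING for %s:\n%s\n' "$name" "$m"
        echo "fix with: editrights -a <right> -u $name (elevated shell)"
    fi
    echo "accounts with a login shell (each is an SSH password target):"
    login_accounts </etc/passwd | sed 's/^/  /'
}

# Constructed sample data (the layout mkpasswd produces, with made-up SIDs)
# so both functions can be exercised offline.
SAMPLE_RIGHTS_OK=$(printf '%s\n' SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege SeTcbPrivilege SeServiceLogonRight)
SAMPLE_RIGHTS_PARTIAL=$(printf '%s\n' SeServiceLogonRight)
SAMPLE_PASSWD=$(printf '%s\n' \
    'james:unused:1001:513:U-PC\james,S-1-5-21-1-2-3-1001:/home/james:/bin/bash' \
    'cyg_server:unused:1002:544:U-PC\cyg_server,S-1-5-21-1-2-3-1002:/var/empty:/bin/false' \
    'sshd:unused:1003:513:sshd privsep,U-PC\sshd,S-1-5-21-1-2-3-1003:/var/empty:/bin/false' \
    'guest:unused:501:546:U-PC\guest,S-1-5-21-1-2-3-501:/home/guest:/bin/bash')

# Only touch the live system when explicitly asked.
if [ "${1:-}" = "audit" ]; then
    audit "${2:-sshd}"
fi
```

A non-empty MISSING list means public-key logins will fail with the seteuid error until the rights are re-granted with editrights -a; an unexpectedly long list of login-shell accounts is the cue to disable or exclude accounts before exposing the port.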

cygwin-sshd-configuration-14

Now that we have a user and the permissions are all configured correctly, it is time to install the service. Start the script by typing the command “ssh-host-config”. The answers to give, in order, are shown below. The blank line is the prompt for the value of CYGWIN for the daemon, which is left empty (just press Enter) now that ntsec and tty are no longer needed. Once again, where I use “sshd” make sure you use the name you chose earlier: answering “yes” to “Do you want to use a different name?” and entering that name is what binds the service to your account (accepting the default, cyg_server, and granting the editrights above to cyg_server instead, gives the two-account layout of NOTE 2). The last two lines are the password you assigned to that account earlier.

ssh-host-config
yes
yes

yes
sshd
sshd
PASSWORD
PASSWORD

cygwin-sshd-configuration-15

To set up Local Security Authority (LSA) authentication, run the script by issuing the command “cyglsa-config”. Installing Cygwin's LSA authentication package gives sshd a way to obtain a Windows logon token for a user who authenticated without a password (for example, with a public key), which it needs in order to switch into that user's context. Here is a good explanation as to everything that it entails. Answer “yes” to all of the questions. Be aware that a token obtained this way carries no network credentials, so such sessions cannot reach network shares unless the user's password has been stored with “passwd -R”, as one of the comments below describes. The change only takes effect after a reboot, and the script offers to reboot immediately, so make sure you are ready before running it. You have the option to delay the reboot, but it is a good idea to go ahead and reboot right after this command is issued.

cygwin-sshd-configuration-16

Cygwin should now be correctly configured with sshd. After the reboot you should see the service sshd running, under the account you chose. At this point, only the most basic setup has been completed. Security and firewall settings, among other things, still need to be configured; until they are, every local account with a login shell can be reached by password on port 22 wherever the firewall allows. Click here to go to the next topic in the series.

Discussion (31)

  1. SshDemon responded:

    Excellent instructions, but a few comments:
    (1) You may need to revise these instructions to reflect installing the latest Cygwin/SSH on Windows 8.1. Things seem quite different now. Also, the default ssh-host-config is generating TWO new user accounts, one called “cyg_server” and the other “sshd” (defaults). This is very confusing since it seems that you should not use either one for SSH login purposes. In your instructions it seems that you replace the former with the latter.
    (2) I’m not sure you need the “cyglsa-config” anymore. In fact it is very unclear why you need it. Please explain better or check up on it.
    Thanks for your effort.
    (3) Your instructions for creating Windows User Groups don’t work for non-professional editions of Windows 8/8.1 and others. This is very disappointing and confusing. It may still be possible by command line.

    • Thank you for your input. To address your points:
      (1) I assumed things would be different on Windows 8.1; however, I haven’t had the time to look into it. It sounds like they have updated the script; back when I wrote this tutorial it did not create a cyg_server user. I used the sshd account to keep things separate. The account technically has SSH permissions; however, I view it as more of a “root” account and simply keep it locked down. It should be possible to link sshd to any other account, but I have not personally tested this.
      (2) Please refer to the link for more information about that particular script. The script was needed back when I wrote this tutorial (things may have changed…). It gave the SSH server LSA authentication, which is needed in Windows to allow users to log onto the system. You can read more about LSA authentication, here.
      (3) That is quite upsetting, thanks for pointing that out. It appears that the “Local Users and Groups Manager” (lusrmgr.msc) is not included in the home editions. A workaround would be to use the “net localgroup” command, which should work fine for Windows 7/8 non-pro editions. You can use it via the following syntax “net localgroup [groupname] [username] /add”

  2. SPalato responded:

    I had problems getting “ssh-host-config” to work without warnings using cygwin64 on Windows 8. /etc/passwd wasn’t getting updated by Windows, and chown couldn’t find the user. That can be fixed using “mkpasswd -cl > /etc/passwd”.

    Thanks for the good tutorial!

  3. anil responded:

    Thank you very much for the detailed instructions. I have tried this on Windows 2012 R2 x64 with the latest Cygwin. Worked perfectly.

  4. Roc White responded:

    Regarding ssh-host-config script creating two user accounts: If you look at your second to last screenshot, to the question “Do you want to use a different name” you answered yes, and chose “sshd” (instead of the default “cyg_server”) as the name for the privileged user. Note that the first non-privileged user is also called “sshd” (two lines above the question “Should privilege separation be used”). My guess is that by using the same account for both there would be no separation of privileges.

    • Good catch. I should have made a separate privileged user. With Cygwin, only the pre-authentication phase is supported. My guess is that by setting the user to be the same it will still do the separation; however, it would effectively be the same thing as using the same user with some added overheads.

      To properly fix this, two users would need to be created, one with the root privileges as previously shown and one without those privileges. Both users should be configured in Windows to make it such that they are not allowed to login, especially with regards to remote connections from the privileged user.

      In Cygwin, both users should contain a “nologin” or invalid shell. As a preparation step, the following should be done:

      mkdir /var/empty
      chown root:sys /var/empty
      chmod 755 /var/empty
      groupadd sshd
      chmod 755 /var
      useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

      Additionally, when I show the editrights steps, all of those should be done for your new privileged user not sshd.

      I’ll make sure to point this information out in my article. Thanks again for your comment. I apologize for glancing over these steps; hopefully, these new steps will fix things.

  5. Yick Lam responded:

    Thanks so much for the instruction.
    I was asked to automatically back up the photos on my grandpa’s phone to a PC.
    I installed “rsync backup for android”.
    One big hurdle to using it is the requirement of installing rsync over ssh (with an automatic login feature) on my PC.
    I followed Cygwin ssh server setup instructions from a number of websites. I could log in to the ssh server with the keyboard-interactive password, but when it came to automatic login (using an rsa key pair), the ssh program closed itself:

    Offering public key: /root/.ssh/id_rsa
    Connection closed by SERVER

    I figured a way to check what’s wrong on the server side, using “event log viewer” in windows. The error I saw was like:

    sshd: PID 7840: fatal: seteuid 1002: Operation not permitted

    Then I got stuck on this for almost 2 weeks……
    I am not an expert in Linux environment!

    Finally I came across your instructions. I think the key difference in your instructions is the creation of the login “ssh”. After setting it up, the automatic login works like a charm!

  6. mstaffa81 responded:

    Hi there, So I’m having a wee bit of trouble with the chmod commands that edit /etc/passwd and /etc/group. It’s insisting that the file/directory doesn’t exist, which I figured might have been from the PATH variable being wrong, but when I checked it it was assigned correctly. I can’t seem to proceed without this issue being resolved.

    • mstaffa81 and I have been talking offline. His problems should now be resolved. For those of you with the above problem:

      This error occurs when those two files are missing. This shouldn’t happen, but if for some reason they don’t get created, then you can create them manually by doing the following:

      mkpasswd --local > /etc/passwd
      mkgroup --local > /etc/group
      

      Also, when using “editrights” if you get this error “Error in openPolicy (LsaOpenPolicy returned 0xc0000022=unknown status code)!” try again using an elevated Cygwin session, i.e. right click on your Cygwin shortcut and then click on “Run as administrator”.

      • sigfrido responded:

        Hi, I have the same problem. After the installation of Cygwin, passwd and group are missing. In the section “create-and-add-users” the security problem with these commands is explained:
        mkpasswd --local > /etc/passwd
        mkgroup --local > /etc/group
        I changed them to:
        mkpasswd --current > /etc/passwd
        mkgroup --current > /etc/group
        This adds only my current user to passwd and group; of course I have to add every account I want to give access to the ssh server,
        but is it OK not to add sshd to these files?
        thank you

        • If you do not add the sshd user then that user will not be able to SSH in. I believe that should be OK, but I have not tested this to verify. The sshd user is the user used for the service. If you do try this, please let us know how it plays out. Thanks!

          • clanmills responded:

            I’m offering the following comment, although it might be off the mark. I got it to work with the account ‘sshd’ by following James’s instructions. I subsequently used the Services Panel to access ‘CYGWIN/ssh Properties’ and changed ‘This account’ to my own account. This caused sshd to run with my credentials and permissions. For sure you need a little determination to get sshd working.

  7. Senthil Kumar responded:

    I followed all your steps but am still getting a permission denied error. Could you please help? Kind of stuck for a week now 🙁

    $ ssh -v localhost
    OpenSSH_7.1p1, OpenSSL 1.0.2d 9 Jul 2015
    debug1: Reading configuration data /etc/ssh_config
    debug1: Connecting to localhost [127.0.0.1] port 22.
    debug1: Connection established.
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/sshdadmin/.ssh/id_rsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/sshdadmin/.ssh/id_rsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/sshdadmin/.ssh/id_dsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/sshdadmin/.ssh/id_dsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/sshdadmin/.ssh/id_ecdsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/sshdadmin/.ssh/id_ecdsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/sshdadmin/.ssh/id_ed25519 type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/sshdadmin/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_7.1
    debug1: Remote protocol version 2.0, remote software version WeOnlyDo 2.4.3
    debug1: no match: WeOnlyDo 2.4.3
    debug1: Authenticating to localhost:22 as ‘WNT2012TEMP+sshdadmin’
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-sha2-256 none
    debug1: kex: client->server aes128-ctr hmac-sha2-256 none
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ssh-rsa SHA256:gVnFKz/ebnNhr/7EzxRzZRjRPfwNTW8roLqfD7aOI0U
    The authenticity of host ‘localhost (127.0.0.1)’ can’t be established.
    RSA key fingerprint is SHA256:gVnFKz/ebnNhr/7EzxRzZRjRPfwNTW8roLqfD7aOI0U.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added ‘localhost’ (RSA) to the list of known hosts.
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: password,gssapi-with-mic,publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/sshdadmin/.ssh/id_rsa
    debug1: Trying private key: /home/sshdadmin/.ssh/id_dsa
    debug1: Trying private key: /home/sshdadmin/.ssh/id_ecdsa
    debug1: Trying private key: /home/sshdadmin/.ssh/id_ed25519
    debug1: Next authentication method: password
    [email protected]’s password:
    debug1: Authentications that can continue: password,gssapi-with-mic,publickey
    Permission denied, please try again.
    [email protected]’s password:
    debug1: Authentications that can continue: password,gssapi-with-mic,publickey
    Permission denied, please try again.
    [email protected]’s password:
    Received disconnect from 127.0.0.1: 2: Too many attempts.
    Disconnected from 127.0.0.1

    [email protected] ~
    $

    • Based on your output you are able to connect to the server, so that’s good at least. It also tells me that you have it up and running, but that you are having credential issues. I’m assuming that when you tried your password, you typed it in correctly. With that assumption it sounds like you have an issue with adding the credentials to the server. I would try redoing the mkpasswd and mkgroup commands. Then reboot and try again. If that doesn’t work, make sure you can actually log into your Windows box with the user that you are trying to connect to. All Cygwin users will also be valid Windows users. Once you are set in Windows, issuing those above two commands (as outlined in the article) should update the credentials for the server.

      If that fails, check your config. You might have accidentally set some security setting that is giving you a hard time. If in doubt, you can just use the default settings initially.

  8. Senthil Kumar responded:

    I am only having issues connecting to Windows, while Linux connections are working fine! Any help would be deeply appreciated!

  9. Senthil Kumar responded:

    Let me try that.
    thank you very much.

  10. This article is a life-saver. Thank you very much. Everytime I have to get sshd to run on cygwin, my heart sinks. I endure this misery about once a year. However, thanks to you, I think I have a one stop shop for help.

    • Senthil kumar responded:

      I checked many websites before seeing this one which explained very clearly and finally able to make a successful sftp connection. Step by step explanation was great!!!

      Thank you so much James !!!

  11. sigfrido responded:

    Hi! Thank you for the reply. In the end I added just my account and it works great. I’d just like to add this: if you create an account for sshd manually, it will appear on the logon screen; I remember from my last installation that if you let Cygwin create it, it won’t appear (but then I don’t know if all the commands about permissions will work the same). So I just used a little registry trick to hide sshd from the logon screen.
    Bye

  12. Mike Potter responded:

    My use case is strictly localhost for a work Java project. Unfortunately I work for a Fortune 100 company with no authorization to create admin accounts on my work PC. These instructions warn that you do want a separate account, so I don’t see how I can adapt them given my login account type.

    It is so cool, though, that I’m almost tempted to do it on my home PC. However, I have a Linux-based home NAS for my AV system that can provide SFTP server functionality among many others. Thus it would be an academic exercise to do this, although an interesting one.

    • If you were to do something like this at work, I would recommend talking to your IT department first. If your account has the proper privileges you could register the service under that account, but you should probably still consult IT.

  13. clanmills responded:

    Mike: I am very happy to be retired and away from the Corporate World, in which many people are employed to throttle your productivity and (even worse) your enthusiasm. I’d like to share with you, however, that getting this stuff to work is painfully interesting! Having a Windows/Cygwin PC running on the same network as Linux enables you to play with SSH in a more meaningful way than only localhost. Incidentally, there are other free ssh servers for Windows which you may wish to try. Have fun with this stuff.

  14. ajinkya sagane responded:

    $ chmod +r /etc/passwd
    chmod: changing permissions of ‘/etc/passwd’: Permission denied
    What can I do now? Please explain.

    • Make sure you are executing these from a prompt that has been launched with administrative privileges.

  15. Robert responded:

    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: [email protected] (0x7f36f4c4ed80)
    debug2: key: [email protected] (0x7f36f4c4ecc0)
    debug2: key: /root/.ssh/identity ((nil))
    debug2: key: /root/.ssh/id_rsa (0x7f36f4c4bae0)
    debug2: key: /root/.ssh/id_dsa ((nil))
    debug2: key: /root/.ssh/id_ecdsa ((nil))
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Offering public key: [email protected]
    debug2: we sent a publickey packet, wait for reply
    Connection closed by *.*.*.*
    Connection not possible when using ssh key and it’s closed immediately.

    The log shows:
    sshd: PID 7676: fatal: seteuid 197611: Operation not permitted

    Does anyone know what is the problem ?
    Thank you!

    • It looks like your SSH keys may not be setup properly. Please ensure that you have setup your keys properly. It may be best to first try with a password, to make sure the basic setup works.

  16. yarecki responded:

    I’m having a problem where I can connect to my server via WinSCP, yet when I try ssh from a Linux host with the same account the server closes the connection, and looking in the event log I see chown(dev/pty1, some numbers) failed: Permission denied. What could be causing the problem?

    • Try SSHing as root. This shouldn’t be necessary, but it may be an easy fix.

  17. Mark responded:

    Hi, thank you for your post. I would like to add a couple of additional things to it. In my setup I’m using Windows 10, Public Key Authentication and needing to access network shares.

    cyg_server and sshd both exist on the machine running the ssh server.
    I found I had to apply the rights mentioned above to both users (not 100% certain if this was necessary)
    I then had to configure cyglsa-config
    Finally I had to store the password using cyglsa for the users in question. This requires administrative privileges since my ssh server is running using cyg_server instead of SYSTEM account. I found an admin could set the password using the command passwd -R USERNAME then enter passwords.
    After doing this the user could access the network shares whilst logging in using Public Key Authentication.

    I found the information contained here extremely useful.:
    https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview

    Thanks for your help!

  18. THANK YOU SO VERY MUCH! I don’t CAPSHOUT very often, but when I do, it is with good reason. Your post helped me fix the bloody annoying sshd “Operation not permitted” error, which appeared today, out of thin air, after weeks of trouble-free usage. The ‘editrights’ lines were what fixed this issue. I’m guessing my company laptop underwent something like a background GPO update, destroying my working config. Actually, like so many people that have the same problem, I don’t have a clue what caused this. But thank you again. I owe you a beer, or maybe two.
