Cygwin - SSHD Configuration
Last Updated: 01/08/15
NOTE 1 – With the environment variables “ntsec” and “tty” no longer being supported, this article has been completely updated to show how to create the server using the new settings. If you wish to see the legacy version, it can be found here.
NOTE 2 – This article was originally written with the intent of using a single user. This procedure has been tested and verified to work. It is still secure; however, it is more secure if you use two users, as it allows you to perform proper privilege separation. At the time, I do not have detailed directions on how to do that; however, I provided a high-level description as a response to Roc White’s comment (thanks again for catching this). Please read through this tutorial and that comment before continuing.
This guide is the second part of my Cygwin SSH server series and assumes that Cygwin was installed according to the first guide. If you did not read the first part it can be found here. This article will focus on how to configure sshd, the ssh daemon, in Cygwin. My knowledge on this subject was obtained through painful experimentation and time spent searching online. Over two years have passed since that initial installation and I have still found Cygwin to be the best solution to my needs. I have also found some tweaks that I find make the setup easier and more secure. Those techniques will be shown in these guides as well as any known limitations.
Now that Cygwin has been installed, we need to make a Windows environment variable, create a new administrator account, install the daemon, and start the server. First, click on your start menu and type “advanced system settings”. Then click on the item in the Control Panel titled “View advanced system settings”.
The sshd service that we will be creating must be run under a user. Do NOT use your current user. This is very important, because if you ever wish to delete the server you will need to delete the user. This username will also become the name of a service, so choose your name wisely. I like to use the name “sshd” as it explains exactly what the user is for. You can name it whatever you wish, just make sure to keep all of your names straight. Since I will be using sshd, you will need to exchange that name for whatever you pick throughout the rest of these guides.
To make a new user, click on the start menu and type “user accounts” in the search field. Click on “Add or remove user accounts”.
chmod +r /etc/passwd chmod u+w /etc/passwd chmod +r /etc/group chmod u+w /etc/group chmod 755 /var touch /var/log/sshd.log chmod 664 /var/log/sshd.log editrights -l -u sshd editrights -a SeAssignPrimaryTokenPrivilege -u sshd editrights -a SeCreateTokenPrivilege -u sshd editrights -a SeTcbPrivilege -u sshd editrights -a SeServiceLogonRight -u sshd editrights -l -u sshd
The “chmod” command stands for change file mode bits. It is used to change the permissions on files and directories. The first four lines change the permissions on the files “passwd” and “group” to give us write access to them. The “passwd” file will contain all of the Windows users’ security information set by Windows; likewise, the “group” file will contain all of the Windows groups’ security information. The files do not contain any password information, as that portion is managed by Windows. These two files are critical as they will contain all of the user info needed for the ssh server.
The next three lines change the permissions for the log file so that logging may occur correctly. The “touch” command is used to change the timestamps on files. In this case we are updating the modification time to be the current time. To use the log file, the permissions on the “var” directory must be changed. The log file that we are changing permissions to is designed to log the actions of the ssh server. There are much better logging tools available and in a later tutorial I will go over how to use them, but for the meantime it’s important to set this up.
The last six commands are used to change Windows user rights and privileges. It is important that when issuing these commands you use the username you picked for the server in the place of “sshd”. The command in lines eight and 13 are used to display the permissions given to the user. There should not be any permissions set the first time the command is given, and afterwards the user should have all of the permissions assigned in lines nine through 12. These advanced privileges are necessary for the service to run correctly. More details can be found as to what each privilege is by doing a search at Microsoft’s TechNet Library.
Now that we have a user and that the permissions are all configured correctly, it is time to install the service. Start the script by typing the command “ssh-host-config”. The answer to give to all of the questions is shown below. Once again where I use “sshd” make sure you use the correct name given earlier. The last two lines will be the password that you assigned the user earlier.
ssh-host-config yes yes yes sshd sshd PASSWORD PASSWORD
To setup Local Security Authority (LSA) authentication, run the script by issuing the command “cyglsa-config”. LSA authentication will allow for the sshd service to run under the SYSTEM account, among other things. Here is a good explanation as to everything that it entails. Answer “yes” to all of the questions. This will automatically reboot your system so make sure you are ready to reboot before running the script. You have the option to delay the reboot, but it is a good idea to go ahead and reboot right after this command is issued.
Cygwin should now be correctly configured with sshd. When you reboot your computer you should see the service sshd (or whatever you called it) running. At this point, only the most basic setup has been completed. Security and firewall settings, among other things, still need to be configured. Click here to go to the next topic in the series.