Cygwin - SSHD Configuration - Legacy

Written: 12/27/11

Last Updated: 06/15/13

NOTE – This article has been replaced by a newer one. Click here to go to the newer article.

This guide is the second part of my Cygwin SSH server series and assumes that Cygwin was installed according to the first guide. If you did not read the first part, it can be found here. This article focuses on how to configure sshd, the SSH daemon, in Cygwin. My knowledge on this subject was obtained through painful experimentation and time spent searching online. Over two years have passed since that initial installation, and I still find Cygwin to be the best solution for my needs. I have also found some tweaks that make the setup easier and more secure. Those techniques, as well as any known limitations, will be shown in these guides.

Now that Cygwin has been installed, we need to set some Windows environment variables, create a new administrator account, install the daemon, and start the server. First, right-click on “Computer” and click on “Properties”. The “Computer” shortcut can usually be found on your desktop and, if not, in your start menu. If you do not see it in either place, click on your start menu and type the word “Computer” in the search field, as shown below.

cygwin-sshd-configuration-legacy-1

In the new window that opens, click on “Advanced system settings.”

cygwin-sshd-configuration-legacy-2

The “System Properties” window should now be open. In the “Advanced” tab click on “Environment Variables…”.

cygwin-sshd-configuration-legacy-3

Here we will set the environment variables. Environment variables are named values that affect the behavior of running processes on a computer. In Windows there are two types, user and system, and our setup requires one of each. Let’s start with the user variable, by clicking on “New…” underneath the user variables section.

cygwin-sshd-configuration-legacy-4

For the variable name, type “CYGWIN” and for the variable value, type “ntsec tty”. Click “OK”. You should now see your newly added variable in the user variables section.

cygwin-sshd-configuration-legacy-5

Select the “Path” variable under the system variables and click on “Edit…”.

cygwin-sshd-configuration-legacy-6

Move the cursor to the end of the existing string in the variable value field. Making sure that the existing value is not selected (so that you append to it rather than overwrite it), type “;c:\cygwin\bin” at the end of the string. Be sure to include the semicolon and not to add any spaces. Click “OK”.

cygwin-sshd-configuration-legacy-7

Click “OK”.

cygwin-sshd-configuration-legacy-8

Click “OK”.

cygwin-sshd-configuration-legacy-9

The sshd service that we will be creating must run under a dedicated user. Do NOT use your current user. This is very important, because if you ever wish to delete the server you will need to delete the user. This username will also become the name of the service, so choose it wisely. I like to use the name “sshd”, as it explains exactly what the user is for. You can name it whatever you wish; just keep all of your names straight. Since I will be using sshd throughout the rest of these guides, substitute whatever name you picked wherever it appears.

To make a new user, click on the start menu and type “user accounts” in the search field. Click on “Add or remove user accounts”.

cygwin-sshd-configuration-legacy-10

Click on “Create a new account” in the manage accounts screen.

cygwin-sshd-configuration-legacy-11

Type in the name you wish to use for the user, select “Administrator”, and then click on “Create Account”.

cygwin-sshd-configuration-legacy-12

Click on your newly created user’s account to edit it.

cygwin-sshd-configuration-legacy-13

Click on “Create a password”.

cygwin-sshd-configuration-legacy-14

Create a secure password. At the very least, use mixed case (upper and lower case letters) and numbers. It is also a good idea to include symbols, and the password should be longer than 7 characters. The security of this password is vital: the whole world will be able to try to break in, and this could be your only defense. I will address security issues and show how to “lock down” the server in a later article. Windows requires that you create a password hint. I dislike this and do not wish to give anyone a hint; a trick to avoid giving one is to put a single space in the password hint field. Keep this password handy, as it will be needed shortly. Click “Create Password” once you are satisfied with the strength of your password.

cygwin-sshd-configuration-legacy-15

We are now done with all of the Windows pre-setup and will proceed to the Cygwin configuration. Open a Cygwin terminal. If you did not make an icon or a start menu entry, you can find one by clicking on the start menu and typing “cygwin” in the search field.

cygwin-sshd-configuration-legacy-16

Type the commands shown below in the terminal. These commands are permission workarounds that prevent the permission errors that would otherwise occur later.

chmod +r /etc/passwd
chmod u+w /etc/passwd
chmod +r /etc/group
chmod u+w /etc/group
chmod 755 /var
touch /var/log/sshd.log
chmod 664 /var/log/sshd.log
editrights -l -u sshd
editrights -a SeAssignPrimaryTokenPrivilege -u sshd
editrights -a SeCreateTokenPrivilege -u sshd
editrights -a SeTcbPrivilege -u sshd
editrights -a SeServiceLogonRight -u sshd
editrights -l -u sshd

The “chmod” command stands for “change file mode bits”; it changes the permissions on files and directories. The first four lines make the files “passwd” and “group” readable by everyone and writable by their owner, which gives us the write access we need. The “passwd” file contains the Windows users’ account information as exported from Windows; likewise, the “group” file contains the Windows groups’ information. Neither file contains any password data, as that portion is managed by Windows. These two files are critical, as they hold all of the user information the SSH server needs.

The next three lines set up the log file so that logging works correctly. The “touch” command creates the named file if it does not exist and otherwise updates its timestamps to the current time; here it creates the empty log file. For the log file to be usable, the permissions on the “var” directory must also be changed. This log file records the actions of the SSH server. There are much better logging tools available, and in a later tutorial I will go over how to use them, but for the meantime it’s important to set this up.

The last six commands change Windows user rights and privileges. When issuing these commands, use the username you picked for the server in place of “sshd”. The commands on lines eight and 13 display the rights currently granted to the user. The first time it is run there should be none; after lines nine through 12 have run, the user should hold all four of the rights they assign. These advanced privileges are necessary for the service to run correctly. More details on what each privilege does can be found by searching Microsoft’s TechNet Library.
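The script below is an added example, not part of the original guide, that checks the results of the commands above after they have been run: it compares the modes of the log file and the “var” directory against the values the chmod lines set, and it parses the listing from “editrights -l -u USER” to report which of the four required rights are still missing. It assumes GNU stat (which Cygwin’s coreutils provides) and assumes that “editrights -l” prints one right name per line; SSHD_USER is a placeholder for the username you chose.

```shell
#!/bin/sh
# Added example (not from the original guide): verify the permission and
# rights workarounds. Assumes GNU `stat -c %a` and that `editrights -l -u USER`
# prints one right name per line.

# The four rights the guide grants to the service account with editrights -a.
REQUIRED_RIGHTS="SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege SeTcbPrivilege SeServiceLogonRight"

# check_mode PATH EXPECTED_OCTAL
# Prints "ok PATH", "bad PATH (got X, want Y)" or "missing PATH";
# returns 0 only when the octal mode matches exactly.
check_mode() {
  path=$1; want=$2
  if [ ! -e "$path" ]; then
    printf 'missing %s\n' "$path"
    return 1
  fi
  got=$(stat -c '%a' "$path")
  if [ "$got" = "$want" ]; then
    printf 'ok %s\n' "$path"
    return 0
  fi
  printf 'bad %s (got %s, want %s)\n' "$path" "$got" "$want"
  return 1
}

# missing_rights
# Reads an editrights listing on stdin and prints each required right that is
# absent, one per line. Prints nothing when the account has all four.
missing_rights() {
  listing=$(cat)
  for r in $REQUIRED_RIGHTS; do
    # grep -x matches the whole line, so a right name never matches a longer one
    printf '%s\n' "$listing" | grep -qx "$r" || printf '%s\n' "$r"
  done
}

# check_service_account USER
# Runs editrights for real (Cygwin only) and reports any missing rights.
check_service_account() {
  user=$1
  if ! command -v editrights >/dev/null 2>&1; then
    printf 'editrights not found; run this inside Cygwin\n' >&2
    return 1
  fi
  missing=$(editrights -l -u "$user" | missing_rights)
  if [ -n "$missing" ]; then
    printf '%s lacks: %s\n' "$user" "$(printf '%s' "$missing" | tr '\n' ' ')"
    return 1
  fi
  printf '%s has all required rights\n' "$user"
}

# run_all_checks [USER]: the full post-setup check. SSHD_USER is a placeholder.
run_all_checks() {
  rc=0
  check_mode /var 755 || rc=1
  check_mode /var/log/sshd.log 664 || rc=1
  check_service_account "${1:-${SSHD_USER:-sshd}}" || rc=1
  return $rc
}

# Only run the real checks when invoked with --run, e.g. `sh check.sh --run sshd`.
if [ "${1:-}" = "--run" ]; then
  run_all_checks "${2:-}"
fi
```

Each line of the chmod and editrights block above gets a corresponding check here, so the script can be re-run after any later change to confirm the workarounds are still in place.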

cygwin-sshd-configuration-legacy-17

Now that we have a user and the permissions are all configured correctly, it is time to install the service. Start the script by typing the command “ssh-host-config”. The answers to give to its questions are shown below, in order (the blank line is an empty answer: just press Enter). Once again, where I use “sshd”, use the name you chose earlier. The last two lines are the password that you assigned to the user.

ssh-host-config
yes
yes

yes
sshd
sshd
PASSWORD
PASSWORD

cygwin-sshd-configuration-legacy-18

To set up Local Security Authority (LSA) authentication, run the script by issuing the command “cyglsa-config”. LSA authentication allows the sshd service to run under the SYSTEM account, among other things; here is a good explanation of everything that it entails. Answer “yes” to all of the questions. The script reboots your system at the end, so make sure you are ready to reboot before running it. You have the option to delay the reboot, but it is a good idea to go ahead and reboot right after the command finishes.

cygwin-sshd-configuration-legacy-19

Cygwin should now be correctly configured with sshd. After rebooting, you should see the service sshd (or whatever you named it) running. At this point only the most basic setup has been completed; security and firewall settings, among other things, still need to be configured. Click here to go to the next topic in the series.
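As an added example that is not part of the original guide, the following helper confirms from a Cygwin terminal that the service actually came up after the reboot, instead of relying on a glance at the Services window. It queries the service with “cygrunsrv -Q NAME” and parses the “Current State” and “Command” fields; the exact field layout of that output is an assumption, and SSHD_SERVICE is a placeholder for the name you gave the service.

```shell
#!/bin/sh
# Added example (not from the original guide): check the sshd service after the
# reboot via `cygrunsrv -Q`. Assumes cygrunsrv prints fields such as
# "Current State       : Running" and "Command             : /usr/sbin/sshd -D".

# service_state
# Reads `cygrunsrv -Q NAME` output on stdin and prints the "Current State"
# value, or "unknown" when the field is absent (e.g. the service does not exist).
service_state() {
  state=$(sed -n 's/^Current State[[:space:]]*:[[:space:]]*//p' | head -n 1)
  if [ -z "$state" ]; then
    echo unknown
  else
    echo "$state"
  fi
}

# service_command
# Prints the "Command" field, so you can confirm that the service named after
# your user really launches sshd and nothing else.
service_command() {
  sed -n 's/^Command[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# wait_until_running NAME [SECONDS]
# Polls cygrunsrv -Q once per second until the service reports Running or the
# timeout (default 30 s) expires. Returns 0 when Running, 1 otherwise.
wait_until_running() {
  name=$1; limit=${2:-30}; n=0; state=unknown
  if ! command -v cygrunsrv >/dev/null 2>&1; then
    printf 'cygrunsrv not found; run this inside Cygwin\n' >&2
    return 1
  fi
  while [ "$n" -lt "$limit" ]; do
    state=$(cygrunsrv -Q "$name" 2>/dev/null | service_state)
    [ "$state" = "Running" ] && return 0
    n=$((n + 1))
    sleep 1
  done
  printf '%s is not running (last state: %s)\n' "$name" "$state" >&2
  return 1
}

# report NAME: one-line summary combining both fields.
report() {
  out=$(cygrunsrv -Q "$1" 2>/dev/null)
  printf '%s: state=%s command=%s\n' "$1" \
    "$(printf '%s\n' "$out" | service_state)" \
    "$(printf '%s\n' "$out" | service_command)"
}

# Typical use after the reboot (SSHD_SERVICE is a placeholder for your name):
if [ "${1:-}" = "--run" ]; then
  svc=${2:-${SSHD_SERVICE:-sshd}}
  wait_until_running "$svc" 30 && report "$svc"
fi
```

If the state never reaches Running, “cygrunsrv -Q” on the name you chose and the contents of /var/log/sshd.log created earlier are the first places to look for the reason.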
