first_page the funky knowledge base
personal notes from way, _way_ back and maybe today

Windows Server 2003: Installing OpenSSH

These notes are a "remixed" version of "OpenSSH for Windows 2003 Server" by Stephen Pillinger of the University of Birmingham here:

http://www.cs.bham.ac.uk/%7Esmp/projects/ssh-windows/

You should look at this reference for issues related to host-based authentication and public key authentication.

There are two known ways to install a free ssh server on Windows Server 2003. The first way is to install the full Cygwin distribution with a package manager. This process in described by Kevin Scully of University of Waterloo here:

http://ist.uwaterloo.ca/%7Ekscully/CygwinSSHD_W2K3.html

The other method is installing OpenSSH that uses a subset of Cygwin. This process described by Stephen Pillinger (see above) requires Windows Server 2003 Resource Kit Tools, now available here:

http://www.microsoft.com/downloads/
    details.aspx?FamilyID=
        9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en

Open SSH is available here:

http://sshwindows.sourceforge.net/

The default installation directory is this:

%ProgramFiles%\\OpenSSH\\

Edit this file:

%ProgramFiles%\\OpenSSH\\etc\\sshd_config

to make this line:

UsePrivilegeSeparation yes

Now to the command line:

mkdir %ProgramFiles%\\OpenSSH\\var\\empty\\

Note that the \\var\\empty\\ is a path that is required by default.

net user sshd yourPassword
    /add /fullname:"User for OpenSSH Service"
    /homedir:"%ProgramFiles%\\OpenSSH\\var\\empty\\"

sc config OpenSSHd obj= .\\sshd password= yourPassword

Note that you cannot use the %ProgramFiles% syntax used above for the /homedir option.

net localgroup Administrators sshd /add

ntrights +r SeAssignPrimaryTokenPrivilege -u sshd
ntrights +r SeCreateTokenPrivilege -u sshd
ntrights +r SeDenyInteractiveLogonRight -u sshd
ntrights +r SeDenyNetworkLogonRight -u sshd
ntrights +r SeDenyRemoteInteractiveLogonRight -u sshd
ntrights +r SeIncreaseQuotaPrivilege -u sshd
ntrights +r SeServiceLogonRight -u sshd

Note that ntrights.exe is part of the Windows Server 2003 Resource Kit Tools.

cacls "%ProgramFiles%\\OpenSSH" /E /T /G sshd:R
cacls "%ProgramFiles%\\OpenSSH\\var" /E /T /G sshd:F

subinacl /subdirectories "%ProgramFiles%\\OpenSSH\\var\\*.*" /setowner="sshd"

Note that in order for the above SUBINACL.EXE command to work you have to install an update from Microsoft here:

http://www.microsoft.com/downloads/
    details.aspx?FamilyID
        =e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

cd %ProgramFiles%\\OpenSSH\\bin\\
mkgroup -l > ..\\etc\\group
mkpasswd -l > ..\\etc\\passwd

Note that you should delete any unnecessary groups and users from %ProgramFiles%\\OpenSSH\\etc\\group and %ProgramFiles%\\OpenSSH\\etc\\passwd respectively.

Also you might want to comment out the Banner message under "# default banner path" in %ProgramFiles%\\OpenSSH\\etc\\sshd_config.

mod date: 2007-04-18T04:12:14.000Z