This blog was originally meant to record the bits and pieces of developing an input method, but it grew more and more miscellaneous, and now it records everything.

Sunday, 18 January 2015

How to install cygwin ssh server and ensure auto login (using RSA public key)

(based on http://techtorials.me/cygwin/sshd-configuration/)
  1. In case you want to uninstall a previously installed CYGWIN ssh server:
    (based on http://superuser.com/questions/110726/how-to-uninstall-reinstall-cygwin-to-use-the-sshd)
    In a Cygwin terminal, type the following:  
    # Remove sshd service
    cygrunsrv --stop sshd
    cygrunsrv --remove sshd
    # Delete any sshd or related users (such as cyg_server) from /etc/passwd
    # (use your favorite editor)
    # Delete any sshd or related users (such as cyg_server) from the system
    net user sshd /delete
    net user cyg_server /delete
  2. Make sure Windows has an administrator login. The example used is "ylam".
  3. Install CYGWIN or reinstall CYGWIN to have openssh and rsync.
  4. Run Cygwin Terminal
  5. Change the account settings of "ylam" for CYGWIN:
    chmod +r /etc/passwd
    chmod u+w /etc/passwd
    chmod +r /etc/group
    chmod u+w /etc/group
    chmod 755 /var
    touch /var/log/sshd.log
    chmod 664 /var/log/sshd.log
    editrights -l -u ylam
    editrights -a SeAssignPrimaryTokenPrivilege -u ylam
    editrights -a SeCreateTokenPrivilege -u ylam
    editrights -a SeTcbPrivilege -u ylam
    editrights -a SeServiceLogonRight -u ylam
    editrights -l -u ylam

  6. Run ssh-host-config. The responses you type are shown on the line after each *** Query prompt below.
    $ ssh-host-config

    *** Info: Generating missing SSH host keys
    *** Info: Creating default /etc/ssh_config file
    *** Info: Creating default /etc/sshd_config file

    *** Info: StrictModes is set to 'yes' by default.
    *** Info: This is the recommended setting, but it requires that the POSIX
    *** Info: permissions of the user's home directory, the user's .ssh
    *** Info: directory, and the user's ssh key files are tight so that
    *** Info: only the user has write permissions.
    *** Info: On the other hand, StrictModes don't work well with default
    *** Info: Windows permissions of a home directory mounted with the
    *** Info: 'noacl' option, and they don't work at all if the home
    *** Info: directory is on a FAT or FAT32 partition.
    *** Query: Should StrictModes be used? (yes/no)
    yes

    *** Info: Privilege separation is set to 'sandbox' by default since
    *** Info: OpenSSH 6.1. This is unsupported by Cygwin and has to be set
    *** Info: to 'yes' or 'no'.
    *** Info: However, using privilege separation requires a non-privileged account
    *** Info: called 'sshd'.
    *** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
    *** Query: Should privilege separation be used? (yes/no)
    yes
    *** Info: Updating /etc/sshd_config file

    *** Query: Do you want to install sshd as a service?
    *** Query: (Say "no" if it is already installed as a service) (yes/no)
    yes
    *** Query: Enter the value of CYGWIN for the daemon: []
    (Press Enter)
    *** Info: On Windows Server 2003, Windows Vista, and above, the
    *** Info: SYSTEM account cannot setuid to other users -- a capability
    *** Info: sshd requires. You need to have or to create a privileged
    *** Info: account. This script will help you do so.

    *** Info: It's not possible to use the LocalSystem account for services
    *** Info: that can change the user id without an explicit password
    *** Info: (such as passwordless logins [e.g. public key authentication]
    *** Info: via sshd) when having to create the user token from scratch.
    *** Info: For more information on this requirement, see
    *** Info: https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1

    *** Info: If you want to enable that functionality, it's required to create
    *** Info: a new account with special privileges (unless such an account
    *** Info: already exists). This account is then used to run these special
    *** Info: servers.

    *** Info: Note that creating a new user requires that the current account
    *** Info: have Administrator privileges itself.

    *** Info: No privileged account could be found.

    *** Info: This script plans to use 'cyg_server'.
    *** Info: 'cyg_server' will only be used by registered services.
    *** Query: Do you want to use a different name? (yes/no)
    yes
    *** Query: Enter the new user name:
    ylam
    *** Query: Reenter:
    ylam

    *** Query: Please enter the password for user 'ylam':
    (type ylam's Windows password)
    *** Query: Reenter:
    (reenter the password)


    *** Info: The sshd service has been installed under the 'sshd'
    *** Info: account. To start the service now, call `net start sshd' or
    *** Info: `cygrunsrv -S sshd'. Otherwise, it will start automatically
    *** Info: after the next reboot.

    *** Info: Host configuration finished. Have fun!

  7. Start the ssh server by:
    net start sshd
     
  8. Modify Windows firewall to allow port 22 traffic.
    (http://diddy.boot-land.net/ssh/files/firewall.htm)

    Control Panel -> Windows Firewall -> Advanced settings -> Inbound Rules (right click) -> New rule
    ...
    Select TCP and enter 22 ....
     
  9. Test the connection:
    ssh -v ylam@localhost
    (Note: replace "ylam" with your login. You will be prompted for a password.)
     
  10. For login without a password, on the remote machine you will connect from (for testing, the local machine is also fine), type:
    a) ssh-keygen -t rsa (press Enter for everything)
    b) ssh-copy-id -i ~/.ssh/id_rsa.pub abc@localhost
    c) Try logging in again: ssh abc@localhost. You will not need a password.
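As an added example (not code from the original post), the script below does by hand what ssh-copy-id does in step 10b and then checks the ownership and permission rules sshd applies to the home directory, .ssh and authorized_keys once StrictModes is 'yes', the answer given in step 6. It assumes GNU stat(1) as shipped with Cygwin; the temporary home directory and the key line in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key into
# ~/.ssh/authorized_keys by hand (what ssh-copy-id does in step 10b) and
# verify the ownership and permission rules sshd enforces once StrictModes
# is 'yes' (the answer given in step 6). Assumes GNU stat(1), as in Cygwin.

# Print the 4-digit octal mode of a path, e.g. 0700.
mode_of() { printf '%04d' "$(stat -c '%a' "$1")"; }

# Succeed only if neither group nor other has write permission on the path.
no_group_other_write() {
    m=$(mode_of "$1")
    g=${m%?}; g=${g#??}                  # group digit
    o=${m#???}                           # other digit
    case "$g$o" in *[2367]*) return 1 ;; esac
    return 0
}

# Apply the StrictModes checks to the home directory, .ssh and authorized_keys.
strict_modes_ok() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || return 1
        [ "$(stat -c '%u' "$p")" = "$(id -u)" ] || return 1   # owned by the login user
        no_group_other_write "$p" || return 1
    done
}

# Append one public-key line, without duplicating it on repeated runs, and
# set the tight permissions that StrictModes requires.
install_pubkey() {
    ak=$1/.ssh/authorized_keys
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
    touch "$ak" && chmod 600 "$ak"
    grep -qxF "$2" "$ak" || printf '%s\n' "$2" >> "$ak"
}

# Number of keys currently authorized for the account.
key_count() { grep -c '^ssh-' "$1/.ssh/authorized_keys"; }

# Demo on a temporary home with a constructed (not real) key line.
DEMO_HOME=$(mktemp -d)
DEMO_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedexamplekey= ylam@example'
install_pubkey "$DEMO_HOME" "$DEMO_KEY"
install_pubkey "$DEMO_HOME" "$DEMO_KEY"     # second run must not add a second copy
strict_modes_ok "$DEMO_HOME" && echo "StrictModes checks pass: $(key_count "$DEMO_HOME") key"
chmod 775 "$DEMO_HOME"                      # group-writable home: sshd would now ignore the key
strict_modes_ok "$DEMO_HOME" || echo "group-writable home would be rejected by sshd"
```

If public-key login still prompts for a password after step 10, running strict_modes_ok against the server-side home of the login user (and reading /var/log/sshd.log) is the quickest way to find which of the three paths fails the check.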