Installing OpenSSH on Windows 7

13 years ago

Today, I was tempted to take control of a Windows machine remotely in console mode as I’m trying to script the launch and use of VLC. A quick Google search revealed the existence of the sshwindows project, which is a more lightweight solution than a full cygwin installation.

Here are the installation steps:

Download and run the sshwindows installer.

As the setup will tell you, some simple commands will be needed to complete the installation. Launch the Windows command line tool (Windows key -> type cmd -> press Enter) and head to the directory in which you installed OpenSSH.

cd \
cd "Program Files (x86)"
cd OpenSSH

The steps needed to complete the installation are detailed in the docs folder in two files: quickstart.txt will quickly sum up the steps while the readme.txt is a more detailed setup and troubleshooting guide.

Below is the step-by-step process of what I had to do to get the server running:

# go to the bin directory of the OpenSSH folder
cd bin
# create the default groups
mkgroup -l >> ..\etc\group
# create the default users
mkpasswd -l >> ..\etc\passwd
# Note: for neither of the above commands did I bother with the domain version documented in the quickstart
# Now, if you look in ..\etc\passwd, you will see entries (one per line) for all your Windows users.

# Start the server in debug mode
cd ..\usr\sbin
sshd -d -d -d

According to the quickstart guide, everything should work at this point but that was not the case for me.
I had permission errors with the rsa and dsa key files.

Below is the message I saw:

debug1: sshd version OpenSSH_3.8.1p1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/etc/ssh_host_rsa_key' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_rsa_key
Could not load host key: /etc/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/etc/ssh_host_dsa_key' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh_host_dsa_key
Could not load host key: /etc/ssh_host_dsa_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.

I solved that problem by using chown and chmod, available in the bin folder, to change the permissions on these files. As I found out trying to run chown, I needed a cygintl-2.dll file which I didn’t have on that computer. I ended up copying it from another computer running an up-to-date install of cygwin. In this up-to-date version, cygintl-2 was called cygintl-8, so I renamed it. If you need to, download cygintl-2.dll and cygwin1.dll and place them in your OpenSSH\bin directory. Note that you will need to replace the existing cygwin1.dll.

cd ..\..\etc
..\bin\chown <username> *
..\bin\chmod 600 *
# ls -lsa to confirm that the permissions were changed
# run the server in debug mode again...
cd ..
usr\sbin\sshd -d -d -d
# If prompted, allow the service to accept incoming connections...

That’s it, at this point, the server starts. You can kill it (CTRL+C) and start it as a Windows service by running:

net start opensshd

Time to test our SSH server with a client. On a different computer, run an SSH client (if the other computer is running Windows, you can use PuTTY).

ssh <username>@<ip_windows_machine>
# You will be prompted to accept the authenticity of host, type yes
# You will be prompted for a password
# Enter your windows password

At this point, it worked for me! Now I can connect to a Windows 7 machine using SSH and that makes Windows a lot cooler! Thanks to the developer, Michael Johnson.

Going further, the public key authentication

Since my goal, with all this, was to script the use of VLC from a Unix machine on the Windows one, I could use the public key authentication to bypass the interactive authentication.

The SSH public key authentication system is based on the private and public keys which are expected in the user’s home folder (in a folder called .ssh). So the first step will be to define the user’s home folder on Windows.

Since I’m not using cygwin but OpenSSH for Windows, it’s only the declaration of the home folder in OpenSSH that I care about. I edited the file c:\Program Files (x86)\OpenSSH\etc\passwd and changed the value before last (each value is separated by a ;). I changed the home folder for my user to /cygdrive/c/Users/<username>. Now I can go in my c:\Users\<username> folder and create a folder called .ssh. I recommend creating this folder using the command window as I don’t think it is possible with the graphical interface.

cd c:\Users\<username>
mkdir .ssh

At this point, you need a public key, which you should generate with the command:

ssh-keygen -t rsa

Now, the idea is to place my user’s public key in this folder in a file called authorized_keys. Since I’ve already set up my public key, I simply had to place it in that folder and do:

cd c:\Users\<username>\.ssh
# id_dsa.pub is the public key copied over from the client (a key made with "ssh-keygen -t rsa" is named id_rsa.pub)
copy id_dsa.pub authorized_keys
del id_dsa.pub
# The public key authentication will not work if the permissions are not set right on this file so
cd ..
"c:\Program Files (x86)\OpenSSH\bin\chown.exe" -R <username> .
"c:\Program Files (x86)\OpenSSH\bin\chmod.exe" -R 700 .ssh
"c:\Program Files (x86)\OpenSSH\bin\chmod.exe" 600 .ssh/authorized_keys

Edit your SSH server configuration file and make sure public key authentication is not commented out (it was okay for me by default).

From your client computer, connect again using ssh <username>@<windows_ip> and you shouldn’t be prompted for a password anymore.
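
The two permission rules behind the errors above, as an added example that is not from the original post: sshd ignores a private host key when any group/other bit is set (mode & 077), and with StrictModes it rejects authorized_keys when the file, .ssh or the home directory is group- or world-writable (mode & 022). The script assumes GNU stat (Linux or Cygwin) and checks mode bits only, not ownership; the function names and the sample files it builds are made up for the demonstration.

```shell
# Added example: the mode-bit checks sshd applies to keys (assumes GNU stat).
mode_of() { stat -c '%a' "$1"; }          # octal permission bits, e.g. 644

# Private key rule: any group/other bit (mode & 077) => "key will be ignored".
private_key_ok() {
    m=$(mode_of "$1") || return 2
    [ $(( 0$m & 077 )) -eq 0 ]
}

# StrictModes rule: path must not be group- or world-writable (mode & 022).
not_group_world_writable() {
    m=$(mode_of "$1") || return 2
    [ $(( 0$m & 022 )) -eq 0 ]
}

# $1 = directory holding ssh_host_*_key files; returns the number of findings.
audit_host_keys() {
    bad=0
    for k in "$1"/ssh_host_*_key; do
        [ -e "$k" ] || continue
        private_key_ok "$k" || { echo "IGNORED  $(mode_of "$k") $k"; bad=$((bad + 1)); }
    done
    return "$bad"
}

# $1 = user's home directory; returns the number of findings.
audit_pubkey_paths() {
    bad=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"; bad=$((bad + 1))
        elif ! not_group_world_writable "$p"; then
            echo "TOO OPEN $(mode_of "$p") $p"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample layout: one 0644 host key, one writable authorized_keys.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc" "$d/home/.ssh"
    : > "$d/etc/ssh_host_rsa_key";       chmod 644 "$d/etc/ssh_host_rsa_key"
    : > "$d/home/.ssh/authorized_keys";  chmod 666 "$d/home/.ssh/authorized_keys"
    chmod 755 "$d/home"; chmod 700 "$d/home/.ssh"
    audit_host_keys "$d/etc" || true; audit_pubkey_paths "$d/home" || true
    rm -rf "$d"
}
demo
```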

Now, I can simply launch commands on the Windows machine by doing:

ssh <username>@<ip_windows> <cmd>

Finally, moving on with my project, which I’ll describe in this blog upon completion. Until then, hope this tip helps.