| This package is the actual port of OpenSSH to Cygwin 1.1. |
| |
| =========================================================================== |
| Important change since 2.3.0p1: |
| |
| When using `ntea' or `ntsec' you now have to care for the ownership |
| and permission bits of your host key files and your private key files. |
| The host key files have to be owned by the NT account which starts |
| sshd. The user key files have to be owned by the user. The permission |
| bits of the private key files (host and user) have to be at least |
| rw------- (0600)! |
| |
| Note that this is forced under `ntsec' only if the files are on a NTFS |
| filesystem (which is recommended) due to the lack of any basic security |
| features of the FAT/FAT32 filesystems. |
| =========================================================================== |
| |
| If you are installing OpenSSH the first time, you can generate global config |
| files and server keys by running |
| |
| /usr/bin/ssh-host-config |
| |
| Note that this binary archive doesn't contain default config files in /etc. |
| That files are only created if ssh-host-config is started. |
| |
| If you are updating your installation you may run the above ssh-host-config |
| as well to move your configuration files to the new location and to |
| erase the files at the old location. |
| |
| To support testing and unattended installation ssh-host-config got |
| some options: |
| |
| usage: ssh-host-config [OPTION]... |
| Options: |
| --debug -d Enable shell's debug output. |
| --yes -y Answer all questions with "yes" automatically. |
| --no -n Answer all questions with "no" automatically. |
| --port -p <n> sshd listens on port n. |
| |
| You can create the private and public keys for a user now by running |
| |
| /usr/bin/ssh-user-config |
| |
| under the users account. |
| |
| To support testing and unattended installation ssh-user-config got |
| some options as well: |
| |
| usage: ssh-user-config [OPTION]... |
| Options: |
| --debug -d Enable shell's debug output. |
| --yes -y Answer all questions with "yes" automatically. |
| --no -n Answer all questions with "no" automatically. |
| --passphrase -p word Use "word" as passphrase automatically. |
| |
| Install sshd as daemon via SRVANY.EXE (recommended on NT/W2K), via inetd |
| (results in very slow deamon startup!) or from the command line (recommended |
| on 9X/ME). |
| |
| If you start sshd as deamon via SRVANY.EXE you will see two |
| sshd processes in the process list unless you give the "-D" |
| option to sshd. That will avoid that sshd detaches from the |
| controlling terminal and it will remain under process control |
| of SRVANY.EXE. That allows easy killing of the service by |
| using the `net stop <servicename>' command. |
| |
| If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the |
| following line to your inetd.conf file: |
| |
| sshd stream tcp nowait root /usr/sbin/in.sshd sshd -i |
| |
| Moreover you'll have to add the following line to your |
| ${SYSTEMROOT}/system32/drivers/etc/services file: |
| |
| sshd 22/tcp #SSH daemon |
| |
| Authentication to sshd is possible in one of two ways. |
| You'll have to decide before starting sshd! |
| |
| - If you want to authenticate via RSA and you want to login to that |
| machine to exactly one user account you can do so by running sshd |
| under that user account. You must change /etc/sshd_config |
| to contain the following: |
| |
| RSAAuthentication yes |
| |
| Moreover it's possible to use rhosts and/or rhosts with |
| RSA authentication by setting the following in sshd_config: |
| |
| RhostsAuthentication yes |
| RhostsRSAAuthentication yes |
| |
| - If you want to be able to login to different user accounts you'll |
| have to start sshd under system account or any other account that |
| is able to switch user context. Note that administrators are _not_ |
| able to do that by default! You'll have to give the following |
| special user rights to the user: |
| "Act as part of the operating system" |
| "Replace process level token" |
| "Increase quotas" |
| and if used via service manager |
| "Logon as a service". |
| |
| The system account does of course own that user rights by default. |
| |
| Unfortunately, if you choose that way, you can only logon with |
| NT password authentification and you should change |
| /etc/sshd_config to contain the following: |
| |
| PasswordAuthentication yes |
| RhostsAuthentication no |
| RhostsRSAAuthentication no |
| RSAAuthentication no |
| |
| However you can login to the user which has started sshd with |
| RSA authentication anyway. If you want that, change the RSA |
| authentication setting back to "yes": |
| |
| RSAAuthentication yes |
| |
| Please note that OpenSSH does never use the value of $HOME to |
| search for the users configuration files! It always uses the |
| value of the pw_dir field in /etc/passwd as the home directory. |
| If no home diretory is set in /etc/passwd, the root directory |
| is used instead! |
| |
| You may use all features of the CYGWIN=ntsec setting the same |
| way as they are used by the `login' port on sources.redhat.com: |
| |
| The pw_gecos field may contain an additional field, that begins |
| with (upper case!) "U-", followed by the domain and the username |
| separated by a backslash. |
| CAUTION: The SID _must_ remain the _last_ field in pw_gecos! |
| BTW: The field separator in pw_gecos is the comma. |
| The username in pw_name itself may be any nice name: |
| |
| domuser::1104:513:John Doe,U-domain\user,S-1-5-21-... |
| |
| Now you may use `domuser' as your login name with telnet! |
| This is possible additionally for local users, if you don't like |
| your NT login name ;-) You only have to leave out the domain: |
| |
| locuser::1104:513:John Doe,U-user,S-1-5-21-... |
| |
| SSH2 server and user keys are generated by the `ssh-*-config' scripts |
| as well. |
| |
| SSH2 authentication similar to SSH1: |
| Add keys to ~/.ssh/authorized_keys2 |
| Interop. w/ ssh.com dsa-keys: |
| ssh-keygen -f /key/from/ssh.com -X >> ~/.ssh/authorized_keys2 |
| and vice versa: |
| ssh-keygen -f /privatekey/from/openssh -x > ~/.ssh2/mykey.pub |
| echo Key mykey.pub >> ~/.ssh2/authorization |
| |
| If you want to build from source, the following options to |
| configure are used for the Cygwin binary distribution: |
| |
| --prefix=/usr --sysconfdir=/etc --libexecdir='${exec_prefix}/sbin |
| |
| You must have installed the zlib, openssl and regex packages to |
| be able to build OpenSSH! |
| |
| Please send requests, error reports etc. to cygwin@sources.redhat.com. |
| |
| Have fun, |
| |
| Corinna Vinschen <vinschen@cygnus.com> |
| Cygwin Developer |
| Red Hat Inc. |