LINICKX.com

SSH Server on Windows, the Microsoft Way

Nick Bettison — Tue, 26 Apr 2016 12:32:00 +0100

An SSH server for windows, it's the kind of thing only a Linux/OSX user would ask for. The current defacto standard is Cygwin but if you fancy something a bit more native, something a bit backed by Microsoft then take a look at PowerShell/Win32-OpenSSH on github.

Installation is quite straight forward:

Download the latest release make sure you correctly select 32bit or 64bit
Create a folder, C:\Program Files\OpenSSH-Win32 and extract the contents there.
Start Powershell as Administrator - cd 'C:\Program Files\OpenSSH-Win32'
Setup SSH host keys (this will generate all the 'host' keys that sshd expects when its starts) - .\ssh-keygen.exe -A
Enable key-based auth - .\install-sshlsa.ps1
Reboot (well it is windows!)
Start Powershell as Administrator again - cd 'C:\Program Files\OpenSSH-Win32'
Install and run daemon as NT Service running as Local System - .\install-sshd.ps1
Start the service - Start-Service sshd
Make the service start on boot - Set-Service sshd -StartupType Automatic

If you have a problem running step 5 you might need to run Set-ExecutionPolicy Unrestricted; if you do disable this security, switch it back on when you're finished Set-ExecutionPolicy RemoteSigned (or whatever).

Also, don't forget to allow tcp/22 through any firewalls, either network or host based.

You'll probably want to enable SFTP, the server that is.

Edit C:\Program Files\OpenSSH-Win32\sshd_config in your favorite text editor and replace this:

# override default of no subsystems
#Subsystem  sftp    /usr/libexec/sftp-server
Subsystem   sftp    /win32openssh/bin/sftp-server.exe
Subsystem   scp /win32openssh/bin/scp.exe

with

# override default of no subsystems
#Subsystem  sftp    /usr/libexec/sftp-server
#Subsystem  sftp    /win32openssh/bin/sftp-server.exe
Subsystem   sftp    c:\PROGRA~1\OPENSS~1\sftp-server.exe
#Subsystem  scp /win32openssh/bin/scp.exe

Notice for program files and openssh-win32 I'm using the short path, you can find those using cmd.exe and using dir /x.

Your first login, from a Linux/OSX/nix machine

Ok, so this is where it gets a little odd. For your username you need SamAccountName@fqdndomain, as there is an @ in there you need to use the -l switch on ssh. Which means you have to do something like ssh -l nick.bettison@company.local mypc.company.local with a little luck that'll give you this...

linickx:~ $ ssh -l nick.bettison@company.local mypc.company.local
ssh -l nick.bettison@company.local@mypc.company.local's password: 
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

nick.bettison@company.local@MYPC C:\Users\nick.bettison\Documents>

If your PC is standalone (workgroup) you can use normal ssh syntax, either ssh user@pc.local or ssh -l user pc.local.

Connecting with SFTP

On a domain PC, SFTP probably won't work because there is no -l, as a workaround on my nix machine I added the following to my ~/.ssh/config file:

Host mypc
        Hostname mypc.company.local
        User nick.bettison@company.local

Which should work like this...

linickx:~ $ sftp mypc
nick.bettison@company.local@mypc.company.local's password: 
Connected to mypc.
sftp> pwd
Remote working directory: /C:/Users/nick.bettison/Documents
sftp>

To enable public key authentication

Edit C:\Program Files\OpenSSH-Win32\sshd_config in your favorite text editor (again) and replace this...

#RSAAuthentication yes
#PubkeyAuthentication yes

with

RSAAuthentication yes
PubkeyAuthentication yes

NOTE: Public key auth doesn't seem to work with domain PCs.

I tested on a standalone (non-domain) windows7 PC and it worked fine, but on a domain PC at work it fails with the following server side error message.

Cannot logon using LSA package (err = 1300, ntStat = c0000041).

Github Issue 87 seems to imply that this is group policy related, if it is, as yet I haven't figured out which one. The other reason this might not work is username interpretation, local users are "username" where as domains are "username@domain" so I wonder if the LSA .DLL is looking in the wrong place; I will update here if I find a solution.

checking if python is running via ssh

Nick Bettison — Mon, 30 Nov 2015 16:19:00 +0000

Sometimes it's nice when something is much easier than you expected. I have a few cobbled together python scripts for speeding things up, one in particular I have on my home pc which I wanted to work out if am I running it locally or if I have SSH'd in... below is the surprising simple example!

#!/usr/bin/env python

import os

try:
    os.environ["SSH_TTY"]
    print("SSH Connection Detected")
except:
    print("Running Locally")

You could also test the SSH_CLIENT variable as well, but this was good enough for me.

Enjoy!

password-less ssh login to JunOS

nick — Tue, 17 Jan 2012 13:35:00 +0000

Juniper (JunOS) SRX's support ssh public key authentication.

nick> show configuration system login | display set 
set system login user nick uid 2001
set system login user nick class super-user
set system login user nick authentication ssh-rsa "PASTE_KEY"
nick>

No-one likes to type passwords!

DenyHosts - Protecting against SSH Brute Force Attacks

nick — Thu, 12 Apr 2007 18:12:00 +0100

If you look after a remote linux box, the chances are you use SSH, in order to connect to it you may even have to leave PORT 22 open to the whole Internet !

There are some basic security steps that you can do to protect SSH, such as block the root user from logging in, and force users to use STRONG authentication.

Even after you've done all you can, logwatch will report that people are still wasting your time & resource by trying to break in ! This is where DenyHosts step in, it's a small script (daemon) that keeps an eye on your SSH log file, if it spots someone trying to Brute Force Attack your SSH accounts, it adds them to hosts.deny (it's like a firewall for some applications) and stops them from being able to connect.

I'm using redhat, so a pre-built rpm is available, if you already have DAG setup, you can use...

yum install denyhosts

I then had to run through the following steps (as root).

mkdir /usr/share/denyhosts
mkdir /usr/share/denyhosts/data/
echo '127.0.0.1' > /usr/share/denyhosts/data/allowed-hosts
cd /usr/share/denyhosts
cp /usr/share/doc/denyhosts-2.6/denyhosts.cfg-dist ./denyhosts.cfg
cp /usr/share/doc/denyhosts-2.6/daemon-control-dist ./daemon-control
chmod 700 /usr/share/denyhosts/daemon-control
ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
ln -s /usr/share/denyhosts/denyhosts.cfg /etc/denyhosts.cfg
/sbin/chkconfig denyhosts on

once you've charged through that marathon, in /etc/denyhosts.cfg you may want to take a look (and change) the following settings (Variables)

PURGE_DENY =
ADMIN_EMAIL =
SMTP_FROM = DenyHosts <nobody@localhost>

finally once you're happy, start the DenyHosts service

/etc/init.d/denyhosts start

Now you're logwatch report will show how may tries they had, and then Denied !

Refused incoming connections: 1.2.3.4  (some.name.com ): 2 Time(s)

Of course one option commonly suggested is to change the SSH port number from 22 to something else, where as this will reduce the amount of attacks on the service, it does absolutely nothing to protect it; of course you could do both, it's all a matter of choice :)