Monday, June 15, 2009

Installing SSH on Windows 2003 Server

SSH, or Secure Shell, is a network protocol that allows information to be exchanged over a secure channel between a client and a server. SSH is commonly used to log in remotely and run commands, but it also allows creating tunnels, forwarding TCP ports and X11 connections, and transferring files using the SFTP and SCP protocols. Used mainly on Unix and Linux systems, SSH was designed as a replacement for Telnet and other insecure remote shells, which transmit information such as passwords in plain text, where it can be intercepted by a third party.

Here I will try to explain how to install this service on Windows 2003 Server using Cygwin and OpenSSH.

First, download the Cygwin installer, run it, and follow the wizard to download OpenSSH together with the required utilities, adjusting of course whatever parameters you consider necessary.

Edit the file c:\cygwin\Cygwin.bat and add the following

Open a Cygwin session (double-click the icon created on your Windows desktop) or, from a Windows command prompt (cmd), run the file c:\cygwin\Cygwin.bat


run the following command to change the mount prefix from "/cygdrive" to "/". Then close this session and open a new one so that the PATH environment variable is reset.
$ mount -s --change-cygdrive-prefix /

create the users file
$ mkpasswd -l > /etc/passwd

and the groups file
$ mkgroup -l > /etc/group

grant read permission on both
$ chmod +r /etc/passwd
$ chmod +r /etc/group

set the following permissions on the /var directory
$ chmod 755 /var

If the /home directory does not exist, it is advisable to create it, since that is where users' files will be stored; the default location is the "Documents and Settings" directory. Creating /home with the -p option means that when a user is created, their home directory will be placed under c:\cygwin.
$ mkdir -p /home
$ mkdir /home/Administrator
$ cd

At this point your environment is configured. The next step is to install the ssh service by running the ssh-host-config command, which generates the host's ssh key files in /etc. Note that two users are created: one called sshd, used for privilege separation, and another called sshd_server, which Windows 2003 requires in order to run the service and provide public key authentication. Your output should look something like this
$ ssh-host-config
*** Info: Generating /etc/ssh_host_key
*** Info: Generating /etc/ssh_host_rsa_key
*** Info: Generating /etc/ssh_host_dsa_key
*** Info: Creating default /etc/ssh_config file
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges. Should this script attempt to create a
*** Query: new local account 'sshd'? (yes/no) yes
*** Info: Updating /etc/sshd_config file


*** Warning: The following functions require administrator privileges!

*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Info: Note that the CYGWIN variable must contain at least "ntsec"
*** Info: for sshd to be able to change user context without password.
*** Query: Enter the value of CYGWIN for the daemon: [ntsec] ntsec
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires. You need to have or to create a privileged
*** Info: account. This script will help you do so.

*** Info: You appear to be running Windows 2003 Server or later. On 2003
*** Info: and later systems, it's not possible to use the LocalSystem
*** Info: account for services that can change the user id without an
*** Info: explicit password (such as passwordless logins [e.g. public key
*** Info: authentication] via sshd).

*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless a similar account
*** Info: already exists). This account is then used to run these special
*** Info: servers.

*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.

*** Info: No privileged account could be found.

*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) yes
*** Query: Enter the new user name: sshd_server
*** Query: Reenter: sshd_server

*** Query: Create new privileged user account 'sshd_server'? (yes/no) yes
*** Info: Please enter a password for new user sshd_server. Please be sure
*** Info: that this password matches the password rules given on your system.
*** Info: Entering no password will exit the configuration.
*** Query: Please enter the password:
*** Query: Reenter:

*** Info: User 'sshd_server' has been created with password 'welcome'.
*** Info: If you change the password, please remember also to change the
*** Info: password for the installed services which use (or will soon use)
*** Info: the 'sshd_server' account.

*** Info: Also keep in mind that the user 'sshd_server' needs read permissions
*** Info: on all users' relevant files for the services running as 'sshd_server'.
*** Info: In particular, for the sshd server all users' .ssh/authorized_keys
*** Info: files must have appropriate permissions to allow public key
*** Info: authentication. (Re-)running ssh-user-config for each user will set
*** Info: these permissions corrently. [Similary restrictions apply, for
*** Info: instance, for .rhosts files if the rshd server is running, etc].


*** Info: The sshd service has been installed under the 'sshd_server'
*** Info: account. To start the service now, call `net start sshd' or
*** Info: `cygrunsrv -S sshd'. Otherwise, it will start automatically
*** Info: after the next reboot.

*** Info: Host configuration finished. Have fun!
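Before starting the service, it is worth confirming that the environment built in the steps above matches what ssh-host-config expects (readable /etc/passwd and /etc/group, mode 755 on /var, /home present, /etc/sshd_config generated). The following script is an added example, not part of the original post; it assumes GNU coreutils stat (as shipped with Cygwin) and the paths used in this walkthrough.

```shell
#!/bin/sh
# Post-install check for the Cygwin sshd environment built in this walkthrough.
# Added example, not from the original post; assumes GNU coreutils `stat`.

# Octal permission bits of a path, e.g. 644.
mode_of() {
    stat -c '%a' "$1"
}

# Succeed only if the path exists and has exactly the expected octal mode.
check_mode() {
    path=$1; expected=$2
    [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
    actual=$(mode_of "$path")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $path is $actual"
    else
        echo "BAD      $path is $actual, expected $expected"
        return 1
    fi
}

# Succeed only if "others" can read the path. sshd_server is not SYSTEM, so it
# must be able to read /etc/passwd and /etc/group to resolve logins.
check_world_readable() {
    path=$1
    [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
    others=$(mode_of "$path" | sed 's/.*\(.\)$/\1/')   # last octal digit
    case $others in
        4|5|6|7) echo "OK       $path is world-readable" ;;
        *)       echo "BAD      $path is not world-readable"; return 1 ;;
    esac
}

# Run every check from the walkthrough; return non-zero if any failed.
check_cygwin_sshd_env() {
    rc=0
    check_world_readable /etc/passwd || rc=1
    check_world_readable /etc/group  || rc=1
    check_mode /var 755              || rc=1
    [ -d /home ] || { echo "BAD      /home directory missing"; rc=1; }
    [ -f /etc/sshd_config ] || { echo "BAD      /etc/sshd_config not generated"; rc=1; }
    return $rc
}

# Only touch the live system when invoked as: sh check-sshd-env.sh run
if [ "${1:-}" = "run" ]; then
    check_cygwin_sshd_env
fi
```

Run it from the Cygwin shell as Administrator; a non-zero exit status means at least one of the steps above still needs attention.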

to start it from the command line, run
$ net start sshd

or
$ cygrunsrv -S sshd

or, from "Control Panel -> Administrative Tools -> Services", start the service named "CYGWIN sshd".

A test never hurts before announcing that it is configured. The output should look like the following:
$ ssh -v localhost
OpenSSH_5.1p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/Administrator/.ssh/identity type -1
debug1: identity file /home/Administrator/.ssh/id_rsa type -1
debug1: identity file /home/Administrator/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192)
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/Administrator/.ssh/identity
debug1: Trying private key: /home/Administrator/.ssh/id_rsa
debug1: Trying private key: /home/Administrator/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
Administrator@localhost's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.

Administrator@testserver ~
$


Source
http://ist.uwaterloo.ca/~kscully/CygwinSSHD_W2K3.html

Source with troubleshooting tips for XP
http://pigtail.net/LRP/printsrv/cygwin-sshd.html
