SSH o Secure Shell, es un protocolo de red que permite el intercambio de información usando un canal seguro entre el cliente y el servidor. SSH se usa comunmente para accesar de manera remota y ejecutar comandos, sin embargo, permite también crear túneles, rutear puertos TCP y conexiones X11, además de poder transferir archivos usando los protocolos SFTP y SCP. Usado principalmente en sistemas Unix y Linux, SSH fue diseñado como reemplazo de Telnet y otros shells remotos no confiables los cuales transfieren información -como contraseñas- en texto plano pudiendo ser interceptados por una tercera persona.
Aquí trataré de explicar como instalar este servicio en Windows 2003 Server usando Cygwin y OpenSSH.
Primero, te descargas el instalador de Cygwin:
lo ejecutas y sigues el asistente para descargar OpenSSH junto con las utilerías necesarias, ajustando por supuesto los parámetros que consideres necesario
Edita el archivo c:\cygwin\Cygwin.bat y añade lo siguiente
Abre una sesión de Cygwin -doble click al ícono creado en tu escritorio de Windows- ó desde una sesión de línea de comandos de Windows (cmd) ejecuta el archivo c:\cygwin\Cygwin.bat
ejecuta el siguiente comando para cambiar el prefijo de montaje de "/cygdrive" a "/". Cierras esta sesión y abres una nueva para resetear la variable de ambiente PATH.
crea el archivo de usuarios
el archivo de grupos
asigna privilegio de lectura sobre ambos
asigna los siguientes privilegios sobre el directorio /var
si no existe el directorio /home es recomendable que lo crees ya que ahí se guardarán los archivos de los usuarios, la ubicación por default es el directorio "Documents and Settings". Al crear el directorio /home usando la opción -p hará que cuando se cree un usuario su directorio de trabajo estará dentro del directorio c:\cygwin.
Hasta aquí tienes configurado tu ambiente, lo siguiente es instalar el servicio de ssh ejecutando el comando ssh-host-config el cual genera los archivos llave de ssh del host dentro de /etc. Nota que se crean dos usuarios, uno llamado sshd para manejar la separación de privilegios y otro llamado sshd_server requerido por Windows 2003 para correr el servicio y proveer de autenticación por llave pública. Tu salida debe ser algo parecida a esta
para levantarlo desde línea de comando ejecutas
ó
o desde "Control Panel -> Administrative Tools -> Services" el servicio llamado "CYGWIN sshd".
Nunca está de más una prueba antes de avisar que ya lo configuraste. La salida debería parecerse a la siguiente:
Fuente
http://ist.uwaterloo.ca/~kscully/CygwinSSHD_W2K3.html
Fuente con tips de solución a problemas en XP
http://pigtail.net/LRP/printsrv/cygwin-sshd.html
Aquí trataré de explicar como instalar este servicio en Windows 2003 Server usando Cygwin y OpenSSH.
Primero, te descargas el instalador de Cygwin:
lo ejecutas y sigues el asistente para descargar OpenSSH junto con las utilerías necesarias, ajustando por supuesto los parámetros que consideres necesario
Edita el archivo c:\cygwin\Cygwin.bat y añade lo siguiente
Abre una sesión de Cygwin -doble click al ícono creado en tu escritorio de Windows- ó desde una sesión de línea de comandos de Windows (cmd) ejecuta el archivo c:\cygwin\Cygwin.bat
ejecuta el siguiente comando para cambiar el prefijo de montaje de "/cygdrive" a "/". Cierras esta sesión y abres una nueva para resetear la variable de ambiente PATH.
$ mount -s --change-cygdrive-prefix /
crea el archivo de usuarios
$ mkpasswd -l > /etc/passwd
el archivo de grupos
$ mkgroup -l > /etc/group
asigna privilegio de lectura sobre ambos
$ chmod +r /etc/passwd
$ chmod +r /etc/group
$ chmod +r /etc/group
asigna los siguientes privilegios sobre el directorio /var
$ chmod 755 /var
si no existe el directorio /home es recomendable que lo crees ya que ahí se guardarán los archivos de los usuarios, la ubicación por default es el directorio "Documents and Settings". Al crear el directorio /home usando la opción -p hará que cuando se cree un usuario su directorio de trabajo estará dentro del directorio c:\cygwin.
$ mkdir -p /home
$ mkdir /home/Administrator
$ cd
$ mkdir /home/Administrator
$ cd
Hasta aquí tienes configurado tu ambiente, lo siguiente es instalar el servicio de ssh ejecutando el comando ssh-host-config el cual genera los archivos llave de ssh del host dentro de /etc. Nota que se crean dos usuarios, uno llamado sshd para manejar la separación de privilegios y otro llamado sshd_server requerido por Windows 2003 para correr el servicio y proveer de autenticación por llave pública. Tu salida debe ser algo parecida a esta
$ ssh-host-config
*** Info: Generating /etc/ssh_host_key
*** Info: Generating /etc/ssh_host_rsa_key
*** Info: Generating /etc/ssh_host_dsa_key
*** Info: Creating default /etc/ssh_config file
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges. Should this script attempt to create a
*** Query: new local account 'sshd'? (yes/no) yes
*** Info: Updating /etc/sshd_config file
*** Warning: The following functions require administrator privileges!
*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Info: Note that the CYGWIN variable must contain at least "ntsec"
*** Info: for sshd to be able to change user context without password.
*** Query: Enter the value of CYGWIN for the daemon: [ntsec] ntsec
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires. You need to have or to create a privileged
*** Info: account. This script will help you do so.
*** Info: You appear to be running Windows 2003 Server or later. On 2003
*** Info: and later systems, it's not possible to use the LocalSystem
*** Info: account for services that can change the user id without an
*** Info: explicit password (such as passwordless logins [e.g. public key
*** Info: authentication] via sshd).
*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless a similar account
*** Info: already exists). This account is then used to run these special
*** Info: servers.
*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.
*** Info: No privileged account could be found.
*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) yes
*** Query: Enter the new user name: sshd_server
*** Query: Reenter: sshd_server
*** Query: Create new privileged user account 'sshd_server'? (yes/no) yes
*** Info: Please enter a password for new user sshd_server. Please be sure
*** Info: that this password matches the password rules given on your system.
*** Info: Entering no password will exit the configuration.
*** Query: Please enter the password:
*** Query: Reenter:
*** Info: User 'sshd_server' has been created with password 'welcome'.
*** Info: If you change the password, please remember also to change the
*** Info: password for the installed services which use (or will soon use)
*** Info: the 'sshd_server' account.
*** Info: Also keep in mind that the user 'sshd_server' needs read permissions
*** Info: on all users' relevant files for the services running as 'sshd_server'
.
*** Info: In particular, for the sshd server all users' .ssh/authorized_keys
*** Info: files must have appropriate permissions to allow public key
*** Info: authentication. (Re-)running ssh-user-config for each user will set
*** Info: these permissions corrently. [Similary restrictions apply, for
*** Info: instance, for .rhosts files if the rshd server is running, etc].
*** Info: The sshd service has been installed under the 'sshd_server'
*** Info: account. To start the service now, call `net start sshd' or
*** Info: `cygrunsrv -S sshd'. Otherwise, it will start automatically
*** Info: after the next reboot.
*** Info: Host configuration finished. Have fun!
*** Info: Generating /etc/ssh_host_key
*** Info: Generating /etc/ssh_host_rsa_key
*** Info: Generating /etc/ssh_host_dsa_key
*** Info: Creating default /etc/ssh_config file
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges. Should this script attempt to create a
*** Query: new local account 'sshd'? (yes/no) yes
*** Info: Updating /etc/sshd_config file
*** Warning: The following functions require administrator privileges!
*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Info: Note that the CYGWIN variable must contain at least "ntsec"
*** Info: for sshd to be able to change user context without password.
*** Query: Enter the value of CYGWIN for the daemon: [ntsec] ntsec
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires. You need to have or to create a privileged
*** Info: account. This script will help you do so.
*** Info: You appear to be running Windows 2003 Server or later. On 2003
*** Info: and later systems, it's not possible to use the LocalSystem
*** Info: account for services that can change the user id without an
*** Info: explicit password (such as passwordless logins [e.g. public key
*** Info: authentication] via sshd).
*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless a similar account
*** Info: already exists). This account is then used to run these special
*** Info: servers.
*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.
*** Info: No privileged account could be found.
*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) yes
*** Query: Enter the new user name: sshd_server
*** Query: Reenter: sshd_server
*** Query: Create new privileged user account 'sshd_server'? (yes/no) yes
*** Info: Please enter a password for new user sshd_server. Please be sure
*** Info: that this password matches the password rules given on your system.
*** Info: Entering no password will exit the configuration.
*** Query: Please enter the password:
*** Query: Reenter:
*** Info: User 'sshd_server' has been created with password 'welcome'.
*** Info: If you change the password, please remember also to change the
*** Info: password for the installed services which use (or will soon use)
*** Info: the 'sshd_server' account.
*** Info: Also keep in mind that the user 'sshd_server' needs read permissions
*** Info: on all users' relevant files for the services running as 'sshd_server'
.
*** Info: In particular, for the sshd server all users' .ssh/authorized_keys
*** Info: files must have appropriate permissions to allow public key
*** Info: authentication. (Re-)running ssh-user-config for each user will set
*** Info: these permissions corrently. [Similary restrictions apply, for
*** Info: instance, for .rhosts files if the rshd server is running, etc].
*** Info: The sshd service has been installed under the 'sshd_server'
*** Info: account. To start the service now, call `net start sshd' or
*** Info: `cygrunsrv -S sshd'. Otherwise, it will start automatically
*** Info: after the next reboot.
*** Info: Host configuration finished. Have fun!
para levantarlo desde línea de comando ejecutas
$ net start sshd
ó
$ cygrunsrv -S sshd
o desde "Control Panel -> Administrative Tools -> Services" el servicio llamado "CYGWIN sshd".
Nunca está de más una prueba antes de avisar que ya lo configuraste. La salida debería parecerse a la siguiente:
$ ssh -v localhost
OpenSSH_5.1p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/Administrator/.ssh/identity type -1
debug1: identity file /home/Administrator/.ssh/id_rsa type -1
debug1: identity file /home/Administrator/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192)
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interacti
ve
debug1: Next authentication method: publickey
debug1: Trying private key: /home/Administrator/.ssh/identity
debug1: Trying private key: /home/Administrator/.ssh/id_rsa
debug1: Trying private key: /home/Administrator/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interacti
ve
debug1: Next authentication method: password
Administrator@localhost's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
Administrator@testserver ~
$
OpenSSH_5.1p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/Administrator/.ssh/identity type -1
debug1: identity file /home/Administrator/.ssh/id_rsa type -1
debug1: identity file /home/Administrator/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192)
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interacti
ve
debug1: Next authentication method: publickey
debug1: Trying private key: /home/Administrator/.ssh/identity
debug1: Trying private key: /home/Administrator/.ssh/id_rsa
debug1: Trying private key: /home/Administrator/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interacti
ve
debug1: Next authentication method: password
Administrator@localhost's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
Administrator@testserver ~
$
Fuente
http://ist.uwaterloo.ca/~kscully/CygwinSSHD_W2K3.html
Fuente con tips de solución a problemas en XP
http://pigtail.net/LRP/printsrv/cygwin-sshd.html
Comments for this post
