Re: Certificate placement in OpenSSH for Windows

From: Mike <diskcrasher_at_**********.***>
Date: Fri Dec 15 2006 - 13:16:04 EST

Ugh, the wind storm here in Seattle knocked this server offline so that link probably didn't work. Here's the content of the file:

(These notes use SSHWindows as an example but the same concept should apply to other Cygwin-based SSH builds. File names/paths used below should be changed accordingly.)

After installing SSHWindows, changes are required to enable public key authentication. The following steps must be completed:

* Change ownership of OpenSSH folder/subfolders to Administrators using Windows Explorer (client and server.)

* Grant Administrators full control of the OpenSSH folder. From a command prompt, type: cacls "c:\program files\openssh" /t /e /c /g Administrators:F (client and server.)

* On server, edit sshd_config file and set StrictModes to "no".

* Under the user's profile, grant Administrators (and only Administrators) full control of the .ssh folder and files. If this folder does not exist, it can be created by establishing an SSH connection to another box (client and server.)

* On clients, copy the private RSA key to the local .ssh folder and name it "id_rsa". Copy the client's public RSA key to the desired server(s) by adding it to an "authorized_keys" text file located under the server's .ssh folder.

* To use publickey authentication, use the SSH command line switch "-o PreferredAuthentications=publickey". Alternately, you can modify the ssh_config file to make this the default.

Important note for Windows 2003 Server users:
---------------------------------------------

2003 Server has a funny new feature. When starting services under SYSTEM account, these services have nearly all user rights which SYSTEM holds... except for the "Create a token object" right, which is needed to allow public key authentication :-(

There's no way around this, except for creating a substitute account which has the appropriate privileges. Basically, this account should be a member of the Administrators group, plus it should have the following user rights (some of these should already be assigned to Administrators):

[Run gpedit.msc]

    Create a token object
    Replace a process level token
    Logon as a service
    Adjust memory quotas for a process

The ssh-host-config script asks you if it should create such an account, called "sshd_server". If you say "no" here, you're on your own. Please follow the instructions in ssh-host-config exactly if possible. Note that ssh-user-config sets the permissions on 2003 Server machines depending on whether an sshd_server account exists or not.

* Restart sshd service.

Mike <diskcrasher@yahoo.com> wrote: These were the steps I took (and documented) to enable public key authentication on Windows 2003:
http://shootingstarbbs.kicks-ass.net/files/reports/SSH.txt

Al Sparks <data345@yahoo.com> wrote: I'm trying to use scp to copy files from a SCO box to a Windows 2003
box running OpenSSH.

I generated a key on the SCO box and transferred the id_rsa.pub file
over to the OpenSSH box. I created a directory ".ssh" on what I think
is the home directory of the userid I'm sending to.

I know that OpenSSH on Windows works, because when I am prompted for a
password on the SCO box, and enter it correctly, the file gets
transferred. Since I don't specify an absolute path on the target
Windows box, I'm guessing that where the file ends up is the home
directory, and the information in Windows OpenSSH's etc\passwd file
seems to back that up.

If I were to troubleshoot this on a Linux box, I'd interactively start
sshd in debug mode on the target machine, and look at the output after
a transfer or login attempt.

As it is, I don't even see any log information in OpenSSH's
var\log\OpenSSHD.log. The file is empty.

So, is there a debug mode in OpenSSH for Windows? Is there a way to
get logging turned on?
    === Al

--
List Info:      http://erdelynet.com/ssh-l/
List Archives:  http://erdelynet.com/archive/ssh-l/
To Unsubscribe: Mail mailto:ssh+unsubscribe@erdelynet.com
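As an added example, not part of Mike's notes, of SSH.txt or of any file referred to above: a Python script that parses an sshd_config and an authorized_keys file and reports the settings the steps above depend on. The configuration text and the key blob are constructed samples (the RSA blob has correct SSH wire framing but is not a usable key), and the host and user names in the comments are hypothetical. One caveat worth keeping in mind when following the notes: with StrictModes set to no, sshd stops refusing logins when ~/.ssh or authorized_keys is writable by others, so the ownership and ACL steps have to be verified by hand; the audit function below flags that.

```python
"""Audit sshd_config and authorized_keys for public-key login settings.
Added example, not code from the original post.  All inputs are constructed."""
import base64
import binascii
import re
import struct

# Constructed sshd_config following the post's StrictModes change.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
#PubkeyAuthentication yes
StrictModes no
AuthorizedKeysFile .ssh/authorized_keys
"""

def _ssh_string(data):
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data

# Constructed RSA public key blob: correct framing (type, e, n) but NOT a usable key.
FAKE_RSA_BLOB = base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00\xc1" + b"\x42" * 30)
).decode()

SAMPLE_AUTHORIZED_KEYS = f"""\
# authorized_keys (constructed sample; host/user names are hypothetical)
ssh-rsa {FAKE_RSA_BLOB} al@scobox
from="10.0.0.0/8" ssh-rsa {FAKE_RSA_BLOB} restricted@client
ssh-rsa not-base64!! broken@client
"""

def parse_sshd_config(text):
    """Map lowercased keyword -> value for active directives.  sshd honours the
    first occurrence of a keyword, so later duplicates are ignored here too."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit_server(settings):
    """Return human-readable findings.  Defaults follow sshd_config(5):
    PubkeyAuthentication yes, StrictModes yes."""
    findings = []
    if settings.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is off; key logins will be refused")
    if settings.get("strictmodes", "yes").lower() == "no":
        findings.append("StrictModes no: sshd no longer rejects a world-writable ~/.ssh or "
                        "authorized_keys, so ownership and ACLs must be verified manually")
    return findings

KEY_TYPE_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))\s+(\S+)(?:\s+(.*))?$")

def parse_authorized_keys(text):
    """Parse '[options] keytype base64 [comment]' lines.  Each entry records the
    options, type and comment; 'ok' is True only when the blob decodes and its
    first wire-format string matches the declared key type."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = {"line": lineno, "ok": False, "error": None,
                 "options": "", "type": None, "comment": ""}
        m = KEY_TYPE_RE.search(line)
        if not m:
            entry["error"] = "no recognised key type"
            entries.append(entry)
            continue
        entry["options"] = line[:m.start()].strip()
        entry["type"], blob_b64, entry["comment"] = m.group(1), m.group(2), m.group(3) or ""
        try:
            blob = base64.b64decode(blob_b64, validate=True)
            (tlen,) = struct.unpack(">I", blob[:4])
            wire_type = blob[4:4 + tlen].decode("ascii")
        except (binascii.Error, struct.error, UnicodeDecodeError) as exc:
            entry["error"] = f"undecodable key blob: {exc}"
        else:
            if wire_type == entry["type"]:
                entry["ok"] = True
            else:
                entry["error"] = f"blob says {wire_type!r}, line says {entry['type']!r}"
        entries.append(entry)
    return entries

if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print("AuthorizedKeysFile:", cfg.get("authorizedkeysfile", ".ssh/authorized_keys"))
    for f in audit_server(cfg):
        print("WARN:", f)
    for e in parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        status = "ok" if e["ok"] else f"BAD ({e['error']})"
        print(f"line {e['line']}: {e['type']} {e['comment']} -> {status}")
```

Run it as-is against the constructed samples, or point the two parse functions at the real etc\sshd_config and the user's .ssh\authorized_keys on the Windows box. The wire-format check catches the common copy-and-paste failures when a key is moved between systems (a line wrapped by an editor, a blob pasted under the wrong key type), which otherwise surface only as a silent fallback to password authentication.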
Received on Fri Dec 15 13:42:53 2006

This archive was generated by hypermail 2.1.8 : Fri Dec 15 2006 - 13:42:54 EST