SSH Service - 3rd Party



important parts:

mkpasswd -l > /etc/passwd ----- regenerates /etc/passwd from the local Windows accounts (this overwrites the existing file, so any domain accounts have to be appended again afterwards)

third party app:

You can check which application is listening on which port (for example, whether something already owns TCP port 22 before you install sshd) by running the following command from an elevated command prompt; the -b option requires administrator rights, and adding -o also shows the owning process ID:

    • netstat -an -p tcp -b

Installing Cygwin and OpenSSHD

Run the setup.exe command file on a Windows 2003 (or later) server that you intend to use for the gateway server. For Windows domain users, ensure the operating system is already configured to be a part of the domain.

After running the setup.exe file , select an appropriate mirror download to obtain the Open Source packages. The specific package that is required for TADDM Windows Gateway servers is called:


Also install these optional packages:

    • vim (the vi text editor)

    • util-linux (includes various Linux utilities, such as the more command)

Use the Search window to locate the package name, and click Skip to toggle the package name for installation, as shown in the following screen capture:

Complete the same steps for the vim and util-linux packages (optional). When you are ready, click Next. You are prompted to install required dependent packages. Ensure the check box is selected, as shown in the following screen capture:

After the installer completes, you should have a minimal Cygwin installation. However, you must still configure and start the OpenSSHD server.

Grant local permissions

To allow SSH access to the gateway for domain accounts, the CYGWIN sshd service must run as an administrative domain user, not as a local user. Where you can, use a dedicated domain account created for this purpose rather than a built-in one such as the domain Administrator: whoever compromises sshd runs with that account's token. Regardless of domain or local installation, the account you choose must hold the following local user rights on the gateway server (the Local Security Policy name is given first, followed by the internal privilege name that tools such as secedit report):

    1. Adjust memory quotas for a process (SeIncreaseQuotaPrivilege).

    2. Create a token object (SeCreateTokenPrivilege).

    3. Log on as a service (SeServiceLogonRight).

    4. Replace a process-level token (SeAssignPrimaryTokenPrivilege).

The easiest way to set the permissions is to run the secpol.msc command or navigate to Control Panel --> Administrative Tools --> Local Security Policy.

Use the Local Security Settings window to add the Domain Account to the list for each of the four required permissions. The following screen capture shows how the ITMEXCH\Administrator domain user was added to Adjust memory quotas for a process.

Note: Keep track of any changes you make to the Local Security Settings in case you want to revert back to previous settings.
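As an added example (not part of the original page), the following bash script checks those four rights without clicking through secpol.msc. It parses the INF file written by `secedit /export /cfg <file> /areas USER_RIGHTS`, in which each right lists the SIDs that hold it, and reports which of the four a given account SID is missing. The export below and the ITMEXCH\svc_sshd account in it are constructed for the example; the Administrator SID is the one shown in the /etc/passwd entry later on this page. The same check is the one to repeat when the service is moved to a new account in the recovery section.

```shell
#!/bin/bash
# Added example, not part of the original page: check that a service account
# holds the four user rights the CYGWIN sshd service needs, by parsing the
# INF file that the Windows command
#     secedit /export /cfg C:\rights.inf /areas USER_RIGHTS
# writes. secedit writes UTF-16; convert the export first with
#     iconv -f UTF-16 -t UTF-8 rights.inf > rights.txt
# and point this script at the converted file.

# Local Security Policy name -> internal right name used in the export.
#   Adjust memory quotas for a process -> SeIncreaseQuotaPrivilege
#   Create a token object              -> SeCreateTokenPrivilege
#   Log on as a service                -> SeServiceLogonRight
#   Replace a process-level token      -> SeAssignPrimaryTokenPrivilege
REQUIRED_RIGHTS="SeIncreaseQuotaPrivilege SeCreateTokenPrivilege SeServiceLogonRight SeAssignPrimaryTokenPrivilege"

# sids_for_right <inf-file> <right>: print the comma-separated list of SIDs
# (each prefixed with "*") assigned to the right; prints nothing if unset.
sids_for_right() {
    tr -d '\r' < "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p"
}

# missing_rights <inf-file> <account-sid>: print each required right that does
# not list the SID. Returns 0 when the account holds all four, 1 otherwise.
missing_rights() {
    local inf=$1 sid=$2 right missing=0
    for right in $REQUIRED_RIGHTS; do
        # Compare whole entries so that ...-50 does not match ...-500.
        if ! sids_for_right "$inf" "$right" | tr ',' '\n' | grep -qxF -- "*$sid"; then
            echo "$right"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample export (not taken from a real system). The -500 SID is
# the ITMEXCH\Administrator account from this page; -1105 is a hypothetical
# dedicated service account that was granted only three of the four rights.
SAMPLE_INF=$(mktemp)
trap 'rm -f "$SAMPLE_INF"' EXIT
cat > "$SAMPLE_INF" <<'EOF'
[Unicode]
Unicode=yes
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-3757417154-3552349117-1967062438-500,*S-1-5-21-3757417154-3552349117-1967062438-1105
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-21-3757417154-3552349117-1967062438-500,*S-1-5-21-3757417154-3552349117-1967062438-1105
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-3757417154-3552349117-1967062438-500,*S-1-5-21-3757417154-3552349117-1967062438-1105
SeCreateTokenPrivilege = *S-1-5-21-3757417154-3552349117-1967062438-500
[Version]
signature="$CHICAGO$"
Revision=1
EOF

ADMIN_SID="S-1-5-21-3757417154-3552349117-1967062438-500"   # ITMEXCH\Administrator (from the page)
SVC_SID="S-1-5-21-3757417154-3552349117-1967062438-1105"    # hypothetical ITMEXCH\svc_sshd

for sid in "$ADMIN_SID" "$SVC_SID"; do
    if missing=$(missing_rights "$SAMPLE_INF" "$sid"); then
        echo "$sid: all four rights granted"
    else
        echo "$sid: still missing:" $missing
    fi
done
```

On the gateway, the SID to test is the last comma-separated item of the account's entry in the Cygwin /etc/passwd file; run the check once before and once after editing the policy so that a typo in the account picker shows up before ssh-host-config is run.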

Configuring Cygwin accounts

Cygwin provides a POSIX-like shell that runs on top of Windows systems. This shell maintains a user account mapping in the /etc/passwd file, and a user group mapping in the /etc/group file. The Cygwin installer automatically creates default versions of these files, but most likely these default versions are not correct for domain-based installations. Use the instructions in the following sections to replace the default files.

Note: If you are modifying an existing Cygwin installation, be sure to back up the /etc/passwd and /etc/group files first. These instructions assume you are completing a new installation, and so the existing files are replaced.

Start a Cygwin shell by clicking the Cygwin icon created on the desktop by the installer, or run the following installer script:


The /etc/passwd file

Create a new /etc/passwd file that contains the local users and the domain account that you will use to complete TADDM discoveries. To do this step, enter the following commands at the command prompt:

$ mkpasswd -l > /etc/passwd
$ mkpasswd -u Administrator -D ITMEXCH -S '_' >> /etc/passwd

Note that the options are case-sensitive: -l and -d list local and domain accounts respectively, while -L and -D list the same accounts but prefix each user name with the machine or domain name.

The first command replaces the /etc/passwd file with the output from the mkpasswd -l command, which generates the user account mappings for all the local users already defined on the system.

The second command appends the one entry for the domain account to the /etc/passwd file. If the -u option is not specified, all the domain users are mapped. The mkpasswd command queries the Windows domain controller during this step. In the preceding example, the domain name is ITMEXCH, and the account name is Administrator. In the /etc/passwd file, the -D and -S options are used to replace the following Windows-style account name:

ITMEXCH\Administrator

with this account name:

ITMEXCH_Administrator
By using this step, the local user accounts and the domain accounts are kept separate in case user names are shared. In addition, the backslash character is not used, which can be confused with a path separator in directory and folder names. If you prefer to use the backslash character, do not use the -S '_' option. If you prefer not to use the domain name as part of the user name at all, use the -d option instead of the -D option. Enter the man mkpasswd command to view the documentation for this command.

If you review the contents of the /etc/passwd file, the entry for the domain account, created with the second mkpasswd command, is the last entry in the /etc/passwd file, as shown in the following example (your file will be different):

ITMEXCH_Administrator:unused:10500:10513:Administrator,U-ITMEXCH\Administrator,S-1-5-21-3757417154-3552349117-1967062438-500:/home/Administrator:/bin/bash

The /etc/passwd file is a colon-separated list of seven fields, with the following meanings in this example:

    • ITMEXCH_Administrator is the user name as known by Cygwin.

    • unused is the legacy password field; Cygwin keeps no password hashes here because Windows authenticates the account.

    • 10500 is the user ID, where high-number accounts (10000 and up) indicate domain accounts.

    • 10513 is the group ID cross-reference with the entry in /etc/group where high numbers (10000 and up) indicate domain groups.

    • Administrator,U-ITMEXCH\Administrator,S-1-5-21-3757417154-3552349117-1967062438-500 is the single GECOS (comment) field. The mkpasswd command fills it with comma-separated items: the account's display name, U-xxx\yyy to denote the domain and account name, and last the Windows Security Identifier (SID) of the account. Cygwin reads the SID from this field to map the entry back to the Windows account, so do not edit it by hand.

    • /home/Administrator is the name of the user's home directory, which is equivalent to C:\cygwin\home\Administrator. This directory is automatically created on the first login if it does not already exist.

    • /bin/bash is the default shell, which is standard in Linux and UNIX environments. The Windows counterpart is the cmd.exe command.

The important point to note is that the/etc/passwd file maps Windows user accounts to Cygwin user accounts. In the preceding example, the Cygwin account called ITMEXCH_Administrator maps to the ITMEXCH\Administrator Windows domain account. When you are logged in to Cygwin with this account, you are running as the Windows domain account from the operating system point of view.

The /etc/group file

The following two commands generate the local group and domain group mappings, which are saved to the /etc/group file:

$ mkgroup -l > /etc/group
$ mkgroup -D -S '_' >> /etc/group

The first mkgroup command with the -l option is used to generate the mapping for the local groups. The second command is used to query the domain controller to define the domain group mappings. You should be able to cross-reference column #4 from the /etc/passwd entry (GroupID: 10513 in the example) to the /etc/group entry for the Domain User group:

$ grep 10513 /etc/group
ITMEXCH_Domain Users:S-1-5-21-3757417154-3552349117-1967062438-513:10513:

The group entry, a colon-separated list, is made up of these parts:

    • ITMEXCH_Domain Users is the group name, as known by Cygwin. The Windows mapping is ITMEXCH\Domain Users.

    • S-1-5-21-3757417154-3552349117-1967062438-513 is the Windows Security Identifier (SID) of the group.

    • 10513 is the group ID. High numbers (10000 and up) are domain groups.

Note that in a Cygwin shell, you can always determine which account you are logged in as by running the whoami command, or by running the following two commands:

$ touch test
$ ls -aln test
-rw-r--r-- 1 10500 10513 0 2010-12-08 03:21 test

where the UID and GID indicate the owner of the test file.
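The following bash script is an added example, not part of the original page. It parses /etc/passwd and /etc/group in the format described in the two preceding sections and performs the cross-reference above for every entry instead of one grep: each primary GID must exist in /etc/group, the user's SID and the group's SID must share the same domain prefix, a domain UID must pair with a domain GID, and no two entries may share a home directory. That last check matters because, as the page's own example shows, mkpasswd derives the home directory from the bare account name, so a local Administrator and ITMEXCH_Administrator both get /home/Administrator and would share one ~/.ssh/authorized_keys. The sample files are constructed: only the ITMEXCH_Administrator and ITMEXCH_Domain Users lines come from this page; the local machine SID and the ITMEXCH_svc_sshd account are made up.

```shell
#!/bin/bash
# Added example, not part of the original page: sanity-check the Cygwin
# /etc/passwd and /etc/group files produced by mkpasswd/mkgroup before the
# CYGWIN sshd service relies on them. Usage on the gateway:
#     check_accounts /etc/passwd /etc/group
# The sample files below are constructed for the example; only the
# ITMEXCH_Administrator and "ITMEXCH_Domain Users" lines come from the page.

# passwd_entry <passwd-file> <cygwin-user>: print the entry whose column 1
# matches; fails if there is none.
passwd_entry() {
    awk -F: -v u="$2" '$1 == u { print; found = 1 } END { exit !found }' "$1"
}

# entry_sid <passwd-line>: the Windows SID, which mkpasswd stores as the last
# comma-separated item of the GECOS (fifth) field.
entry_sid() {
    printf '%s\n' "$1" | awk -F: '{ n = split($5, g, ","); print g[n] }'
}

# group_entry_by_gid <group-file> <gid>: print the group line with that GID.
group_entry_by_gid() {
    awk -F: -v g="$2" '$3 == g { print; found = 1 } END { exit !found }' "$1"
}

# is_domain_id <uid-or-gid>: mkpasswd/mkgroup number domain accounts from 10000.
is_domain_id() { [ "$1" -ge 10000 ]; }

# check_accounts <passwd-file> <group-file>: print one line per problem and
# return 1 if any was found. Per user: the primary GID exists in /etc/group,
# the user's SID and the group's SID belong to the same domain (same SID with
# the trailing RID removed), and a domain UID has a domain GID. Finally, flag
# distinct entries that share a home directory, since they would also share
# ~/.ssh/authorized_keys.
check_accounts() {
    local passwd=$1 group=$2 problems=0 user pw uid gid gecos home shell sid gline gsid
    while IFS=: read -r user pw uid gid gecos home shell; do
        sid=${gecos##*,}
        if ! gline=$(group_entry_by_gid "$group" "$gid"); then
            echo "$user: primary GID $gid has no /etc/group entry"
            problems=1
            continue
        fi
        gsid=$(printf '%s\n' "$gline" | cut -d: -f2)
        if [ "${sid%-*}" != "${gsid%-*}" ]; then
            echo "$user: SID $sid and group SID $gsid are from different domains"
            problems=1
        fi
        if is_domain_id "$uid" && ! is_domain_id "$gid"; then
            echo "$user: domain UID $uid but local GID $gid"
            problems=1
        fi
    done < "$passwd"
    awk -F: '$6 in seen { printf "%s and %s share home %s\n", seen[$6], $1, $6; bad = 1 }
             !($6 in seen) { seen[$6] = $1 }
             END { exit bad }' "$passwd" || problems=1
    return $problems
}

# Constructed sample files. The local machine SID (S-1-5-21-1004336348-...)
# and the ITMEXCH_svc_sshd account are hypothetical.
PASSWD_SAMPLE=$(mktemp); GROUP_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$GROUP_SAMPLE"' EXIT
cat > "$PASSWD_SAMPLE" <<'EOF'
Administrator:unused:500:513:U-ITMPROC1\Administrator,S-1-5-21-1004336348-1177238915-682003330-500:/home/Administrator:/bin/bash
ITMEXCH_Administrator:unused:10500:10513:Administrator,U-ITMEXCH\Administrator,S-1-5-21-3757417154-3552349117-1967062438-500:/home/Administrator:/bin/bash
ITMEXCH_svc_sshd:unused:11105:10999:svc_sshd,U-ITMEXCH\svc_sshd,S-1-5-21-3757417154-3552349117-1967062438-1105:/home/svc_sshd:/bin/bash
EOF
cat > "$GROUP_SAMPLE" <<'EOF'
None:S-1-5-21-1004336348-1177238915-682003330-513:513:
Administrators:S-1-5-32-544:544:
ITMEXCH_Domain Users:S-1-5-21-3757417154-3552349117-1967062438-513:10513:
ITMEXCH_Domain Admins:S-1-5-21-3757417154-3552349117-1967062438-512:10512:
EOF

if check_accounts "$PASSWD_SAMPLE" "$GROUP_SAMPLE"; then
    echo "passwd/group are consistent"
fi
```

Against the sample data the script reports the svc_sshd entry whose GID was never added with mkgroup -D and the shared /home/Administrator directory; on a real gateway, fix the second finding by giving one of the two entries a distinct home directory before enabling public key authentication.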

Configuring the OpenSSH daemon

This step is a walk-through for configuring the OpenSSH server. It is assumed that you have already completed the following tasks:

    • Identified the domain account that is going to be running the "CYGWIN sshd" windows service.

    • Granted the four required permissions in the Local Security Policy to the account on the Cygwin computer.

    • Have set up the /etc/passwd and /etc/group files (and verified them for accuracy)

To run the ssh-host-config script, you must be logged in to the gateway as an Administrator account, and have started a Cygwin shell. This script makes the following two changes to the operating system:

    • Creates a local sshd account that is used for privilege separation. The sshd account is disabled for logon and is used only internally by OpenSSHD to run the unprivileged pre-authentication process, which limits what an attacker gains from a bug reached before authentication.

    • Creates the Windows service called CYGWIN sshd, which is the OpenSSH daemon.

The ssh-host-config script prompts you for answers to certain questions, including the following primary questions:

    1. Should privilege separation be used? Answer Yes.

    2. New local account 'sshd'? Answer Yes.

    3. Do you want to install sshd as a service? Answer Yes.

    4. Enter the value of CYGWIN for the daemon: Specify ntsec tty (Cygwin 1.7 and later treat ntsec as always on and ignore the option, so the value is harmless there).

    5. Do you want to use a different user name? Answer Yes.

    6. Enter the new user name? Specify the account name as it appears in the /etc/passwd entry for the domain account (column #1). Open a new Cygwin shell if you want to confirm this entry. This entry should be the domain account, as known by Cygwin. The ITMEXCH_Administrator is used in the example.

    7. Re-enter: Specify the account name again.

    8. Two prompts for that user's password.

See the following full output of the run:

ITMEXCH_Administrator@itmproc1 ~
$ ssh-host-config
*** Info: Generating /etc/ssh_host_key
*** Info: Generating /etc/ssh_host_rsa_key
*** Info: Generating /etc/ssh_host_dsa_key
*** Info: Creating default /etc/ssh_config file
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges. Should this script attempt to create a
*** Query: new local account 'sshd'? (yes/no) yes
*** Info: Updating /etc/sshd_config file
*** Info: Added ssh to C:\WINDOWS\system32\drivers\etc\services
*** Warning: The following functions require administrator privileges!
*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Query: Enter the value of CYGWIN for the daemon: [] ntsec tty
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires. You need to have or to create a privileged
*** Info: account. This script will help you do so.
*** Info: You appear to be running Windows XP 64bit, Windows 2003 Server,
*** Info: or later. On these systems, it's not possible to use the LocalSystem
*** Info: account for services that can change the user id without an
*** Info: explicit password (such as passwordless logins [e.g. public key
*** Info: authentication] via sshd).
*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless a similar account
*** Info: already exists). This account is then used to run these special
*** Info: servers.
*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.
*** Info: No privileged account could be found.
*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) yes
*** Query: Enter the new user name: ITMEXCH_Administrator
*** Query: Reenter: ITMEXCH_Administrator
*** Warning: Privileged account 'ITMEXCH_Administrator' was specified,
*** Warning: but it does not have the necessary privileges.
*** Warning: Continuing, but will probably use a different account.
*** Warning: The specified account 'ITMEXCH_Administrator' does not have the
*** Warning: required permissions or group memberships. This may
*** Warning: cause problems if not corrected; continuing...
*** Query: Please enter the password for user 'ITMEXCH_Administrator':   <--- enter the password
*** Query: Reenter:   <--- enter the password
*** Info: The sshd service has been installed under the 'ITMEXCH_Administrator'
*** Info: account. To start the service now, call `net start sshd' or
*** Info: `cygrunsrv -S sshd'. Otherwise, it will start automatically
*** Info: after the next reboot.
*** Info: Host configuration finished. Have fun!
ITMEXCH_Administrator@itmproc1 ~
$

Warning messages might be displayed about missing required privileges. You can ignore these messages if you manually added the privileges as described earlier. Unfortunately, the ssh-host-config command does not specify what other permissions are required. However, the installation will still work. You can run the services.msc command to verify the logon properties for the CYGWIN sshd service that was just created and ensure that it is set up to run as the administrative domain user.

Start the service by using one of the following methods:

$ cygrunsrv -S sshd

or $ net start sshd

or from the services.msc GUI

You should now be able to log in to the system remotely by using the ssh command (or by using the open source PuTTY client), and transfer files by using the scp command (or the open source FileZilla client). You can complete a quick test locally within the Cygwin shell by using the following commands:

ITMEXCH_Administrator@itmproc1 ~
$ ssh ITMEXCH_Administrator@localhost
ITMEXCH_Administrator@localhost's password:
Last login: Wed Dec 8 03:20:52 2010 from
ITMEXCH_Administrator@itmproc1 ~
$

Recovering from a bad installation

Depending on how badly the OpenSSHD installation is configured, you can use the procedures in the following sections.

Changing the user account that the "CYGWIN sshd" service is running under

To manually change the account that the CYGWIN sshd service is running as, complete the following steps:

    1. Ensure the new account is included in the /etc/passwd file.

    2. Ensure the group for the new account is included in the /etc/group file.

    3. Ensure the new account includes all four of the required Local Security Policy settings granted on the local computer.

    4. Perform these checks as described earlier.

At this point, the new account includes the prerequisite permissions. You must run the following commands while logged in to the console of the computer (remotely by using Remote Desktop is fine).

Note: Do not attempt to complete these steps remotely over the SSH service because the first step stops the SSH service and disconnects you.

$ cygrunsrv --stop sshd
$ chown <domain_user> /var/log/sshd.log
$ chown -R <domain_user> /var/empty
$ chown <domain_user> /etc/ssh*

Substitute <domain_user> with the Cygwin user name, found in column #1 from the /etc/passwd file. These commands change the ownership of the configuration and log files on the OpenSSH Server. The CYGWIN sshd service entry in the services.msc console should now be edited to change the user account that the service is running as.

As a housecleaning step, you might want to remove the four permissions that were granted to the original account by using the secpol.msc GUI interface, or delete the user manually if it is not needed. Do not delete the sshd account because that account is an internally used privilege separation account.

Uninstall the OpenSSH daemon

If you want to uninstall the OpenSSHD daemon and try running the ssh-host-config script again, complete the following steps:

$ cygrunsrv --stop sshd
$ cygrunsrv --remove sshd
$ rm /etc/ssh*
$ rm /var/log/sshd.log

The first command stops the CYGWIN sshd service, the second command removes that service, and the last two commands remove the OpenSSHD configuration and log files.

You should also manually delete the local Windows account called sshd by using the lusrmgr.msc console. Rerun the ssh-host-config script.

Recreate the /etc/passwd and /etc/group files

To recreate the basic /etc/passwd and /etc/group files, run the following commands:

$ mkpasswd -l > /etc/passwd
$ mkgroup -l > /etc/group

The files are set up for local accounts only. Follow the earlier steps to add domain users.