Windows SSH server setup and configuration
For one of our projects we needed to access Windows machines from Linux environments to run a few deployment scripts. After a little research we settled on OpenSSH server for the SSH connections and Cygwin to run the scripts on Windows, with public key authentication so that no password has to be supplied. Below are the steps to achieve this.
1. Download the latest OpenSSH for your Windows server from the Windows SSH server download page.
2. We used the latest version available at the time, setupssh-6.8p1-1, for this tutorial.
3. Double-click setupssh-6.8p1-1.exe and click Next.
4. Click Next and accept the license agreement.
5. Choose all the components and click Next.
6. Keep the default install location and click Next.
7. Click Next.
8. Choose the Run as SSHD_SERVER option, enter a password for that service account and click Next. (This option is required for password-less authentication.)
Note: Store the password you entered somewhere safe (a password manager rather than a notepad file); it is the password of the sshd_server service account that the SSHD service runs under, and you will need it if that account ever has to be reconfigured.
9. Choose Yes for SSHD privilege separation.
10. Keep the default port 22 and click Next.
11. Keep the default key generation bits and click Next.
12. Choose local or domain users according to your requirement.
13. Wait for the installation to complete. You may see command prompt windows flash up during the installation.
14. Click Finish to complete the installation.
15. This completes the installation of OpenSSH server. Check in the services.msc panel that the new OpenSSH service exists and that it starts successfully.
To configure password-less (public key) authentication, follow the steps below:
1. Stop the SSHD service from the services.msc console.
2. cd to C:\Program Files\OpenSSH\etc and open sshd_config in any text editor. Add or modify the lines below. Note that sshd uses the first uncommented occurrence of each keyword, so edit an existing line rather than appending a second copy further down.
PermitRootLogin yes
StrictModes no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
IgnoreUserKnownHosts yes
StrictModes no tells sshd to skip its ownership and permission checks on the .ssh directory and the authorized_keys file; it is set here because the POSIX permissions the Cygwin layer reports for these files often do not match what sshd expects. Turn it back on once key login works and the permissions are correct. The other three settings are not needed for public key login: PermitRootLogin has no effect on Windows (there is no root account), RSAAuthentication only applies to protocol 1, and IgnoreUserKnownHosts only matters for host-based authentication.
3. In the same folder, open ssh_config (the client configuration) in any text editor and add or modify the lines below. This file only affects outgoing ssh connections made from the Windows machine and has no effect on incoming logins, so this step is not required for key-based login to the server.
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
4. Restart the SSHD service, either from an administrative command prompt or from the services.msc console, for the changes to take effect.
5. Once the restart completes successfully, use PuTTY or similar software to log in to the Linux machine from which you want password-less (public key) access to the Windows host.
– Try logging in to the Windows host with the Windows user's password to make sure the connection is established:
ssh windows_user@windows_host_name
6. Generate an RSA key pair like below. An empty passphrase is what allows unattended deployment runs, but it also means the private key file is as sensitive as a password: keep it readable only by the deployment account, and consider restricting what the key may do on the server with from= and command= options in authorized_keys.
[root@MyLinuxMachine ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
74:4a:71:b9:ab:cb:96:cc:68:77:c7:0e:19:bd:3b:ef root@MyLinuxMachine
7. Now run the command below to copy the public key to the Windows machine:
ssh-copy-id windowsusername@mywindowsmachine
If ssh-copy-id fails with an error like the one below, follow the manual steps that follow to copy the key. The message itself points at the cause: the remote cat >> .ssh/authorized_keys that ssh-copy-id runs is picking up cat.exe from a separate Cygwin installation (D:\cygwin64) whose cygwin1.dll does not match the one shipped with OpenSSH.
246 [main] cat (61540) D:\cygwin64\bin\cat.exe: *** fatal error - cygheap base mismatch detected - 0x1802F1408/0x1802FA400.
This problem is probably due to using incompatible versions of the cygwin DLL.
Search for cygwin1.dll using the Windows Start->Find/Search facility
and delete all but the most recent version. The most recent version *should*
reside in x:\cygwin\bin, where 'x' is the drive on which you have
installed the cygwin distribution. Rebooting is also suggested if you
are unable to find another cygwin DLL.
/bin/sh: line 1: 60464 Segmentation fault cat >> .ssh/authorized_keys
Now try logging into the machine, with "ssh 'windowsusername@windows_machine_name'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
– Create a .ssh folder under C:\Program Files\OpenSSH\home\WINDOWS_USERNAME. For example, for the user winrmuser we created C:\Program Files\OpenSSH\home\winrmuser\.ssh.
– Create a file named authorized_keys (no extension) in Notepad and paste into it, as a single line, the public key generated on the Linux host:
[root@My_Linux_Machine ~]# cat /root/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyvWG3GMENjaoUxJtDgVe2D1mTcxJG4r70Jmf6NPXf0mlfLXmwmCRceflpXvMmor7B2OAZEUskuv2WNiyyjB0+sqIN4sRvJvxNEJVxKM8C/eNTOxBHIabAR+KM1Gyw2M8P+NdEEx70gi5kKn8jqO51uWnaerBgiIdrIoDeLhzS932SEiyooAlfxGvQwh1hLzYckJUX9XI8lIUZmXqHY2OTzoYE2ZsZbKeznJ8tc3h9R9+lp0A+n2ZvIHwqe5zsJiLk8eQ5pllBrIeGYbPujreb9XjQoKJjGPMSdlBPNKEOgiLPVXUbf1QIWjjSZxXQ5JMlmaClxeM4QR7tDlQS9zufQ== root@My_Linux_Machine
– Save the file as plain text. If Notepad offers a choice of encoding, pick one without a byte-order mark: a BOM in front of ssh-rsa stops sshd from recognising the line as a key.
8. Now try to log in from the Linux host using the same username and Windows hostname. It should log you in directly, without prompting for a password.
ssh windows_user@windows_host_name
If you are still prompted for a password, run the same command with -v to see whether the key was offered and rejected, then re-check the authorized_keys file and the sshd_config settings from step 2.
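The manual copy in step 7 is easy to get subtly wrong: Notepad may save a byte-order mark or CRLF line endings, and a second ssh-copy-id attempt can append the same key twice. As an added example, not part of the original tutorial, the POSIX shell script below builds authorized_keys on the Linux side with those checks, so the finished file can be carried to C:\Program Files\OpenSSH\home\WINDOWS_USERNAME\.ssh in one piece. The function names and the script name are the example's own, and the key line in the usage comment is constructed for illustration, not a real key.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: assemble authorized_keys
# on the Linux side so it can be copied to the Windows home directory as a
# finished file, instead of relying on the remote "cat >> .ssh/authorized_keys"
# that ssh-copy-id runs (which crashed with the Cygwin DLL mismatch above).
# Assumptions: OpenSSH public key line format "<type> <base64-blob> [comment]";
# any key shown in comments here is constructed, not a real key.

# pubkey_normalize LINE
# Strip the UTF-8 byte-order mark and trailing CR that Windows editors add.
# A BOM in front of "ssh-rsa" makes sshd treat the line as an unknown key type.
pubkey_normalize() {
    printf '%s' "$1" | sed "$(printf 's/^\357\273\277//')" | tr -d '\r'
}

# pubkey_valid LINE
# Return 0 if LINE is "<type> <base64> [comment]" with a type this server accepts.
pubkey_valid() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$'
}

# pubkey_id LINE
# Print "<type> <blob>", which identifies the key; the comment is not part of it.
pubkey_id() {
    printf '%s\n' "$1" | awk '{ print $1, $2 }'
}

# authorized_keys_add FILE LINE
# Append LINE to FILE unless the same key is already there.
# Return 0 if added, 1 if already present, 2 if LINE is not a valid key line.
authorized_keys_add() {
    file=$1
    line=$(pubkey_normalize "$2")
    pubkey_valid "$line" || return 2
    id=$(pubkey_id "$line")
    if [ -f "$file" ] && tr -d '\r' < "$file" | awk '{ print $1, $2 }' | grep -Fxq "$id"; then
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
    chmod 600 "$file"          # not writable by others, which StrictModes yes insists on
    return 0
}

# Usage: sh build_authorized_keys.sh ./authorized_keys ~/.ssh/id_rsa.pub
# then copy ./authorized_keys to C:\Program Files\OpenSSH\home\WINDOWS_USERNAME\.ssh
if [ $# -eq 2 ]; then
    authorized_keys_add "$1" "$(cat "$2")"
fi
```

Carry the resulting file to the Windows side intact: scp is fine if the server's own scp.exe runs (it does not go through cat), otherwise use a file share or paste the line into Notepad saved as plain text. Re-running the script with the same key is safe; it reports the duplicate instead of appending it.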
Troubleshooting:
If the service fails to install, or fails to start after installation, follow the steps below.
Note: You may need the Cygwin utilities installed if the commands below are not available.
Make sure the following entries are present in PATH (System Properties, sysdm.cpl); add them if not.
%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft\Web Platform Installer\;
Go to the OpenSSH home folder in an administrative command prompt and run the command below, so that the privilege separation directory is accessible only to its owner:
chmod 700 /var/empty
Run the command below to list the local users:
mkpasswd -l
Find the sshd_server user in the output and run the command below to make it the owner of the directory (sshd checks the ownership and permissions of this directory at startup and refuses to start if they are wrong):
chown WINDOWS_HOSTNAME+sshd_server /var/empty
Now try to start the service; if it still does not start, check the log: cat /var/log/sshd.log
You can run the command below to check whether the service is listening on port 22:
netstat -an | find ":22"
A running server shows up as 0.0.0.0:22 (and :::22 for IPv6) in the LISTENING state.
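A login that still prompts for a password after the steps above often comes down to sshd_config: sshd takes the first uncommented occurrence of each keyword, so a PubkeyAuthentication no left higher in the file silently beats the yes added in step 2, and a file saved from a Windows editor carries CR characters at the end of every line. As an added example, not code from the tutorial or from OpenSSH, the POSIX shell script below prints the value sshd will actually use for a keyword and flags the settings step 2 weakens (StrictModes no, PasswordAuthentication left on, PermitRootLogin yes). The parsing rules it assumes (first occurrence wins, case-insensitive keywords, space or = as separator) are sshd's, Match blocks are not handled, the fallback defaults are OpenSSH 6.8's, and the Cygwin path in the usage comment is an assumption about where the file is visible on your install.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of OpenSSH: show the
# value sshd will actually use from sshd_config and flag the settings the
# tutorial weakens. Assumed sshd parsing rules: the FIRST uncommented
# occurrence of a keyword wins, keywords are case-insensitive, and both
# "Key value" and "Key=value" are accepted. Match blocks are not modelled,
# and the fallback defaults are OpenSSH 6.8's.

# sshd_effective FILE KEYWORD
# Print the value sshd would take for KEYWORD; print nothing if it is unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/\r$/, "") }                 # tolerate CRLF from Windows editors
        /^[ \t]*#/ { next }                # comment line
        /^[ \t]*$/ { next }                # blank line
        {
            split($0, f, /[ \t=]+/)
            i = (f[1] == "") ? 2 : 1       # leading whitespace yields an empty first field
            if (tolower(f[i]) == key) { print f[i + 1]; exit }
        }' "$1"
}

# sshd_value FILE KEYWORD DEFAULT
# Same as sshd_effective, lower-cased, falling back to DEFAULT when unset.
sshd_value() {
    v=$(sshd_effective "$1" "$2")
    printf '%s' "${v:-$3}" | tr 'A-Z' 'a-z'
}

# sshd_audit FILE
# Print one line per weak or broken setting; the return code is the count.
sshd_audit() {
    cfg=$1
    findings=0
    if [ "$(sshd_value "$cfg" PubkeyAuthentication yes)" = no ]; then
        echo "PubkeyAuthentication no: key login is off; an earlier line beats any later 'yes'"
        findings=$((findings + 1))
    fi
    if [ "$(sshd_value "$cfg" StrictModes yes)" = no ]; then
        echo "StrictModes no: ownership and permission checks on .ssh/authorized_keys are skipped"
        findings=$((findings + 1))
    fi
    if [ "$(sshd_value "$cfg" PasswordAuthentication yes)" = yes ]; then
        echo "PasswordAuthentication yes: set to no once key login works, or port 22 stays brute-forceable"
        findings=$((findings + 1))
    fi
    # OpenSSH 6.8 defaults PermitRootLogin to yes; 7.0 changed the default to prohibit-password.
    if [ "$(sshd_value "$cfg" PermitRootLogin yes)" = yes ]; then
        echo "PermitRootLogin yes: meaningless on Windows (no root account); set it to no"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage under Cygwin on the server (path is an assumption for this example):
#   sh sshd_audit.sh "/cygdrive/c/Program Files/OpenSSH/etc/sshd_config"
if [ $# -eq 1 ]; then
    sshd_audit "$1"
fi
```

The first check is the one that bites most often: if an uncommented PubkeyAuthentication no sits above the line you added in step 2, the audit reports it even though your line is present in the file. Where you can run the server binary yourself, sshd -T prints the effective values from the real parser and is the authoritative check; this script is for the case where you only have a copy of the file.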
Is there a way to pass the password directly on the command line, so that I can create a .bat file that already runs with the password?