Tuesday, January 6, 2015

Security: OpenSSH on Windows using Cygwin

In this entry, I will be discussing how to configure the OpenSSH server on Windows using the Cygwin provided binaries.  This information was originally in my Road Warrior article, until I found a simpler way to configure OpenSSH.  It is kept here simply for historical purposes - or in case you have a really strong reason for preferring the Cygwin packaged version of OpenSSH.

Setting up the OpenSSH server using public key authentication:

OpenSSH is normally a Linux program that provides an encrypted connection between two machines.  OpenSSH is also open source, well studied and generally considered to be secure, and it provides public/private key authentication and port tunneling.

Those last two attributes are very important to increasing the security of this solution.  By using public/private key authentication, it is significantly more difficult for someone to access our system or to capture our traffic and decrypt it at a later time.  The port tunneling feature will allow us to route our VNC connection through the SSH connection, gaining the strength and protection of the SSH encryption.  This is the reason that we didn't need TightVNC to open a Windows Firewall rule and we only allowed VNC connections from localhost.  The TightVNC server will believe that we are connecting locally, even though we are really at the other end of the SSH connection.  By allowing only loopback connections, we have basically closed off the possibility of someone accessing the TightVNC server directly and bypassing the SSH session.

For this solution, I have chosen to use the OpenSSH server provided by the Cygwin project.  The Cygwin project ports standard Linux applications to run on a Windows environment.  This is the most "pure" implementation of OpenSSH on Windows that I am aware of - and all of the source code is available for the public to evaluate.

Enough on the background, let's get to installing software:
1) Go to and download the latest installer for your operating system.  You probably have a 64-bit Operating System, so make sure you choose that.
2) Start the installer

3) Click Next

4) Leave the default setting of "Install from Internet" and click Next

5) Leave the default setting (in this case, C:\cygwin64) and hit Next

6) Leave the default setting and hit Next

7) In most cases, "Direct Connection" (the default) is the right choice - but enter whatever information you need to connect to the Internet and hit Next.

8) Scan down the list and see if you recognize any sites near you, because they will probably be faster.  I have also had better luck with http instead of ftp, so pay close attention to the URL.  Pick your favorite site (they all have the same content) and hit Next.

9) This step is important, please pay close attention.  In the search box at the top of the screen, enter "openssh", then expand the "Net" section.  You will see that the version number is set to "Skip".  Click on the circular icon to the left of the "Skip" once until you see a version number.  This means that you will be installing OpenSSH.

10) Repeat the same steps to select the package "cygrunsrv" - the program that will automatically start OpenSSH when your system boots.

11) Press Next

12) Press Next

13) Wait while the installation proceeds

14) Press Finish

Now that both OpenSSH and cygrunsrv have been installed, we need to do some configuration.
1) Go to the Start Menu
2) Go to All Programs
3) Look for the Cygwin group
4) Right click on Cygwin64 Terminal and choose "Run as Administrator" - this is important, certain steps will fail without appropriate permissions
5) Now don't get scared - a text-based terminal will appear.

6) Type "ssh-host-config" (without the quotes) and hit Enter

7) When asked if you want to enable StrictModes, type "no" and hit Enter

8) When asked if you want to enable Privilege Separation, type "no" and hit Enter

9) When asked if you want to run the SSH server as a service, type "yes" and hit Enter.

10) When asked "Enter the value of CYGWIN for the daemon", type "ntsec" (without the quotes) and hit Enter

11) The script will then attempt to create a privileged account to run the service under.  You can leave the default name, so respond with "no" and hit Enter.

12) Accept the default username by responding "yes" and hit Enter

13) You will be prompted for a password for the new privileged user.  Type one and press Enter.  NOTE:  You will not see any characters being entered.

14) You will see a warning about some missing groups and will be asked if you want to proceed.  Respond with "yes" and hit Enter.

15) The installation will finish.  Don't worry about some of the error messages you see.

16) Verify the SSH server is working by typing "net start sshd" and looking for a message stating that the service has been successfully started.

17) Now, stop the SSH server by typing "net stop sshd" and hitting Enter.

Depending on the version of Windows, you may encounter some file permission problems.  The files that we are going to edit are:
1) c:\cygwin64\etc\sshd_config
2) c:\cygwin64\etc\passwd
3) c:\cygwin64\home\<username>\.ssh\authorized_keys (notice the period in front of the ssh again)

If you encounter access denied messages, you can simply "take ownership" of these files.  To take ownership of files in Windows:
1) Start Explorer

2) Find the file and right-click on it

3) Choose Properties

4) Switch to the Security Tab

5) Click Advanced

6) Change to the Owner tab

7) Press the Edit button

8) Highlight your name and select Apply

9) Close all of the popups that you opened
10) When you are back in the Explorer, right click on the file again and choose Properties
11) Change to the Security tab
12) This time, press the Edit Button
13) Press the Add button
14) Enter your Windows username and press Apply
15) Make sure you give yourself read and write permission

16) Click Apply and OK until all popups have disappeared

Now you will have the ability to edit these files with Wordpad - or your favorite text editor - outside of the Cygwin environment.  Just remember that if you change the sshd_config file, you will need to "net stop sshd" and "net start sshd" from within a Cygwin64 Terminal or Command Prompt with administrator permissions.

Editing the SSH Server configuration files
We need to make a few changes to the SSHD configuration file, which is located in c:\Cygwin64\etc\sshd_config (WARNING:  There is also a file called ssh_config - notice the missing D - which indicates you have the wrong file)

The settings that we want to check are:
Port xxxxx
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
Subsystem sftp internal-sftp
The only setting that you need to make a decision about is the Port setting.  This is the remote port that will be used to connect to your system.  The default port is 22 - but most ISPs block that port for incoming connections.  It is safest to pick something over 1024.
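As an added example (not from the original post), here is a small POSIX shell check that can be run from the Cygwin64 Terminal to confirm that sshd_config actually carries the settings above, honouring sshd's rule that the first uncommented occurrence of a keyword wins.  The sample config at the bottom is constructed for the demo and the port number 2222 is a placeholder for your chosen port.

```shell
#!/bin/sh
# Added example, not part of the original post: verify the sshd_config
# settings the post lists. Assumes the config path is passed as $1.

# Effective value of a directive: first uncommented match wins, as in sshd.
sshd_get() {  # usage: sshd_get <file> <Keyword>
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Returns 0 when every expected setting matches; otherwise prints each
# mismatch and returns 1.
check_sshd_config() {  # usage: check_sshd_config <file> <port>
    f=$1; port=$2; rc=0
    for pair in "Port=$port" \
                "PubkeyAuthentication=yes" \
                "AuthorizedKeysFile=.ssh/authorized_keys" \
                "PasswordAuthentication=no" \
                "PermitEmptyPasswords=no" \
                "ChallengeResponseAuthentication=no"; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sshd_get "$f" "$key")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH: $key is '${have:-unset}', expected '$want'"
            rc=1
        fi
    done
    # Subsystem carries two fields after the keyword; check them together.
    sub=$(awk 'tolower($1) == "subsystem" && $2 == "sftp" { print $3; exit }' "$f")
    [ "$sub" = "internal-sftp" ] || { echo "MISMATCH: Subsystem sftp is '${sub:-unset}'"; rc=1; }
    return $rc
}

# Constructed sample: a commented-out "no" followed by a live "yes" for
# PasswordAuthentication, the kind of leftover that re-enables password login.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# comment lines and blank lines are ignored
Port 2222
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
Subsystem sftp internal-sftp
EOF
check_sshd_config "$SAMPLE" 2222 || echo "config needs attention"
```

Run it against c:\Cygwin64\etc\sshd_config (which Cygwin sees as /etc/sshd_config) after every edit and before restarting the service.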

Adding your digital certificate
Before you take this step, some programs on mobile devices will do some of this for you.  For example, I am using a program called Remoter Pro on my iPad that will make SSH keypairs and send you the public portion to put on your server (see the screenshots below for an example).  Other programs may have similar functions.

You have to create an SSH public/private keypair.  To create the keypair:
1) Open a Cygwin64 Terminal
2) Type the following (or copy and paste from below) - accept all of the defaults for ssh-keygen:
ssh-keygen
cd ~/.ssh
cat id_rsa.pub >> authorized_keys
The public portion of the keypair needs to be stored in c:\Cygwin64\home\<username>\.ssh\authorized_keys (please notice there is a period before the letters ssh).  By using the cat line with the double greater than signs, we are basically appending the contents of our newly generated key to the existing keys.  If there are currently no keys, this will create the authorized_keys file.

You need to get the private portion of this key onto any device that you want to be able to connect from.  In this case, the private key will be named id_rsa.

The public portion will be a single really long line of text.  It should look something like this:
ssh-rsa AAA__BUNCH OF CHARACTERS REMOVED____ADAQECy/ dmorlitz@Win7-clean
Restricting the shell
This is simply an added security measure - to make sure that no commands can be entered over the remote connection that will affect your Windows system.  You will still be able to have remote control access and transfer files back and forth, but remote commands will be blocked.

1) Open the Cygwin64 Terminal in Administrator mode - as we did above
2) Enter the following two commands (bash starts in restricted mode whenever it is invoked under the name rbash, so a copy of the binary is all that is needed):
     cd /bin
     cp bash.exe rbash.exe
3) Open Wordpad and load c:\Cygwin64\etc\passwd
4) Look for the line with your Windows username
5) At the end of the line, change /bin/bash to /bin/rbash
6) Save the changes to this file and close the editor