Skip to content

Instantly share code, notes, and snippets.

@tbrunz

tbrunz/HOWTO-setup-SSH-in-Win7-10.txt

Last active August 18, 2020 02:15
Show Gist options
  • Save tbrunz/f1c2703e29e3930e6c9e6aeab69c1c3f to your computer and use it in GitHub Desktop.
Save tbrunz/f1c2703e29e3930e6c9e6aeab69c1c3f to your computer and use it in GitHub Desktop.
Download ZIP
HOW TO Set Up an SSH Server in Windows 7/10
Raw
HOWTO-setup-SSH-in-Win7-10.txt
SSH on Windows 7 ("The full awesome implementation")
===============================================================================
http://codeoptimism.net/2010/10/08/SSH-on-Windows-7-the-full-awesome-implementation
http://codeoptimism.net/2010/10/13/SSH-on-Windows-7-continued-charade-ssh-rsync-Unison
22 Dec 2019 Update: Corrected paths for PuTTY; Clarifications for some steps;
11 Dec 2017 Update: Added full paths for Task Manager 'Action' items;
15 Aug 2016 Update: Added .bashrc alias for 'ping';
15 Feb 2016 Update: Added 'ssh-pageant' to Step 1 as Cygwin package to install;
05 Apr 2015 Update: New 'ssh-host-config' mode; Fixed a few typos; Tweaks for
installing as an unprivileged user;
25 May 2014 Update: Fixups for installing 'Cygwin64' & installing on 32-bit Win;
Cleaned up all procedures; Enhanced client keygen section;
09 Mar 2014 Update: Made notations for installing 'Cygwin64';
30 Sep 2013 Update: Replace 'charade' w/ 'ssh-pageant';
30 Jan 2012 Update for added clarity & more options;
02 Sep 2011 Update for clarity & Win XP/7 differences;
16 May 2011 Updated and polished;
08 Oct 2010, 13 Oct 2010 Original;
Configuring Secure Shell on Windows 7 requires a special configuration...
Note that you can do both the server & client procedures on the same machine,
allowing your machine to act as both (usually the most useful configuration).
---------------------------------------------
SSH Server Installation & Configuration
1. Install 'Cygwin'. Be sure to include editors ('vi'/'vim' and/or 'emacs'),
'openssh', all the crypto packages, packages 'rsync' and 'unison', and the
package 'ssh-pageant'. (Suggested Unison version is 2.40.102.)
Note that you can install from the Internet (http://www.Cygwin.com), or from
the repository included with these instructions. (The included repository is
small, containing just enough packages to make the SSH applications work.)
Note that when installing the 64-bit version of Cygwin, it will default its
installation directory to 'C:\Cygwin64\'. You likely want to change this
to 'C:\Cygwin\'; these instructions assume this is the case.
Note that when installing 32-bit apps on 64-bit Windows, installation folders
go in 'C:\Program Files (x86)\' while on 32-bit Windows, the only apps folder
that exists is 'C:\Program Files\'. The following instructions assume you
are installing on a 64-bit system; use whatever is appropriate for your case.
Note that Cygwin installation may return a dialog after installation saying
that the program may not have installed correctly. You can likely disregard
this; it appears to be incorrect/unnecessary.
2. Configure the Cygwin bash shell to run as 'Administrator'.
In the Start menu, right-click the 'Cygwin' icon, then select 'Run as
administrator'.
3. Open Cygwin and run 'ssh-host-config' to generate a set of OpenSSH RSA keys
(do this even if you already have a set of keys you wish to install instead
later). (Note, depending on the version of Cygwin installed, you may not get
all these questions; adjust accordingly.)
Answer 'Yes' to using strict mode.
Answer 'Yes' to privilege separation.
Answer 'Yes' to creating a new local account.
Answer 'No' to installing as a service. (Critical! Explanation follows.)
4. Immediately after, enter the following (be sure to include the '>' symbol):
mkdir .ssh
> ~/.ssh/authorized_keys
Creating this file from the terminal assigns the appropriate permissions.
(Cygwin's 'None' account is granted read access.)
5. If you wish to only use PKI cryptography to log in, edit '/etc/sshd_config':
Copy/paste the line containing 'PasswordAuthentication', then uncomment the
copy & change the setting to 'No'.
6. Close ('exit') Cygwin.
Server Environment Variables Configuration
This will allow us to store certain standalone executables, and omit their full
path when launching them. It will also allow launching the server from outside
of a Cygwin bash shell. (Note that Cygwin's 'bin' directories will appropriately
take precedence, as seen in the file 'C:\Cygwin\etc\profile'.)
1. Create the folder 'C:\Program Files (x86)\PuTTY', which should be created on
installing PuTTY; You may want to install PuTTY at this point... Be sure to
install the 32-bit version, since you will later add Kitty, which is 32-bit.
2. Open the Control Panel (press '<WindowsKey>+<Pause/Break>'), then click (on
the left sidebar) 'Advanced system settings' to open the 'System Properties'
dialog.
3. Click the 'Environment Variables' button; under 'System variables', double-
click the 'Path' variable. (Or single-click and click the 'Edit..' button.)
4. Add the following to the end of the 'Variable value' string, being careful to
include the leading semicolon:
;C:\Program Files (x86)\PuTTY;C:\Cygwin\bin
(You may prefer to put 'C:\Program Files (x86)\PuTTY' part in the 'User PATH'
instead, which is fine.)
5. Click OK, closing the dialogs.
Launching the SSH Daemon on the Server
1. Copy 'hstart.exe' to 'C:\Program Files (x86)\PuTTY'. (This is in the
'put-in-c-progfiles-putty' folder; you can copy all the files in this folder
to 'C:\Program Files (x86)\PuTTY' at this point, if you wish.
Note: 'hstart' will help to hide a console window, but it's also very useful
for de-elevating application launches, as you'll see later.
(See http://www.ntwind.com/software/utilities/hstart.html for more info.)
2. Open 'Task Scheduler' on the server using "Run as Administrator". (Why use
'Task Scheduler'? To bypass the permissions elevation prompt when the apps
start up.) You'll find 'Task Scheduler' in the Start Menu, under 'All
Programs' / 'Accessories' / 'System Tools'.
3. Click 'Task Scheduler Library' (left sidebar), then click 'Create Task..',
located under 'Actions' on the right sidebar. (You may need to enlarge the
window a bit to see everything.)
4. Under the 'General' tab, name the task 'SSHD', optionally set the Description
to "Start the SSH daemon", and check 'Run with highest privileges'. If you
plan to launch the server daemon when the system starts up, then also check
'Run whether user is logged on or not'.
5. Under 'Triggers', click 'New..' & set it to launch when you (or anyone) logs
on. (You can also set it to launch when the machine boots up, which is less
secure but can be more useful, in which case you will want to have 'Run
whether user is logged on or not' checked on the 'General' tab.)
6. Under 'Conditions', uncheck 'Start the task only if the computer is on AC
power' if the server is not a laptop (or if you don't care about power use
issues).
7. Under 'Actions', click 'New..' and accept the default action of 'Start a
program' and enter:
Program/script: "C:\Program Files (x86)\PuTTY\hstart.exe"
Add arguments: /noconsole "C:\Cygwin\usr\sbin\sshd.exe -D"
Start in: [leave blank]
8. Click 'OK' (more than once) to confirm all & close the 'Create task' dialog,
then press <F5> on the Task Manager window to refresh, and then Run the SSH
daemon by right-clicking the item and selecting 'Run'. (Press <F5> again to
refresh & verify that it's running.)
9. Keep the Task Manager open if you're also installing the SSH client apps on
this machine; otherwise close it.
Q: Why did we go to all this trouble instead of allowing 'ssh-host-config' to
install 'SSHD' as a service?
A: We want the daemon to run as a child process of 'Explorer.exe'. Although you
can 'allow a service to interact with the desktop', it won't have the desired
effect. This way we can launch e.g., 'notepad' remotely and have it open in
our user session on the server, as a child of 'Explorer', fully visible and
ready for input.
---------------------------------------------
Client Public-Key Encryption Configuration
1. Install PuTTY on the client machine (you can install the version located in
the 'install-in-windows' folder) and follow the installer's prompts (the
defaults are all good to use).
2. Launch 'PuTTYGen' (from the Start menu, in the 'PuTTY' folder), regardless of
whether you need to make a new set of keys or will import an existing set.
3. If you need to generate a new set of RSA keys ('SSH-2 RSA' type), select a
bit size (1024 or 2048, larger is better), then click 'Generate' and follow
the prompts (otherwise skip to the next step).
1024 bit keys are useful for using SSH from a slow smartphone (or one with a
low signal), as it will negotiate a connection quicker. However, it's more
preferred to use 2048 bits for better security.
4. If you already have a set of RSA keys you wish to use, import them from the
menu 'Conversions' / 'Import Key'.
5. Comment the key to identify it (edit the suggestion in 'Key comment'). One
suggestion: 'User@Server-PC_Date', e.g. 'Chris@MyMachine_2014-0525'. This
comment shows up at the end of the key line in the server's 'authorized_keys'
file, allowing you to easily determine the machine from which it originated.
6. Absolutely give it a passphrase! (Enter one in 'Key passphrase' and again in
'Confirm passphrase'.) This will encrypt the private key (which is why we'll
install 'Pageant' later; it will provide a single logon request to decrypt
your key for use during each session).
7. Click 'Save private key' to save the PuTTY private key to your hard drive.
Suggested location to save it: Since you'll be saving your OpenSSH version of
the keys in 'C:\Cygwin\home\[user]\.ssh\', put all your keys there.
For a key name, you could use something like '[email protected]'. However,
if you are in a mixed-platform environment, you'll likely be better off
following OpenSSH standards. In this case, your keys would be named:
id_rsa.ppk = PuTTY private key
id_rsa.pbk = PuTTY public key
id_rsa = OpenSSH private key
id_rsa.pub = OpenSSH public key
If you need to deal with multiple sets of keys, you might prepend these names
with the name of the owner or platform, e.g., 'chris.id_rsa.ppk', or
'mypc.id_rsa.ppk' for example.
However you decide, be consistent in naming all four of the key files you're
creating.
8. Click 'Save public key' to save the PuTTY public key (naming it, as in our
last example, 'id_rsa.pbk') and save it in the same location.
9. In the 'Conversions' menu, select 'Export OpenSSH key' & save the equivalent
OpenSSH private key as 'id_rsa'. (Note: this file has no extension.) You'll
want this key later for Cygwin to use (or to copy to a Linux or OSX account);
the standard format for private keys is different from what PuTTY uses. Save
this key as 'C:\Cygwin\home\[user]\.ssh\id_rsa'.
10. If you're using the client machine as an SSH server as well, then you'll
already have an 'authorized_keys' file in 'C:\Cygwin\home\[user]\.ssh\'; if
not, then create one now (using the procedure in the 'server' section above
to ensure the file has the desired ownership/premissions). Do this even if
you think you "don't need it" (it won't hurt anything by being present in
any case).
11. Swipe and copy the public key displayed at the top of the 'PuTTYGen' window
and paste it at the end of your 'authorized_keys' file & save it. This key
is your corresponding OpenSSH public key. If/when you decide to use this
machine as an SSH server, you'll want the server to recognize your keys as
valid (i.e., you'll want to authorize yourself).
12. If your OpenSSH public key is the only key in the 'authorized_keys' file,
then you can copy the 'authorized_keys' file and paste it as 'id_rsa.pub',
your OpenSSH public key file. Otherwise, create 'id_rsa.pub' as a new file,
and paste your OpenSSH public key into this file & save it.
13. You can close the 'PuTTYGen' window at this point.
14. Finally, copy the contents of the 'id_rsa.pub' file (located on the client)
into the 'authorized_keys' file (on the server). For a Windows server, this
file is 'C:\Cygwin\home\[user]\.ssh\authorized_keys'. For a Linux server,
this file is 'home/[user]/.ssh/authorized_keys'. A secure Remote Desktop
connection works fine for this, or you can use WinSCP, or just use a thumb
drive. Note that the public key file is not confidential; it's 'public'.
(By the same token, NEVER email an unencrypted private key -- under ANY
circumstances!)
Client Applications - Installation & Configuration
1. On the client system, create the folder 'C:\Program Files (x86)\PuTTY'.
(Better yet, just install PuTTY, which will create this folder for you, and
handle some of the other items below.)
2. Download 'KiTTY.exe' to 'C:\Program Files (x86)\PuTTY' (or use the version
in 'put-in-c-progfiles-putty'). Note that 'KiTTY' is a 32-bit Windows-only
fork of PuTTY whose additional features have considerable advantages.
3. Rename 'putty.exe' to 'putty-orig.exe' (as needed), then copy 'kitty.exe' and
paste it & rename it to 'putty.exe'; this is needed for compatibility with
PuTTY's 'Pageant' application.
4. Create or download 'kitty.ini' to 'C:\Program Files (x86)\PuTTY', and give it
the following entries:
[PuTTY]
keys=load
This will copy KiTTY's configuration to PuTTY's registry keys on each exit,
maintaining compatibility with tools such as 'Plink' and 'Pageant'.
5. The above won't work if the 'HKEY_CURRENT_USER\Software\SimonTatham\PuTTY'
registry key doesn't exist. Assuming you haven't installed PuTTY, the fast
solution is to 'merge' a '.reg' file to create the needed entry.
You can do this by right-clicking the '.reg' file and selecting 'Merge' (or
by opening 'regedit.exe' and under 'File' selecting 'Import..', then finding
the '.reg' file, which does the same thing).
6. Download 'Pageant.exe' to 'C:\Program Files (x86)\PuTTY' (or copy the version
in 'put-in-c-progfiles-putty').
7. Open 'Task Scheduler' on the client. You'll find it in the Start Menu, under
'All Programs' / 'Accessories' / 'System Tools'.
8. Click 'Task Scheduler Library' (left sidebar), then click 'Create Task..',
located under 'Actions' on the right sidebar. (You may need to enlarge the
window a bit to see everything.)
9. On the 'General' tab, name the task 'Pageant', optionally add a Description
"Start Pageant, the PuTTY equivalent of 'ssh-agent'", and be sure NOT to
check 'Run with highest privileges'.
10. Under 'Triggers', click 'New..' & set it to launch when YOU log on (i.e.,
not 'for any user' -- for YOU, specifically).
11. Under 'Conditions', uncheck 'Start the task only if the computer is on AC
power' if the server is not a laptop (or if you don't care about power use
issues).
12. Under 'Actions', click 'New..' and enter (assuming the canonical key name):
Program/script: "C:\Program Files (x86)\PuTTY\Pageant.exe"
Add arguments: C:\Cygwin\home\[user]\.ssh\id_rsa.ppk
Start in: [leave blank]
13. Click 'OK' (more than once) to confirm all & close the 'Create task' dialog,
then press <F5> on the Task Manager window to refresh, and then Run the
Pageant app by right-clicking the item and selecting 'Run'. (Press <F5>
again to refresh & verify that it's running.)
14. Type in your passphrase when prompted by Pageant. You should see either a
dialog box (which might not be on top), or an icon in the task bar...
Note that you may need to edit the system tray properties so that the icon
will be displayed in the system tray. To do this, right-click the task bar
and select 'Properties'; under the 'Taskbar' tab, click "Customize..."; find
"PuTTY SSH authentication agent", pull down the corresponding 'Behaviors'
control, and select "Show icon and notifications". Click "OK", then close
the 'Taskbar and Start Menu Properties' dialog box.
15. Close the Task Scheduler.
Running 'Pageant' & 'KiTTY' to Create an SSH Session
1. You should see 'Pageant' in the System Tray notification area. Right-click
on it and select 'New Session'. (If you don't see this, double-check the
above steps; you may need to enable 'Show icons and notifications' in the
system tray options.)
2. 'Pageant' should open 'KiTTY' (not 'PuTTY'). Add the server's hostname (or
IP number) where indicated at the top of the 'Session' page. (If you want
to use hostnames instead of IP numbers, you should install a custom 'hosts'
file in 'C:\Windows\system32\drivers\etc\'.)
3. Under 'Connection' / 'Data', in the 'Auto-login username' textbox, enter the
username for your account on the server host.
4. Under 'Connection' / 'SSH' / 'Auth', click "Browse" and surf to your PuTTY
private key ('.ppk'), which should be in 'C:\Cygwin\home\[user]\.ssh'.
5. Back under 'Session', in the 'Saved Sessions / New Folder' textbox, type in a
session name of your choice (for example, 'User@ServerHost') & click 'Save'.
6. Click 'Open' to connect to the server...
Now, whenever you boot & log into the client machine, Pageant will prompt for
your passphrase to access your PPK private key (and it will remember it until
you log out). After that, you can launch SSH sessions using Pageant's list of
'Saved Sessions' by right-clicking the Pageant icon in the systray notification
area, and Pageant will automate key verification for you. (This is the Windows
version of 'ssh-agent' operation in OpenSSH.)
File browsing on the Server from the Client
Now install 'WinSCP' (wherever it wishes); you will likely need to install using
"Run as Administrator". Configure nothing. With 'KiTTY' fully connected to the
server, click its top-left icon (in its title bar). Select 'Start WinSCP' (near
the bottom of the list).
There you are: Full SFTP access without even configuring WinSCP! (If it failed
to connect, you may have already had WinSCP installed; try re-installing it,
opting to delete configuration files; this is one solution.)
Launching applications on the Server from the Client
As our SSH daemon runs with administrative privileges on the server machine, we
have full remote system access, which can be a security concern. Often, we will
want to launch an application on the server with non-elevated privileges. To do
this, you can use the command 'hstart.exe /nonelevated'.
An even more convenient way to do this is to create an alias in your '.bashrc'
file on the server, which is located in 'C:\Cygwin\home\[User]\.bashrc'.
Consider adding the following to '.bashrc' (where 'noel' stands for 'No Elevated
Privileges'):
alias noel='hstart.exe /nonelevated '
alias ping='$SYSTEMROOT/System32/ping.exe '
You'll want to then reload the '.bashrc' file using the command '. ~/.bashrc'.
Now you can launch an application using a shell command, e.g., 'noel notepad',
entered on the client, and the app will run on the server with a 'Medium' (i.e.,
non-elevated) authorization level, just as a standard program would.
Configuring Cygwin to Support SSH Sessions
In the above, we established an SSH session with 'KiTTY'. However, to take full
advantage of Cygwin and SSH, it's equally important that your Windows client can
connect with Cygwin's SSH (or SSH on a Linux or Mac machine).
As Pageant handles authentication for KiTTY, so 'ssh-agent' authenticates you
for 'ssh.exe' in Cygwin & Linux. (For more information on this subject, refer
to http://www.ibm.com/developerworks/library/l-keyc2/#1.)
However, we're on Windows! We like KiTTY, and Pageant has a nice interface, so
it should be all we need. There's a solution: 'ssh-pageant' is an ssh-agent for
Cygwin that proxies requests to Pageant. It's a Windows-centric variation on
'keychain' (http://www.ibm.com/developerworks/library/l-keyc2/#2 for more info).
The latest versions of Cygwin now have 'ssh-pageant' available. However, if you
need to get 'ssh-pageant', surf to https://github.com/cuviper/ssh-pageant, or
you can install the appropriate version located in the 'put-in-c-Cygwin-bin'
folder. (The alternative in the original version of this procedure, 'charade',
has known permissions issues, so the preferred agent is 'ssh-pageant' now.)
On the client,
1. Install 'Cygwin' and 'hstart' and configure the environment variables on the
client as was done previously on the server.
2. Download the approriate pre-built binary for 'ssh-pageant' (or use the
version in 'put-in-c-Cygwin-bin', or just have Cygwin install it).
3. If hand-installed, copy 'ssh-pageant.exe' to 'C:\Cygwin\bin\' and make sure
it's executable, then copy its man page, 'ssh-pageant.1', to
'C:\Cygwin\usr\share\man\man1\'.
4. Edit 'C:\Cygwin\home\[User]\.bash_profile' (or '.bashrc') and add the lines
# ssh-pageant
eval $( /usr/bin/ssh-pageant -ra /tmp/.ssh-pageant )
anywhere in the file. (Note that in Linux, the SSH agent will be launched
automatically by Gnome; in Cygwin, we need to launch it explicitly.)
5. Run the Pageant task, launch a local Cygwin shell, & connect to your server:
'ssh [user]@[hostname]' (or 'ssh [hostname]' if the account names match).
You should be able to connect without a password challenge.
Now, with 'ssh-pageant' operational, we can use tools like 'rsync' and 'unison'
through SSH connections.
Remember when we exported our private key in OpenSSH format (to 'id_rsa')?
That's the file that 'ssh.exe' requires.
Using 'unison' to Sync Files Between Hosts
Refer to the 'HOWTO-unison-install-in-win7.txt' file in the 'unison' folder for
details on how to install and configure Unison. Sans the above, Unison is the
only cross-platform file sync'ing tool available currently.
Using 'rsync' to Copy Files Between Hosts
With the above setup in place, we can sync files in cross-platform fashion using
the Linux tool 'rsync' that's provided in Cygwin. Here's an example bash script
used to push files over the network using 'rsync' that can handle spaces in file
names:
---------------------------------------------
#!/bin/bash
receiver=$1
# escape spaces in file paths
# (the escapes won't be visible if you echo... you'd need to triple escape...
# which we don't want)
src=`cygpath $2`
src="echo $src | sed 's/ /\\ /g'"
src=`eval $src`
if [ $# = 2 ]
then
dest=$src
#src=$src/
else
dest=`cygpath $3`
dest="echo $dest | sed 's/ /\\ /g'"
dest=`eval $dest`
fi
source ~/.ssh-agent
# rsync
# -a, archival mode, does:
# -r (recursive)
# -l (copy symlinks as symlinks)
# -p (preserive permissions)
# -t (preserve modification times)
# -g (preserve group)
# -o (preserve owner)
# -D (preserve device & special files)
# -v, verbose
# --delete, delete extraneous files from destination dirs (DANGEROUS)
# --rsh, the remote shell to use
# -z, compress file data during the transfer
# ssh
# -a, disables agent forwarding
# -x, disables x11 forwarding
# -c, set the cipher specification (blowfish being the quickest)
#LAN rsync:
rsync -s -av --delete --rsh="ssh -ax -c blowfish" "$src" $receiver:"$dest"
#WAN rsync:
#rsync -s -avz --delete --rsh="ssh -ax" "$src" $receiver:"$dest"
---------------------------------------------
I call the script from within my text editor like this:
cmd /c bash ~/push.sh Chris-Laptop 'C:\abc\some_source_dir' 'C:\some_dest_dir'
or
cmd /c bash ~/push.sh Chris-Laptop 'C:\abc\source_dir\' 'C:\abc\dest_dir\'
or just
cmd /c bash ~/push.sh Chris-Laptop 'C:\abc\source_dest\'
if the path is equivalent at the destination.
Note: It's rather important to understand the distinction of a trailing slash
on the source folder when using 'rsync' (especially with '--delete' option).
Back up your data before experimenting!
====================================================================================
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment