| 3c0ef626 |
1 | This package is the actual port of OpenSSH to Cygwin 1.3. |
| 2 | |
| 3 | =========================================================================== |
| 4 | Important change since 2.9p2: |
| 5 | |
| 6 | Since Cygwin is able to switch user context without password beginning |
| 7 | with version 1.3.2, OpenSSH now allows to do so when it's running under |
| 8 | a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to |
| 9 | allow that feature. |
| 10 | =========================================================================== |
| 11 | |
| 12 | =========================================================================== |
| 13 | Important change since 2.3.0p1: |
| 14 | |
| 15 | When using `ntea' or `ntsec' you now have to care for the ownership |
| 16 | and permission bits of your host key files and your private key files. |
| 17 | The host key files have to be owned by the NT account which starts |
| 18 | sshd. The user key files have to be owned by the user. The permission |
| 19 | bits of the private key files (host and user) have to be at least |
| 20 | rw------- (0600)! |
| 21 | |
| 22 | Note that this is forced under `ntsec' only if the files are on a NTFS |
| 23 | filesystem (which is recommended) due to the lack of any basic security |
| 24 | features of the FAT/FAT32 filesystems. |
| 25 | =========================================================================== |
| 26 | |
| 27 | If you are installing OpenSSH the first time, you can generate global config |
| 28 | files and server keys by running |
| 29 | |
| 30 | /usr/bin/ssh-host-config |
| 31 | |
| 32 | Note that this binary archive doesn't contain default config files in /etc. |
| 33 | That files are only created if ssh-host-config is started. |
| 34 | |
| 35 | If you are updating your installation you may run the above ssh-host-config |
| 36 | as well to move your configuration files to the new location and to |
| 37 | erase the files at the old location. |
| 38 | |
| 39 | To support testing and unattended installation ssh-host-config got |
| 40 | some options: |
| 41 | |
| 42 | usage: ssh-host-config [OPTION]... |
| 43 | Options: |
| 44 | --debug -d Enable shell's debug output. |
| 45 | --yes -y Answer all questions with "yes" automatically. |
| 46 | --no -n Answer all questions with "no" automatically. |
| 47 | --port -p <n> sshd listens on port n. |
| 48 | |
| 49 | Additionally ssh-host-config now asks if it should install sshd as a |
| 50 | service when running under NT/W2K. This requires cygrunsrv installed. |
| 51 | |
| 52 | You can create the private and public keys for a user now by running |
| 53 | |
| 54 | /usr/bin/ssh-user-config |
| 55 | |
| 56 | under the users account. |
| 57 | |
| 58 | To support testing and unattended installation ssh-user-config got |
| 59 | some options as well: |
| 60 | |
| 61 | usage: ssh-user-config [OPTION]... |
| 62 | Options: |
| 63 | --debug -d Enable shell's debug output. |
| 64 | --yes -y Answer all questions with "yes" automatically. |
| 65 | --no -n Answer all questions with "no" automatically. |
| 66 | --passphrase -p word Use "word" as passphrase automatically. |
| 67 | |
| 68 | Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd |
| 69 | (results in very slow deamon startup!) or from the command line (recommended |
| 70 | on 9X/ME). |
| 71 | |
| 72 | If you start sshd as deamon via cygrunsrv.exe you MUST give the |
| 73 | "-D" option to sshd. Otherwise the service can't get started at all. |
| 74 | |
| 75 | If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the |
| 76 | following line to your inetd.conf file: |
| 77 | |
| 78 | sshd stream tcp nowait root /usr/sbin/in.sshd sshd -i |
| 79 | |
| 80 | Moreover you'll have to add the following line to your |
| 81 | ${SYSTEMROOT}/system32/drivers/etc/services file: |
| 82 | |
| 83 | sshd 22/tcp #SSH daemon |
| 84 | |
| 85 | =========================================================================== |
| 86 | The following restrictions only apply to Cygwin versions up to 1.3.1 |
| 87 | =========================================================================== |
| 88 | |
| 89 | Authentication to sshd is possible in one of two ways. |
| 90 | You'll have to decide before starting sshd! |
| 91 | |
| 92 | - If you want to authenticate via RSA and you want to login to that |
| 93 | machine to exactly one user account you can do so by running sshd |
| 94 | under that user account. You must change /etc/sshd_config |
| 95 | to contain the following: |
| 96 | |
| 97 | RSAAuthentication yes |
| 98 | |
| 99 | Moreover it's possible to use rhosts and/or rhosts with |
| 100 | RSA authentication by setting the following in sshd_config: |
| 101 | |
| 102 | RhostsAuthentication yes |
| 103 | RhostsRSAAuthentication yes |
| 104 | |
| 105 | - If you want to be able to login to different user accounts you'll |
| 106 | have to start sshd under system account or any other account that |
| 107 | is able to switch user context. Note that administrators are _not_ |
| 108 | able to do that by default! You'll have to give the following |
| 109 | special user rights to the user: |
| 110 | "Act as part of the operating system" |
| 111 | "Replace process level token" |
| 112 | "Increase quotas" |
| 113 | and if used via service manager |
| 114 | "Logon as a service". |
| 115 | |
| 116 | The system account does of course own that user rights by default. |
| 117 | |
| 118 | Unfortunately, if you choose that way, you can only logon with |
| 119 | NT password authentification and you should change |
| 120 | /etc/sshd_config to contain the following: |
| 121 | |
| 122 | PasswordAuthentication yes |
| 123 | RhostsAuthentication no |
| 124 | RhostsRSAAuthentication no |
| 125 | RSAAuthentication no |
| 126 | |
| 127 | However you can login to the user which has started sshd with |
| 128 | RSA authentication anyway. If you want that, change the RSA |
| 129 | authentication setting back to "yes": |
| 130 | |
| 131 | RSAAuthentication yes |
| 132 | |
| 133 | Please note that OpenSSH does never use the value of $HOME to |
| 134 | search for the users configuration files! It always uses the |
| 135 | value of the pw_dir field in /etc/passwd as the home directory. |
| 136 | If no home diretory is set in /etc/passwd, the root directory |
| 137 | is used instead! |
| 138 | |
| 139 | You may use all features of the CYGWIN=ntsec setting the same |
| 140 | way as they are used by the `login' port on sources.redhat.com: |
| 141 | |
| 142 | The pw_gecos field may contain an additional field, that begins |
| 143 | with (upper case!) "U-", followed by the domain and the username |
| 144 | separated by a backslash. |
| 145 | CAUTION: The SID _must_ remain the _last_ field in pw_gecos! |
| 146 | BTW: The field separator in pw_gecos is the comma. |
| 147 | The username in pw_name itself may be any nice name: |
| 148 | |
| 149 | domuser::1104:513:John Doe,U-domain\user,S-1-5-21-... |
| 150 | |
| 151 | Now you may use `domuser' as your login name with telnet! |
| 152 | This is possible additionally for local users, if you don't like |
| 153 | your NT login name ;-) You only have to leave out the domain: |
| 154 | |
| 155 | locuser::1104:513:John Doe,U-user,S-1-5-21-... |
| 156 | |
| 157 | SSH2 server and user keys are generated by the `ssh-*-config' scripts |
| 158 | as well. |
| 159 | |
| 160 | If you want to build from source, the following options to |
| 161 | configure are used for the Cygwin binary distribution: |
| 162 | |
| 163 | --prefix=/usr \ |
| 164 | --sysconfdir=/etc \ |
| 165 | --libexecdir='${exec_prefix}/sbin \ |
| 166 | --with-pcre |
| 167 | |
| 168 | You must have installed the zlib, openssl and regex packages to |
| 169 | be able to build OpenSSH! The `--with-pcre' option requires |
| 170 | the installation of the pcre package. |
| 171 | |
| 172 | Please send requests, error reports etc. to cygwin@cygwin.com. |
| 173 | |
| 174 | Have fun, |
| 175 | |
| 176 | Corinna Vinschen <vinschen@redhat.com> |
| 177 | Cygwin Developer |
| 178 | Red Hat Inc. |
andersk / gssapi-openssh.git / blame