1 This package is the actual port of OpenSSH to Cygwin 1.3.
3 ===========================================================================
4 Important change since 3.4p1-2:
6 This version adds privilege separation as default setting, see
7 /usr/doc/openssh/README.privsep. According to that document the
8 privsep feature requires a non-privileged account called 'sshd'.
10 The new ssh-host-config file which is part of this version asks
11 to create 'sshd' as local user if you want to use privilege
12 separation. If you confirm, it creates that NT user and adds
13 the necessary entry to /etc/passwd.
15 On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
16 since that feature doesn't make any sense on a system which doesn't
17 differ between privileged and unprivileged users.
19 The new ssh-host-config script also adds the /var/empty directory
20 needed by privilege separation. When creating the /var/empty directory
21 by yourself, please note that in contrast to the README.privsep document
22 the owner sshould not be "root" but the user which is running sshd. So,
23 in the standard configuration this is SYSTEM. The ssh-host-config script
24 chowns /var/empty accordingly.
25 ===========================================================================
27 ===========================================================================
28 Important change since 3.0.1p1-2:
30 This version introduces the ability to register sshd as service on
31 Windows 9x/Me systems. This is done only when the options -D and/or
33 ===========================================================================
35 ===========================================================================
36 Important change since 2.9p2:
38 Since Cygwin is able to switch user context without password beginning
39 with version 1.3.2, OpenSSH now allows to do so when it's running under
40 a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
42 ===========================================================================
44 ===========================================================================
45 Important change since 2.3.0p1:
47 When using `ntea' or `ntsec' you now have to care for the ownership
48 and permission bits of your host key files and your private key files.
49 The host key files have to be owned by the NT account which starts
50 sshd. The user key files have to be owned by the user. The permission
51 bits of the private key files (host and user) have to be at least
54 Note that this is forced under `ntsec' only if the files are on a NTFS
55 filesystem (which is recommended) due to the lack of any basic security
56 features of the FAT/FAT32 filesystems.
57 ===========================================================================
59 If you are installing OpenSSH the first time, you can generate global config
60 files and server keys by running
62 /usr/bin/ssh-host-config
64 Note that this binary archive doesn't contain default config files in /etc.
65 That files are only created if ssh-host-config is started.
67 If you are updating your installation you may run the above ssh-host-config
68 as well to move your configuration files to the new location and to
69 erase the files at the old location.
71 To support testing and unattended installation ssh-host-config got
74 usage: ssh-host-config [OPTION]...
76 --debug -d Enable shell's debug output.
77 --yes -y Answer all questions with "yes" automatically.
78 --no -n Answer all questions with "no" automatically.
79 --port -p <n> sshd listens on port n.
81 Additionally ssh-host-config now asks if it should install sshd as a
82 service when running under NT/W2K. This requires cygrunsrv installed.
84 You can create the private and public keys for a user now by running
86 /usr/bin/ssh-user-config
88 under the users account.
90 To support testing and unattended installation ssh-user-config got
93 usage: ssh-user-config [OPTION]...
95 --debug -d Enable shell's debug output.
96 --yes -y Answer all questions with "yes" automatically.
97 --no -n Answer all questions with "no" automatically.
98 --passphrase -p word Use "word" as passphrase automatically.
100 Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd
101 (results in very slow deamon startup!) or from the command line (recommended
104 If you start sshd as deamon via cygrunsrv.exe you MUST give the
105 "-D" option to sshd. Otherwise the service can't get started at all.
107 If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
108 following line to your inetd.conf file:
110 ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i
112 Moreover you'll have to add the following line to your
113 ${SYSTEMROOT}/system32/drivers/etc/services file:
115 ssh 22/tcp #SSH daemon
117 ===========================================================================
118 The following restrictions only apply to Cygwin versions up to 1.3.1
119 ===========================================================================
121 Authentication to sshd is possible in one of two ways.
122 You'll have to decide before starting sshd!
124 - If you want to authenticate via RSA and you want to login to that
125 machine to exactly one user account you can do so by running sshd
126 under that user account. You must change /etc/sshd_config
127 to contain the following:
129 RSAAuthentication yes
131 Moreover it's possible to use rhosts and/or rhosts with
132 RSA authentication by setting the following in sshd_config:
134 RhostsAuthentication yes
135 RhostsRSAAuthentication yes
137 - If you want to be able to login to different user accounts you'll
138 have to start sshd under system account or any other account that
139 is able to switch user context. Note that administrators are _not_
140 able to do that by default! You'll have to give the following
141 special user rights to the user:
142 "Act as part of the operating system"
143 "Replace process level token"
145 and if used via service manager
146 "Logon as a service".
148 The system account does of course own that user rights by default.
150 Unfortunately, if you choose that way, you can only logon with
151 NT password authentification and you should change
152 /etc/sshd_config to contain the following:
154 PasswordAuthentication yes
155 RhostsAuthentication no
156 RhostsRSAAuthentication no
159 However you can login to the user which has started sshd with
160 RSA authentication anyway. If you want that, change the RSA
161 authentication setting back to "yes":
163 RSAAuthentication yes
165 Please note that OpenSSH does never use the value of $HOME to
166 search for the users configuration files! It always uses the
167 value of the pw_dir field in /etc/passwd as the home directory.
168 If no home diretory is set in /etc/passwd, the root directory
171 You may use all features of the CYGWIN=ntsec setting the same
172 way as they are used by the `login' port on sources.redhat.com:
174 The pw_gecos field may contain an additional field, that begins
175 with (upper case!) "U-", followed by the domain and the username
176 separated by a backslash.
177 CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
178 BTW: The field separator in pw_gecos is the comma.
179 The username in pw_name itself may be any nice name:
181 domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...
183 Now you may use `domuser' as your login name with telnet!
184 This is possible additionally for local users, if you don't like
185 your NT login name ;-) You only have to leave out the domain:
187 locuser::1104:513:John Doe,U-user,S-1-5-21-...
189 SSH2 server and user keys are generated by the `ssh-*-config' scripts
192 If you want to build from source, the following options to
193 configure are used for the Cygwin binary distribution:
197 --libexecdir='${exec_prefix}/sbin'
199 You must have installed the zlib and openssl packages to be able to
202 Please send requests, error reports etc. to cygwin@cygwin.com.
206 Corinna Vinschen <vinschen@redhat.com>