[openssh.git] / contrib / cygwin / README

This package is the actual port of OpenSSH to Cygwin 1.3.

===========================================================================
Important change since 3.0.1p1-2:

This version introduces the ability to register sshd as service on
Windows 9x/Me systems.  This is done only when the options -D and/or
-d are not given.
===========================================================================

===========================================================================
Important change since 2.9p2:

Since Cygwin is able to switch user context without password beginning
with version 1.3.2, OpenSSH now allows to do so when it's running under
a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
allow that feature.
===========================================================================

===========================================================================
Important change since 2.3.0p1:

When using `ntea' or `ntsec' you now have to care for the ownership
and permission bits of your host key files and your private key files.
The host key files have to be owned by the NT account which starts
sshd. The user key files have to be owned by the user. The permission
bits of the private key files (host and user) have to be at least
rw------- (0600)!

Note that this is forced under `ntsec' only if the files are on a NTFS
filesystem (which is recommended) due to the lack of any basic security
features of the FAT/FAT32 filesystems.
===========================================================================

If you are installing OpenSSH the first time, you can generate global config
files and server keys by running
   
   /usr/bin/ssh-host-config

Note that this binary archive doesn't contain default config files in /etc.
That files are only created if ssh-host-config is started.

If you are updating your installation you may run the above ssh-host-config
as well to move your configuration files to the new location and to
erase the files at the old location.

To support testing and unattended installation ssh-host-config got
some options:

usage: ssh-host-config [OPTION]...
Options:
    --debug      -d        Enable shell's debug output.
    --yes        -y        Answer all questions with "yes" automatically.
    --no         -n        Answer all questions with "no" automatically.
    --port       -p <n>    sshd listens on port n.

Additionally ssh-host-config now asks if it should install sshd as a
service when running under NT/W2K. This requires cygrunsrv installed.

You can create the private and public keys for a user now by running

  /usr/bin/ssh-user-config

under the users account.

To support testing and unattended installation ssh-user-config got
some options as well:

usage: ssh-user-config [OPTION]...
Options:
    --debug      -d        Enable shell's debug output.
    --yes        -y        Answer all questions with "yes" automatically.
    --no         -n        Answer all questions with "no" automatically.
    --passphrase -p word   Use "word" as passphrase automatically.

Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd
(results in very slow deamon startup!) or from the command line (recommended
on 9X/ME).

If you start sshd as deamon via cygrunsrv.exe you MUST give the
"-D" option to sshd. Otherwise the service can't get started at all.

If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
following line to your inetd.conf file:

ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i

Moreover you'll have to add the following line to your
${SYSTEMROOT}/system32/drivers/etc/services file:

   ssh         22/tcp          #SSH daemon

===========================================================================
The following restrictions only apply to Cygwin versions up to 1.3.1
===========================================================================

Authentication to sshd is possible in one of two ways.
You'll have to decide before starting sshd!

- If you want to authenticate via RSA and you want to login to that
  machine to exactly one user account you can do so by running sshd
  under that user account. You must change /etc/sshd_config
  to contain the following:

  RSAAuthentication yes

  Moreover it's possible to use rhosts and/or rhosts with
  RSA authentication by setting the following in sshd_config:

  RhostsAuthentication yes
  RhostsRSAAuthentication yes

- If you want to be able to login to different user accounts you'll
  have to start sshd under system account or any other account that
  is able to switch user context. Note that administrators are _not_
  able to do that by default! You'll have to give the following
  special user rights to the user:
  "Act as part of the operating system"
  "Replace process level token"
  "Increase quotas"
  and if used via service manager
  "Logon as a service".

  The system account does of course own that user rights by default.

  Unfortunately, if you choose that way, you can only logon with
  NT password authentification and you should change
  /etc/sshd_config to contain the following:

    PasswordAuthentication yes
    RhostsAuthentication no
    RhostsRSAAuthentication no
    RSAAuthentication no

  However you can login to the user which has started sshd with
  RSA authentication anyway. If you want that, change the RSA
  authentication setting back to "yes":
     
    RSAAuthentication yes

Please note that OpenSSH does never use the value of $HOME to
search for the users configuration files! It always uses the
value of the pw_dir field in /etc/passwd as the home directory.
If no home diretory is set in /etc/passwd, the root directory
is used instead!

You may use all features of the CYGWIN=ntsec setting the same
way as they are used by the `login' port on sources.redhat.com:

  The pw_gecos field may contain an additional field, that begins
  with (upper case!) "U-", followed by the domain and the username
  separated by a backslash.
  CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
  BTW: The field separator in pw_gecos is the comma.
  The username in pw_name itself may be any nice name:

    domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...

  Now you may use `domuser' as your login name with telnet!
  This is possible additionally for local users, if you don't like
  your NT login name ;-) You only have to leave out the domain:

    locuser::1104:513:John Doe,U-user,S-1-5-21-...

SSH2 server and user keys are generated by the `ssh-*-config' scripts
as well.

If you want to build from source, the following options to
configure are used for the Cygwin binary distribution:

	--prefix=/usr \
	--sysconfdir=/etc \
	--libexecdir='${exec_prefix}/sbin'

You must have installed the zlib, openssl and regex packages to
be able to build OpenSSH!

Please send requests, error reports etc. to cygwin@cygwin.com.

Have fun,

Corinna Vinschen <vinschen@redhat.com>
Cygwin Developer
Red Hat Inc.
Commit	Line	Data
41fcc457	1	This package is the actual port of OpenSSH to Cygwin 1.3.
41fcc457	2
ffb8d130	3	===========================================================================
	4	Important change since 3.0.1p1-2:
	5
	6	This version introduces the ability to register sshd as service on
	7	Windows 9x/Me systems. This is done only when the options -D and/or
	8	-d are not given.
	9	===========================================================================
	10
41fcc457	11	===========================================================================
	12	Important change since 2.9p2:
	13
	14	Since Cygwin is able to switch user context without password beginning
	15	with version 1.3.2, OpenSSH now allows to do so when it's running under
	16	a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
	17	allow that feature.
	18	===========================================================================
95273555	19
	20	===========================================================================
	21	Important change since 2.3.0p1:
	22
	23	When using `ntea' or `ntsec' you now have to care for the ownership
	24	and permission bits of your host key files and your private key files.
	25	The host key files have to be owned by the NT account which starts
	26	sshd. The user key files have to be owned by the user. The permission
	27	bits of the private key files (host and user) have to be at least
	28	rw------- (0600)!
	29
	30	Note that this is forced under `ntsec' only if the files are on a NTFS
	31	filesystem (which is recommended) due to the lack of any basic security
	32	features of the FAT/FAT32 filesystems.
	33	===========================================================================
	34
f52798a4	35	If you are installing OpenSSH the first time, you can generate global config
f52798a4	36	files and server keys by running
95273555	37
f4ebf0e8	38	/usr/bin/ssh-host-config
95273555	39
f4ebf0e8	40	Note that this binary archive doesn't contain default config files in /etc.
	41	That files are only created if ssh-host-config is started.
	42
	43	If you are updating your installation you may run the above ssh-host-config
95273555	44	as well to move your configuration files to the new location and to
	45	erase the files at the old location.
	46
f4ebf0e8	47	To support testing and unattended installation ssh-host-config got
f4ebf0e8	48	some options:
95273555	49
f4ebf0e8	50	usage: ssh-host-config [OPTION]...
	51	Options:
	52	--debug -d Enable shell's debug output.
	53	--yes -y Answer all questions with "yes" automatically.
	54	--no -n Answer all questions with "no" automatically.
f52798a4	55	--port -p <n> sshd listens on port n.
f4ebf0e8	56
41fcc457	57	Additionally ssh-host-config now asks if it should install sshd as a
	58	service when running under NT/W2K. This requires cygrunsrv installed.
	59
f4ebf0e8	60	You can create the private and public keys for a user now by running
	61
	62	/usr/bin/ssh-user-config
	63
	64	under the users account.
	65
	66	To support testing and unattended installation ssh-user-config got
	67	some options as well:
	68
	69	usage: ssh-user-config [OPTION]...
	70	Options:
	71	--debug -d Enable shell's debug output.
	72	--yes -y Answer all questions with "yes" automatically.
	73	--no -n Answer all questions with "no" automatically.
	74	--passphrase -p word Use "word" as passphrase automatically.
95273555	75
41fcc457	76	Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd
95273555	77	(results in very slow deamon startup!) or from the command line (recommended
	78	on 9X/ME).
	79
41fcc457	80	If you start sshd as deamon via cygrunsrv.exe you MUST give the
41fcc457	81	"-D" option to sshd. Otherwise the service can't get started at all.
044aa419	82
95273555	83	If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
	84	following line to your inetd.conf file:
	85
929fb284	86	ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i
95273555	87
	88	Moreover you'll have to add the following line to your
	89	${SYSTEMROOT}/system32/drivers/etc/services file:
	90
929fb284	91	ssh 22/tcp #SSH daemon
95273555	92
41fcc457	93	===========================================================================
	94	The following restrictions only apply to Cygwin versions up to 1.3.1
	95	===========================================================================
	96
95273555	97	Authentication to sshd is possible in one of two ways.
	98	You'll have to decide before starting sshd!
	99
	100	- If you want to authenticate via RSA and you want to login to that
	101	machine to exactly one user account you can do so by running sshd
	102	under that user account. You must change /etc/sshd_config
	103	to contain the following:
	104
	105	RSAAuthentication yes
	106
	107	Moreover it's possible to use rhosts and/or rhosts with
	108	RSA authentication by setting the following in sshd_config:
	109
	110	RhostsAuthentication yes
	111	RhostsRSAAuthentication yes
	112
	113	- If you want to be able to login to different user accounts you'll
	114	have to start sshd under system account or any other account that
	115	is able to switch user context. Note that administrators are _not_
	116	able to do that by default! You'll have to give the following
	117	special user rights to the user:
	118	"Act as part of the operating system"
	119	"Replace process level token"
	120	"Increase quotas"
	121	and if used via service manager
	122	"Logon as a service".
	123
	124	The system account does of course own that user rights by default.
	125
	126	Unfortunately, if you choose that way, you can only logon with
	127	NT password authentification and you should change
	128	/etc/sshd_config to contain the following:
	129
	130	PasswordAuthentication yes
	131	RhostsAuthentication no
	132	RhostsRSAAuthentication no
	133	RSAAuthentication no
	134
	135	However you can login to the user which has started sshd with
	136	RSA authentication anyway. If you want that, change the RSA
	137	authentication setting back to "yes":
	138
	139	RSAAuthentication yes
	140
9a00bfce	141	Please note that OpenSSH does never use the value of $HOME to
	142	search for the users configuration files! It always uses the
	143	value of the pw_dir field in /etc/passwd as the home directory.
	144	If no home diretory is set in /etc/passwd, the root directory
	145	is used instead!
	146
95273555	147	You may use all features of the CYGWIN=ntsec setting the same
	148	way as they are used by the `login' port on sources.redhat.com:
	149
	150	The pw_gecos field may contain an additional field, that begins
	151	with (upper case!) "U-", followed by the domain and the username
	152	separated by a backslash.
	153	CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
	154	BTW: The field separator in pw_gecos is the comma.
	155	The username in pw_name itself may be any nice name:
	156
	157	domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...
	158
	159	Now you may use `domuser' as your login name with telnet!
	160	This is possible additionally for local users, if you don't like
	161	your NT login name ;-) You only have to leave out the domain:
	162
	163	locuser::1104:513:John Doe,U-user,S-1-5-21-...
	164
9a00bfce	165	SSH2 server and user keys are generated by the `ssh-*-config' scripts
9a00bfce	166	as well.
95273555	167
95273555	168	If you want to build from source, the following options to
	169	configure are used for the Cygwin binary distribution:
	170
41fcc457	171	--prefix=/usr \
41fcc457	172	--sysconfdir=/etc \
ffb8d130	173	--libexecdir='${exec_prefix}/sbin'
95273555	174
95273555	175	You must have installed the zlib, openssl and regex packages to
ffb8d130	176	be able to build OpenSSH!
95273555	177
41fcc457	178	Please send requests, error reports etc. to cygwin@cygwin.com.
95273555	179
	180	Have fun,
	181
41fcc457	182	Corinna Vinschen <vinschen@redhat.com>
95273555	183	Cygwin Developer
95273555	184	Red Hat Inc.