This package is the current port of OpenSSH to Cygwin 1.1.

===========================================================================
Important change since 2.3.0p1:

When using `ntea' or `ntsec' you now have to take care of the ownership
and permission bits of your host key files and your private key files.
The host key files have to be owned by the NT account which starts
sshd. The user key files have to be owned by the user. The permission
bits of the private key files (host and user) must be no more permissive
than rw------- (0600)!

Note that this is enforced under `ntsec' only if the files are on an NTFS
filesystem (which is recommended) due to the lack of any basic security
features of the FAT/FAT32 filesystems.
===========================================================================

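The following shell functions are an added example (not part of the Cygwin OpenSSH package) that check key files against the two rules above: owned by the account you name, and no group/other permission bits. They assume GNU coreutils `stat`, which Cygwin ships, and a POSIX shell.

```shell
# Added example (not part of the Cygwin OpenSSH package): check that key files
# meet the ownership and mode rules above: owned by the given account and no
# more permissive than rw------- (0600). Assumes GNU coreutils stat (Cygwin
# ships it) and a POSIX shell.

# check_key_file FILE OWNER   (OWNER is a user name or a numeric uid)
# Returns 0 when FILE is owned by OWNER and has no group/other mode bits set;
# otherwise prints the reason on stderr and returns 1.
check_key_file() {
    f=$1
    want=$2
    case $want in
        *[!0-9]*) want=$(id -u "$want") || return 1 ;;  # resolve a name to a uid
    esac
    if [ ! -f "$f" ]; then
        printf '%s: missing\n' "$f" >&2
        return 1
    fi
    uid=$(stat -c '%u' "$f") || return 1
    mode=$(stat -c '%a' "$f") || return 1
    if [ "$uid" != "$want" ]; then
        printf '%s: owned by uid %s, expected uid %s\n' "$f" "$uid" "$want" >&2
        return 1
    fi
    # Any bit in the group/other positions (octal 077) is too permissive.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        printf '%s: mode %s is too permissive (need 0600)\n' "$f" "$mode" >&2
        return 1
    fi
    return 0
}

# check_keys OWNER FILE...: check every FILE against OWNER, e.g. the host key
# files against the account that starts sshd, or a user's private keys
# against that user. Returns 1 if any file fails.
check_keys() {
    owner=$1
    shift
    rc=0
    for k in "$@"; do
        check_key_file "$k" "$owner" || rc=1
    done
    return $rc
}
```

Run it before starting sshd, e.g. `check_keys sshd_account /etc/ssh_host_key` with the file names ssh-host-config created on your system.
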
If you are installing OpenSSH for the first time, you can generate global config
files and server keys by running

  /usr/bin/ssh-host-config

Note that this binary archive doesn't contain default config files in /etc.
Those files are only created when ssh-host-config is run.

If you are updating your installation you may run the above ssh-host-config
as well to move your configuration files to the new location and to
erase the files at the old location.

To support testing and unattended installation, ssh-host-config accepts
some options:

  usage: ssh-host-config [OPTION]...
  Options:
    --debug  -d          Enable shell's debug output.
    --yes    -y          Answer all questions with "yes" automatically.
    --no     -n          Answer all questions with "no" automatically.
    --port   -p <n>      sshd listens on port n.

You can now create the private and public keys for a user by running

  /usr/bin/ssh-user-config

under the user's account.

To support testing and unattended installation, ssh-user-config accepts
some options as well:

  usage: ssh-user-config [OPTION]...
  Options:
    --debug       -d          Enable shell's debug output.
    --yes         -y          Answer all questions with "yes" automatically.
    --no          -n          Answer all questions with "no" automatically.
    --passphrase  -p word     Use "word" as passphrase automatically.

Install sshd as a daemon via SRVANY.EXE (recommended on NT/W2K), via inetd
(results in very slow daemon startup!) or from the command line (recommended
on 9X/ME).

If starting via inetd, copy sshd to e.g. /usr/sbin/in.sshd and add the
following line to your inetd.conf file:

  sshd stream tcp nowait root /usr/sbin/in.sshd sshd -i

Moreover you'll have to add the following line to your
${SYSTEMROOT}/system32/drivers/etc/services file:

  sshd 22/tcp #SSH daemon

Authentication to sshd is possible in one of two ways.
You'll have to decide before starting sshd!

- If you want to authenticate via RSA and you want to log in to that
  machine as exactly one user account, you can do so by running sshd
  under that user account. You must change /etc/sshd_config
  to contain the following:

    RSAAuthentication yes

  Moreover it's possible to use rhosts and/or rhosts with
  RSA authentication by setting the following in sshd_config:

    RhostsAuthentication yes
    RhostsRSAAuthentication yes

- If you want to be able to log in to different user accounts you'll
  have to start sshd under the system account or any other account that
  is able to switch user context. Note that administrators are _not_
  able to do that by default! You'll have to give the following
  special user rights to the user:
    "Act as part of the operating system"
    "Replace process level token"
    "Increase quotas"
  and if used via service manager
    "Logon as a service".

  The system account of course has those user rights by default.

  Unfortunately, if you choose that way, you can only log on with
  NT password authentication and you should change
  /etc/sshd_config to contain the following:

    PasswordAuthentication yes
    RhostsAuthentication no
    RhostsRSAAuthentication no
    RSAAuthentication no

  However you can log in to the user which has started sshd with
  RSA authentication anyway. If you want that, change the RSA
  authentication setting back to "yes":

    RSAAuthentication yes

You may use all features of the CYGWIN=ntsec setting the same
way as they are used by the `login' port on sources.redhat.com:

The pw_gecos field may contain an additional field that begins
with (upper case!) "U-", followed by the domain and the username
separated by a backslash.
CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
BTW: The field separator in pw_gecos is the comma.
The username in pw_name itself may be any nice name:

  domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...

Now you may use `domuser' as your login name with telnet!
This is possible for local users as well, if you don't like
your NT login name ;-) You only have to leave out the domain:

  locuser::1104:513:John Doe,U-user,S-1-5-21-...

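As an added example (not part of the Cygwin OpenSSH package or its `login' port), the following POSIX shell function splits one /etc/passwd line in the layout just described into the login name, the NT account from the "U-" field and the SID, and rejects a line whose last pw_gecos field is not the SID. The SID values in the test are constructed placeholders.

```shell
# Added example (not part of the Cygwin OpenSSH package): split one /etc/passwd
# line in the pw_gecos layout described above into the login name, the NT
# account from the "U-" field (empty if absent, i.e. the login name is used as
# is) and the SID, which must be the last comma-separated gecos field.
# POSIX sh only; no external commands needed.

# passwd_account LINE
# Prints "login<TAB>ntaccount<TAB>sid"; returns 1 if the last gecos field
# is not a SID (the CAUTION above is violated).
passwd_account() {
    line=$1
    login=${line%%:*}
    # Fields 1-4 are name:passwd:uid:gid; strip them to reach pw_gecos (field 5).
    rest=${line#*:*:*:*:}
    gecos=${rest%%:*}
    sid=${gecos##*,}
    ntacct=
    # Walk the comma-separated fields looking for the (case-sensitive) U- entry.
    fields=$gecos
    while :; do
        field=${fields%%,*}
        case $field in
            U-*) ntacct=${field#U-} ;;
        esac
        [ "$field" = "$fields" ] && break
        fields=${fields#*,}
    done
    case $sid in
        S-1-*) ;;
        *) printf '%s: the SID is not the last pw_gecos field\n' "$login" >&2
           return 1 ;;
    esac
    printf '%s\t%s\t%s\n' "$login" "$ntacct" "$sid"
}
```
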
V2 server and user keys are generated by `ssh-config'. If you want to
create DSA keys by yourself, call ssh-keygen with the `-d' option.

DSA authentication is similar to RSA:
  Add keys to ~/.ssh/authorized_keys2
Interoperability with ssh.com DSA keys:
  ssh-keygen -f /key/from/ssh.com -X >> ~/.ssh/authorized_keys2
and vice versa:
  ssh-keygen -f /privatekey/from/openssh -x > ~/.ssh2/mykey.pub
  echo Key mykey.pub >> ~/.ssh2/authorization

If you want to build from source, the following options to
configure are used for the Cygwin binary distribution:

  --prefix=/usr --sysconfdir=/etc --libexecdir='${exec_prefix}/sbin'

You must have installed the zlib, openssl and regex packages to
be able to build OpenSSH!

Please send requests, error reports etc. to cygwin@sources.redhat.com.

Have fun,

Corinna Vinschen <vinschen@cygnus.com>
Cygwin Developer
Red Hat Inc.