This package is the actual port of OpenSSH to Cygwin 1.1.

===========================================================================
Important change since 2.3.0p1:

When using `ntea' or `ntsec' you now have to take care of the ownership
and permission bits of your host key files and your private key files.
The host key files have to be owned by the NT account which starts
sshd. The user key files have to be owned by the user. The permission
bits of the private key files (host and user) have to be at least

Note that this is enforced under `ntsec' only if the files are on an NTFS
filesystem (which is recommended) due to the lack of any basic security
features of the FAT/FAT32 filesystems.
===========================================================================

Since this package is part of the base distribution now, the location
of the files has changed from /usr/local to /usr. The global configuration
files are in /etc now.

If you are installing OpenSSH for the first time, you can generate
global config files and server keys by running

  /usr/bin/ssh-host-config

Note that this binary archive doesn't contain default config files in /etc.
Those files are only created when ssh-host-config is run.

If you are updating your installation you may run the above ssh-host-config
as well to move your configuration files to the new location and to
erase the files at the old location.

To support testing and unattended installation ssh-host-config got

usage: ssh-host-config [OPTION]...

  --debug  -d     Enable shell's debug output.
  --yes    -y     Answer all questions with "yes" automatically.
  --no     -n     Answer all questions with "no" automatically.

You can create the private and public keys for a user now by running

  /usr/bin/ssh-user-config

under the user's account.

To support testing and unattended installation ssh-user-config got

usage: ssh-user-config [OPTION]...

  --debug      -d       Enable shell's debug output.
  --yes        -y       Answer all questions with "yes" automatically.
  --no         -n       Answer all questions with "no" automatically.
  --passphrase -p word  Use "word" as passphrase automatically.

Install sshd as daemon via SRVANY.EXE (recommended on NT/W2K), via inetd
(results in very slow daemon startup!) or from the command line (recommended

If starting via inetd, copy sshd to e.g. /usr/sbin/in.sshd and add the
following line to your inetd.conf file:

  sshd stream tcp nowait root /usr/sbin/in.sshd sshd -i

Moreover you'll have to add the following line to your
${SYSTEMROOT}/system32/drivers/etc/services file:

  sshd         22/tcp          #SSH daemon

Authentication to sshd is possible in one of two ways.
You'll have to decide before starting sshd!

- If you want to authenticate via RSA and you want to log in to that
  machine to exactly one user account you can do so by running sshd
  under that user account. You must change /etc/sshd_config
  to contain the following:

  Moreover it's possible to use rhosts and/or rhosts with
  RSA authentication by setting the following in sshd_config:

    RhostsAuthentication yes
    RhostsRSAAuthentication yes

- If you want to be able to log in to different user accounts you'll
  have to start sshd under the system account or any other account that
  is able to switch user context. Note that administrators are _not_
  able to do that by default! You'll have to give the following
  special user rights to the user:
    "Act as part of the operating system"
    "Replace process level token"

  and if used via service manager

  The system account does of course own those user rights by default.

  Unfortunately, if you choose that way, you can only log on with
  NT password authentication and you should change
  /etc/sshd_config to contain the following:

    PasswordAuthentication yes
    RhostsAuthentication no
    RhostsRSAAuthentication no

  However you can log in to the user which has started sshd with
  RSA authentication anyway. If you want that, change the RSA
  authentication setting back to "yes":

    RSAAuthentication yes

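The following script is an added example, not part of the original README
or the OpenSSH distribution. It checks an sshd_config file against the three
settings given above for running sshd under the system account. The function
names and the sample file are made up for the example, and treating an unset
keyword as a mismatch is an assumption of the example.

```sh
#!/bin/sh
# Added example: compare an sshd_config with the three settings listed above
# for running sshd under the system account.

# effective_value FILE KEYWORD
# Prints the value of the first uncommented KEYWORD line, lower-cased.
# sshd keeps the first value it reads; keywords are case-insensitive.
effective_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }    # strip comments
        NF >= 2 && tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# check_system_account_mode FILE
# Prints every mismatch; returns 0 only if all three settings match.
# Assumption of this example: an unset keyword is reported as a mismatch.
check_system_account_mode() {
    rc=0
    for pair in PasswordAuthentication=yes RhostsAuthentication=no \
                RhostsRSAAuthentication=no; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected $want, found ${got:-<unset>}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the second RhostsAuthentication line never takes effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PasswordAuthentication yes
RhostsAuthentication yes
RhostsAuthentication no
# RhostsRSAAuthentication no
EOF
check_system_account_mode "$sample" || echo "sshd_config needs fixing"
rm -f "$sample"
```
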
You may use all features of the CYGWIN=ntsec setting the same
way as they are used by the `login' port on sources.redhat.com:

  The pw_gecos field may contain an additional field, that begins
  with (upper case!) "U-", followed by the domain and the username
  separated by a backslash.
  CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
  BTW: The field separator in pw_gecos is the comma.
  The username in pw_name itself may be any nice name:

    domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...

  Now you may use `domuser' as your login name with telnet!
  This is possible additionally for local users, if you don't like
  your NT login name ;-) You only have to leave out the domain:

    locuser::1104:513:John Doe,U-user,S-1-5-21-...

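The following script is an added example, not part of the original README
or of Cygwin. It checks passwd entries against the pw_gecos rules above (SID
last, upper-case "U-" prefix) and prints the NT account a login name maps to.
The function names are made up, and the SIDs, home directories and shells in
the sample entries are constructed.

```sh
#!/bin/sh
# Added example: check passwd entries against the pw_gecos rules above.

# check_gecos FILE
# Prints "login: problem" per violation; returns 1 if any entry is bad.
check_gecos() {
    awk -F: '
    {
        n = split($5, f, ",")          # pw_gecos fields are comma-separated
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^S-1-/ && i != n) {
                print $1 ": SID is not the last pw_gecos field"; bad = 1
            }
            if (f[i] ~ /^u-/) {        # heuristic: lower-case prefix typo
                print $1 ": account field needs upper-case U-"; bad = 1
            }
        }
    }
    END { exit bad + 0 }' "$1"
}

# nt_account FILE LOGIN
# Prints the text after "U-" (domain\user or user) for LOGIN, if present.
nt_account() {
    awk -F: -v who="$2" '
    $1 == who {
        n = split($5, f, ",")
        for (i = 1; i <= n; i++)
            if (f[i] ~ /^U-/) { print substr(f[i], 3); exit }
    }' "$1"
}

# Constructed sample entries (SIDs, home directories and shells are made up).
sample=$(mktemp)
cat > "$sample" <<'EOF'
domuser::1104:513:John Doe,U-domain\user,S-1-5-21-1-2-3-1104:/home/domuser:/bin/sh
locuser::1105:513:Jane Roe,S-1-5-21-1-2-3-1105,U-jane:/home/locuser:/bin/sh
EOF
check_gecos "$sample" || echo "fix the entries listed above"
nt_account "$sample" domuser
rm -f "$sample"
```
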
V2 server and user keys are generated by `ssh-config'. If you want to
create DSA keys by yourself, call ssh-keygen with `-d' option.

DSA authentication similar to RSA:
  Add keys to ~/.ssh/authorized_keys2
Interop. w/ ssh.com dsa-keys:
  ssh-keygen -f /key/from/ssh.com -X >> ~/.ssh/authorized_keys2

  ssh-keygen -f /privatekey/from/openssh -x > ~/.ssh2/mykey.pub
  echo Key mykey.pub >> ~/.ssh2/authorization

If you want to build from source, the following options to
configure are used for the Cygwin binary distribution:

  --prefix=/usr --sysconfdir=/etc --libexecdir='${exec_prefix}/sbin'

You must have installed the zlib, openssl and regex packages to
be able to build OpenSSH!

Please send requests, error reports etc. to cygwin@sources.redhat.com.

Corinna Vinschen <vinschen@cygnus.com>