- Cygwin contrib improvements from Corinna Vinschen <vinschen@redhat.com>

[openssh.git] / contrib / cygwin / README

This package is the actual port of OpenSSH to Cygwin 1.1.

===========================================================================
Important change since 2.3.0p1:

When using `ntea' or `ntsec' you now have to care for the ownership
and permission bits of your host key files and your private key files.
The host key files have to be owned by the NT account which starts
sshd. The user key files have to be owned by the user. The permission
bits of the private key files (host and user) have to be at least
rw------- (0600)!

Note that this is forced under `ntsec' only if the files are on a NTFS
filesystem (which is recommended) due to the lack of any basic security
features of the FAT/FAT32 filesystems.
===========================================================================

If you are installing OpenSSH the first time, you can generate global config
files and server keys by running
   
   /usr/bin/ssh-host-config

Note that this binary archive doesn't contain default config files in /etc.
That files are only created if ssh-host-config is started.

If you are updating your installation you may run the above ssh-host-config
as well to move your configuration files to the new location and to
erase the files at the old location.

To support testing and unattended installation ssh-host-config got
some options:

usage: ssh-host-config [OPTION]...
Options:
    --debug      -d        Enable shell's debug output.
    --yes        -y        Answer all questions with "yes" automatically.
    --no         -n        Answer all questions with "no" automatically.
    --port       -p <n>    sshd listens on port n.

You can create the private and public keys for a user now by running

  /usr/bin/ssh-user-config

under the users account.

To support testing and unattended installation ssh-user-config got
some options as well:

usage: ssh-user-config [OPTION]...
Options:
    --debug      -d        Enable shell's debug output.
    --yes        -y        Answer all questions with "yes" automatically.
    --no         -n        Answer all questions with "no" automatically.
    --passphrase -p word   Use "word" as passphrase automatically.

Install sshd as daemon via SRVANY.EXE (recommended on NT/W2K), via inetd
(results in very slow deamon startup!) or from the command line (recommended
on 9X/ME).

If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
following line to your inetd.conf file:

sshd stream tcp nowait root /usr/sbin/in.sshd sshd -i

Moreover you'll have to add the following line to your
${SYSTEMROOT}/system32/drivers/etc/services file:

   sshd         22/tcp          #SSH daemon

Authentication to sshd is possible in one of two ways.
You'll have to decide before starting sshd!

- If you want to authenticate via RSA and you want to login to that
  machine to exactly one user account you can do so by running sshd
  under that user account. You must change /etc/sshd_config
  to contain the following:

  RSAAuthentication yes

  Moreover it's possible to use rhosts and/or rhosts with
  RSA authentication by setting the following in sshd_config:

  RhostsAuthentication yes
  RhostsRSAAuthentication yes

- If you want to be able to login to different user accounts you'll
  have to start sshd under system account or any other account that
  is able to switch user context. Note that administrators are _not_
  able to do that by default! You'll have to give the following
  special user rights to the user:
  "Act as part of the operating system"
  "Replace process level token"
  "Increase quotas"
  and if used via service manager
  "Logon as a service".

  The system account does of course own that user rights by default.

  Unfortunately, if you choose that way, you can only logon with
  NT password authentification and you should change
  /etc/sshd_config to contain the following:

    PasswordAuthentication yes
    RhostsAuthentication no
    RhostsRSAAuthentication no
    RSAAuthentication no

  However you can login to the user which has started sshd with
  RSA authentication anyway. If you want that, change the RSA
  authentication setting back to "yes":
     
    RSAAuthentication yes

You may use all features of the CYGWIN=ntsec setting the same
way as they are used by the `login' port on sources.redhat.com:

  The pw_gecos field may contain an additional field, that begins
  with (upper case!) "U-", followed by the domain and the username
  separated by a backslash.
  CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
  BTW: The field separator in pw_gecos is the comma.
  The username in pw_name itself may be any nice name:

    domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...

  Now you may use `domuser' as your login name with telnet!
  This is possible additionally for local users, if you don't like
  your NT login name ;-) You only have to leave out the domain:

    locuser::1104:513:John Doe,U-user,S-1-5-21-...

V2 server and user keys are generated by `ssh-config'. If you want to
create DSA keys by yourself, call ssh-keygen with `-d' option.

DSA authentication similar to RSA:
    Add keys to ~/.ssh/authorized_keys2
Interop. w/ ssh.com dsa-keys:
    ssh-keygen -f /key/from/ssh.com -X >> ~/.ssh/authorized_keys2
and vice versa:
    ssh-keygen -f /privatekey/from/openssh -x > ~/.ssh2/mykey.pub
    echo Key mykey.pub >> ~/.ssh2/authorization

If you want to build from source, the following options to
configure are used for the Cygwin binary distribution:

--prefix=/usr --sysconfdir=/etc --libexecdir='${exec_prefix}/sbin

You must have installed the zlib, openssl and regex packages to
be able to build OpenSSH!

Please send requests, error reports etc. to cygwin@sources.redhat.com.

Have fun,

Corinna Vinschen <vinschen@cygnus.com>
Cygwin Developer
Red Hat Inc.