-This package is the actual port of OpenSSH to Cygwin 1.1.
+This package describes important Cygwin specific stuff concerning OpenSSH.
+
+The binary package is usually built for recent Cygwin versions and might
+not run on older versions. Please check http://cygwin.com/ for information
+about current Cygwin releases.
+
+Build instructions are at the end of the file.
+
+===========================================================================
+Important change since 3.7.1p2-2:
+
+The ssh-host-config file doesn't create the /etc/ssh_config and
+/etc/sshd_config files from builtin here-scripts anymore, but it uses
+skeleton files installed in /etc/defaults/etc.
+
+Also it now tries hard to create appropriate permissions on files.
+Same applies for ssh-user-config.
+
+After creating the sshd service with ssh-host-config, it's advisable to
+call ssh-user-config for all affected users, also already exising user
+configurations. In the latter case, file and directory permissions are
+checked and changed, if requireed to match the host configuration.
+
+Important note for Windows 2003 Server users:
+---------------------------------------------
+
+2003 Server has a funny new feature. When starting services under SYSTEM
+account, these services have nearly all user rights which SYSTEM holds...
+except for the "Create a token object" right, which is needed to allow
+public key authentication :-(
+
+There's no way around this, except for creating a substitute account which
+has the appropriate privileges. Basically, this account should be member
+of the administrators group, plus it should have the following user rights:
+
+ Create a token object
+ Logon as a service
+ Replace a process level token
+ Increase Quota
+
+The ssh-host-config script asks you, if it should create such an account,
+called "sshd_server". If you say "no" here, you're on your own. Please
+follow the instruction in ssh-host-config exactly if possible. Note that
+ssh-user-config sets the permissions on 2003 Server machines dependent of
+whether a sshd_server account exists or not.
+===========================================================================
+
+===========================================================================
+Important change since 3.4p1-2:
+
+This version adds privilege separation as default setting, see
+/usr/doc/openssh/README.privsep. According to that document the
+privsep feature requires a non-privileged account called 'sshd'.
+
+The new ssh-host-config file which is part of this version asks
+to create 'sshd' as local user if you want to use privilege
+separation. If you confirm, it creates that NT user and adds
+the necessary entry to /etc/passwd.
+
+On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
+since that feature doesn't make any sense on a system which doesn't
+differ between privileged and unprivileged users.
+
+The new ssh-host-config script also adds the /var/empty directory
+needed by privilege separation. When creating the /var/empty directory
+by yourself, please note that in contrast to the README.privsep document
+the owner sshould not be "root" but the user which is running sshd. So,
+in the standard configuration this is SYSTEM. The ssh-host-config script
+chowns /var/empty accordingly.
+===========================================================================
+
+===========================================================================
+Important change since 3.0.1p1-2:
+
+This version introduces the ability to register sshd as service on
+Windows 9x/Me systems. This is done only when the options -D and/or
+-d are not given.
+===========================================================================
+
+===========================================================================
+Important change since 2.9p2:
+
+Since Cygwin is able to switch user context without password beginning
+with version 1.3.2, OpenSSH now allows to do so when it's running under
+a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
+allow that feature.
+===========================================================================
===========================================================================
Important change since 2.3.0p1:
features of the FAT/FAT32 filesystems.
===========================================================================
-Since this package is part of the base distribution now, the location
-of the files has changed from /usr/local to /usr. The global configuration
-files are in /etc now.
+If you are installing OpenSSH the first time, you can generate global config
+files and server keys by running
+
+ /usr/bin/ssh-host-config
-If you are installing OpenSSH the first time, you can generate
-global config files, server keys and your own user keys by running
-
- /usr/bin/ssh-config
+Note that this binary archive doesn't contain default config files in /etc.
+That files are only created if ssh-host-config is started.
-If you are updating your installation you may run the above ssh-config
+If you are updating your installation you may run the above ssh-host-config
as well to move your configuration files to the new location and to
erase the files at the old location.
-Be sure to start the new ssh-config when updating!
+To support testing and unattended installation ssh-host-config got
+some options:
-Note that this binary archive doesn't contain default config files in /etc.
-That files are only created if ssh-config is started.
+usage: ssh-host-config [OPTION]...
+Options:
+ --debug -d Enable shell's debug output.
+ --yes -y Answer all questions with "yes" automatically.
+ --no -n Answer all questions with "no" automatically.
+ --cygwin -c <options> Use "options" as value for CYGWIN environment var.
+ --port -p <n> sshd listens on port n.
+ --pwd -w <passwd> Use "pwd" as password for user 'sshd_server'.
-Install sshd as daemon via SRVANY.EXE (recommended on NT/W2K), via inetd
-(results in very slow deamon startup!) or from the command line (recommended
-on 9X/ME).
-
-If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
-following line to your inetd.conf file:
-
-sshd stream tcp nowait root /usr/sbin/in.sshd sshd -i
+Additionally ssh-host-config now asks if it should install sshd as a
+service when running under NT/W2K. This requires cygrunsrv installed.
-Moreover you'll have to add the following line to your
-${SYSTEMROOT}/system32/drivers/etc/services file:
+You can create the private and public keys for a user now by running
- sshd 22/tcp #SSH daemon
+ /usr/bin/ssh-user-config
-Authentication to sshd is possible in one of two ways.
-You'll have to decide before starting sshd!
+under the users account.
-- If you want to authenticate via RSA and you want to login to that
- machine to exactly one user account you can do so by running sshd
- under that user account. You must change /etc/sshd_config
- to contain the following:
+To support testing and unattended installation ssh-user-config got
+some options as well:
- RSAAuthentication yes
+usage: ssh-user-config [OPTION]...
+Options:
+ --debug -d Enable shell's debug output.
+ --yes -y Answer all questions with "yes" automatically.
+ --no -n Answer all questions with "no" automatically.
+ --passphrase -p word Use "word" as passphrase automatically.
- Moreover it's possible to use rhosts and/or rhosts with
- RSA authentication by setting the following in sshd_config:
+Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd
+(results in very slow deamon startup!) or from the command line (recommended
+on 9X/ME).
- RhostsAuthentication yes
- RhostsRSAAuthentication yes
+If you start sshd as deamon via cygrunsrv.exe you MUST give the
+"-D" option to sshd. Otherwise the service can't get started at all.
-- If you want to be able to login to different user accounts you'll
- have to start sshd under system account or any other account that
- is able to switch user context. Note that administrators are _not_
- able to do that by default! You'll have to give the following
- special user rights to the user:
- "Act as part of the operating system"
- "Replace process level token"
- "Increase quotas"
- and if used via service manager
- "Logon as a service".
+If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
+following line to your inetd.conf file:
- The system account does of course own that user rights by default.
+ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i
- Unfortunately, if you choose that way, you can only logon with
- NT password authentification and you should change
- /etc/sshd_config to contain the following:
+Moreover you'll have to add the following line to your
+${SYSTEMROOT}/system32/drivers/etc/services file:
- PasswordAuthentication yes
- RhostsAuthentication no
- RhostsRSAAuthentication no
- RSAAuthentication no
+ ssh 22/tcp #SSH daemon
- However you can login to the user which has started sshd with
- RSA authentication anyway. If you want that, change the RSA
- authentication setting back to "yes":
-
- RSAAuthentication yes
+Please note that OpenSSH does never use the value of $HOME to
+search for the users configuration files! It always uses the
+value of the pw_dir field in /etc/passwd as the home directory.
+If no home diretory is set in /etc/passwd, the root directory
+is used instead!
You may use all features of the CYGWIN=ntsec setting the same
-way as they are used by the `login' port on sources.redhat.com:
+way as they are used by Cygwin's login(1) port:
The pw_gecos field may contain an additional field, that begins
with (upper case!) "U-", followed by the domain and the username
locuser::1104:513:John Doe,U-user,S-1-5-21-...
-V2 server and user keys are generated by `ssh-config'. If you want to
-create DSA keys by yourself, call ssh-keygen with `-d' option.
+Note that the CYGWIN=ntsec setting is required for public key authentication.
-DSA authentication similar to RSA:
- Add keys to ~/.ssh/authorized_keys2
-Interop. w/ ssh.com dsa-keys:
- ssh-keygen -f /key/from/ssh.com -X >> ~/.ssh/authorized_keys2
-and vice versa:
- ssh-keygen -f /privatekey/from/openssh -x > ~/.ssh2/mykey.pub
- echo Key mykey.pub >> ~/.ssh2/authorization
+SSH2 server and user keys are generated by the `ssh-*-config' scripts
+as well.
If you want to build from source, the following options to
configure are used for the Cygwin binary distribution:
---prefix=/usr --sysconfdir=/etc --libexecdir='${exec_prefix}/sbin
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --libexecdir='${sbindir}' \
+ --localstatedir=/var \
+ --datadir='${prefix}/share' \
+ --mandir='${datadir}/man' \
+ --infodir='${datadir}/info'
+ --with-tcp-wrappers
+
+If you want to create a Cygwin package, equivalent to the one
+in the Cygwin binary distribution, install like this:
+
+ mkdir /tmp/cygwin-ssh
+ cd ${builddir}
+ make install DESTDIR=/tmp/cygwin-ssh
+ cd ${srcdir}/contrib/cygwin
+ make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh
+ cd /tmp/cygwin-ssh
+ find * \! -type d | tar cvjfT my-openssh.tar.bz2 -
+
+You must have installed the following packages to be able to build OpenSSH:
+
+- zlib
+- openssl-devel
+- minires-devel
+
+If you want to build with --with-tcp-wrappers, you also need the package
+
+- tcp_wrappers
-You must have installed the zlib, openssl and regex packages to
-be able to build OpenSSH!
+Please send requests, error reports etc. to cygwin@cygwin.com.
-Please send requests, error reports etc. to cygwin@sources.redhat.com.
Have fun,
-Corinna Vinschen <vinschen@cygnus.com>
+Corinna Vinschen
Cygwin Developer
Red Hat Inc.