- djm@cvs.openbsd.org 2010/01/26 01:28:35

[openssh.git] / contrib / cygwin / README

diff --git a/contrib/cygwin/README b/contrib/cygwin/README
index 798e5d6245aed67b3046cff9c1c4471a523a9a3e..3dd45014a06a43ae35bcdc4ac1f330a8d99fbd67 100644 (file)
--- a/contrib/cygwin/README
+++ b/contrib/cygwin/README
@@ -1,4 +1,90 @@
-This package is the actual port of OpenSSH to Cygwin 1.1.
+This package describes important Cygwin specific stuff concerning OpenSSH.
+
+The binary package is usually built for recent Cygwin versions and might
+not run on older versions.  Please check http://cygwin.com/ for information
+about current Cygwin releases.
+
+Build instructions are at the end of the file.
+
+===========================================================================
+Important change since 3.7.1p2-2:
+
+The ssh-host-config file doesn't create the /etc/ssh_config and
+/etc/sshd_config files from builtin here-scripts anymore, but it uses
+skeleton files installed in /etc/defaults/etc.
+
+Also it now tries hard to create appropriate permissions on files.
+Same applies for ssh-user-config.
+
+After creating the sshd service with ssh-host-config, it's advisable to
+call ssh-user-config for all affected users, also already exising user
+configurations.  In the latter case, file and directory permissions are
+checked and changed, if requireed to match the host configuration.
+
+Important note for Windows 2003 Server users:
+---------------------------------------------
+
+2003 Server has a funny new feature.  When starting services under SYSTEM
+account, these services have nearly all user rights which SYSTEM holds...
+except for the "Create a token object" right, which is needed to allow
+public key authentication :-(
+
+There's no way around this, except for creating a substitute account which
+has the appropriate privileges.  Basically, this account should be member
+of the administrators group, plus it should have the following user rights:
+
+       Create a token object
+       Logon as a service
+       Replace a process level token
+       Increase Quota
+
+The ssh-host-config script asks you, if it should create such an account,
+called "sshd_server".  If you say "no" here, you're on your own.  Please
+follow the instruction in ssh-host-config exactly if possible.  Note that
+ssh-user-config sets the permissions on 2003 Server machines dependent of
+whether a sshd_server account exists or not.
+===========================================================================
+
+===========================================================================
+Important change since 3.4p1-2:
+
+This version adds privilege separation as default setting, see
+/usr/doc/openssh/README.privsep.  According to that document the
+privsep feature requires a non-privileged account called 'sshd'.
+
+The new ssh-host-config file which is part of this version asks
+to create 'sshd' as local user if you want to use privilege
+separation.  If you confirm, it creates that NT user and adds
+the necessary entry to /etc/passwd.
+
+On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
+since that feature doesn't make any sense on a system which doesn't
+differ between privileged and unprivileged users.
+
+The new ssh-host-config script also adds the /var/empty directory
+needed by privilege separation.  When creating the /var/empty directory
+by yourself, please note that in contrast to the README.privsep document
+the owner sshould not be "root" but the user which is running sshd.  So,
+in the standard configuration this is SYSTEM.  The ssh-host-config script
+chowns /var/empty accordingly.
+===========================================================================
+
+===========================================================================
+Important change since 3.0.1p1-2:
+
+This version introduces the ability to register sshd as service on
+Windows 9x/Me systems.  This is done only when the options -D and/or
+-d are not given.
+===========================================================================
+
+===========================================================================
+Important change since 2.9p2:
+
+Since Cygwin is able to switch user context without password beginning
+with version 1.3.2, OpenSSH now allows to do so when it's running under
+a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
+allow that feature.
+===========================================================================

 
 ===========================================================================
 Important change since 2.3.0p1:
 
 ===========================================================================
 Important change since 2.3.0p1:


@@ -17,7 +103,7 @@ features of the FAT/FAT32 filesystems.
 
 If you are installing OpenSSH the first time, you can generate global config
 files and server keys by running
 
 If you are installing OpenSSH the first time, you can generate global config
 files and server keys by running

-   
+

    /usr/bin/ssh-host-config
 
 Note that this binary archive doesn't contain default config files in /etc.
    /usr/bin/ssh-host-config
 
 Note that this binary archive doesn't contain default config files in /etc.


@@ -32,10 +118,15 @@ some options:
 
 usage: ssh-host-config [OPTION]...
 Options:
 
 usage: ssh-host-config [OPTION]...
 Options:

-    --debug      -d        Enable shell's debug output.
-    --yes        -y        Answer all questions with "yes" automatically.
-    --no         -n        Answer all questions with "no" automatically.
-    --port       -p <n>    sshd listens on port n.
+    --debug  -d            Enable shell's debug output.
+    --yes    -y            Answer all questions with "yes" automatically.
+    --no     -n            Answer all questions with "no" automatically.
+    --cygwin -c <options>  Use "options" as value for CYGWIN environment var.
+    --port   -p <n>        sshd listens on port n.
+    --pwd    -w <passwd>   Use "pwd" as password for user 'sshd_server'.
+
+Additionally ssh-host-config now asks if it should install sshd as a
+service when running under NT/W2K. This requires cygrunsrv installed.

 
 You can create the private and public keys for a user now by running
 
 
 You can create the private and public keys for a user now by running
 


@@ -53,63 +144,22 @@ Options:
     --no         -n        Answer all questions with "no" automatically.
     --passphrase -p word   Use "word" as passphrase automatically.
 
     --no         -n        Answer all questions with "no" automatically.
     --passphrase -p word   Use "word" as passphrase automatically.
 

-Install sshd as daemon via SRVANY.EXE (recommended on NT/W2K), via inetd
+Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd

 (results in very slow deamon startup!) or from the command line (recommended
 on 9X/ME).
 
 (results in very slow deamon startup!) or from the command line (recommended
 on 9X/ME).
 

+If you start sshd as deamon via cygrunsrv.exe you MUST give the
+"-D" option to sshd. Otherwise the service can't get started at all.
+

 If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
 following line to your inetd.conf file:
 
 If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
 following line to your inetd.conf file:
 

-sshd stream tcp nowait root /usr/sbin/in.sshd sshd -i
+ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i

 
 Moreover you'll have to add the following line to your
 ${SYSTEMROOT}/system32/drivers/etc/services file:
 
 
 Moreover you'll have to add the following line to your
 ${SYSTEMROOT}/system32/drivers/etc/services file:
 

-   sshd         22/tcp          #SSH daemon
-
-Authentication to sshd is possible in one of two ways.
-You'll have to decide before starting sshd!
-
-- If you want to authenticate via RSA and you want to login to that
-  machine to exactly one user account you can do so by running sshd
-  under that user account. You must change /etc/sshd_config
-  to contain the following:
-
-  RSAAuthentication yes
-
-  Moreover it's possible to use rhosts and/or rhosts with
-  RSA authentication by setting the following in sshd_config:
-
-  RhostsAuthentication yes
-  RhostsRSAAuthentication yes
-
-- If you want to be able to login to different user accounts you'll
-  have to start sshd under system account or any other account that
-  is able to switch user context. Note that administrators are _not_
-  able to do that by default! You'll have to give the following
-  special user rights to the user:
-  "Act as part of the operating system"
-  "Replace process level token"
-  "Increase quotas"
-  and if used via service manager
-  "Logon as a service".
-
-  The system account does of course own that user rights by default.
-
-  Unfortunately, if you choose that way, you can only logon with
-  NT password authentification and you should change
-  /etc/sshd_config to contain the following:
-
-    PasswordAuthentication yes
-    RhostsAuthentication no
-    RhostsRSAAuthentication no
-    RSAAuthentication no
-
-  However you can login to the user which has started sshd with
-  RSA authentication anyway. If you want that, change the RSA
-  authentication setting back to "yes":
-     
-    RSAAuthentication yes
+   ssh         22/tcp          #SSH daemon

 
 Please note that OpenSSH does never use the value of $HOME to
 search for the users configuration files! It always uses the
 
 Please note that OpenSSH does never use the value of $HOME to
 search for the users configuration files! It always uses the


@@ -118,7 +168,7 @@ If no home diretory is set in /etc/passwd, the root directory
 is used instead!
 
 You may use all features of the CYGWIN=ntsec setting the same
 is used instead!
 
 You may use all features of the CYGWIN=ntsec setting the same

-way as they are used by the `login' port on sources.redhat.com:
+way as they are used by Cygwin's login(1) port:

 
   The pw_gecos field may contain an additional field, that begins
   with (upper case!) "U-", followed by the domain and the username
 
   The pw_gecos field may contain an additional field, that begins
   with (upper case!) "U-", followed by the domain and the username


@@ -135,29 +185,49 @@ way as they are used by the `login' port on sources.redhat.com:
 
     locuser::1104:513:John Doe,U-user,S-1-5-21-...
 
 
     locuser::1104:513:John Doe,U-user,S-1-5-21-...
 

+Note that the CYGWIN=ntsec setting is required for public key authentication.
+

 SSH2 server and user keys are generated by the `ssh-*-config' scripts
 as well.
 
 SSH2 server and user keys are generated by the `ssh-*-config' scripts
 as well.
 

-SSH2 authentication similar to SSH1:
-    Add keys to ~/.ssh/authorized_keys2
-Interop. w/ ssh.com dsa-keys:
-    ssh-keygen -f /key/from/ssh.com -X >> ~/.ssh/authorized_keys2
-and vice versa:
-    ssh-keygen -f /privatekey/from/openssh -x > ~/.ssh2/mykey.pub
-    echo Key mykey.pub >> ~/.ssh2/authorization
-

 If you want to build from source, the following options to
 configure are used for the Cygwin binary distribution:
 
 If you want to build from source, the following options to
 configure are used for the Cygwin binary distribution:
 

---prefix=/usr --sysconfdir=/etc --libexecdir='${exec_prefix}/sbin
+       --prefix=/usr \
+       --sysconfdir=/etc \
+       --libexecdir='${sbindir}' \
+       --localstatedir=/var \
+       --datadir='${prefix}/share' \
+       --mandir='${datadir}/man' \
+       --infodir='${datadir}/info'
+       --with-tcp-wrappers
+
+If you want to create a Cygwin package, equivalent to the one
+in the Cygwin binary distribution, install like this:
+
+       mkdir /tmp/cygwin-ssh
+       cd ${builddir}
+       make install DESTDIR=/tmp/cygwin-ssh
+       cd ${srcdir}/contrib/cygwin
+       make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh
+       cd /tmp/cygwin-ssh
+       find * \! -type d | tar cvjfT my-openssh.tar.bz2 -
+
+You must have installed the following packages to be able to build OpenSSH:
+
+- zlib
+- openssl-devel
+- minires-devel
+
+If you want to build with --with-tcp-wrappers, you also need the package
+
+- tcp_wrappers

 
 

-You must have installed the zlib, openssl and regex packages to
-be able to build OpenSSH!
+Please send requests, error reports etc. to cygwin@cygwin.com.

 
 

-Please send requests, error reports etc. to cygwin@sources.redhat.com.

 
 Have fun,
 
 
 Have fun,
 

-Corinna Vinschen <vinschen@cygnus.com>
+Corinna Vinschen

 Cygwin Developer
 Red Hat Inc.
 Cygwin Developer
 Red Hat Inc.