23. February 2011 · 6 comments · Categories: Networking · Tags:
This guide explains how to install and configure a SSH server for a Windows XP home computer. SSH (Secure Shell) is a secure communications networking protocol based on the client-server model. It’s used to log into and execute commands between remote computers or devices and is widely used as a secure replacement for the insecure telnet and rlogin protocols. SSH encrypts all of the data, including the authentication data, allowing secure communications over unsecured networks, such as the Internet. Connections are made using public-key cryptography or password authentication, while the data itself is encrypted using one of several included encryption algorithms. It supports tunneling, port forwarding and transferring files with the associated protocols SFTP (Secure File Transfer Protocol) and SCP (Secure Copy Protocol), which are part of the standard SSH package. Typically used on Linux and UNIX systems, SSH runs on Windows systems using Linux-like environments such as Cygwin.

Benefits of SSH

  • Enhanced Security – user and host authentication, data encryption and integrity
  • Remotely connect computers (running Windows or Linux) and execute commands
  • Use applications such as Filezilla or WinSCP for file management operations on the same computer or from a remote computer
  • TCP/IP and X11 connection tunneling (a slightly more complex topic not explained in this guide)

The OpenSSH package

This guide uses the free and precomplied version of the OpenSSH suite, a stand alone version of SSH using a stripped down version of Gygwin. This allows for a quicker and smaller installation than if OpenSSH is installed as part of a regular Cygwin installation. The OpenSSH suite consists of the SSH program, SCP, SFTP and several supporting utilities (see http://openssh.org). The Windows version of OpenSSH hasn’t been updated for sometime, so the latest pre-compiled version available for Windows is v3.8.1p1-1 (July 2004), which still works well. See http://sshwindows.sourceforge.net/ for more information. For this guide, the SSH server is setup for password authentication.
______________________________________________________________________________

Step 1: Install OpenSSH

  1. Download OpenSSH for Windows v3.8.1p1-1. This is the direct download link.
  2. Unzip the archive and then run the installer setupssh.exe.
  3. Change the installation location to “C:\OpenSSH” instead of program files to avoid spaces in directory names.
  4. Use the default settings as shown on the screen-shot below.
  5. That’s it for the installation; however, the SSH server’s passwd file must be configured next before using.
openssh install screen

OpenSSH installation options

Step2: Configure OpenSSH

  1. On your computer, click Start–> Run–> Type in “cmd” (without quotes), and then hit the OK button.
  2. In the command window, cd to the “OpenSSH\bin” folder. If you are changing ports, go to the next step; otherwise, skip to Step 4.
  3. (Optional step) OpenSSH uses port 22 by default. If for some reason you need to use another port, you can change the port assignment for OpenSSH to prevent port conflicts. In the command window, cd to “OpenSSH\etc\” and enter “edit sshd_config” to launch the command line editor to change the port assignment (this is at approx line 13 in the file – an external text editor such as notepad may also be used). For example, to change the port to 5704:

    #Port 22
    change to:
    Port 5704

    (note that “#” needs to be removed to change the port assignment. Any other unused port other than 5704 is also OK)

    Make sure to save the file
  4. Enter the following in the command window. In the following commands, -l indicates local and -d indicates domain. Press Enter after each line; don’t include quotes:
    1. “mkgroup -l >> ..\etc\group”
      1. Creates a group file for local user accounts
    2. “mkgroup -d >> ..\etc\group” (skip – not normally required)
      1. Creates a group file for domain users. Returns [2453] if there is no PDC – primary domain controller
      2. Most instructions state to run both of the above commands. However, the “OpenSSH\readme.txt” file in “OpenSSH\doc” states: “If you use both mkgroup commands, the group file will contain duplicates. You will need to remove these by hand in a text editor.” Kind of confusing, but when both are executed I got the [2453] error for -d, but it didn’t change anything in the group file.
    3. “mkpasswd -l -u username >> ..\etc\passwd”
      1. Adds a local authorized user to passwd file for local user accounts. NOTE: Omitting the username switch adds ALL users from the machine or domain, including service accounts and the Guest account.
    4. “mkpasswd -d -u >> ..\etc\passwd” (skip – not normally required)
      1. Adds passwd file for all domain user accounts. Returns [2453] if there is no domain controller
      2. Again, if you get the [2453] error with the -d switch above, it doesn’t apply and won’t change anything in the passwd file.
  5. Enter net start opensshd  to start the SSH server (net stop opensshd stops the SSH server). It’s installed as a service, so in the future, the server will automatically start each time the computer boots.
  6. The SSH server is now configured with password authentication (the default configuration). If you want to use public key authentication, you need to generate public and private keys using the supplied executable and change the sshd_config file.  Note that the “keyauthentication.txt” file in the “OpenSSH\docs\” directory states: “This document is outdated. You can use this as a reference, but please don’t expect it to be accurate. I will update this soon.” In any case, it shouldn’t be too difficult to accomplish public key authentication using the “keyauthentication.txt” by cross referencing its information with additional sources. Some other sources explaining how to setup public-key authentication for OpenSSH are below:

    OpenSSH RSA Authentication for Windows and Linux

    ssh-keygen Tutorial – Generating RSA and DSA keys

    OpenSSH for Windows
  7. Done with the configuration. Next, testing the SSH server.

    configure ssh in command window

    SSH server configuration

Test the installation on the SSH server (from the same machine)

  1. Enter ipconfig in the command window to find your ip address.
  2. Enter ssh yourusername@192.168.x.xxx or ssh yourusername@servername (servername = computername) into the command window to login using SSH. You can also use any of the login options listed at the end of this page for logging in using a command window on the PC with the SSH server.

    Note: You may get a usage warning screen as shown below. If so, ignore it and sign in with your password. Also note that if you are logging in to the server for the first time, depending on the application being used to connect, you may also get another warning similar to: “The server’s host key was not found in the cache. You have no guarantee …blah blah… rsa2 key fingerprint is: ssh-rsa 1024 95:3c:9e:2b:23:df:bd:57:b4:ad:f1:5f:4c:2f:9c:ba
    “. This warning can also be safely ignored if you know the SSH server is the correct one you intended to log into. The warning is an anti-spoofing technique where each server is given a unique host key to prevent it from imitating another server. This technique is explained in detail on the WinSCP web site.
  3. It’s working if you get the screen below. Next, some optional tweaking for changing the home directory.
ssh logon warning screen

SSH login warning screen

Optional Tweaking

Changing the Home Directory within Documents and Settings for user(s):
By default all user home directories are set to (/home/username) in the passwd file in the “OpenSSH\etc” directory, where (/home) corresponds to “C:\Documents and Settings” for Windows XP. This is somewhat inconvenient since most users may want to start in “My Documents”. To change it, open the passwd file in a text editor and change the second to last entry from “/home/username” to “/home/username/My Documents” and save. Entries are separated by a colon “:”  for each user and are located just before the “/bin/switch” entry (switch stands for switch.exe, which enables both scp/sftp and the SSH standard command prompt to be available by switching between them).

Changing Home to outside the default directory on the SSH Server
To place users outside the default directory for their Windows profile, you need to change the directory that (/home) corresponds to by editing the value of the “native” key in the registry under (HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/home). The value of “native” corresponds to the (/home) directory in the passwd file. For instance, if the “native” entry is changed to C:\Users, then all users will be placed under separate folders in that directory — e.g., C:\Users\username1, C:\Users\username2, etc. If you then change each user (/home/username) in the passwd file to just (/home), this puts those users under C:\Users. If you have a subdirectory such as “C:\Users\OpenSSH”, you can place users there by changing the entries in the passwd file to (/home/OpenSSH) or (/home/OpenSSH/username) for separate user account directories.

Note that changing the home directory using this method works only for logins (Passwd), and doesn’t work for for SCP or SFTP. Instead, use Cygdrive Notation to change the directory for using Passwd, SCP, and SFTP (explained in next paragraph).

Registry entry to change default directory

HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/home

Changing the Drive of the Home Directory when using Passwd, SCP, and SFTP (Cygdrive Notation)
To access any folder on any drive letter outside the installation root (/home), a special notation called Cygdrive is required when using SCP, SFTP and for the home directory entries in passwd. Cygdrive notation changes the mapping of drive letters by mapping them into a UNIX-style file-system. Cygdrive notation overrides all other settings in the registry.

To use, add “/cygdrive/driveletter” to the start of the folder path in the user passwd file and/or when using the SCP or SFTP commands. For instance, to change to the “C:\windows\system” directory in a command window use: “cd /cygdrive/c/windows/system. To transfer file example.txt to d:\test using SCP, the command would be “scp example.txt  user@localhost:/cygdrive/d/test/“.

You can even change the prefix of cygdrive notation by adding two entries to the registry. Open HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2, and add a REG_DWORD called “Cygdrive flags” and set it to 2a hex. Then add a REG_SZ called “Cygdrive prefix” and set its value to the new prefix. For instance, if you set it to “/” then the C: drive becomes accessible using Cygdrive notation “/c”, the D: drive with “/d”, or the F:\test folder with “/f/test” and so forth. If it’s set to “/foo”, then the C: drive becomes accessible using Cygdrive notation “/foo/c”, the D: drive with “/foo/d”, or the F:\test folder with “/foo/f/test” and so on. This behavior can be tested in a command window using the command “mount –change-cygdrive-prefix /foo” before permanently changing the registry.

______________________________________________________________________________

Remote connections from the network

To connect to the SSH server from a remote computer on the network, a SSH compliant client is needed. SSH is usually installed by default on Linux systems, and SSH clients such as Putty are often included as well. If the remote computer will be a Windows machine, it needs to have at least the Cygwin or OpenSSH client installed in order to connect with the SSH server from a command window, while Putty is a stand-alone application. The client portion for OpenSSH can be installed separately during the OpenSSH installation process. The installation process sets the path variable for the OpenSSH client and/or Server, so that SSH commands are available from any command window on that machine. Even with an OpenSSH or Cygwin client installed, it’s a good idea to have a client like Putty also installed, because it makes connecting much simpler.

Connecting from the outside world

To connect to the SSH server from the outside world, you need to port forward port 22 (or the port set during the OpenSSH installation) to the router. Port forwarding can be setup with a program like SimplePortForwarding or by following instructions in the router user’s manual. This sets up the router to forward any connection to port 22 to the SSH server. Then, all that’s needed to connect is to use a terminal in Linux, a command window in Windows, or a client like Putty from any computer connected to the Internet and the public IP address for your router.

Using Filezilla, WinSCP and Putty

Client utilities such as Filezilla, WinSCP, and Putty can be used on the computer with the SSH server, from remote computers on the LAN, and from the outside world to connect to the SSH server. When using any of these utilities from the SSH server machine, you can use 127.0.0.1, computername, or localhost as the IP with the user login and password info for those accounts. You can also use the SFTP protocol for Filezilla, SCP or SFTP for WinSCP, and SSH for Putty. The beauty of using WinSCP or Filezilla on an SSH server machine is that file tasks like changing permissions with CHMOD, moving, or deleting files are easily accomplished using a mouse and the application UI for any files, such as those for locally installed web sites. In other words, unlike natively installed servers, such as a FTP server, the SSH server and applications using the server can run on the same machine without any loss of functionality since the SSH server runs in a separate environment (Cygwin) using the loopback interface.

filezilla setup screen

Localhost login with Filezilla

putty config screen

Putty config screen (hostname can also be localhost or 127.0.0.1)

winscp config screen

Localhost login with WinSCP

List of connecting options from command window and applications:

Using a Command Window:

Password will be the same as the user password for that machine (commands are case sensitive)

  • On the SSH server:
    • ssh yourusername@192.168.x.xxx
    • ssh yourusername@127.0.0.1
    • ssh yourusername@localhost
    • ssh yourusername@servername
  • Remote computer on the network with SSH client installed:
    • ssh yourusername@192.168.x.xxx
    • ssh yourusername@servername
  • Remote computer from outside world with SSH client installed:
    • ssh yourusername@xxx.xxx.x.xxx:port (remote ip address for your router set with port forwarding)

Using client applications such as Putty, WinSCP or Filezilla

User Name and Password will be the same as the user login credentials for that machine

  • On the SSH server:
    • IP Address: 127.0.0.1, localhost, servername, or 192.168.x.xxx
  • Remote computer on the network:
    • IP Address: servername or 192.168.x.xxx
  • Remote computer from outside world (router set with port forwarding):
    • IP Address: xxx.xxx.x.xxx (remote ip address, port usually set in application)

______________________________________________________________________________

Using SSH commands other than for connecting is another topic and not covered in this guide; however, a few are explained at the following:

The Geek Stuff5 Basic Linux SSH Client Commands

GAMEXE.NETA Beginner’s Guide to SSH

Leonard Austin –  SSH Commands

____________________________________________________________________________

Unofficial OpenSSH Suite installer for Windows – mls-software.com (ver 6.6.1p1-3 tested on 10/08/2014 with Windows XP. Server requires several additional protocols and drivers. It also has a slightly different setup. Possibly could work, but not worth the investment in time and effort.)

 

Share

6 Comments

  1. sbenge says:

    I am getting an error on Windows 8.1 that says that mkgroup and mkpasswd is a bad configuration option.

    What is the correct syntax for Win 8.1??

  2. SoboLAN says:

    This thing was quite useful. I used it to set up an SSH server on a Windows XP that runs as a virtual machine (I sometimes need it for software development). Since it’s a virtual machine, I don’t really need to set up specific public-private keys.

    This is actually more complicated than setting up SSH on a Linux machine.

    And, since it works, I can easily connect to it using a FTP client that has support for this. Transfering files between the guest and host is much easier this way.

    Thank you again :) .

  3. Eric says:

    Carjacker — if you aren’t able to understand these instructions, are you certain that SSH is something you need to be using? I mean, SSH uses only a CLI, which is VERY geeky and has no pictures to click on. I really think that if this SSH setup guide is too geeky for you, then most of what a person would use SSH for is likely to be a bit out of your reach. Further, starting your post off with an insult that, realistically, has little to do with the content and everything to do with your ability to comprehend the content will do absolutely nothing to clarify your confusion, and is more likely to piss people off than to make them write for your level of expertise. And pissing off the people who have the answers you might be looking for is likely to be extremely counterproductive at the very least.

  4. Carjacker says:

    Not one of you a-holes on multiple sites Ive been to to read up on this knows how to properly convey the setup, connection methods or usage of either OpenSSH or Putty. Your explanations seem to assume a geek lifestyle and Borg mentality that ‘everyone should understand’ your vague,misty how-to’s…Not only are most of these so called how-tos like a skillet of scrambled eggs,but they look just as such. All over the place with no rhyme nor reason and with too much geek speak that leads nowhere productive.

  5. Vikash says:

    Hi,
    I have got a problem with Openssh on Windows XP.
    The steps are same as using keygen to create private and public key, copy public key to another system .ssh folder, append it to authorized keys. restart the opensshd on both system.
    Still getting prompt for password.
    Please help.
    Thanks,
    Vikash

Bear

Bad Behavior has blocked 753 access attempts in the last 7 days.