This package describes important Cygwin specific stuff concerning OpenSSH.

The binary package is usually built for recent Cygwin versions and might
not run on older versions. Please check http://cygwin.com/ for information
about current Cygwin releases.

Build instructions are at the end of the file.

===========================================================================
Important change since 3.7.1p2-2:

The ssh-host-config file doesn't create the /etc/ssh_config and
/etc/sshd_config files from builtin here-scripts anymore, but it uses
skeleton files installed in /etc/defaults/etc.

Also it now tries hard to create appropriate permissions on files.
The same applies to ssh-user-config.

After creating the sshd service with ssh-host-config, it's advisable to
call ssh-user-config for all affected users, including already existing user
configurations. In the latter case, file and directory permissions are
checked and changed, if required, to match the host configuration.

Important note for Windows 2003 Server users:
---------------------------------------------

2003 Server has a funny new feature. When starting services under the SYSTEM
account, these services have nearly all user rights which SYSTEM holds...
except for the "Create a token object" right, which is needed to allow
public key authentication :-(

There's no way around this, except for creating a substitute account which
has the appropriate privileges. Basically, this account should be a member
of the administrators group, plus it should have the following user rights:

  Create a token object
  Logon as a service
  Replace a process level token
  Increase Quota

The ssh-host-config script asks you if it should create such an account,
called "sshd_server". If you say "no" here, you're on your own. Please
follow the instructions in ssh-host-config exactly if possible. Note that
ssh-user-config sets the permissions on 2003 Server machines depending on
whether an sshd_server account exists or not.
===========================================================================

===========================================================================
Important change since 3.4p1-2:

This version adds privilege separation as the default setting, see
/usr/doc/openssh/README.privsep. According to that document the
privsep feature requires a non-privileged account called 'sshd'.

The new ssh-host-config file which is part of this version asks
to create 'sshd' as a local user if you want to use privilege
separation. If you confirm, it creates that NT user and adds
the necessary entry to /etc/passwd.

On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
since that feature doesn't make any sense on a system which doesn't
distinguish between privileged and unprivileged users.

The new ssh-host-config script also adds the /var/empty directory
needed by privilege separation. When creating the /var/empty directory
yourself, please note that in contrast to the README.privsep document
the owner should not be "root" but the user which is running sshd. So,
in the standard configuration this is SYSTEM. The ssh-host-config script
chowns /var/empty accordingly.
===========================================================================

===========================================================================
Important change since 3.0.1p1-2:

This version introduces the ability to register sshd as a service on
Windows 9x/Me systems. This is done only when the options -D and/or
-d are not given.
===========================================================================

===========================================================================
Important change since 2.9p2:

Since Cygwin is able to switch user context without a password beginning
with version 1.3.2, OpenSSH now allows doing so when it's running under
a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
allow that feature.
===========================================================================

===========================================================================
Important change since 2.3.0p1:

When using `ntea' or `ntsec' you now have to take care of the ownership
and permission bits of your host key files and your private key files.
The host key files have to be owned by the NT account which starts
sshd. The user key files have to be owned by the user. The permission
bits of the private key files (host and user) must be no more permissive
than rw------- (0600)!

Note that this is enforced under `ntsec' only if the files are on an NTFS
filesystem (which is recommended) due to the lack of any basic security
features of the FAT/FAT32 filesystems.
===========================================================================
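
A way to verify that ownership and mode rule before starting sshd, written as an added example for this README rather than anything shipped with the package. It assumes GNU stat(1) from Cygwin's coreutils; the host key file names in the closing comment are the usual defaults for --sysconfdir=/etc and are an assumption, not taken from this file.

```sh
#!/bin/sh
# Added example: verify the key file rule above (owned by the expected
# account, no group/other permission bits, i.e. at most rw------- 0600).
# Assumes GNU stat(1) as shipped in Cygwin's coreutils.

# key_ok FILE OWNER: exit 0 when FILE is owned by OWNER and mode & 077 == 0.
key_ok() {
  file=$1 owner=$2
  [ -f "$file" ] || { echo "$file: no such file" >&2; return 1; }
  mode=$(stat -c %a "$file")     # octal mode without leading zero: 600, 644, 4700 ...
  actual=$(stat -c %U "$file")   # owner name; may contain spaces on Cygwin
  status=0
  if [ "$actual" != "$owner" ]; then
    echo "$file: owned by '$actual', expected '$owner'" >&2; status=1
  fi
  # Accept only modes whose group and other digits are both zero
  # (this mirrors OpenSSH's own (st_mode & 077) check on private keys).
  case $mode in
    0|[0-7]00|[0-7][0-7]00) ;;
    *) echo "$file: mode $mode is too open, want 0600 (rw-------)" >&2; status=1 ;;
  esac
  return $status
}

# check_keys OWNER FILE...: run key_ok over every FILE; exit 1 if any fails.
check_keys() {
  want=$1; shift; rc=0
  for f in "$@"; do key_ok "$f" "$want" || rc=1; done
  return $rc
}

# Self-contained demonstration on constructed files in a temporary directory.
demo() {
  dir=$(mktemp -d)
  printf 'not a real key\n' > "$dir/good_key"; chmod 0600 "$dir/good_key"
  printf 'not a real key\n' > "$dir/bad_key";  chmod 0644 "$dir/bad_key"
  me=$(id -un)
  key_ok "$dir/good_key" "$me" && echo "good_key: ok"
  key_ok "$dir/bad_key" "$me" || echo "bad_key: rejected"
  rm -rf "$dir"
}
demo

# Real use. Host keys belong to the account that starts sshd (SYSTEM, or
# sshd_server on Windows 2003 Server); user keys belong to the user.
# The key file names below are assumed defaults for --sysconfdir=/etc:
#   check_keys SYSTEM /etc/ssh_host_rsa_key /etc/ssh_host_dsa_key
#   check_keys "$(id -un)" "$HOME"/.ssh/id_rsa "$HOME"/.ssh/id_dsa
```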
| 103 | |
If you are installing OpenSSH for the first time, you can generate global config
files and server keys by running

  /usr/bin/ssh-host-config

Note that this binary archive doesn't contain default config files in /etc.
Those files are only created when ssh-host-config is run.

If you are updating your installation you may run the above ssh-host-config
as well to move your configuration files to the new location and to
erase the files at the old location.

To support testing and unattended installation ssh-host-config got
some options:

  usage: ssh-host-config [OPTION]...
  Options:
    --debug   -d            Enable shell's debug output.
    --yes     -y            Answer all questions with "yes" automatically.
    --no      -n            Answer all questions with "no" automatically.
    --cygwin  -c <options>  Use "options" as value for CYGWIN environment var.
    --port    -p <n>        sshd listens on port n.
    --pwd     -w <passwd>   Use "pwd" as password for user 'sshd_server'.

Additionally ssh-host-config now asks if it should install sshd as a
service when running under NT/W2K. This requires cygrunsrv to be installed.

You can create the private and public keys for a user now by running

  /usr/bin/ssh-user-config

under the user's account.

To support testing and unattended installation ssh-user-config got
some options as well:

  usage: ssh-user-config [OPTION]...
  Options:
    --debug       -d       Enable shell's debug output.
    --yes         -y       Answer all questions with "yes" automatically.
    --no          -n       Answer all questions with "no" automatically.
    --passphrase  -p word  Use "word" as passphrase automatically.

Install sshd as a daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd
(results in very slow daemon startup!) or from the command line (recommended
on 9X/ME).

If you start sshd as a daemon via cygrunsrv.exe you MUST give the
"-D" option to sshd. Otherwise the service can't get started at all.

If starting via inetd, copy sshd to e.g. /usr/sbin/in.sshd and add the
following line to your inetd.conf file:

  ssh  stream  tcp  nowait  root  /usr/sbin/in.sshd  sshd -i

Moreover you'll have to add the following line to your
${SYSTEMROOT}/system32/drivers/etc/services file:

  ssh  22/tcp  #SSH daemon

Please note that OpenSSH never uses the value of $HOME to
search for the user's configuration files! It always uses the
value of the pw_dir field in /etc/passwd as the home directory.
If no home directory is set in /etc/passwd, the root directory
is used instead!

You may use all features of the CYGWIN=ntsec setting the same
way as they are used by Cygwin's login(1) port:

The pw_gecos field may contain an additional field that begins
with (upper case!) "U-", followed by the domain and the username
separated by a backslash.
CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
BTW: The field separator in pw_gecos is the comma.
The username in pw_name itself may be any nice name:

  domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...

Now you may use `domuser' as your login name with telnet!
This is possible additionally for local users, if you don't like
your NT login name ;-) You only have to leave out the domain:

  locuser::1104:513:John Doe,U-user,S-1-5-21-...

Note that the CYGWIN=ntsec setting is required for public key authentication.
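
An added check for the pw_gecos convention above (example code, not part of the Cygwin package or its ssh-*-config scripts): it splits each /etc/passwd entry, extracts the U- account and rejects entries whose SID is not the last gecos field. The sample entries, SIDs and home directories are constructed, and reporting pw_name when no U- field is present is this example's own assumption.

```sh
#!/bin/sh
# Added example: check /etc/passwd entries against the pw_gecos convention
# above. Fields in pw_gecos are comma separated, an optional "U-DOMAIN\user"
# field names the NT account, and the SID must be the last field.

# gecos_check PASSWD_LINE: print "pw_name nt_account sid" and exit 0, or
# print a diagnostic on stderr and exit 1 when the SID is not the last field.
gecos_check() {
  printf '%s\n' "$1" | awk -F: '{
    n = split($5, f, ",")          # $5 is pw_gecos
    sid = f[n]
    if (sid !~ /^S-1-/) {
      print $1 ": SID must be the last pw_gecos field, found \"" sid "\"" > "/dev/stderr"
      exit 1
    }
    nt = ""
    for (i = 1; i < n; i++)
      if (f[i] ~ /^U-/) nt = substr(f[i], 3)   # drop the "U-" prefix
    if (nt == "") nt = $1   # no U- field: report pw_name (assumption of this example)
    print $1, nt, sid
  }'
}

# gecos_check_file FILE: check every entry; exit 1 if any is malformed.
gecos_check_file() {
  rc=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    gecos_check "$line" >/dev/null || rc=1
  done < "$1"
  return $rc
}

# Constructed sample entries: fictitious names, SIDs and home directories.
SAMPLE_PASSWD='domuser::1104:513:John Doe,U-domain\user,S-1-5-21-1-2-3-1104:/home/domuser:/bin/bash
locuser::1105:513:Jane Doe,U-user,S-1-5-21-1-2-3-1105:/home/locuser:/bin/bash
broken::1106:513:Wrong Order,S-1-5-21-1-2-3-1106,U-user:/home/broken:/bin/bash'

# demo: run the file check over the sample; returns 1 because of "broken".
demo() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
  if gecos_check_file "$tmp"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return $rc
}
demo
```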

SSH2 server and user keys are generated by the `ssh-*-config' scripts
as well.

If you want to build from source, the following options to
configure are used for the Cygwin binary distribution:

  --prefix=/usr \
  --sysconfdir=/etc \
  --libexecdir='${sbindir}' \
  --localstatedir=/var \
  --datadir='${prefix}/share' \
  --mandir='${datadir}/man' \
  --infodir='${datadir}/info' \
  --with-tcp-wrappers

If you want to create a Cygwin package, equivalent to the one
in the Cygwin binary distribution, install like this:

  mkdir /tmp/cygwin-ssh
  cd ${builddir}
  make install DESTDIR=/tmp/cygwin-ssh
  cd ${srcdir}/contrib/cygwin
  make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh
  cd /tmp/cygwin-ssh
  find * \! -type d | tar cvjfT my-openssh.tar.bz2 -

You must have installed the following packages to be able to build OpenSSH:

  - zlib
  - openssl-devel
  - minires-devel

If you want to build with --with-tcp-wrappers, you also need the package

  - tcp_wrappers

Please send requests, error reports etc. to cygwin@cygwin.com.


Have fun,

Corinna Vinschen
Cygwin Developer
Red Hat Inc.