SSH on Windows 7 (the full awesome implementation)

15 Oct 2011 Polished.

Configuring Secure Shell on Windows 7 (or Vista) requires a bit of a special configuration for full ass-kicking. User Account Control should be enabled (duh).

Server installation & configuration

  1. Install Cygwin. You could use copssh, but don't. More on that later.
  2. Include package: openssh. Also rsync and unison, because they're amazing.
  3. Run Cygwin Bash Shell as Administrator.
  4. Execute: ssh-host-config
  5. Answer Yes to privilege separation, and yes to a new local account.
  6. Answer No to installing as a service. This is critical. Explanation further down.
  7. Execute (including the > symbol):

    mkdir ~/.ssh
    > ~/.ssh/authorized_keys
    

    Creating this file from the terminal assigns the appropriate permissions (Cygwin's None account is granted read access).

  8. Edit /etc/sshd_config in a text editor such as WordPad (not Notepad).
  9. Uncomment and change PasswordAuthentication to No. We're using public-key cryptography.
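Steps 7 to 9 as a small re-runnable script, with a check of the result. This is an added example, not code from the original post; the real targets are your Cygwin home directory and /etc/sshd_config, while demo() works on a constructed config in a temp dir.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 7-9 of the server
# setup as re-runnable functions, plus a check of the result. The real targets
# are your Cygwin home and /etc/sshd_config; demo() works in a temp dir.

# Step 7: ~/.ssh/authorized_keys. The post relies on Cygwin's defaults; the
# modes are set explicitly here because sshd (StrictModes) ignores the file
# when it or ~/.ssh is writable by anyone but the owner. Existing keys stay.
setup_authorized_keys() {
    home="$1"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    [ -e "$home/.ssh/authorized_keys" ] || : > "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Steps 8-9: uncomment and set every PasswordAuthentication line (Match
# blocks included) to no, appending the directive when the file has none.
# Running it twice is harmless.
disable_password_auth() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    pat='^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]'
    if grep -Eq "$pat" "$cfg"; then
        sed -E "s/$pat.*/PasswordAuthentication no/" "$cfg" > "$tmp"
    else
        cat "$cfg" > "$tmp"
        printf 'PasswordAuthentication no\n' >> "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# Check: sshd honours the first uncommented occurrence of a directive and
# defaults to yes when there is none, so report exactly that.
password_auth_value() {
    awk 'tolower($1) == "passwordauthentication" && !seen { v = tolower($2); seen = 1 }
         END { if (v == "") v = "yes"; print v }' "$1"
}

# Demo on a constructed sshd_config holding the commented-out default line.
demo() {
    d=$(mktemp -d)
    printf '#PasswordAuthentication yes\nUsePrivilegeSeparation yes\n' > "$d/sshd_config"
    disable_password_auth "$d/sshd_config"
    setup_authorized_keys "$d/home"
    password_auth_value "$d/sshd_config"   # no
    ls -l "$d/home/.ssh/authorized_keys"
    rm -r "$d"
}
```

Restart sshd after changing the config, then run password_auth_value against the live file to confirm it prints no.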

Public-key encryption

  1. Run PuTTYGen on the client.
  2. A 1024-bit key is useful for SSH from a smartphone (which is quite valuable), especially on a weak signal, as the connection will negotiate more quickly. Use 2048 if you wish. Generate.
  3. Comment it: <User>@<Server-PC>, e.g. Chris@Chris-PC
  4. Absolutely give it a passphrase.
  5. Save private key to the drive as <User>@<Server-PC>.ppk
  6. Conversions → Export OpenSSH key, as <User>@<Server-PC> (no extension). You'll want this later.
  7. Save the public key as <User>@<Server-PC>.pub; you may want this later too. (Note that this file is not in the same format as the key you paste in step 9.)
  8. Open C:\cygwin\home\<User>\.ssh\authorized_keys on the server.
  9. Paste the public key displayed at the top of PuTTYGen on the client into this file on the server. (A secure, local Remote Desktop connection works well for this.)
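The .pub file saved in step 7 is in the RFC 4716 layout, which sshd does not accept in authorized_keys; the line pasted in step 9 is the one-line OpenSSH form. The converter below, an added example and not code from the original post, turns the saved file into that line (ssh-keygen -i does the same job when it is available). The sample key material is constructed and not a usable key.

```shell
#!/bin/sh
# Added example, not code from the original post: converts the file that
# PuTTYGen's "Save public key" writes (RFC 4716 format, which sshd will not
# read from authorized_keys) into the one-line OpenSSH form pasted in step 9.
# Needs only base64, od and awk, so it runs in a Cygwin shell or any Unix.

# The key type (ssh-rsa, ssh-ed25519, ...) is the first length-prefixed
# string inside the decoded blob; $1 is the base64 blob.
key_type_from_blob() {
    printf '%s' "$1" | base64 -d | od -An -v -tu1 | tr -s ' \n' ' ' | awk '{
        len = $1 * 16777216 + $2 * 65536 + $3 * 256 + $4
        t = ""
        for (i = 5; i < 5 + len; i++) t = t sprintf("%c", $i + 0)
        print t
    }'
}

# $1: path of the RFC 4716 file. Prints "type base64 comment".
rfc4716_to_openssh() {
    comment=$(awk '/^Comment:/ { sub(/^Comment:[ \t]*/, ""); sub(/\r$/, "")
                                 gsub(/"/, ""); print; exit }' "$1")
    # Drop the ---- BEGIN/END ---- markers and header lines (including
    # backslash-continued ones), strip CRs, then join the base64 lines.
    b64=$(awk '{ sub(/\r$/, "") }
               /^----/ { next }
               cont { cont = ($0 ~ /\\$/); next }
               /^[A-Za-z-]+:/ { cont = ($0 ~ /\\$/); next }
               { printf "%s", $0 }' "$1")
    printf '%s %s%s\n' "$(key_type_from_blob "$b64")" "$b64" "${comment:+ $comment}"
}

# Constructed sample in the layout PuTTYGen writes, with a tiny fake RSA
# blob (not a usable key) so the example runs offline.
sample_rfc4716() {
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----' \
                  'Comment: "Chris@Chris-PC"' \
                  'AAAAB3NzaC1yc2EA' \
                  'AAADAQABAAAAAgAF' \
                  '---- END SSH2 PUBLIC KEY ----'
}

demo() {
    f=$(mktemp)
    sample_rfc4716 > "$f"
    rfc4716_to_openssh "$f"   # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAgAF Chris@Chris-PC
    rm -f "$f"
}
```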

Preliminary

This will allow us to store certain standalone executables, and omit their full path when launching them. It will also allow us to launch the server from outside of a Cygwin Bash Shell. (Note that Cygwin's bin directories will appropriately take precedence, as seen in the file C:\cygwin\etc\profile.)

  1. Create C:\Executables
  2. Press WindowsKey + PauseBreak, click Advanced system settings.
  3. Open Environment Variables…, then under System variables double-click the PATH variable.
  4. Append ;C:\Executables;C:\cygwin\bin (including the leading semicolon) to the end of the value. (You may prefer to put C:\Executables in the User PATH instead.)

Launching SSH daemon (server)

  1. Unzip hstart.exe to C:\Executables. Hstart will help hide a console window, but it's also very useful for (de)elevating applications, as you'll see later.
  2. Open Task scheduler on the server. (Why task scheduler? To bypass the prompt for application elevation on startup.)
  3. Create Task…, name it SSHD, check Run with highest privileges.
  4. Is the server a laptop? Uncheck Start the task only if the computer is on AC power under the Conditions tab.
  5. Set it to launch when you log on under Triggers.
  6. Under the Actions tab click New…, then set Program to hstart and Arguments to /noconsole "C:\cygwin\usr\sbin\sshd.exe -D"
  7. Confirm all, F5 refresh, and Run that sucker! You may need to Allow access through the firewall.

Q: Why did we go to this trouble instead of allowing ssh-host-config to install SSHD as a service?

A: So that the daemon runs as a child process of explorer.exe. Although you can "allow a service to interact with the desktop", it won't have the desired effect. This way we can launch notepad remotely and have it open under our user session on the server, a child of explorer, fully visible and ready for input, and that's super awesome!

Client configuration

  1. Download KiTTY.exe, a Windows-only fork of PuTTY with considerable advantages, to C:\Executables.
  2. Create or download C:\Executables\kitty.ini with the following entries:

    [PuTTY]
    keys=load
    

    This will copy KiTTY's configuration to PuTTY's registry keys on each exit, maintaining compatibility with tools such as plink and Pageant.

  3. However, this won't work unless the HKEY_CURRENT_USER\Software\SimonTatham\PuTTY registry key already exists. The fast solution is to import this .reg.
  4. Rename kitty.exe to putty.exe, for compatibility with Pageant.
  5. Download Pageant.exe to C:\Executables.
  6. Create a logon-triggered task named Pageant in Task Scheduler on the client, as we did for the server, except do not check Run with highest privileges (more on that later). Program: pageant. Arguments: C:\path\to\<User>@<Server-PC>.ppk
  7. Run the task! Type in your passphrase.
  8. You'll see Pageant in the notification area. Right click, New Session (if you don't see this double check steps 2, 3, and 4).
  9. Add the host name or IP, jump to Connection → Data and add only your username, then jump to SSH → Auth and browse to the private key.
  10. Back under Session, type in a session name (how about <User>@<User-PC>) and Save.
  11. Click Open to connect!

Now, when the client machine boots, Pageant will prompt for your passphrase to unlock the private key. After that you can launch an SSH session from Pageant's Saved Sessions in the notification area, and Pageant will handle the key authentication for you. Sweet!

File browsing

Now install WinSCP wherever. Configure nothing. With KiTTY fully connected, click on its top-left icon and select Start WinSCP. Like whoa! Full SFTP access without even configuring WinSCP, awesome! (If it failed to connect, you may have already had WinSCP installed; reinstalling it and opting to delete the configuration files is one solution.)

Launching applications

As our SSH daemon runs with administrative privileges, we have full remote system access. Often, however, we will want to launch an application with non-elevated privileges. For this you can use hstart.exe /nonelevated. An even more convenient way is to create an alias in .bashrc in your Cygwin home directory on the server (C:\cygwin\home\<user>\.bashrc). Consider adding the following:

    alias med='hstart.exe /nonelevated '

You can reload the file with source ~/.bashrc. Now you can launch an application with, for example, med notepad, and it will run at the Medium (non-elevated) integrity level, as a standard program would.


There will be more to cover in Part 2, which will illuminate some of our choices and the strength of this configuration.