How to Install Cygwin SSH Client and Server using version 2.774

Introduction

Cygwin is a Linux-like environment for Windows.  It contains a collection of tools ported from Linux that enables users to set up an SSH client/server and execute shell scripts on a Windows platform.

Within Information Management, Cygwin is used strictly for batch scripting and SFTP file transfer; hence this document only applies to systems that need only the OpenSSH client/server installed.

Installation Package

Windows\Cygwin\cygwin2.774\setup.exe

Product / application Installation

  1. Log on to the server with a local account that has local administration rights.
*** Cygwin binds file permissions to the account that installs the application.  To avoid potential issues (e.g., the domain account used is no longer available), we recommend using a local account to do the installation ***
  2. Begin the installation by executing the setup.exe file from the Installation Package location mentioned above.  If you are not able to launch the installation over the network, copy it to the target host and launch the installation there.
  3. Click Next on the Cygwin Net Release Setup Program screen.  Please ensure the setup.exe version is 2.774.
  4. Select Install from Local Directory when choosing the Download Source and then click Next.
  5. Enter the install path for the Root Install Directory.  In this case the path D:\Cygwin is used; leave everything else at the default option and click Next.
  6. Leave Local Package Directory at the default and click Next.
  7. If you get a Setup Alert, click OK.
  8. A package list will be displayed once the setup is initialized.
  9. Browse and expand the Editors section of the package list and click on the Skip label to the left of vim.
  10. The package list should now reflect that change.
  11. Browse and expand the Net section of the package list and then click on the Skip label of the package that is marked in red, to install it.
  12. Change the status to Install and make sure that the version of the OpenSSH server is 6.0p1-1.  Also confirm that libwrap0 and libopenssl are selected to be installed, then click on Next.
  13. Make sure Select required packages (RECOMMENDED) is checked, then click Next.
  14. The installation will start.
  15. Once the installation is completed, check the Add icon to Start Menu check box and then click on Finish.

Product / application Configuration

4.1    Configure Cygwin and Setup SSHD (If Applicable)

*** Only complete 4.1 if you are setting up SFTP file transfer with a functional ID ***
  1. Create a local group named SFTP Service Accounts.
  2. Add the service account that will be used for SFTP transfer to the SFTP Service Accounts group.
  3. Launch Local Security Policy (secpol.msc) and navigate to Security Settings > Local Policies > User Rights Assignment and locate Log on as a batch job.
  4. In the add dialog, change the location to the current host, then click on "Object Type" and make sure "Groups" is checked.
  5. Add the SFTP Service Accounts group to the Log on as a batch job policy.

4.2    Configure Cygwin and Setup SSHD

  1. Log on to the server with a local account that has administration rights and full access to Cygwin.
  2. Double click on the Cygwin shortcut on the desktop.
  3. A Cygwin command prompt will open.
  4. In the command prompt, enter ssh-host-config -y.  The SSH host key will be generated on the system and the service will be set up with default options.

# ssh-host-config -y

      Note:
    • If you are prompted to create a new user name, enter cyg_server.
    • If you are prompted for a user password, enter cyg_s3rv3r! for the cyg_server account.  This will create a privileged user account cyg_server, which is also part of the Administrators group, for the sshd service.

** Please be advised that Cygwin will create the account cyg_server and automatically set the password you've entered.  However, if your system has a password complexity policy, the password could get rejected without error, which will cause sshd to fail on start.  Please refer to Section 6 for steps to correct this **

  5. Once the configuration is completed, a confirmation screen will be displayed.
  6. Issue the command net start sshd to start the server.  The setup has configured the service to start automatically after reboot.

** If the sshd service cannot be started, please refer to Section 6 on how to correct this issue; please ensure the sshd service starts properly before moving on to the next step **

  7. Right click on My Computer on the Desktop and then select Properties.  In the System Properties screen, click on the Advanced tab.
  8. Click on the Environment Variables button.
  9. Click on the New button in the System variables section.
  10. Enter the following new environment variable so that bash ignores carriage returns in scripts:

      Variable name: SHELLOPTS
      Variable value: igncr

  11. Double click on the Path variable to edit the existing entry.
  12. Append ;D:\cygwin\bin to the end of the Path variable and then click on OK.
  13. Grant the local Administrators group (LOCAL\ADMINISTRATORS) full control permission on the following files:
    • D:\cygwin\etc\group
    • D:\cygwin\etc\passwd


4.3    Enable User Access in SSH Server

In order to enable users to access the SSH server, the Windows user accounts and groups have to be added to the /etc/passwd and /etc/group files before Cygwin can authenticate local users or domain users.

  1. Log on to the server with a domain account that has local administration rights.
  2. Launch the Cygwin command prompt from the desktop shortcut.
  3. To add a domain user to the /etc/passwd file, execute the following.

# mkgroup -d [domain name] -g 'Domain Users' >> /etc/group
# mkpasswd -d [domain name] -u [user name] -p /home >> /etc/passwd

For the [domain name] parameter, use the full domain path.  For example, use office.adroot.Companygc.net for the OFFICE domain or sysdev.adroot.Companygc.net for the SYSDEV domain.

For example, to add a user bgates01 from the Office domain, use office.adroot.Companygc.net as the domain name and bgates01 as the user name.

Note: If you want to add a domain user, you must log on with a domain account that has local administration rights.

  4. Once the configuration is completed, try connecting either locally or from a remote workstation to verify the SSH connection and login credentials.

Note: Please be advised that the user name in Cygwin is case sensitive.  If the functional ID you created in AD has both upper and lower case letters, you must enter it exactly as it appears in AD or Cygwin will not recognize the account.

# ssh [user name]@localhost

The user id is case sensitive; enter it as it appears in AD.  When prompted with "Are you sure you want to continue connecting", enter yes.  Enter the password and make sure that you get a Cygwin shell prompt.

Note: Currently the SSH server implementation in Cygwin is not able to distinguish the same account name from different domains (including local accounts), e.g. office\bgates, sysdev\bgates or localhost\bgates.  Please avoid importing users with the same account name into the same server.

Be advised that Cygwin will not prevent the addition of a duplicate user id into /etc/passwd; however, only the first user that was added can log in.

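As an added example, not part of the original guide: a POSIX shell function that wraps the mkpasswd append from step 3 so an entry is written only when no entry with that exact, case-sensitive user name already exists, which is the duplicate situation the notes above warn about.  The domain name and user names in the comments and sample data are placeholders taken from the guide's own example.

```shell
#!/bin/sh
# Added example, not from the original guide.  Cygwin does not reject
# duplicate user names in /etc/passwd and only the first entry can log in,
# so filter mkpasswd output through this function instead of ">> /etc/passwd":
#   mkpasswd -d office.adroot.Companygc.net -u bgates01 -p /home | add_passwd_entry /etc/passwd
# (domain and user name above are the guide's own example values)

# add_passwd_entry FILE
# Reads passwd-format lines on stdin.  For each line the first field (the
# user name) is compared exactly and case-sensitively against FILE, the same
# way the Cygwin sshd matches names.  Prints "added:NAME" or "duplicate:NAME";
# returns 1 if at least one line was rejected as a duplicate.
add_passwd_entry() {
    file=$1
    rc=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        name=${line%%:*}
        if awk -F: -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$file"; then
            printf 'duplicate:%s\n' "$name"
            rc=1
        else
            printf '%s\n' "$line" >> "$file"
            printf 'added:%s\n' "$name"
        fi
    done
    return $rc
}

# count_passwd_entries FILE NAME: number of lines in FILE whose user name is
# exactly NAME; useful for auditing an existing /etc/passwd for duplicates.
count_passwd_entries() {
    awk -F: -v n="$2" '$1 == n { c++ } END { print c + 0 }' "$1"
}
```
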
4.4    Configure SSH key exchange

*** To configure SSH key exchange, a private/public key pair needs to be generated on the host that is initiating the SSH/SFTP connection ***

  1. Log on to the server with the local account or domain account for which SSH key exchange is to be set up.
  2. Launch the Cygwin command prompt from the desktop shortcut.
  3. Generate an RSA key pair on the initiating host by issuing the following command and press Enter at each prompt to accept the default.

# ssh-keygen -t rsa -b 2048

Generating public/private rsa key pair.
Enter file in which to save the key (/home/gliu06/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/gliu06/.ssh/id_rsa.
Your public key has been saved in /home/gliu06/.ssh/id_rsa.pub.
The key fingerprint is:
fe:43:65:70:b2:a0:7e:e4:78:b0:7a:88:5d:5b:00:49 gliu06@OCDT70210580
The key's randomart image is:
+--[ RSA 2048]----+
|   .E.           |
|    o   . o .    |
|     . . . =     |
|      + . . o    |
|     . BS  o     |
|      =.= .      |
|   o + =..       |
|  . + o  ..      |
|     .    ..     |
+-----------------+

  4. By default the private/public key pair will be generated in the user's home directory under the .ssh directory.  Verify the keys are present in the .ssh folder.

# ls ~/.ssh

id_rsa  id_rsa.pub

  5. Upload the public key (id_rsa.pub) to the destination host through scp or sftp.  The following command will copy the public key to the target user's home folder.

# scp ~/.ssh/id_rsa.pub gliu06@imcsm:~/

The authenticity of host 'imcsm (172.17.111.51)' can't be established.
RSA key fingerprint is 89:83:61:32:66:c4:64:fd:06:62:55:41:ed:13:70:47.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'imcsm,172.17.111.51' (RSA) to the list of known hosts.
gliu06@imcsm's password:
id_rsa.pub                                    100%  609     0.6KB/s   00:00

  6. Log on to the destination host through ssh.

# ssh gliu06@imcsm

Last unsuccessful login: Fri Dec 17 16:34:49 EST 2010 on ssh from
172.17.108.86
Last login: Tue Dec 21 12:02:33 EST 2010 on ssh from 172.17.108.86
************************************************************
*  Welcome to AIX Version 6.1!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to
*  this release of the AIX Operating System.                                  *
************************************************************

  7. Create a .ssh folder in the user's home directory and append the public key to authorized_keys.

# mkdir ~/.ssh
# cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
# rm ~/id_rsa.pub

  8. Update the permissions on the .ssh folder and the authorized_keys file so that only the owner can access them.  The folder needs the execute bit to be traversable, and sshd will ignore an authorized_keys file that is writable by anyone other than the owner.

# chmod 0700 ~/.ssh
# chmod 0600 ~/.ssh/authorized_keys

4.5    Additional Setup for SFTP File Transfer Functional ID (If Applicable)

*** Only configure this if you are setting up a functional ID for SFTP file transfer ***

  1. Log on to the server with the local account or domain account that has local administrator rights to the host.
  2. Launch the Cygwin command prompt from the desktop shortcut.
  3. Execute the following command to get the group id of the SFTP Service Accounts group, which in this case is 1009 (the last number in the output).

# mkgroup -l -g "SFTP Service Accounts"

SFTP Service Accounts:S-1-5-21-3091395128-1227428965-4083078307-1009:1009:

  4. Edit the /etc/passwd file in vi.

# vi /etc/passwd

  5. Locate the functional ID that will be used for the key exchange and navigate to the 4th column.  The 4th column is the primary group ID assigned to the account.  Replace the primary group ID with the group ID identified in step 3 (e.g., 1009).

4.6    Testing SSH/SFTP Key Exchange

  1. Execute the following command from the initiating host to verify that the SSH key exchange functions properly.

# ssh -vv gliu06@imcsm

  2. Also issue the following to verify that sftp is functioning.

# sftp -vv gliu06@imcsm

Update cyg_server Account Password

  1. To update the cyg_server account password, first log into the LRMSBCCWPRWEB01 server with an account that has local administrator rights.
  2. Launch a command prompt (cmd), then enter the following command to stop the Cygwin sshd service.

# net stop sshd

  3. Launch Server Manager (servermanager.msc) and navigate to Configuration > Local Users and Groups > Users.  Locate the cyg_server id and update its password.
  4. Once the password is updated, launch the Services console (services.msc).  Locate the CYGWIN sshd service and double click on it.
  5. Click on the Log On tab and update the password with the new one.
  6. Once the password is updated, switch back to the command prompt and issue net start sshd.  Make sure the sshd service starts successfully.

# net start sshd

6      Uninstalling Cygwin

  1. To uninstall Cygwin, first log into the target host with local admin rights.  Then open a command prompt.
  2. Issue the following command to stop the sshd service.  *** If you get an error such as "service does not exist", that means you have Cygwin installed but the sshd service was not enabled; please skip to step 5 ***

# net stop sshd

  3. Close the command prompt and open a Cygwin prompt by clicking on the Cygwin icon on the desktop.
  4. Issue the following command to remove the sshd service from the system, then exit the Cygwin prompt.

# cygrunsrv -R sshd

  5. Right click on My Computer on the desktop and select Manage.  Once the Computer Management console appears, navigate to Computer Management > System Tools > Local Users and Groups > Users.
  6. Delete the cyg_server and sshd accounts from the server.
  7. Open Windows Explorer and navigate to the installation folder of Cygwin.  In this case it will be D:\Cygwin.
  8. Right click on the cygwin folder and select Sharing and Security.  Once the Properties page is displayed, click on the Security tab, then click on the Advanced button.
  9. In the Advanced Security Settings for cygwin page, click on the Owner tab and select Administrators in the Change owner to pane.  Check the Replace owner on subcontainers and objects check box and then click Apply.
  10. Once the ownership is updated, click on the Permissions tab.  Check the Replace permission entries on all child objects check box, then click Apply.
  11. Click Yes if a confirmation dialog box appears.
  12. Once the security update is completed, back up the D:\Cygwin folder if required and then delete the D:\Cygwin folder and the desktop shortcut.
  13. Right click on My Computer and select Properties.  Click on the Advanced tab in System Properties, then click on the Environment Variables button.
  14. Look for the SHELLOPTS variable in the System variables section and delete it.  *** If you plan to reinstall Cygwin, you can skip this step ***

Known Issues/Frequently Asked Questions

Unable to start sshd service.

  1. When trying to start the sshd service, a logon failure error is received.  This is usually caused by the password entered for the cyg_server account not being compliant with the password policy, or, if you have uninstalled and reinstalled Cygwin, by a credential cached from the previous installation.
  2. To resolve this issue, first launch the Computer Management console (compmgmt.msc).  Navigate to the cyg_server account and reset the password.
  3. Launch the Services MMC (services.msc).  Navigate to the CYGWIN sshd service and double click on it.
  4. Navigate to the Log On tab and update the password with the new one.
  5. Start the service from the Services MMC; it should now start properly.

Strange SFTP issue on systems that use EMC storage

  1. A very strange issue occurs on systems that use EMC storage.  When using sftp with public key exchange, an error could occur with the following exit code.

# sftp -vv imcsm

:
:
Debug1: Exit status 128
Connection Closed

  2. The above issue does not happen on every system that uses EMC storage; however, there are two workarounds if it does occur.
    • Grant the connecting user local admin rights to the destination host.
    • Grant the user read permission to the following folders:

C:\Program Files\EMC\PowerCommon
C:\Program Files\EMC\PowerPath

Created New User Account in Cygwin but Unable to use the Cygwin Environment

  1. After registering a domain user with mkpasswd, the user reported that they could not log in through SSH, and when they launched Cygwin through RDP it showed the following error and could not continue.

Cannot Create /tmp

  2. Although the root cause of this issue is still unknown, it is resolved by removing the user's Windows profile and recreating it.

Other Info

To check the Cygwin version, use the following command.

# uname -a

To check the OpenSSH version, use the following command.

# cygcheck -srv | grep ssh

License

All Cygwin components used for this installation are covered by the GNU GPL.
