Friday, August 14, 2015

How do I install FreeSSHd - SSH Server in Windows Server

Because the installation of FreeSSHd is so simple compared to the alternatives (especially OpenSSH on Windows), I have chosen to demonstrate how to install and use FreeSSHd. Remember that FreeSSHd is, as the name says, totally free for both personal/non-commercial and commercial use.
To start this process, I downloaded FreeSSHd.exe on my Windows Server 2008 system and ran the downloaded program. The graphical installation began.
I took all the defaults for the installation options and clicked Install to begin the install.
When done, I opted not to run SSHd as a service but that may be what you want to do on your production server.

Figure 1: Do you want to run FreeSSHd as a service?
By running FreeSSHd as a service, it would be available whether or not anyone was logged into the console. I also chose to create private keys for the SSH server.
Next, I ran the FreeSSHd shortcut on the desktop in order to configure and start the SSH server.

Figure 2: Running the FreeSSHd Application
I could see that the SSHd server was already running.
The FreeSSHd application can offer the following:
  • Both SSH Server and Telnet Server capabilities
  • Options to run SSHd on only certain interfaces
  • Multiple methods of authentication, including integrated NTLM authentication to Windows AD
  • Multiple methods of encryption including AES 128, AES 256, 3DES, Blowfish, and more
  • Options to bring up a secure tunnel upon connection
  • Optional Secure FTP (sFTP) - for secure FTP, see the FreeFTPd website
  • The ability to administer users and restrict access to secure shell, secure tunnel, or secure FTP
  • Ability to allow access to only certain hosts or subnets
  • Ability to log all connections and commands performed through FreeSSHd
  • View currently connected users
  • Update FreeSSHd automatically
For me to be able to login, I had to do two things:
  1. Add a new user account and allow SSH command line access
  2. Open an exception in my Windows Server 2008 Firewall
To add a new user, I went to the Users tab and clicked Add.
I opted to set up a login for my local Windows administrator account and set the authorization to NTLM. That way, no password is stored in the FreeSSHd database, and if the administrator password changes in the local Windows account database, nothing has to be updated in FreeSSHd.
I authorized this new administrator SSH user to log in with SSH only.

Figure 3: Adding an SSHd user account with NTLM authorization
Here are the results:

Figure 4: A new SSHd user account added
The second thing I had to do to allow me to log in was to open an exception in the Windows Firewall. While I could have disabled the Windows Firewall completely instead of opening a port, the more secure option is to leave the firewall up and add an exception only for SSH, TCP port 22.
To do that, I went to Start -> Administrative Tools -> Windows Firewall with Advanced Security.

Figure 5: Opening Windows Firewall with Advanced Security
Next, I clicked on Inbound Rules, then on New Rule.

Figure 6: Adding a new Inbound Rule
Next, I chose to add a Port rule.

Figure 7: Choosing to add a Rule for a Port
I specified TCP port 22 only.

Figure 8: Specifying TCP port 22 only
Take the defaults to Allow the Connection, apply the rule to all profiles (Domain, Private, Public), and give the rule a name of your choice.
Test the Connection
To test the connection, I used SecureCRT from my Windows XP machine to the Windows Server 2008 server, via SSH.
To do this, I connected to the server via its IP address (or domain name). I chose to accept the server's host key and save it.

Figure 9: Connecting via SSH and logging in with your Windows username & password
I logged into the server using the administrator login and password.
And, success! I was able to access the server via SSH!

Figure 10: A successful connection to the Windows 2008 Server via SSH

In Summary

SSH is an excellent tool for Windows Server 2008 administrators to consider for remote server management. In this article, you learned how SSH can help you, the options available for SSH Server and SSH Client installations, and how to install one of those options, FreeSSHd.

Thursday, August 6, 2015

Configuring automatic ssh login between all users of two hosts

While some may consider it unsafe, giving users the ability to log in automatically between two different SSH hosts is important in clustered situations. If configuring it through Kerberos is feasible, I recommend that over this method (though it may be more complex).

This documentation is for OpenSSH 3.8p1 (SUSE 9.1), which, with the new ssh-keysign capabilities, is slightly more paranoid and complex than previous releases.

Server

Collecting public keys

Pick a node to be the "master" node. This node will hold the SSH configuration that we will sync to every other node. The SSH host public key database lives in /etc/ssh/ssh_known_hosts. OpenSSH now ships a handy utility named ssh-keyscan that we will use. Simply pass it the list of all machines you wish to allow automatic logins from, and redirect its output:
ssh-keyscan -t rsa beigetwin1.chem.indiana.edu beigetwin2.chem.indiana.edu > /etc/ssh/ssh_known_hosts
PLEASE NOTE - You may run into problems if you use short hostnames. Use the fully qualified domain names that DNS returns for reverse resolution. If you have entries for these hosts in /etc/hosts, make sure the FQDN comes first.

hosts.equiv

Using the ssh_known_hosts file, we can build the list of machines that have identical usernames to this one. This is what actually configures the ring of trust:
cut -d" " -f1 /etc/ssh/ssh_known_hosts > /etc/hosts.equiv
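The one-line cut above works for the plain output of ssh-keyscan, but a hand-edited ssh_known_hosts can contain forms that it copies into hosts.equiv unchanged: comma-separated host lists, [host]:port entries, @cert-authority marker lines, and hashed entries (which cannot be mapped back to a hostname at all). The following script is an added example, not part of the original post, that does the same conversion while handling those cases; the sample file it writes is constructed here and its key material is fake.

```sh
#!/bin/sh
# Added example, not part of the original post: derive hosts.equiv from an
# ssh_known_hosts file as the post's `cut -d" " -f1` pipeline does, but with
# the edge cases that pipeline gets wrong handled explicitly:
#   - blank and comment lines are dropped
#   - "host,10.0.0.2 ssh-rsa ..." host lists are split into one entry per line
#   - "[host]:2222" entries lose the bracket/port form (hosts.equiv has no ports)
#   - "@cert-authority" / "@revoked" marker lines are skipped
#   - hashed entries ("|1|salt|hash ...") cannot be mapped back to a name and
#     are skipped with a warning instead of leaking into hosts.equiv
#   - wildcard/negated patterns are skipped; duplicates are printed once
# Usage: known_hosts_to_hosts_equiv /etc/ssh/ssh_known_hosts > /etc/hosts.equiv

known_hosts_to_hosts_equiv() {
    awk '
        NF == 0 || substr($1, 1, 1) == "#" { next }
        substr($1, 1, 1) == "@" { next }
        substr($1, 1, 3) == "|1|" {
            printf "warning: line %d is a hashed entry, skipped\n", NR > "/dev/stderr"
            next
        }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                h = names[i]
                sub(/^\[/, "", h)           # "[host]:port" -> "host]:port"
                sub(/\]:[0-9]+$/, "", h)    # "host]:port"  -> "host"
                if (h ~ /[*?!]/) continue   # patterns are meaningless in hosts.equiv
                if (!(h in seen)) { seen[h] = 1; print h }
            }
        }
    ' "$1"
}

# write_sample_known_hosts FILE: a constructed file covering the cases above
# (the key material is fake, not real host keys)
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed sample, not real keys
beigetwin1.chem.indiana.edu ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLE1
beigetwin2.chem.indiana.edu,10.0.0.2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLE2
[beigetwin3.chem.indiana.edu]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLE3
|1|c2FsdHNhbHQ=|aGFzaGhhc2g= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLE4
@cert-authority *.chem.indiana.edu ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLE5
beigetwin1.chem.indiana.edu ssh-dss AAAAB3NzaC1kc3MAAAEXAMPLE6
EOF
}

# demo run against the constructed sample
sample=$(mktemp)
write_sample_known_hosts "$sample"
known_hosts_to_hosts_equiv "$sample"
rm -f "$sample"
```

The IP address from the comma-separated entry is kept on purpose: sshd's host-based check can match either the reverse-resolved name or the address, and dropping it silently would be a surprise. The hashed entry is the one to watch for; OpenSSH can write ssh_known_hosts in that form, and the post's cut pipeline would turn it into a line like `|1|...|...` in hosts.equiv.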

Configuring sshd_config

sshd does not honor hosts.equiv by default. Add these two lines to /etc/ssh/sshd_config:
RhostsRSAAuthentication yes
HostbasedAuthentication yes

Client

The client must be configured as well. Add this line to /etc/ssh/ssh_config:
HostbasedAuthentication yes
If the client runs OpenSSH 3.7 or later, a little more work is needed. Also add this line to /etc/ssh/ssh_config:
EnableSSHKeysign yes
You will also need to set the setuid bit on the ssh-keysign binary (on a 64-bit system, use lib64 instead):
chmod u+s /usr/lib/ssh/ssh-keysign

Debugging

ssh: ssh-keysign not enabled in /etc/ssh/ssh_config

On the client side, ssh_config is not configured correctly for OpenSSH 3.8. See the Client section above for the correct settings.

ssh: could not open any host key

For ssh-keysign to work, the binary must be setuid root on each client host. For security reasons, this is not the default.
chmod u+s /usr/lib/ssh/ssh-keysign
If you are on a 64-bit system, you may need to use /usr/lib64 instead.

auto-login doesn't work for root

Automatic root logins are not enabled by HostbasedAuthentication alone. If you wish to allow automatic root login, add this to /etc/ssh/sshd_config:
IgnoreRhosts no
Then copy /etc/hosts.equiv to the .shosts file in root's home directory. Make sure this file is readable only by root.

logins don't work at all

Typically, this is a DNS-related issue. Try setting up /etc/hosts so that the fully qualified name appears before the short name, and update /etc/hosts.equiv and /etc/ssh/ssh_known_hosts to use the FQDNs.
If this does not help, run the server in debug mode. Kill the running sshd process, and run:

/usr/sbin/sshd -d -d
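Before reaching for sshd -d -d, it is worth checking the preconditions the Server, Client and Debugging sections above spell out, since each of the failure messages maps to one of them. The script below is an added example, not part of the original post: it audits the sshd_config and ssh_config keywords, the setuid bit on ssh-keysign, that every hosts.equiv entry is an FQDN with a key in ssh_known_hosts, and the mode of root's .shosts when IgnoreRhosts no is set. It takes a directory prefix so it can be run against a constructed test tree (built by build_sample_tree with fake keys) as well as the live system; the ssh-keysign path is passed in because it is /usr/lib/ssh or /usr/lib64/ssh depending on the system. It assumes plain "Keyword value" config lines with no Match blocks, which is not something the post states.

```sh
#!/bin/sh
# Added example, not part of the original post: an offline audit of the pieces
# host-based login depends on, in the order the post's debugging section lists
# them. ROOT is a directory prefix so the checks can run against a test tree
# (empty string = the live system). KEYSIGN is the ssh-keysign path, passed in
# because it is /usr/lib/ssh or /usr/lib64/ssh depending on the system.
# Assumptions not taken from the post: config files use plain "Keyword value"
# lines (no Match blocks), and hosts.equiv holds one hostname per line.

# config_has FILE KEYWORD VALUE: true if an uncommented "KEYWORD VALUE" line exists
config_has() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|\$)" "$1" 2>/dev/null
}

# audit_hostbased ROOT KEYSIGN: prints one line per problem, returns the count
audit_hostbased() {
    root=$1; keysign=$2; problems=0
    sshd_cfg="$root/etc/ssh/sshd_config"; ssh_cfg="$root/etc/ssh/ssh_config"
    known="$root/etc/ssh/ssh_known_hosts"; equiv="$root/etc/hosts.equiv"
    shosts="$root/root/.shosts"

    # server side: the two sshd_config lines from the post
    for kw in RhostsRSAAuthentication HostbasedAuthentication; do
        config_has "$sshd_cfg" "$kw" yes ||
            { echo "sshd_config: '$kw yes' missing"; problems=$((problems + 1)); }
    done
    # client side: "ssh-keysign not enabled" and "could not open any host key"
    for kw in HostbasedAuthentication EnableSSHKeysign; do
        config_has "$ssh_cfg" "$kw" yes ||
            { echo "ssh_config: '$kw yes' missing"; problems=$((problems + 1)); }
    done
    [ -u "$root$keysign" ] ||
        { echo "$keysign: not setuid (chmod u+s)"; problems=$((problems + 1)); }
    # trust ring: every hosts.equiv entry should be an FQDN with a key on file
    if [ -r "$equiv" ]; then
        while read -r h _; do
            case $h in ''|\#*) continue ;; esac
            case $h in
                *.*) ;;
                *) echo "hosts.equiv: '$h' is not fully qualified"; problems=$((problems + 1)) ;;
            esac
            hre=$(printf '%s' "$h" | sed 's/\./\\./g')   # literal dots in the regex
            grep -Eq "^(\[)?$hre(\]:[0-9]+)?(,|[[:space:]])" "$known" 2>/dev/null ||
                { echo "ssh_known_hosts: no key for $h"; problems=$((problems + 1)); }
        done < "$equiv"
    else
        echo "hosts.equiv: missing or unreadable"; problems=$((problems + 1))
    fi
    # root auto-login: 'IgnoreRhosts no' needs a root-only .shosts beside it
    if config_has "$sshd_cfg" IgnoreRhosts no; then
        if [ ! -f "$shosts" ]; then
            echo "root/.shosts: missing although 'IgnoreRhosts no' is set"; problems=$((problems + 1))
        else
            mode=$(stat -c %a "$shosts" 2>/dev/null || stat -f %Lp "$shosts")
            case $mode in 600|400) ;; *) echo "root/.shosts: mode $mode, should be 600"; problems=$((problems + 1)) ;; esac
        fi
    fi
    return $problems
}

# build_sample_tree DIR: a constructed, correctly configured tree (fake keys)
build_sample_tree() {
    d=$1
    mkdir -p "$d/etc/ssh" "$d/root" "$d/usr/lib/ssh"
    printf '%s\n' 'RhostsRSAAuthentication yes' 'HostbasedAuthentication yes' 'IgnoreRhosts no' > "$d/etc/ssh/sshd_config"
    printf '%s\n' '   HostbasedAuthentication yes' '   EnableSSHKeysign yes' > "$d/etc/ssh/ssh_config"
    printf '%s\n' 'beigetwin1.chem.indiana.edu ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLE1' \
                  'beigetwin2.chem.indiana.edu ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLE2' > "$d/etc/ssh/ssh_known_hosts"
    printf '%s\n' beigetwin1.chem.indiana.edu beigetwin2.chem.indiana.edu > "$d/etc/hosts.equiv"
    cp "$d/etc/hosts.equiv" "$d/root/.shosts" && chmod 600 "$d/root/.shosts"
    : > "$d/usr/lib/ssh/ssh-keysign" && chmod 4755 "$d/usr/lib/ssh/ssh-keysign"
}

# demo against the constructed tree; on a real host run:
#   audit_hostbased "" /usr/lib/ssh/ssh-keysign
tree=$(mktemp -d)
build_sample_tree "$tree"
audit_hostbased "$tree" /usr/lib/ssh/ssh-keysign && echo "no problems found"
rm -rf "$tree"
```

The return value is the number of problems found, so the function can be used in a cron job or a configuration-sync script across the ring of hosts and fail loudly on the node that drifted. The FQDN check is deliberately simple (contains a dot); it catches the short-hostname mistake the post warns about twice, which is the usual cause of "logins don't work at all".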