I'm loading OpenSSH on a Windows server. These are the instructions I'm using:
Installing OpenSSH for Windows 2003 Server - How to get it working
In order to get host based authentication with OpenSSH to work under Windows 2003 server it is necessary to run the server with privilege separation instead of as the system account.
* Either download and install OpenSSH for Windows, which is quite an old version now, or follow my instructions to compile your own.
I'm assuming you installed the package in C:\Program Files\OpenSSH
* Change the OpenSSH\etc\sshd_config file:
UsePrivilegeSeparation yes
* Create an empty folder in C:\Program Files\OpenSSH\var\empty which will be the OpenSSH server user's home directory.
* Create the server user's account:
net user sshd password /add /fullname:"sshd daemon" /homedir:"C:\Program Files\OpenSSH\var\empty"
Check that the account's password will not expire in your usual user management GUI.
* Add the server user's account (sshd) to the Administrators group.
net localgroup Administrators sshd /add
* Assign the server user's account (sshd) the appropriate rights:
ntrights +r SeAssignPrimaryTokenPrivilege -u sshd
ntrights +r SeCreateTokenPrivilege -u sshd
ntrights +r SeDenyInteractiveLogonRight -u sshd
ntrights +r SeDenyNetworkLogonRight -u sshd
ntrights +r SeDenyRemoteInteractiveLogonRight -u sshd
ntrights +r SeIncreaseQuotaPrivilege -u sshd
ntrights +r SeServiceLogonRight -u sshd
* Give the server user's account (sshd) Read, Read & Execute and List Folder Contents permissions to the OpenSSH folder and subtree.
* Give the server user's account (sshd) ownership and full control of the OpenSSH/var folder and subtree.
* Now set up the group and passwd files. I've only used local accounts, but domain accounts and groups can be used with the -d flag and appended onto the local files.
cd C:\Program Files\OpenSSH\bin
mkgroup -l > ..\etc\group
mkpasswd -l > ..\etc\passwd
* If you're not using the full Cygwin install you probably won't have bash, so you will need to change the shells in the passwd file to use /cygdrive/c/Windows/system32/cmd.exe; alternatively, if you are going to need scp, you will probably want to compile switch.exe and use that.
* Open the Services control panel and change the Log On tab on the OpenSSH service to use the server account.
* Start/Restart the OpenSSH service.
* What to do if service doesn't start
Additionally, you'd probably want to change OpenSSH\etc\banner.txt to reflect your own site's policies.
To enable host based authentication:
* Change the OpenSSH\etc\sshd_config file:
HostBasedAuthentication yes
IgnoreRhosts no
* Copy public keys from any hosts you want to allow access:
ssh-keyscan -t dsa host.domain > ..\etc\ssh_known_hosts
* Create OpenSSH\etc\shosts.equiv with entries for any hosts you want to allow access:
host.domain user
To enable public key authentication for Administrator:
* Change the OpenSSH\etc\sshd_config file:
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
* Create a directory OpenSSH in C:\Documents and Settings\Administrator
* Move C:\Documents and Settings\Administrator\.ssh to the above OpenSSH directory
  o If the .ssh directory does not already exist, create one using mkdir from a command prompt
* Create an authorized_keys2 file in the .ssh directory containing the public key of the user you are logging in from.
* Change ownership of the OpenSSH tree including .ssh and authorized_keys2 file to Administrator.
* Remove all permissions from the above OpenSSH tree, except Administrator.
* Add read and execute permissions to the above OpenSSH tree for the sshd user.
* Change Administrator entry in OpenSSH\etc\passwd to be /home/Administrator/OpenSSH
* Restart the OpenSSH service.
To enable public key authentication for users other than Administrator:
The basic principle is the same as for the Administrator account, here are some things to remember:
* Make sure the user is in OpenSSH\etc\passwd. If not, add them using mkpasswd -l >> ..\etc\passwd (replace the -l with a -d if the user is a domain user). You will probably need to remove any duplicate entries that mkpasswd will have put in.
* You will also need to check the group entry in the passwd file for the user. The fields are separated by colons and the group entry is the fourth field. It should be set to something sensible from the OpenSSH\etc\groups file, probably Domain Users which, on my installation, is 513.
* Make sure you've created an OpenSSH directory in the users profile directory. This should contain the .ssh directory and the authorized_keys2 file. The OpenSSH tree should be owned by the user and the sshd must have read and execute permissions - you probably want to give Administrator permission too just so you can change things!
* Make sure the directory entry for the user in the OpenSSH\etc\passwd points at the OpenSSH directory instead of /home/user.
* Make sure that the user has read/execute permissions to the OpenSSH\bin folder and the file OpenSSH\bin\switch.exe. You can do this with the Authenticated Users group or some other suitable group.
I've made the part where I'm having an issue with bold, italic, underlined, and size 5 font.
When I installed OpenSSH it didn't load the "ssh-keyscan" and I've been looking all over the internet trying to find a .exe or at least some place that tells me how to build it or SOMETHING. So far, I have been unsuccessful.
Can someone please help me?
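The guide above describes the layout of the Cygwin-style passwd and group files that mkpasswd and mkgroup write (colon-separated fields, the group id in the fourth field, a home directory that must point at the per-user OpenSSH directory, duplicates to strip after repeated appends). The following script is an added example, not part of the original post or of the guide it quotes; it checks a user's entry against those rules. The file contents, user names and SIDs in it are constructed for the example, and the gid 513 for Domain Users is taken from the guide's own installation.

```python
"""Sanity-check the Cygwin-style OpenSSH\\etc\\passwd and group files
produced by mkpasswd/mkgroup, following the guide's rules:
  * every field is colon-separated; the 4th field is the group id,
  * that group id must exist in the group file,
  * the home directory must point at the per-user OpenSSH directory,
  * duplicate entries left behind by repeated 'mkpasswd >>' are removed.
All sample data below is constructed for the example."""

from collections import namedtuple

# passwd(5) layout: name:passwd:uid:gid:gecos:home:shell
PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")


def parse_passwd(text):
    """Parse passwd lines into PasswdEntry records, skipping blanks and comments.
    Cygwin's gecos field contains commas and a SID, so split on ':' only."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        entries.append(PasswdEntry(*fields))
    return entries


def parse_group(text):
    """Return {gid: groupname} from group lines (name:SID:gid:members)."""
    gids = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError("malformed group line: %r" % line)
        gids[fields[2]] = fields[0]
    return gids


def dedupe_passwd(entries):
    """Keep the first entry per user name; later 'mkpasswd >>' runs append repeats."""
    seen = set()
    unique = []
    for e in entries:
        if e.name not in seen:
            seen.add(e.name)
            unique.append(e)
    return unique


def check_user(entries, gids, user):
    """Return a list of problems with `user`'s passwd entry; an empty list means it passes."""
    matches = [e for e in entries if e.name == user]
    if not matches:
        return ["%s is missing from passwd (run mkpasswd -l or -d and append)" % user]
    problems = []
    if len(matches) > 1:
        problems.append("%s has %d duplicate entries" % (user, len(matches)))
    e = matches[0]
    if not e.gid.isdigit():
        problems.append("group field %r is not numeric" % e.gid)
    elif e.gid not in gids:
        problems.append("gid %s is not in the group file" % e.gid)
    if not e.home.endswith("/OpenSSH"):
        problems.append("home %r does not point at the user's OpenSSH directory" % e.home)
    return problems


# Constructed sample files (names, uids and SIDs are placeholders).
SAMPLE_GROUP = """\
Administrators:S-1-5-32-544:544:
Domain Users:S-1-5-21-0-0-0-513:513:
"""
SAMPLE_PASSWD = """\
Administrator:unused:500:513:U-EXAMPLE\\Administrator,S-1-5-21-0-0-0-500:/home/Administrator/OpenSSH:/cygdrive/c/Windows/system32/cmd.exe
alice:unused:1001:513:U-EXAMPLE\\alice,S-1-5-21-0-0-0-1001:/home/alice:/cygdrive/c/Windows/system32/cmd.exe
alice:unused:1001:513:U-EXAMPLE\\alice,S-1-5-21-0-0-0-1001:/home/alice:/cygdrive/c/Windows/system32/cmd.exe
bob:unused:1002:9999:U-EXAMPLE\\bob,S-1-5-21-0-0-0-1002:/home/bob/OpenSSH:/cygdrive/c/Windows/system32/cmd.exe
"""

if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    gids = parse_group(SAMPLE_GROUP)
    for user in ("Administrator", "alice", "bob", "carol"):
        print(user, check_user(entries, gids, user) or "ok")
    print("after dedupe:", [e.name for e in dedupe_passwd(entries)])
```

Running it against the real files is a matter of reading OpenSSH\etc\passwd and OpenSSH\etc\group into the two text arguments; the checks are the same ones the guide asks you to do by hand before restarting the service.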
Did a quick look at the ssh-keyscan manual page and what it does, and from my understanding you don't need this to actually run the sshd. If I understood the info correctly it just filters out those IPs/domains that are allowed to connect. Personally, I would have skipped the ssh-keyscan and have HostBasedAuthentication = no, and just use password/public key authentication instead.
known_hosts contains the public keys of hosts you're connecting to, so you know you're not subject to a man-in-the-middle attack. It's not quite so useful for sshd, if you're using it as a server. The server will already know you're who you say you are because your client's public key will be in the authorized_hosts file (if you're using public-key authentication).
If you use ssh as a client, it'll prompt you that you're connecting to a host that isn't in the known_hosts, show you the server fingerprint, and ask if you want to continue connecting and/or remember it in your per-user known hosts.
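The guide's host-based steps (ssh-keyscan output into ssh_known_hosts, hosts listed in shosts.equiv) and the replies about known_hosts and fingerprints both come down to the same two files. The script below is an added example, not code from the original thread: it parses a known_hosts file in the form ssh-keyscan writes, parses shosts.equiv, reports any trusted host for which sshd holds no key (host-based authentication cannot succeed for that host), and prints each key's SHA256 fingerprint in OpenSSH's format for comparison with the one the host shows. The host names and key blobs in the sample data are constructed placeholders, not real keys.

```python
"""Cross-check the two files host-based authentication depends on:
  * ssh_known_hosts  - one 'host keytype base64key' line per host, as written
                       by ssh-keyscan (comments and hashed '|1|' hosts may appear)
  * shosts.equiv     - one 'host [user]' line per trusted host
For every host listed in shosts.equiv, report whether sshd has a key for it,
and compute the OpenSSH-style SHA256 fingerprint of each key so it can be
compared with the fingerprint shown on the host itself.
Sample file contents below are constructed for the example."""

import base64
import hashlib


def parse_known_hosts(text):
    """Return {hostname: [(keytype, base64key), ...]}.
    The host field may list several names separated by commas and may carry a
    leading '@marker'; hashed entries ('|1|...') cannot be matched by name, so
    they are kept under their literal hash string."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):        # e.g. @cert-authority or @revoked
            fields = fields[1:]
        if len(fields) < 3:
            raise ValueError("malformed known_hosts line: %r" % line)
        names, keytype, key = fields[0], fields[1], fields[2]
        for name in names.split(","):
            hosts.setdefault(name, []).append((keytype, key))
    return hosts


def parse_shosts_equiv(text):
    """Return [(host, user_or_None), ...] from shosts.equiv lines ('host [user]')."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def fingerprint(b64key):
    """OpenSSH's default fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the raw key blob."""
    raw = base64.b64decode(b64key)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_hostbased(known_hosts_text, shosts_text):
    """Return {host: status} where status is 'ok' or 'no host key'."""
    known = parse_known_hosts(known_hosts_text)
    result = {}
    for host, _user in parse_shosts_equiv(shosts_text):
        result[host] = "ok" if host in known else "no host key"
    return result


# Constructed sample data: the key blobs are placeholders, not real host keys.
SAMPLE_KNOWN_HOSTS = """\
# ..\\etc\\ssh_known_hosts as written by ssh-keyscan -t dsa (constructed)
host.domain ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER
other.domain,10.0.0.2 ssh-dss AAAAB3NzaC1kc3MAAACBAOTHERHOSTKEY123
"""
SAMPLE_SHOSTS_EQUIV = """\
host.domain user
other.domain
missing.domain user
"""

if __name__ == "__main__":
    for host, status in check_hostbased(SAMPLE_KNOWN_HOSTS, SAMPLE_SHOSTS_EQUIV).items():
        print("%-16s %s" % (host, status))
    for host, keys in parse_known_hosts(SAMPLE_KNOWN_HOSTS).items():
        for keytype, key in keys:
            print(host, keytype, fingerprint(key))
```

The "no host key" status is the case to watch for after editing shosts.equiv: sshd can only accept a host-based login from a host whose key it already has, so a host added to shosts.equiv without a matching ssh-keyscan entry will be refused.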