SSH Secure Services on Windows 2K/XP?

jstockdale asks: "Lately I've been working on the security of the few Windows boxes I administer, specifically XP and 2000 stations. I havn't had much of a problem finding decent solutions for file/email/disk encryption (besides the fact that PGP is no longer selling their products), or for smartcard or smartcard+biometric solutions (besides the limitations on key size (2048-bit RSA maximum) and flexability). However when it comes to SSH services for remote administration, windows filesharing, and SFTP for file transfers I have hit a dead end. I have looked into SSH but their SSH for Windows Servers only runs on 2000, and costs $565. I ask what solutions have /.er's found in the realm of ssh network encryption, and also in integrating all these components simply and effectively."

CygWin

[Darth+Troll]

Works just dandy

Re:CygWin

[Frank+of+Earth]

I don't run Cygwin on our prod servers but I do run it on my desktop and it works great.

What I do is create a batch file called scmd [super command] that opens up a connection to localhost through ssh.

Then I just create an alias to my /c and Im able to use all the great unix utilities under windows. You be surprised how something so simple like tail/head works so well when analysing log files in Windows.

Not to get too offtopic, but it's all great for running cron jobs. The AT scheduler is the worst.

www.Cygwin.com

[aaron_pet]

www.cygwin.com

openssh via cygwin.

[ssklar]

openssh works fine under cygwin. that is what we use.

Putty

[crouchingpenguin]

You can get Putty here: http://www.chiark.greenend.org.uk/~sgtatham/putty/ .

Re:Putty

[Osty]

And he can get a fancy alpha-blended PuTTY here. However, the way I understood it, he was asking for a server, not a client. PuTTY is only a client (ssh client, scp, sftp, etc).

Bitvise is nice and reasonably priced

[anaradad]

I've been running a Bitvise WinSSHD server for a while and it works just fine. Integrates with the Windows login also, which is a nice plus. Easy to install, configure, and use.

Putty ssh client

[bluegreenone]

I know you are asking about server software specifically, but I thought I'd take the opportunity to mention Putty, a suite of useful SSH clients includind a SSH/telnet, Pageant their key manager, and plink their command-line version.

Check out the VanDyke products

[mdb31]

You may want to have a look at vandyke.com; their VShell SSH server has a 'personal' edition which works very well for systems management and is cheaper than the SSH product. I've used their products for years on the server as well as client-side, and found them very reliable, as well as very well-behaved Windows services...

Have you looked at remotely anywhere?

[slacker_bovine]

Rather than some *cough* *cough*....I wish to actually try to provide some help. I've been using Remotely Anywhere for remote administration of my win2k network. It does a lot more than it sounds like you're asking for, but it is extremely useful and runs an ssh server. It is relatively cheap, but not free. Website

Re:Tried VShell?

[xee]

Indeed, VShell is an awesome SSH server for windows. I've been using it in a production environment for a few months now and am very pleased with its performance and ability. It hasn't been a particularly smooth ride, but VanDyke tech support is excellent (you send them a logfile, they'll tell you how to fix the problem). They even supported me before I bought the product. That was impressive. I highly recommend VanDyke SSH products for windows.

OpenSSH + CygWin + libsectok

[dmiller]

As a few people have mentioned OpenSSH is supported on Windows via CygWin. What hasn't been mentioned is that OpenSSH supports smartcards through the use of libsectok. I use it with Schlumberger Cyberflex Access cards.

I don't know whether libsectok has been built on Windows before, but it uses the standard /dev/tty interface so it should be too difficult to get working.

winscp (freeware)

[hrdluk0]

There is a freeware windows scp program callled, not surprisingly, winscp. It is freeware and uses some code from Putty. Everyone I know has found this program very useful. Main web page: http://winscp.vse.cz/eng/ and download here: http://winscp.vse.cz/eng/download.php I found version 2.0 to be quite stable even though it is called beta.

Cygwin & TTSSH

[cornice]

For the server side use SSH from cygwin and for the client side I really like TTSSH as an extension to Teraterm. It also looks like there is now a TTX SSL and an SSL OTP available too. By the way, all of these have source available.

Terminal Server

The RDP protocol is encrypted by default.

Where to find the Windows programmers

[Carnage4Life]

Disclaimer: I work for Microsoft but this post contains my opinions and does not represent some official company statement

In my opinion the best places to find out information about Microsoft technologies and products are

1. Newsgroups: Most microsoft technologies have a newsgroup in the microsoft.public.* hierarchy that are read not only by Microsoft employees but by dozens of regular developers who just want to help others who are having problems. I personally monitor microsoft.public.xml and microsoft.public.dotnet.xml where I answer a lot of questions and pass many of those I can't answer to the actual devs who work on the applications and APIs in question.
   
   
2. Online Communities: There are a number of strong online communities where Windows developers congregate to share information, tips and tricks. These range from Microsoft sponsored sites like GotDotNet, ASP.NET, and Windows Forms.NET that are run by MSFT employees who participate actively in these communities to independent sites like 4 Guys from Rolla, Code Project, Dev Hood, DevelopMentor and CodeGuru
   
   
3. Microsoft Websites: Few places beat MSDN as a source of information about Microsoft technologies. By the way, if you are into XML check out my Extreme XML column
   
   
4. Mailing Lists: There are number of mailing lists hosted by various parties about Microsoft technologies. The ones I've seen with the most vibrance have been the DevelopMentor mailing lists and the ASP Friends lists

PS: So this post isn't offtopic I'll add something about SSH. OpenSSH in Windows is possible if one installs Cygwin.

Re:Windows Programming: A related question

[W2k]

My sources for programming info and help/support:

CodeGuru and CodeProject - both EXCELLENT sources of information, especially for MFC stuff. CodeProject also has lots on C#.

Microsoft Developer Network is a great source of support (especially the KB) and the MSDN library holds a full reference for the Microsoft implementations of C/C++, C#, Visual Basic, et al. MSDN is also integrated into Visual Studio.NET, so I rarely feel the need to visit the website directly.

Finally, lots of programmers gather in Usenet newsgroups and on IRC. I can recommend the channel #c++ on Quakenet (irc.quakenet.org) as a great source of help for Windows programmers, so long as you follow the (rather strict) channel rules. Don't miss the #c++ n00blist of people who have failed to observe these rules ... :)

I hope this helps...

Yep -- sshd configuration instructions

[KMSelf]

Second all of the above.

For configuring sshd, see http://tech.erdelynet.com/cygwin-sshd.html.

Re:Tried VShell?

[dmayle]

I agree completely. I've been a huge fan of Vandyke products, and continue to recommend them to clients of mine who want Windows familiarity thrown in with their security (I implement security solutions for small to medium size businesses). All of their products that I've used (SecureFX, SecureCRT and VShell) have each gotten better with each version (which you often can't say about new software).

Re:What's wrong with Win2k server?

[new500]

. . .

I'm curious as to why you went with 3rd party solutions for encryption and smartcard support instead of using Windows Server, which has those capabilities built in. Mostly I'm curious about the limitations of Windows Server products

Well for one thing, for every client that uses Windows Server for _authentication_ you have to pay up for an extra internet Client Access License. As far as I understand this (and I re- read the terms not so long back) that's each _individual_ client, not concurrent or pooled / proxied clients.

Win2k has excellent smartcard suport, out of the box, highly recommended to lock down _physical access_. But, if like me, you're interested in smartcard authentication for a fair number of users _remotely_ it may not be the best solution to work with your existing toolchain (e.g. Cygwin, OpenSSH etc.)

That's just what comes immediately to mind. I've not delved all I should, so further comment very welcome.

I'll just part with the thought that in your example of installing Certificate Services, if you used this to authenticate users for a web site in even a small installation, you could be talking about hundreds of required licenses. Up to you, though, of course :)

Re:This should be in .NET server and ported to W2K

[ergo98]

SSH tunneling is basically a predecessor to IPSec (and a hackish one at that). Both IPSec and L2TP are standards, and neither are proprietary to Windows: Both are supported in Linux, or any other major operating system, as well.

Cygwin is STANDARD on my Windows systems

[BitMan]

As a long-time NT administrator (original NT 3.1 beta tester), no Windows system goes on my network without Cygwin . In recent years, they've added XFree86 4.x (which works flawlessly nowdays), and other goodies like OpenSSH.

And on Win/NT versions (NT, 2K, XP), you can setup OpenSSH in full server mode which is especially sweet for automation. You can find more information on how to configure OpenSSH as a server on NT/2K/XP here.

There is not a week that goes by without me needing something (let alone another user on our local support list) that Cygwin doesn't solve quickly and effectively. Again, that's why its on all my Windows systems by default.

From Openssh.com

[RedSynapse]

The following "free" clients are recommended for interoperating with OpenSSH from Windows machines:

• PuTTY is an SSH1+SSH2 implementation. PSCP, an scp-style program for Windows, is also available.

  PuTTY is available under the MIT licence (BSD-like).

  "PuTTY is a free implementation of Telnet and SSH for Win32 platforms, written and maintained primarily by Simon Tatham, who lives in Great Britain."

• TTSSH (SSH1) is an SSH1-only implementation, by Robert O'Callahan.

  "TTSSH is a free SSH client for Windows. It is implemented as an extension DLL for Teraterm Pro. Teraterm Pro is a superb free terminal emulator/telnet client for Windows, and its source is available. TTSSH adds SSH capabilities to Teraterm Pro without sacrificing any of Teraterm's existing functionality. TTSSH is also free to download and use and its source is available too, with an open source license. Furthermore, TTSSH has been developed entirely in Australia [...]."

• Cygwin (POSIX software on top of Windows)

  OpenSSH (SSH1 and SSH2 protocol) with Cygwin can run on Windows using the portable version of OpenSSH.

• MSSH

  MSSH from the Metropolitan State College of Denver supports Windows 95 and Windows 98, supporting SSH1 protocol.

• OpenSSH for Windows

  Another OpenSSH running on top of Windows..

• Secure iXplorer

  Secure iXplorer is graphical front end to PuTTY's pscp.exe.

• WinSCP

  WinSCP is a scp(1) program for Windows, with PuTTY integrated into it.

The following clients are recommended for interoperating with OpenSSH from Mac machines:

• NiftyTelnet 1.1 SSH is an SSH1-only implementation which comes with a scp-style program. Written by Jonas Wallden.

  "NiftyTelnet 1.1 SSH r3 is an enhanced version of Chris Newman's NiftyTelnet 1.1 application which adds support for encrypted terminal sessions using the SSH (Secure Shell) protocol. Please read the included Readme file before distributing this version."

• MacSSH is an SSH2-only implementation.

  "MacSSH is a modified version of BetterTelnet with SSH2 support. [...] The only SSH2 client for MacOS that I could find is a commercial product thats costs more than $100, and it crashes my Mac when closing a session... Since it's best to do things by oneself, here's MacSSH."

SSH has much greater functionality than IPSEC.

[kcurrie]

The problem with using things like IPSEC is that you need IPSEC servers which are your choke points, unless you want to have a configuration nightmare and manage thousands of independant IPSEC configs on thousands of machines-- totally not practical. SSH gives you many handy things like X forwarding/arbitrary port forwarding, the ability to load a password into memory (via ssh-agent) and use it for automatic, passwordless authentication, file transfers (both with things like scp and sftp, and it can be used for a transport agent for things like rsync/unison, etc). It's easier to poke a SINGLE hole through a firewall on any port you want, with no compatability issues. Built in (variable) compression, very handy for speeding up your X sessions, as well as things like IMAP/POP mail transfers, etc. Using something like IPSEC, how can you say "I want to compress all IMAP and POP mail to hostA, but not web traffic on hostA, and I want X compressed to hostB, but not to hostC?" All of these things are easy to do with SSH.
With SSH I can use one standard protocol/app set that will run on everything from cell phones to PDAs to huge servers, running all kinds of OS's, generally at little to no cost. Show me an IPSEC solution that can do that. SSH requires no kernal mods, or even anything that must be installed as a root/administrator on any platform. The code is open, and free for you to mod as well. If you must have VPN type functionality you CAN do things like PPP over SSH if you must, although this isn't the highest performing option, it is possible.
The one thing SSH *IS* missing is the ability to forward UDP traffic.

It's easy with an SSH tunnel

[Supp0rtLinux]

I had a similar issue. My solution was to host all shared files on a Linux server running Samba. I then set up SSH tunnels for the WINS/NetBIOS ports. Windows clients didn't know it was secure, but I did. Most Windows clients wouldn't know if their stuff was secure or not anyways...