Slashdot Mirror


SSH Secure Services on Windows 2K/XP?

jstockdale asks: "Lately I've been working on the security of the few Windows boxes I administer, specifically XP and 2000 stations. I haven't had much of a problem finding decent solutions for file/email/disk encryption (besides the fact that PGP is no longer selling their products), or for smartcard or smartcard+biometric solutions (besides the limitations on key size (2048-bit RSA maximum) and flexibility). However, when it comes to SSH services for remote administration, Windows file sharing, and SFTP for file transfers, I have hit a dead end. I have looked into SSH, but their SSH for Windows Servers only runs on 2000, and costs $565. I ask what solutions /.ers have found in the realm of SSH network encryption, and also in integrating all these components simply and effectively."

5 of 238 comments

  1. What's wrong with Win2k server? by gcshaw2nd · Score: 2, Interesting

    This is slightly off topic, but I'm curious as to why you went with 3rd party solutions for encryption and smartcard support instead of using Windows Server, which has those capabilities built in. Mostly I'm curious about the limitations of Windows Server products (this is not a troll, and I'm not interested in flames about M$).

    I always thought of PGP as a personal resource, not something capable of effectively encrypting entire network environments. Why do you choose not to use the EFS capabilities of Windows, which, to my knowledge, are very secure and transparent to the user (provided (s)he has permission to decrypt).

    The same question applies to smartcard technology. Windows supports the PKINIT protocol, RSA, CryptoAPI, etc. You can install Certificate Authority software as part of your install. Why specifically go with Cryptoflex?

    And specifically regarding your SSH question: it's not SSH, but Windows Server supports Remote Access services via which you could set up a VPN and have a secure connection to the company servers.

    Please share your knowledge.

  2. Re:OpenSSH + CygWin + libsectok by ajs · Score: 3, Interesting

    What's even scarier is being on an XP box, starting up a shell, typing "startx", getting an xterm, running "ssh -XCfc blowfish me@linuxbox evolution" and getting a usable mail client on Windows! :-)

  3. Stunnel, TLSWrap, SSLWrap, Safetp. by BrookHarty · Score: 3, Interesting

    I personally use Stunnel on a few boxes, Linux/Windows/FreeBSD. It basically wraps your connection with SSL. You set it up on both servers, then connect to localhost:port and it forwards to the remote server, SSL encrypted. Like SSH tunnels, but it's a stand-alone program. Also very transparent to the user.

    TLSwrap is another SSL wrapper, used for FTP, but can be used for other ports.
    Safetp seems to be a popular one with the college kids. I've tested it out, and it does encrypt your session, and any FTP client will work since it encrypts the port.

    Personally, I don't want a command line on Windows, I want a GUI for Windows. TightVNC isn't encrypted, but you can use stunnel to take care of that. But I find Remote Desktop, using RDP 5.1, is fast as hell (compared to TightVNC) and is designed for Windows. Very usable over a modem too.

    I Love computers and networking, 500 solutions to 1 problem.
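The stunnel setup the comment above describes (wrap an unencrypted TightVNC listener in SSL on the server, connect to a local port on the client), written out as an added example; this is not configuration from the original post or from the stunnel project. The file names (stunnel.pem, client.pem, ca.pem), the hostname vncserver.example.com and the port numbers are assumptions, and it assumes TightVNC has been set to listen on the loopback address only, so that the only way onto port 5900 is through the tunnel.

```ini
; --- stunnel.conf on the VNC server (Windows box running TightVNC on 127.0.0.1:5900) ---
; Assumed file names: stunnel.pem holds this server's certificate and key,
; ca.pem holds the private CA that signed both the server and client certs.
cert = stunnel.pem
CAfile = ca.pem
; Require a client certificate signed by our CA: without this, anyone who can
; reach port 5901 gets an encrypted path straight to the VNC password prompt.
verify = 2

[vnc]
accept = 5901
connect = 127.0.0.1:5900


; --- stunnel.conf on the client (the machine you sit at) ---
client = yes
cert = client.pem
CAfile = ca.pem
; Verify the server's certificate chain, otherwise the SSL wrapper encrypts
; the session but does nothing against a man-in-the-middle.
verify = 2
; Pin the expected name in the server certificate (stunnel 5.x option).
checkHost = vncserver.example.com

[vnc]
; Bind to loopback only; a 0.0.0.0 listener here would hand the tunnel to
; anyone else on the local network.
accept = 127.0.0.1:5900
connect = vncserver.example.com:5901
```

With both sides running, the VNC viewer is pointed at 127.0.0.1:5900 as usual; the viewer never knows the session is wrapped. The two `verify = 2` lines are the part most often left out in the quick version of this recipe, and the one that matters: mutual certificate checking is what turns "encrypted" into "encrypted to the right peer".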

  4. Is there still a problem with Cygwin shared memory? by Anonymous Coward · Score: 1, Interesting

    I seem to remember a problem with the Cygwin sshd was that, due to the Cygwin libs, users didn't have partitioned memory, i.e. I could log in as "userA" and have access to the administrator's/another user's memory space. That would be a BIG problem when using ssh-agent and the like (or just about any program, really!)
    Has this been fixed yet?

  5. Re:SSH has much greater functionality than IPSEC. by kcurrie · Score: 2, Interesting

    > Personally I prefer IPSec to be on for all communications throughout the entire organization (versus just "from the Internet in". I'd do that via a L2TP VPN server).

    I too would agree with this statement: in an ideal world with mixed platforms (Solaris, Linux, Windows, HPUX), IPSEC everywhere would be ideal; I just fear that cross-platform management would be a nightmare. One of the most attractive aspects of using IPSEC is, as you mention, that you can do all of this without your users even being aware of it, and no tool changes are required.
    I'm speaking out of my ass in a certain respect, as I haven't configured IPSEC on a mass scale for multiple platforms (but I have with SSH), but I'm not aware of any multiplatform (as mentioned above, all of them, not just a couple) IPSEC products where changes can be easily made by one person on one platform. Again, these may exist, and if you know of any, I'd be interested in hearing about them.

    Of course I understand that IPSEC is fully documented and heavily deployed (I work at a company that makes many IPSEC products); I was just speaking about the ease of SSH implementation and the light weight of the required apps. I'm not aware of any Java or

    Regarding compression, authentication, etc.: these are all separate elements of the communications layers, and personally I don't LIKE to see them all slammed together in some emacs-type "cater to everyone" combination.

    It's all about what you want to use it for. Even in an all-IPSEC environment, SSH is still very useful ON TOP of it all for things like transparent X forwarding between machines (no more setting your $DISPLAY), authentication, etc.

    As I mentioned, I wouldn't use SSH for a VPN, although I specifically DO use SSH instead of a VPN for telecommuting, and I work from home 4 days a week.

    --
    -- I speak only for myself.
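The "SSH instead of a VPN" arrangement the comment above describes, and the remote-administration and file-sharing use the original question asks about, can be done with nothing more than OpenSSH port forwarding. The client config below is an added example, not something from the poster or from the OpenSSH project; the host alias, gateway name ssh-gateway.example.com, internal hostname winxp-box.internal, user name and key file are all assumptions. It assumes an OpenSSH client on the home machine (the Cygwin build mentioned earlier works) and an SSH server at the office that can reach the Windows box.

```sshconfig
# ~/.ssh/config on the telecommuter's machine (added example; names are assumed)
Host office
    HostName ssh-gateway.example.com
    User jstock
    IdentityFile ~/.ssh/id_rsa_office
    # Key-based login only; never let a password be typed into an untrusted prompt
    PasswordAuthentication no
    # Pin the gateway's host key: a changed key aborts the session instead of
    # asking, which is the whole point when the tunnel carries RDP credentials
    StrictHostKeyChecking yes
    # Remote Desktop on the internal Windows box. Bind to loopback only; with
    # 0.0.0.0 (or ssh -g) every host on the home LAN could ride the tunnel.
    LocalForward 127.0.0.1:3389 winxp-box.internal:3389
    # Windows file sharing (direct-hosted SMB, TCP 445). Windows 2K/XP's own
    # SMB stack already owns 127.0.0.1:445, so the listener goes on a second
    # loopback address (Microsoft Loopback Adapter with 10.254.254.1, assumed).
    LocalForward 10.254.254.1:445 winxp-box.internal:445
    # Worth having over a modem line, as the ssh -C example above shows
    Compression yes
    ServerAliveInterval 30
```

Then `ssh -N office` brings the forwards up, `mstsc /v:127.0.0.1` gives Remote Desktop over the encrypted channel, and `\\10.254.254.1\share` maps the Windows share through it. SFTP needs no forward at all: `sftp office` (or WinSCP) talks to the gateway's sshd directly. The loopback-only binds and `StrictHostKeyChecking yes` are the two settings that separate this from a convenience hack: the first keeps the tunnel private to the machine running it, the second stops a spoofed gateway from collecting Windows logins.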