Slashdot Mirror
SSH Secure Services on Windows 2K/XP?
jstockdale asks: "Lately I've been working on the security of the few Windows boxes I administer, specifically XP and 2000 stations. I havn't had much of a problem finding decent solutions for file/email/disk encryption (besides the fact that PGP is no longer selling their products), or for smartcard or smartcard+biometric solutions (besides the limitations on key size (2048-bit RSA maximum) and flexability). However when it comes to SSH services for remote administration, windows filesharing, and SFTP for file transfers I have hit a dead end. I have looked into SSH but their SSH for Windows Servers only runs on 2000, and costs $565. I ask what solutions have /.er's found in the realm of ssh network encryption, and also in integrating all these components simply and effectively."
Works just dandy
www.cygwin.com
Please use [ informative / summarizing ] SUBJECT LINES
Flame me here
openssh works fine under cygwin. that is what we use.
Non impediti ratione cogitationis.
You can get Putty here: http://www.chiark.greenend.org.uk/~sgtatham/putty/ .
http://www.vandyke.com/products/vshell/
Non, je ne veux pas coucher avec toi ce soir.
If you need what SSH provides, buy the damn thing and get it over with. You'd spend a helluva lot more than 10 hours getting something else working - or even just looking for something else.
I've been running a Bitvise WinSSHD server for a while and it works just fine. Integrates with the Windows login also, which is a nice plus. Easy to install, configure, and use.
My question is sort of off-topic, but I don't really know where to ask it: Where is the Windows programming community? How do Windows programmers get their information and help? I am familiar with how to get information for *nix programming: just search the web, look up the manpages, and post questions on the mailing lists/newsgroups. But I have a hell of a time writing Windows programs because I can't seem to find the mutual support network that is so common in the *nix world.
You may want to have a look at vandyke.com; their VShell SSH server has a 'personal' edition which works very well for systems management and is cheaper than the SSH product. I've used their products for years on the server as well as client-side, and found them very reliable, as well as very well-behaved Windows services...
There's lots of options available for SSH on Win32, a simple Google search turns them up. Specifically there's a free zipfile out there called ssh-win32.zip that contains a basic SSH terminal that works well. There's also GPL port-attempts of the unix commandline ssh tools, some of which work ok. In the cheapware/shareware category there's stuff like SecureCRT and F-Secure SSH. The list goes on and on... apparently some people like PuTTY.
11*43+456^2
Rather than some *cough* *cough*....I wish to actually try to provide some help. I've been using Remotely Anywhere for remote administration of my win2k network. It does a lot more than it sounds like you're asking for, but it is extremely useful and runs an ssh server. It is relatively cheap, but not free. Website
As a few people have mentioned OpenSSH is supported on Windows via CygWin. What hasn't been mentioned is that OpenSSH supports smartcards through the use of libsectok. I use it with Schlumberger Cyberflex Access cards.
I don't know whether libsectok has been built on Windows before, but it uses the standard /dev/tty interface so it should be too difficult to get working.
Although, I have had problems that if you try and resize the rxvt it stops responding, and stupid Windows doesn't kill the children if you kill the rxvt so you end up with dead processes hanging around if you're not careful, but in principle it all works fine. ssh, scp, the lot. It all interoperates with Unix beautifully.
There is a freeware windows scp program callled, not surprisingly, winscp. It is freeware and uses some code from Putty. Everyone I know has found this program very useful. Main web page: http://winscp.vse.cz/eng/ and download here: http://winscp.vse.cz/eng/download.php I found version 2.0 to be quite stable even though it is called beta.
Do you know what the licensing for code snippets from MSDN is? They always provide them but I can't find a copyright release anywhere. Maybe I'm not looking hard enough (or recently enough).
My unit recently started using the SSH product and had issues with it. When SFTP'ing files from our windows boxes to our *nix servers random sections of text files would mysteriously dissapear. Also the term client has been flaky for me, when I'm in emacs (my editor of choice) and I backscroll it will occasionally insert random sections of my backscroll into my emacs buffer... So if you go with SSH for Windows clients, watch your text ftp's and save before you scroll up ;)
They who would give up an essential liberty for temporary security, deserve neither liberty nor security
Perhaps the poor guy just didn't know about it.
It's not very well known in the Windows world - seems to be something that us Unix folk load onto Windows machines to make them feel a little more like "home". I hope it gains more recognition by the Windows "mainstream" types, as it's one excellent bundle of useful apps.
OpenSSH on Cygwin. It's free. I'm not sure if Cygwin provides enough unixy hooks to support sftp, but I'd imagine it does...
Google helps you find stuff. Google does not give you informed recommendations from your peers. Duh.
If you're looking for fingerprint login that integrates well with Win2k, check into the DigitalPersona U.are.U stuff.
I have their inexpensive "UareU Pro" system, and it works great for (literally) one-touch Win2k logins. You can integrate it with your domain server to make fingerprint logins universal, but even just on a local workstation, it works fine.
Unfortunately, zero Linux support.
You can use the fingerprint biometrics for an encrypted virtual drive with additional software, but without any documentation or peer review of their encrypted storage, it's impossible to evaluate their security.
This is slightly off topic, but I'm curious as to why you went with 3rd party solutions for encryption and smartcard support instead of using Windows Server, which has those capabilities built in. Mostly I'm curious about the limitations of Windows Server products (this is not a troll, and I'm not interested in flames about M$).
I always thought of PGP as a personal resource, not something capable of effectively encrypting entire network environments. Why do you choose not to use the EFS capabilities of Windows, which, to my knowledge, are very secure and transparent to the user (provided (s)he has permission to decrypt).
The same question applies to Smartcard technology. Windows supports the PKINIT protocol, RSA and CryptoAPI etc. You can install Certificate Authority software as part of your install. Why specifically go with cryptoflex?
And specifically regarding your SSH question, it's not SSH but Windows Server supports Remote Access services via which you could set up a VPN and have a secure connection to the company servers.
Please share your knowledge.
Last time I had a Windows problem, I did look on the net (DejaNews). What I found were that several other people had the same problem, but nobody had posted a solution.
Maybe this was because there was no solution!
For the server side use SSH from cygwin and for the client side I really like TTSSH as an extension to Teraterm. It also looks like there is now a TTX SSL and an SSL OTP available too. By the way, all of these have source available.
I'm guessing that your point was that there are fewer servers than clients, but you have to realise that you don't know what he does for a living.
I personally work to support a network of thousands of Linux and Windows servers. Definitly more servers than clients owned by us.
You can run both CMD and bash via OpenSSH on Windows with Cygwin. It works reliably, and there's quite a few useful command line utilities for the newer versions of windows (2000, XP), especially if you grab the resource kits. However, if you have the bandwidth (and hopefully you do) why not run terminal services?
In my opinion the best places to find out information about Microsoft technologies and products are
PS: So this post isn't offtopic I'll add something about SSH. OpenSSH in Windows is possible if one installs Cygwin.
While attending a security session put on by the SANS institute, they had a REALLY cool solution for protecting machine to machine communication in an 'unsafe' network environment.
They used a feature of IPSEC that didn't encrypt the packets, but CRC'd them anyway. Then they configured the machines that were supposed to listen to the outside world (Business logic servers/ database servers) to punt all packets that didn't have an IPSEC crc on 'em.
The system does the decoding at IIRC the 2nd or 3rd layer, using some very efficient code Microsoft got from Cisco. The teacher reported pounding on a laptop on a 100mbit segment with 6 orther attacking computers and the laptop registered about 12% utilization whil punting illegal packets.
"Draco dormiens nunquam titillandus."
Now that Microsoft has woken up to the need for improved security it is imperative that they should have SSH as an integral part of .NET Server and back-port it, Security Configurator and Analysis-style, to W2K Server and NT4 Server.
SSH, SFTP and SCP would be wonderful tools to have. Just yank out Telnet, yank out IIS FTP Server and so forth and put this in instead. Terminal Services is fine and all but sometimes you need to do remote file transfers. The current alternatives MS provides are just not any good.
Knowledge is power. Knowledge shared is power multiplied.
Yup, another classic example of 'when all you know how to use is a hammer, every problem starts to look like a nail.
Vintage computer games and RPG books available. Email me if you're interested.
How about filesystem encryption for Linux? Something that works effectively, well enough that it can be used in the real world. The kernel loopback encryption would be perfect, except it breaks with each kernel release and an indefinite time must be waited for patches - and patches might make old data unreadable. Is there any practical solution?
Second all of the above.
For configuring sshd, see http://tech.erdelynet.com/cygwin-sshd.html.
What part of "gestalt" don't you understand?
Our company had to set up a complete production system that was redundant and had to be administered remotely (120 miles away). That is why we went with Solaris servers and OpenSSH/VanDyke Windows client, and tossed MS for the servers out. Of course, we were fortunate enough that none of our applications had to run on a specific platform (web server, weblogic, Oracle, C++, and Java).
... maybe a little) but when it came right down to brass tacks, Unix is far easier and has far more options to administer remotely than Windows. That darn command line thing where I can change any setting easily from using a 24K dialup modem is a godsend when doing remote administration.
Why am I telling you all this?? Not to bash MS. I ask that you look really close at your requirements and remote administration. Do they say 'I have to run on Windows??'. If not, maybe it's time to look elsewhere for solutions.
Nothing to do with security or scalability or reliability (ok
If you have to have a Windows solution, I saw a lot of good ones above that we use, Cygwin and VanDyke being my favorite.
I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
I too am an administrator of many Windows boxen and am very security conscious . The absolute best information I have found about Windows Security, was from this Oreilly book: Securing Windows NT/2000 Servers for the Internet
A Checklist for System Administrators I know its primarilly about creating Windows Bastion hosts, but there is an aweful lot of general Windows security and remote administration information as well. Every Windows sysadmin needs to give it a read!
Rule of Life Number 2: Remember, it can all go to hell at any minute. --Jimmy Buffet
but what does ssh have over Terminal Services?
Is it more "secure"? It seems that win2k has very little command prompt ability and most people don't even know anything other then a few basics... So I guess my question I guess is Why?
I personally use Stunnel on a few boxes, linux/windows/freebsd. It basically wraps your connection with ssl. You set it up on both servers, then connect to localhost:port and it forwards to the remote server ssl encrypted. Like ssh tunnels, but its a stand alone program. Also very transparent to the user.
TLSwrap is another ssl wrapper, used for ftp, but can be used for other ports.
Safetp seems to be a popular one with the college kids. Ive tested it out, and it does encrypt your session, and any ftp client will work since it encrypted the port.
Personally, I dont want command line on windows, I want a GUI for windows. Tight VNC isnt encrypted, but you can use stunnel to take care of that. But I find remote desktop, using rdp 5.1, is fast as hell(compared to tightvnc) and is designed for windows. Very usable over a modem too.
I Love computers and networking, 500 solutions to 1 problem.
You can download cygwin for free from cygwin.com. It includes both the client and the server for ssh. You can set up ssh as a service that runs even prior to login, so it's the real deal. All drives are accessible through the shell via the invisible /cygdrive/c, /cygdrive/d, etc directory. All the rest is explained on the Cygwin site. I believe commercial support for Cygwin is offered by Redhat, but it's worth noting that they have a very responsive free support list, frequented by all the major developers/porters.
Give it a go. I think you'll be impressed.
Says the RIAA: When you EQ, you're stealing bass!
Comment removed based on user account deletion
Google helps you find stuff. Google does not give you informed recommendations from your peers. Duh.
/XP)
Google search for "SSH Secure Services on Windows 2K" (cut and paste job from article title, leaving off
Result number ten is called "How to setup SSH service on an Windows NT\2000 system." using cygwin etc.
So there.
I've looked at BestCrypt, Scramdisk, and DiskCrypt.
What have you found that works for you?
Get off my launchpad!
As a long-time NT administrator (original NT 3.1 beta tester), no Windows system goes on my network without Cygwin . In recent years, they've added XFree86 4.x (which works flawlessly nowdays), and other goodies like OpenSSH.
And on Win/NT versions (NT, 2K, XP), you can setup OpenSSH in full server mode which is especially sweet for automation. You can find more information on how to configure OpenSSH as a server on NT/2K/XP here.
There is not a week that goes by without me needing something (let alone another user on our local support list) that Cygwin doesn't solve quickly and effectively. Again, that's why its on all my Windows systems by default.
-- Bryan "TheBS" Smith
Independent Author, Consultant and Trainer
- PuTTY
is an SSH1+SSH2 implementation. PSCP, an
scp-style
program for Windows, is also available.
- TTSSH (SSH1)
is an SSH1-only implementation, by Robert O'Callahan.
- Cygwin (POSIX software on top of Windows)
- MSSH
- OpenSSH for Windows
- Secure iXplorer
- WinSCP
The following clients are recommended for interoperating with OpenSSH from Mac machines:PuTTY is available under the MIT licence (BSD-like).
"PuTTY is a free implementation of Telnet and SSH for Win32 platforms, written and maintained primarily by Simon Tatham, who lives in Great Britain."
"TTSSH is a free SSH client for Windows. It is implemented as an extension DLL for Teraterm Pro. Teraterm Pro is a superb free terminal emulator/telnet client for Windows, and its source is available. TTSSH adds SSH capabilities to Teraterm Pro without sacrificing any of Teraterm's existing functionality. TTSSH is also free to download and use and its source is available too, with an open source license. Furthermore, TTSSH has been developed entirely in Australia [...]."
OpenSSH (SSH1 and SSH2 protocol) with Cygwin can run on Windows using the portable version of OpenSSH.
MSSH from the Metropolitan State College of Denver supports Windows 95 and Windows 98, supporting SSH1 protocol.
Another OpenSSH running on top of Windows..
Secure iXplorer is graphical front end to PuTTY's pscp.exe.
WinSCP is a scp(1) program for Windows, with PuTTY integrated into it.
"NiftyTelnet 1.1 SSH r3 is an enhanced version of Chris Newman's NiftyTelnet 1.1 application which adds support for encrypted terminal sessions using the SSH (Secure Shell) protocol. Please read the included Readme file before distributing this version."
"MacSSH is a modified version of BetterTelnet with SSH2 support. [...] The only SSH2 client for MacOS that I could find is a commercial product thats costs more than $100, and it crashes my Mac when closing a session... Since it's best to do things by oneself, here's MacSSH."
The problem with using things like IPSEC is that you need IPSEC servers which are your choke points, unless you want to have a configuration nightmare and manage thousands of independant IPSEC configs on thousands of machines-- totally not practical. SSH gives you many handy things like X forwarding/arbitrary port forwarding, the ability to load a password into memory (via ssh-agent) and use it for automatic, passwordless authentication, file transfers (both with things like scp and sftp, and it can be used for a transport agent for things like rsync/unison, etc). It's easier to poke a SINGLE hole through a firewall on any port you want, with no compatability issues. Built in (variable) compression, very handy for speeding up your X sessions, as well as things like IMAP/POP mail transfers, etc. Using something like IPSEC, how can you say "I want to compress all IMAP and POP mail to hostA, but not web traffic on hostA, and I want X compressed to hostB, but not to hostC?" All of these things are easy to do with SSH.
With SSH I can use one standard protocol/app set that will run on everything from cell phones to PDAs to huge servers, running all kinds of OS's, generally at little to no cost. Show me an IPSEC solution that can do that. SSH requires no kernal mods, or even anything that must be installed as a root/administrator on any platform. The code is open, and free for you to mod as well. If you must have VPN type functionality you CAN do things like PPP over SSH if you must, although this isn't the highest performing option, it is possible.
The one thing SSH *IS* missing is the ability to forward UDP traffic.
-- I speak only for myself.
I use Bitvise WinSSHD.
Aside from dropping you straight to the Win2k command prompt, it has
You might want to take the one-day class on securing Windows 2000 currently being run in various cities by the SANS Institute or you won't have to worry about having secure remote access to your server(s) -- someone else will.
It won't help to have the best encryption in the world securing your front door to a system that has 120 vulnerabilities in the default install!
In times of universal deceit, telling the truth gets you modded -1 Troll
I had a similar issue. My solution was to host all shared files on a Linux server running Samba. I then set up SSH tunnels for the WINS/NetBIOS ports. Windows clients didn't know it was secure, but I did. Most Windows clients wouldn't know if their stuff was secure or not anyways...
-- Ed Avis ed@membled.com
- Go to the cygwin site and click on the "install now" box on the side of the screen. Run the setup.exe program off the site (don't bother to save it somewhere, it gets updated almost weekly).
- Tell it to install from the internet. Choose a mirror. It'll download a list of packages. Choose the Net | OpenSsh package. If you want to run the server, you might also want to choose everything in the Admin section. I also find Net | rsync more useful than the scp that comes with openssh.
- Once the install is complete, fire it up and run ssh-host-config to set up the server. It'll ask you a bunch of simple questions, generate your hostkey, and stick the server in the startup scripts.
With just this, the whole install takes about 32MB.Enjoy!
OpenSSH For Windows is what I use. It works pretty well. The Server only works on NT/2000 I think, but the client works on everything.
http://www.networksimplicity.com/openssh/
Comment removed based on user account deletion
Freeware SSH and SCP for Windows 9x, NT, ME, 2000 and XP By John Fitzgibbon