Slashdot Mirror


SSH Secure Services on Windows 2K/XP?

jstockdale asks: "Lately I've been working on the security of the few Windows boxes I administer, specifically XP and 2000 stations. I haven't had much of a problem finding decent solutions for file/email/disk encryption (besides the fact that PGP is no longer selling their products), or for smartcard or smartcard+biometric solutions (besides the limitations on key size (2048-bit RSA maximum) and flexibility). However, when it comes to SSH services for remote administration, Windows filesharing, and SFTP for file transfers I have hit a dead end. I have looked into SSH but their SSH for Windows Servers only runs on 2000, and costs $565. I ask what solutions have /.er's found in the realm of ssh network encryption, and also in integrating all these components simply and effectively."

22 of 238 comments

  1. www.Cygwin.com by aaron_pet · · Score: 3, Informative

    www.cygwin.com

    --
    Please use [ informative / summarizing ] SUBJECT LINES
    Flame me here
  2. Tried VShell? by triffidsting · · Score: 5, Insightful

    http://www.vandyke.com/products/vshell/

    --
    Non, je ne veux pas coucher avec toi ce soir.
    1. Re:Tried VShell? by xee · · Score: 5, Informative

      Indeed, VShell is an awesome SSH server for windows. I've been using it in a production environment for a few months now and am very pleased with its performance and ability. It hasn't been a particularly smooth ride, but VanDyke tech support is excellent (you send them a logfile, they'll tell you how to fix the problem). They even supported me before I bought the product. That was impressive. I highly recommend VanDyke SSH products for windows.

      --
      Oh shit! I forgot to click "Post Anonymously"...
  3. Re:openssh via cygwin. by Telastyn · · Score: 4, Insightful

    One trick that helps is using NT resource kit's srvany to install SSHD as a service instead of cygwin's service installer. A google search can show you how. But then again a simple google search could've prevented this whole article...

  4. Check out the VanDyke products by mdb31 · · Score: 5, Informative

    You may want to have a look at vandyke.com; their VShell SSH server has a 'personal' edition which works very well for systems management and is cheaper than the SSH product. I've used their products for years on the server as well as client-side, and found them very reliable, as well as very well-behaved Windows services...

  5. OpenSSH + CygWin + libsectok by dmiller · · Score: 5, Informative

    As a few people have mentioned, OpenSSH is supported on Windows via CygWin. What hasn't been mentioned is that OpenSSH supports smartcards through the use of libsectok. I use it with Schlumberger Cyberflex Access cards.

    I don't know whether libsectok has been built on Windows before, but it uses the standard /dev/tty interface so it should be too difficult to get working.

    1. Re:OpenSSH + CygWin + libsectok by philovivero · · Score: 4, Funny

      Mod parent up.

      Basically, I've gotten Cygwin with OpenSSH working on Win2K with zero problems.

      It's an eerie feeling typing "ssh philov@win2kbox" and then getting a Bash prompt.

      Remember, once you install Cygwin, to learn how to install *ANY* Unix server as a service on your Windows box. I got Apache and SSHd and a few others working trivially once I figured out that strange Cygwin addservice command.

    2. Re:OpenSSH + CygWin + libsectok by ajs · · Score: 3, Interesting

      What's even scarier is being on an XP box, starting up a shell, typing "startx", get an xterm, run "ssh -XCfc blowfish me@linuxbox evolution" and getting a usable mail client on windows! :-)

  6. Re:when you are too lazy to hit google by Anonvmous+Coward · · Score: 5, Insightful

    Google helps you find stuff. Google does not give you informed recommendations from your peers. Duh.

  7. Cygwin & TTSSH by cornice · · Score: 3, Informative

    For the server side use SSH from cygwin and for the client side I really like TTSSH as an extension to Teraterm. It also looks like there is now a TTX SSL and an SSL OTP available too. By the way, all of these have source available.

  8. Where to find the Windows programmers by Carnage4Life · · Score: 5, Informative
    Disclaimer: I work for Microsoft but this post contains my opinions and does not represent some official company statement

    In my opinion the best places to find out information about Microsoft technologies and products are

    1. Newsgroups: Most Microsoft technologies have a newsgroup in the microsoft.public.* hierarchy that is read not only by Microsoft employees but by dozens of regular developers who just want to help others who are having problems. I personally monitor microsoft.public.xml and microsoft.public.dotnet.xml where I answer a lot of questions and pass many of those I can't answer to the actual devs who work on the applications and APIs in question.

    2. Online Communities: There are a number of strong online communities where Windows developers congregate to share information, tips and tricks. These range from Microsoft sponsored sites like GotDotNet, ASP.NET, and Windows Forms.NET that are run by MSFT employees who participate actively in these communities to independent sites like 4 Guys from Rolla, Code Project, Dev Hood, DevelopMentor and CodeGuru.

    3. Microsoft Websites: Few places beat MSDN as a source of information about Microsoft technologies. By the way, if you are into XML check out my Extreme XML column.

    4. Mailing Lists: There are a number of mailing lists hosted by various parties about Microsoft technologies. The ones I've seen with the most vibrance have been the DevelopMentor mailing lists and the ASP Friends lists.

    PS: So this post isn't offtopic, I'll add something about SSH. OpenSSH in Windows is possible if one installs Cygwin.
  9. Re:Windows Programming: A related question by W2k · · Score: 4, Informative

    My sources for programming info and help/support:

    CodeGuru and CodeProject - both EXCELLENT sources of information, especially for MFC stuff. CodeProject also has lots on C#.

    Microsoft Developer Network is a great source of support (especially the KB) and the MSDN library holds a full reference for the Microsoft implementations of C/C++, C#, Visual Basic, et al. MSDN is also integrated into Visual Studio.NET, so I rarely feel the need to visit the website directly.

    Finally, lots of programmers gather in Usenet newsgroups and on IRC. I can recommend the channel #c++ on Quakenet (irc.quakenet.org) as a great source of help for Windows programmers, so long as you follow the (rather strict) channel rules. Don't miss the #c++ n00blist of people who have failed to observe these rules ... :)

    I hope this helps...

    --
    Quality, performance, value; you get only two, and you don't always get to pick.
  10. Yep -- sshd configuration instructions by KMSelf · · Score: 4, Informative

    Second all of the above.

    For configuring sshd, see http://tech.erdelynet.com/cygwin-sshd.html.

    --
    What part of "gestalt" don't you understand?

  11. Not a troll...just a suggestion by johnlcallaway · · Score: 3, Offtopic

    Our company had to set up a complete production system that was redundant and had to be administered remotely (120 miles away). That is why we went with Solaris servers and OpenSSH/VanDyke Windows client, and tossed MS for the servers out. Of course, we were fortunate enough that none of our applications had to run on a specific platform (web server, weblogic, Oracle, C++, and Java).

    Why am I telling you all this?? Not to bash MS. I ask that you look really closely at your requirements and remote administration. Do they say 'I have to run on Windows??'. If not, maybe it's time to look elsewhere for solutions.

    Nothing to do with security or scalability or reliability (ok ... maybe a little) but when it came right down to brass tacks, Unix is far easier and has far more options to administer remotely than Windows. That darn command line thing where I can change any setting easily from using a 24K dialup modem is a godsend when doing remote administration.

    If you have to have a Windows solution, I saw a lot of good ones above that we use, Cygwin and VanDyke being my favorite.

    --
    I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
  12. Re:What's wrong with Win2k server? by new500 · · Score: 4, Informative

    . . .

    I'm curious as to why you went with 3rd party solutions for encryption and smartcard support instead of using Windows Server, which has those capabilities built in. Mostly I'm curious about the limitations of Windows Server products

    Well, for one thing, for every client that uses Windows Server for _authentication_ you have to pay up for an extra internet Client Access License. As far as I understand this (and I re-read the terms not so long back) that's each _individual_ client, not concurrent or pooled / proxied clients.

    Win2k has excellent smartcard support, out of the box, highly recommended to lock down _physical access_. But, if like me, you're interested in smartcard authentication for a fair number of users _remotely_ it may not be the best solution to work with your existing toolchain (e.g. Cygwin, OpenSSH etc.)

    That's just what comes immediately to mind. I've not delved all I should, so further comment very welcome.

    I'll just part with the thought that in your example of installing Certificate Services, if you used this to authenticate users for a web site in even a small installation, you could be talking about hundreds of required licenses. Up to you, though, of course :)

  13. Stunnel, TLSWrap, SSLWrap, Safetp. by BrookHarty · · Score: 3, Interesting

    I personally use Stunnel on a few boxes, linux/windows/freebsd. It basically wraps your connection with ssl. You set it up on both servers, then connect to localhost:port and it forwards to the remote server ssl encrypted. Like ssh tunnels, but it's a stand-alone program. Also very transparent to the user.

    TLSwrap is another ssl wrapper, used for ftp, but can be used for other ports.
    Safetp seems to be a popular one with the college kids. I've tested it out, and it does encrypt your session, and any ftp client will work since it encrypted the port.

    Personally, I don't want command line on windows, I want a GUI for windows. Tight VNC isn't encrypted, but you can use stunnel to take care of that. But I find remote desktop, using rdp 5.1, is fast as hell (compared to tightvnc) and is designed for windows. Very usable over a modem too.

    I Love computers and networking, 500 solutions to 1 problem.
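An added example (not from any poster on this page) of the stunnel setup BrookHarty describes, in stunnel 4 configuration-file syntax: the remote Windows box runs TightVNC on the loopback interface and stunnel listens on 5901, while the administrator's workstation listens on localhost:5900 and forwards over TLS. Hostnames, ports, certificate paths and the service names in brackets are assumptions.

```ini
; --- Server side (the Windows box running TightVNC): stunnel.conf ---
; Assumed: TightVNC is bound to 127.0.0.1:5900 only, so the
; unencrypted hop between stunnel and VNC never leaves the machine.
cert = C:\stunnel\server.pem      ; server certificate (assumed path)
key  = C:\stunnel\server.pem      ; matching private key, same file
; Optional: also require a client certificate, so only holders of a
; cert signed by the CA in CAfile can reach the VNC port at all.
; verify = 2
; CAfile = C:\stunnel\clients-ca.pem

[vnc-in]
accept  = 5901                    ; TLS listener reachable from the network
connect = 127.0.0.1:5900          ; plaintext VNC, loopback only

; --- Client side (the administrator's workstation): stunnel.conf ---
client = yes
; Without verify/CAfile the client accepts any certificate the far end
; presents, so an on-path attacker could substitute its own; verify = 2
; makes the client check the server certificate against the trusted CA.
verify = 2
CAfile = C:\stunnel\server-ca.pem ; CA that signed the server cert (assumed path)

[vnc-out]
accept  = 127.0.0.1:5900          ; the VNC viewer connects here
connect = win2kbox.example:5901   ; stunnel on the remote box (assumed host)
```

The VNC viewer is then pointed at localhost:5900, exactly as the post describes; only the TLS-wrapped port 5901 needs to be reachable through the firewall.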

  14. Re:when you are too lazy to hit google by Qrlx · · Score: 3, Insightful

    Google helps you find stuff. Google does not give you informed recommendations from your peers. Duh.

    Google search for "SSH Secure Services on Windows 2K" (cut and paste job from article title, leaving off /XP)

    Result number ten is called "How to setup SSH service on an Windows NT\2000 system." using cygwin etc.

    So there.

  15. Re:Windows Programming: A related question by Stonehand · · Score: 3, Insightful

    Pure, unadulterated bullshit of the worst stereotypical kind. Having actually /been/ there, and being aware of their recruitment procedures and also of their penchant for hiring damn fine academics who know their stuff, I can tell you that if you are a clod who can't think on his feet and doesn't know what he's doing, you won't get in. And the people that were there were pretty damn motivated to do well -- one has to be, in order to work at a company that's all but compared to the Third Reich these days.

    Compare that to the unclean drivel in the Linux kernel, laden with intelligent comments like "Sun fucking blows me", clearly broken VMs that get released despite all those allegedly useful eyes staring at the code and supposedly testing it, and the unprofessional spats between the dev community.

    And if you think caring about something means that it's so obviously superior, I would suggest that you consider the fanatical behavior of assorted cults throughout history -- or, alternately, the idiots on "American Idol" who clearly /care/ about their art, but can't do it worth a damn. The people who did the art for "Craft" and for that Warcraft clone and for that FreeCiv (clone...) probably /care/ about their art too, but graphically... there's no comparison with that produced by the pros.

    As for why I code, when I do -- it's a method. Algorithms aren't too interesting if never tested, and I'm sure as hell not doing large amounts of repetitive mathematics by hand. So for me, programming is merely an extremely efficient way of getting things done, and not an end in and of itself. When it comes to recreation, I find classic literature or photography much more interesting than implementing Nelder-Mead simplex routines for function minimization, or their ilk.

    --
    Only the dead have seen the end of war.
  16. Cygwin is STANDARD on my Windows systems by BitMan · · Score: 3, Informative

    As a long-time NT administrator (original NT 3.1 beta tester), no Windows system goes on my network without Cygwin. In recent years, they've added XFree86 4.x (which works flawlessly nowadays), and other goodies like OpenSSH.

    And on Win/NT versions (NT, 2K, XP), you can set up OpenSSH in full server mode, which is especially sweet for automation. You can find more information on how to configure OpenSSH as a server on NT/2K/XP here.

    There is not a week that goes by without me needing something (let alone another user on our local support list) that Cygwin doesn't solve quickly and effectively. Again, that's why it's on all my Windows systems by default.

    --
    -- Bryan "TheBS" Smith
    Independent Author, Consultant and Trainer
  17. From Openssh.com by RedSynapse · · Score: 4, Informative
    The following "free" clients are recommended for interoperating with OpenSSH from Windows machines:

    • PuTTY is an SSH1+SSH2 implementation. PSCP, an scp-style program for Windows, is also available.

      PuTTY is available under the MIT licence (BSD-like).

      "PuTTY is a free implementation of Telnet and SSH for Win32 platforms, written and maintained primarily by Simon Tatham, who lives in Great Britain."

    • TTSSH (SSH1) is an SSH1-only implementation, by Robert O'Callahan.

      "TTSSH is a free SSH client for Windows. It is implemented as an extension DLL for Teraterm Pro. Teraterm Pro is a superb free terminal emulator/telnet client for Windows, and its source is available. TTSSH adds SSH capabilities to Teraterm Pro without sacrificing any of Teraterm's existing functionality. TTSSH is also free to download and use and its source is available too, with an open source license. Furthermore, TTSSH has been developed entirely in Australia [...]."

    • Cygwin (POSIX software on top of Windows)

      OpenSSH (SSH1 and SSH2 protocol) with Cygwin can run on Windows using the portable version of OpenSSH.

    • MSSH

      MSSH from the Metropolitan State College of Denver supports Windows 95 and Windows 98, supporting SSH1 protocol.

    • OpenSSH for Windows

      Another OpenSSH running on top of Windows.

    • Secure iXplorer

      Secure iXplorer is a graphical front end to PuTTY's pscp.exe.

    • WinSCP

      WinSCP is a scp(1) program for Windows, with PuTTY integrated into it.

    The following clients are recommended for interoperating with OpenSSH from Mac machines:

    • NiftyTelnet 1.1 SSH is an SSH1-only implementation which comes with a scp-style program. Written by Jonas Wallden.

      "NiftyTelnet 1.1 SSH r3 is an enhanced version of Chris Newman's NiftyTelnet 1.1 application which adds support for encrypted terminal sessions using the SSH (Secure Shell) protocol. Please read the included Readme file before distributing this version."

    • MacSSH is an SSH2-only implementation.

      "MacSSH is a modified version of BetterTelnet with SSH2 support. [...] The only SSH2 client for MacOS that I could find is a commercial product that costs more than $100, and it crashes my Mac when closing a session... Since it's best to do things by oneself, here's MacSSH."

  18. Warning about Cygwin! by Ed+Avis · · Score: 3
    From the Cygwin FAQ:

    Cygwin is not secure in a multi-user environment. For example if you have a long running daemon such as "inetd" running as admin while ordinary users are logged in, or if you have a user logged in remotely while another user is logged into the console, one cygwin client can trick another into running code for it. In this way one user may gain the privilege of another cygwin program running on the machine. This is because cygwin has shared state that is accessible by all processes.

    This means that Cygwin is not suitable for running an ssh daemon unless you're sure that only one person will use the machine, or you're happy for all the users to have the same privileges.

    --
    -- Ed Avis ed@membled.com
  19. Cygwin instructions by rwa2 · · Score: 3, Insightful
    As mentioned before, getting up and running with Cygwin is a snap! Here are your easy instructions:
    • Go to the cygwin site and click on the "install now" box on the side of the screen. Run the setup.exe program off the site (don't bother to save it somewhere, it gets updated almost weekly).
    • Tell it to install from the internet. Choose a mirror. It'll download a list of packages. Choose the Net | OpenSsh package. If you want to run the server, you might also want to choose everything in the Admin section. I also find Net | rsync more useful than the scp that comes with openssh.
    • Once the install is complete, fire it up and run ssh-host-config to set up the server. It'll ask you a bunch of simple questions, generate your hostkey, and stick the server in the startup scripts.
    With just this, the whole install takes about 32MB.
    Enjoy!