SSH Secure Services on Windows 2K/XP?

jstockdale asks: "Lately I've been working on the security of the few Windows boxes I administer, specifically XP and 2000 stations. I havn't had much of a problem finding decent solutions for file/email/disk encryption (besides the fact that PGP is no longer selling their products), or for smartcard or smartcard+biometric solutions (besides the limitations on key size (2048-bit RSA maximum) and flexability). However when it comes to SSH services for remote administration, windows filesharing, and SFTP for file transfers I have hit a dead end. I have looked into SSH but their SSH for Windows Servers only runs on 2000, and costs $565. I ask what solutions have /.er's found in the realm of ssh network encryption, and also in integrating all these components simply and effectively."

Tried VShell?

[triffidsting]

http://www.vandyke.com/products/vshell/

Re:Tried VShell?

[xee]

Indeed, VShell is an awesome SSH server for windows. I've been using it in a production environment for a few months now and am very pleased with its performance and ability. It hasn't been a particularly smooth ride, but VanDyke tech support is excellent (you send them a logfile, they'll tell you how to fix the problem). They even supported me before I bought the product. That was impressive. I highly recommend VanDyke SSH products for windows.

Re:openssh via cygwin.

[Telastyn]

One trick that helps is using NT resource kit's srvany to install SSHD as a service instead of cygwin's service installer. A google search can show you how. But then again a simple google search could've prevented this whole article...

Check out the VanDyke products

[mdb31]

You may want to have a look at vandyke.com; their VShell SSH server has a 'personal' edition which works very well for systems management and is cheaper than the SSH product. I've used their products for years on the server as well as client-side, and found them very reliable, as well as very well-behaved Windows services...

OpenSSH + CygWin + libsectok

[dmiller]

As a few people have mentioned OpenSSH is supported on Windows via CygWin. What hasn't been mentioned is that OpenSSH supports smartcards through the use of libsectok. I use it with Schlumberger Cyberflex Access cards.

I don't know whether libsectok has been built on Windows before, but it uses the standard /dev/tty interface so it should be too difficult to get working.

Re:OpenSSH + CygWin + libsectok

[philovivero]

Mod parent up.

Basically, I've gotten Cygwin with OpenSSH working on Win2K with zero problems.

It's an eery feeling typing "ssh philov@win2kbox" and then getting a Bash prompt.

Remember, once you install Cygwin to learn how to install *ANY* Unix server as a service on your Windows box. I got Apache and SSHd and a few others working trivially once I figured out that strange Cygwin addservice command.

Re:when you are too lazy to hit google

[Anonvmous+Coward]

Google helps you find stuff. Google does not give you informed recommendations from your peers. Duh.

Where to find the Windows programmers

[Carnage4Life]

Disclaimer: I work for Microsoft but this post contains my opinions and does not represent some official company statement

In my opinion the best places to find out information about Microsoft technologies and products are

1. Newsgroups: Most microsoft technologies have a newsgroup in the microsoft.public.* hierarchy that are read not only by Microsoft employees but by dozens of regular developers who just want to help others who are having problems. I personally monitor microsoft.public.xml and microsoft.public.dotnet.xml where I answer a lot of questions and pass many of those I can't answer to the actual devs who work on the applications and APIs in question.
   
   
2. Online Communities: There are a number of strong online communities where Windows developers congregate to share information, tips and tricks. These range from Microsoft sponsored sites like GotDotNet, ASP.NET, and Windows Forms.NET that are run by MSFT employees who participate actively in these communities to independent sites like 4 Guys from Rolla, Code Project, Dev Hood, DevelopMentor and CodeGuru
   
   
3. Microsoft Websites: Few places beat MSDN as a source of information about Microsoft technologies. By the way, if you are into XML check out my Extreme XML column
   
   
4. Mailing Lists: There are number of mailing lists hosted by various parties about Microsoft technologies. The ones I've seen with the most vibrance have been the DevelopMentor mailing lists and the ASP Friends lists

PS: So this post isn't offtopic I'll add something about SSH. OpenSSH in Windows is possible if one installs Cygwin.

Re:Windows Programming: A related question

[W2k]

My sources for programming info and help/support:

CodeGuru and CodeProject - both EXCELLENT sources of information, especially for MFC stuff. CodeProject also has lots on C#.

Microsoft Developer Network is a great source of support (especially the KB) and the MSDN library holds a full reference for the Microsoft implementations of C/C++, C#, Visual Basic, et al. MSDN is also integrated into Visual Studio.NET, so I rarely feel the need to visit the website directly.

Finally, lots of programmers gather in Usenet newsgroups and on IRC. I can recommend the channel #c++ on Quakenet (irc.quakenet.org) as a great source of help for Windows programmers, so long as you follow the (rather strict) channel rules. Don't miss the #c++ n00blist of people who have failed to observe these rules ... :)

I hope this helps...

Yep -- sshd configuration instructions

[KMSelf]

Second all of the above.

For configuring sshd, see http://tech.erdelynet.com/cygwin-sshd.html.

Re:What's wrong with Win2k server?

[new500]

. . .

I'm curious as to why you went with 3rd party solutions for encryption and smartcard support instead of using Windows Server, which has those capabilities built in. Mostly I'm curious about the limitations of Windows Server products

Well for one thing, for every client that uses Windows Server for _authentication_ you have to pay up for an extra internet Client Access License. As far as I understand this (and I re- read the terms not so long back) that's each _individual_ client, not concurrent or pooled / proxied clients.

Win2k has excellent smartcard suport, out of the box, highly recommended to lock down _physical access_. But, if like me, you're interested in smartcard authentication for a fair number of users _remotely_ it may not be the best solution to work with your existing toolchain (e.g. Cygwin, OpenSSH etc.)

That's just what comes immediately to mind. I've not delved all I should, so further comment very welcome.

I'll just part with the thought that in your example of installing Certificate Services, if you used this to authenticate users for a web site in even a small installation, you could be talking about hundreds of required licenses. Up to you, though, of course :)

From Openssh.com

[RedSynapse]

The following "free" clients are recommended for interoperating with OpenSSH from Windows machines:

• PuTTY is an SSH1+SSH2 implementation. PSCP, an scp-style program for Windows, is also available.

  PuTTY is available under the MIT licence (BSD-like).

  "PuTTY is a free implementation of Telnet and SSH for Win32 platforms, written and maintained primarily by Simon Tatham, who lives in Great Britain."

• TTSSH (SSH1) is an SSH1-only implementation, by Robert O'Callahan.

  "TTSSH is a free SSH client for Windows. It is implemented as an extension DLL for Teraterm Pro. Teraterm Pro is a superb free terminal emulator/telnet client for Windows, and its source is available. TTSSH adds SSH capabilities to Teraterm Pro without sacrificing any of Teraterm's existing functionality. TTSSH is also free to download and use and its source is available too, with an open source license. Furthermore, TTSSH has been developed entirely in Australia [...]."

• Cygwin (POSIX software on top of Windows)

  OpenSSH (SSH1 and SSH2 protocol) with Cygwin can run on Windows using the portable version of OpenSSH.

• MSSH

  MSSH from the Metropolitan State College of Denver supports Windows 95 and Windows 98, supporting SSH1 protocol.

• OpenSSH for Windows

  Another OpenSSH running on top of Windows..

• Secure iXplorer

  Secure iXplorer is graphical front end to PuTTY's pscp.exe.

• WinSCP

  WinSCP is a scp(1) program for Windows, with PuTTY integrated into it.

The following clients are recommended for interoperating with OpenSSH from Mac machines:

• NiftyTelnet 1.1 SSH is an SSH1-only implementation which comes with a scp-style program. Written by Jonas Wallden.

  "NiftyTelnet 1.1 SSH r3 is an enhanced version of Chris Newman's NiftyTelnet 1.1 application which adds support for encrypted terminal sessions using the SSH (Secure Shell) protocol. Please read the included Readme file before distributing this version."

• MacSSH is an SSH2-only implementation.

  "MacSSH is a modified version of BetterTelnet with SSH2 support. [...] The only SSH2 client for MacOS that I could find is a commercial product thats costs more than $100, and it crashes my Mac when closing a session... Since it's best to do things by oneself, here's MacSSH."