
Installing a CYGWIN sshd server under Windows 2003 without introducing Windows security issues

Bill Doyle, Auxiliary Services-IT, University of Minnesota


Contents
References ............ 2
History and Discussion ............ 2
Procedure ............ 2
Maintenance: ............ 4
Create New User: ............ 4

References
I mostly followed this document to install the CYGWIN SSH service: http://www1.umn.edu/oit/img/assets/5630/cygSSH.pdf
Note that installing as per Joel's instructions above leaves your entire computer's file system (except some files in the Windows directory) completely readable by any SSH user.
Also see this document: http://ist.uwaterloo.ca/~kscully/CYGWINSSHD_W2K3.html

History and Discussion


We needed to provide a system for agencies around the U (mostly on Unix platforms) to drop off files for Printing, Addressing and Mailing projects. The system needed to be automatable and meet OIT security guidelines (which excluded FTP as a viable mechanism). The files also needed to be available to automated processes running on a Windows server in Auxiliary Services. The software that met the security guidelines was the SSH/SFTP/SCP suite. For the files to be available to the Windows server, the SSH server either needed to run on Windows or needed to run on a Windows-accessible platform (i.e. LINUX with SAMBA file shares). There are commercial Windows SSH servers, but they tend to be either very expensive (and adequate) or cheap (and inadequate).

I had hosted SSHD on Windows systems before using CYGWIN. The default CYGWIN install tended to let the SSH clients have full, unimpeded access to the Windows computer. This was obviously inadequate. I looked at restricting the SSH users to specific folders (chroot), only to find that the SSHD implementation in CYGWIN did not really support chrooting. More modern SSHD implementations on full versions of LINUX support this, but I still wanted to have as few systems involved as possible, so I decided to figure out how to achieve the access restriction without the native chroot.

What resulted relies on a series of Windows and *nix tricks to achieve a chroot-like implementation of the CYGWIN SSHD server. The biggest trick is to isolate the Data and CYGWIN partitions on separate Windows drive volumes. This makes it easy to restrict access to the system without changing too much of either the native Windows permissions or the CYGWIN environment.

Procedure
The basic installation of CYGWIN is documented here by Joel Anderson. I deviate a bit from this default installation.

1. Install CYGWIN to its own drive, NOT the default C:\CYGWIN. (Note: all drives must be NTFS for "chrooting" to work.) Drive E: in my case.
2. The SFTP volume should also be its own NTFS volume. Drive D: in my case.
3. Create a Windows group: SSH-Users.
4. From the CYGWIN prompt execute the following command: mkgroup -l ssh-users >> /etc/group
   This copies the Windows group to the captive CYGWIN configuration.
5. Use your group to "Deny All" access to all volumes EXCEPT your CYGWIN and SFTP volume(s).
6. Go to your SFTP volume D: and remove all access for group "Everyone".
7. Go to drive C: and deny all access to group ssh-users.
8. Go to the CYGWIN drive (or folder) and give ssh-users full permissions.
9. Now you need to redirect CYGWIN's home directory to your SFTP volume.
10. The following registry key symbolically changes the CYGWIN subsystem /home to your chrooted Windows volume for your SFTP access.
   a. Open Regedit.
   b. Create a new key under HKLM/Software/Cygnus solutions/CYGWIN/mounts v2 called /home.
   c. Under the /home key create a REG_DWORD value named flags and assign it the hex value a.
   d. Under the /home key create a string value named native whose string value is the Windows path to your SFTP root directory (d:\ftp in my case).
11. Now create your users in Windows, assigning them home directories under your SFTP root directory (d:\ftp\username in my case). Directories created in this way automatically have the proper CYGWIN permissions to restrict access.
12. Now import your Windows users into CYGWIN using the mkpasswd syntax: mkpasswd -l > /etc/passwd
13. You should be able to log on via ssh, sftp or scp using your user accounts.
14. Test it with ssh: $ ssh newuser@localhost. You should find yourself in newuser's home directory.
15. Test it by creating an empty file: $ touch newfile. The file "newfile" should be visible in the Windows home directory.

Note: It seems that CYGWIN built as above does not properly support complex Windows passwords. This effectively restricts any users that need to use the SSH subsystem to passwords made of lowercase letters + numbers. This took me quite a while to figure out, but it can be set up in about an hour following the instructions above along with Joel's procedure.

Maintenance:
Create New User:
1. Create the Windows user. Make sure the password is all lower-case + numbers; mixed case will cause problems.

2. Open the newly created user account and assign the user's home drive using the %username% syntax (see example).

3. This will create the home folder for the user and assign the proper Windows rights.

4. Add the user to the Windows group ssh-users.

5. Now import the users to the CYGWIN environment by executing the following command from the CYGWIN prompt: mkpasswd -l > /etc/passwd

6. Test the new user account(s) with the following syntax: ssh username@localhost

Note: the password can be changed from this interface, but it is probably best changed from Windows or not changed at all.
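Step 12 of the Procedure and step 5 above both run mkpasswd -l > /etc/passwd, which imports every local Windows account (Administrator and service accounts included) into the CYGWIN passwd file, so sshd can authenticate all of them even though only ssh-users is meant to use the system. The script below is an added example, not part of the original document, that keeps only the members of ssh-users; the sample group and passwd lines are constructed (SIDs fabricated) to stand in for the output of mkgroup -l ssh-users and mkpasswd -l, and filter_ssh_users is a name I chose.

```shell
#!/bin/sh
# Added example: build a CYGWIN /etc/passwd restricted to members of the
# Windows group ssh-users. Intended use on the CYGWIN box (not run here):
#   mkgroup -l ssh-users >> /etc/group
#   mkpasswd -l | filter_ssh_users /etc/group > /etc/passwd

# filter_ssh_users GROUPFILE < PASSWD_STREAM
#   Prints only passwd lines whose user name (field 1) is listed in the
#   comma-separated member list (field 4) of ssh-users in GROUPFILE.
filter_ssh_users() {
    awk -F: -v grp="ssh-users" '
        NR == FNR {                      # first input: the group file
            if ($1 == grp) {
                n = split($4, m, ",")    # members are comma separated
                for (i = 1; i <= n; i++) allowed[m[i]] = 1
            }
            next
        }
        ($1 in allowed)                  # second input (stdin): passwd lines
    ' "$1" -
}

# Constructed sample data standing in for mkgroup/mkpasswd output.
SAMPLE_GROUP='ssh-users:S-1-5-21-111-222-333-1005:1005:alice,bob'
SAMPLE_PASSWD='Administrator:unused:500:544:Administrator,S-1-5-21-111-222-333-500:/home/Administrator:/bin/bash
alice:unused:1006:513:alice,S-1-5-21-111-222-333-1006:/home/alice:/bin/bash
bob:unused:1007:513:bob,S-1-5-21-111-222-333-1007:/home/bob:/bin/bash
svc_backup:unused:1008:513:svc_backup,S-1-5-21-111-222-333-1008:/home/svc_backup:/bin/bash'

# demo_filter: returns the user names that survive filtering, one per line
# (alice and bob; Administrator and svc_backup are dropped).
demo_filter() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_GROUP" > "$tmp"
    printf '%s\n' "$SAMPLE_PASSWD" | filter_ssh_users "$tmp" | cut -d: -f1
    rm -f "$tmp"
}
```

After regenerating /etc/passwd this way, re-run the ssh test from step 6 for an ssh-users member and confirm that an account outside the group can no longer log on.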
