Use SSH public/private key authentication on Windows


Overview

You can use Cygwin to enable support for SSH public/private key authentication on Windows, which allows you to...

The Cygwin sshd server runs as a Windows service under the Local SYSTEM account, or under a dedicated local account created with the special privileges needed to run the service. On Windows Server 2003, sshd runs under the local account sshd_server.

The sshd server authenticates user logins using a public/private key-pair.


Configure Cygwin sshd

In this example, we configure password-less public key authentication to a remote Worklight host. We will use a user named "WorklightAdmin".

  1. Install Cygwin.

    During installation, select the following packages...

    • Admin --> cygrunsrv
    • Net --> openssh

  2. After installation, edit...

      C:\cygwin\Cygwin.bat

    ...add the following line...

      set CYGWIN=binmode ntsec

    For example...

      @echo off

      C:
      chdir C:\cygwin\bin
      set CYGWIN=binmode ntsec
      bash --login -i

  3. Start a Cygwin terminal using "Run as Administrator"

  4. Verify Cygwin is installed properly...

      cygrunsrv -h

    All Cygwin help options should display on the screen.

  5. From a bash shell, configure SSH...

      ssh-host-config

    You are prompted to answer the following questions:

      *** Query: Should privilege separation be used? : yes
      *** Query: New local account 'sshd'? : yes
      *** Query: Do you want to install sshd as a service?
      *** Query: : yes
      *** Query: Enter the value of CYGWIN for the deamon: [] binmode ntsec
      *** Query: Do you want to use a different name? (yes/no) yes

    At this point, for our example, we enter yes, and then plug in our WorklightAdmin user name and password...

      *** Query: Enter the new user name: WorklightAdmin
      *** Query: Reenter: WorklightAdmin
      *** Query: Create new privileged user account 'WorklightAdmin'? (yes/no) yes
      *** Query: Please enter the password:
      *** Query: Reenter:

    If the configuration is successful, you will see the following message:

      Host configuration finished. Have fun!

  6. If you ever want to change the login ID of the Cygwin sshd service afterwards...

    1. Open the Services panel

        Windows Start | Administrative Tools | Services

    2. Stop the sshd service.

        Cygwin sshd (right-click) | Properties | General | Stop

    3. Next, select the Log on tab. Under the Log on as section or prompt, clear the Local System account radio button, and select This account.

    4. Type .\WorklightAdmin as the ID and type the password for the account. Click Apply.

  7. Grant additional rights to the WorklightAdmin account. Ensure that the account has the required privileges in addition to membership in the Administrators group.

    1. From the Windows Start menu, click...

        Settings | Control Panel | Administrative Tools | Local Security Policy | Local Policies | User Rights Assignment

    2. Verify the WorklightAdmin account has the following four rights:

      • Adjust memory quotas for a process
      • Create a token object
      • Log on as a service
      • Replace a process level token

      If not, add WorklightAdmin as a user with the four rights.

  8. Close the Local Security Settings window.

  9. From a Cygwin console panel, change ownership of the following directories and files to WorklightAdmin:

    • chown WorklightAdmin /var/log/sshd.log
    • chown -R WorklightAdmin /var/empty
    • chown WorklightAdmin /etc/ssh*

  10. Restart the Cygwin sshd service.

      Cygwin sshd service | Properties | General | Start

    ...or...

      cygrunsrv -S sshd

  11. To achieve a password-less login from HostA --> remoteWLhost...

    1. Log in to HostA as user WorklightAdmin.

    2. Copy contents of...

        $HOME/.ssh/id_rsa.pub

      If .ssh/id_rsa.pub does not exist, run...

        $ ssh-keygen -t rsa
        Generating public/private rsa key pair.
        Enter file in which to save the key (/usr/local/wasuser/.ssh/id_rsa):
        Enter passphrase (empty for no passphrase):
        Enter same passphrase again:
        Your identification has been saved in /usr/local/wasuser/.ssh/id_rsa
        Your public key has been saved in /usr/local/wasuser/.ssh/id_rsa.pub
        The key fingerprint is:
        05:db:12:51:9f:48:dc:43:cd:8f:22:b0:a7:47:2d:17 wasuser@hostname

      Leave the passphrase blank.

    3. Log on to remote host (remoteWLhost) and paste the public key to...

        $HOME/.ssh/authorized_keys

      If the directory and/or file do not exist, create them.

    4. Set permissions...

        chmod go-w $HOME $HOME/.ssh
        chmod 600 $HOME/.ssh/authorized_keys
        chown `whoami` $HOME/.ssh/authorized_keys

  12. You can now run commands on HostA such as...

      $ ssh -l WorklightAdmin remoteWLhost 'ls /cygdrive/c/path/to/Worklight/logs'
      console.log
      ffdc
      messages.log
      messages_13.02.28_13.37.37.0.log
      status.log

      $ ssh -l WorklightAdmin remoteWLhost 'tail /cygdrive/c/path/to/Worklight/logs/messages.log'
      [2/28/13 13:38:16:747 EST] jdbc.internal.DataSourceService A J2CA8001I
      [2/28/13 13:38:16:747 EST] jdbc.internal.DataSourceService A J2CA8001I
      [2/28/13 13:38:16:762 EST] jdbc.internal.DataSourceService A J2CA8001I
      [2/28/13 13:38:16:762 EST] jdbc.internal.JDBCDriverService A J2CA8001I
      [2/28/13 13:38:16:778 EST] tcpchannel.internal.TCPChannel I CWWKO0220I

      $ ssh WorklightAdmin@remoteWLhost
      Last login: Fri Mar 15 17:40:10 2013 from pavftrptwrb.sonebiz.com
      WorklightAdmin@remoteWLhost ~
      $

      scp WorklightAdmin@remoteWLhost:/cygdrive/c/path/to/Worklight/logs/messages.log messages.log.txt
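The permissions set in step 11.4 are not cosmetic: sshd's StrictModes check (on by default) silently ignores authorized_keys when the home directory, .ssh or the file itself is group- or world-writable or owned by another user, and the login falls back to a password prompt. The following audit function is an added example, not part of the original page; it assumes GNU-style ls output (Cygwin and Linux) and the function names are invented here:

```shell
#!/bin/sh
# Added example, not from the original page: audit the permissions that
# step 11.4 sets, the way sshd's StrictModes check (on by default) does.
# If $HOME, $HOME/.ssh or authorized_keys is group- or world-writable, or is
# not owned by the login user, sshd ignores the key and falls back to a
# password prompt without telling the client why. Run it on remoteWLhost
# from the Cygwin shell, e.g.:  check_ssh_perms "$HOME" "$(whoami)"

# Print "owner mode" for a path using ls, which is portable across Cygwin
# and Linux (stat's format flags differ between implementations).
ls_owner_and_mode() {
    ls -ld "$1" | awk '{ print $3, $1 }'
}

# Succeed only if $1 is owned by $2 and has no group/other write bit.
# The mode string looks like drwxr-xr-x: column 6 is group write and
# column 9 is other write (a trailing + for ACLs on Cygwin does not matter).
path_is_safe() {
    path=$1; owner=$2
    [ -e "$path" ] || return 1
    set -- $(ls_owner_and_mode "$path")
    [ "$1" = "$owner" ] || return 1
    case "$(printf '%s\n' "$2" | cut -c6,9)" in
        *w*) return 1 ;;
    esac
    return 0
}

# Check the three paths sshd inspects for user $2 whose home is $1.
# Prints one line per problem and returns the number of problems found,
# so a zero exit status means key authentication will not be blocked
# by StrictModes.
check_ssh_perms() {
    home=$1; user=${2:-$(id -un)}; bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if ! path_is_safe "$p" "$user"; then
            echo "FIX: $p must exist, be owned by $user and not be group/world-writable"
            bad=$((bad + 1))
        fi
    done
    return $bad
}
```

On the server side the same failure shows up in /var/log/sshd.log as "Authentication refused: bad ownership or modes", which is the quickest way to confirm that a silent fallback to a password prompt is a permissions problem rather than a wrong key.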


Non-admin userID

If you try to connect to the Windows workstation using a non-administrator user ID, you might get an error...

...add the user account to the Administrators group...

  1. Go to...

      My Computer (right-click) | Manage | Local Users and Groups | Users | user account | Member Of

  2. Add the Administrators group to the list of groups that this account belongs to.

  3. From the admin console, click...