Use SSH public/private key authentication on Windows
Overview
You can use Cygwin to enable support for SSH public/private key authentication on Windows, which allows you to...
- scp files from one host to another
- Execute commands on remote host
- From command-line, log on to remote host
The Cygwin sshd server runs as a Windows service under the Local SYSTEM account created with special privileges to run the service. For a Windows 2003 Server, sshd runs under local account, sshd_server.
The sshd server authenticates user logins using a public/private key-pair.
Configure Cygwin sshd
In this example, we configure password-less public key authentication to a remote Worklight host. We will leverage a user named "WorklightAdmin"
- Install Cygwin.
During installation, select the following packages...
- Admin --> cygrunsrv
- Net --> openssh
- After installation, edit...
C:\cygwin\Cygwin.bat
...add the following line...
set CYGWIN=binmode ntsec
For example...
@echo off
C:
chdir C:\cygwin\bin
set CYGWIN=binmode ntsec
bash --login -i- Start a Cygwin terminal using "Run as Administrator"
- Verify Cygwin is installed property...
cygrunsrv -h
All Cygwin help options should display on the screen.
- From a bash shell, configure SSH...
ssh-host-config
You are prompted to answer the following questions:
*** Query: Should privilege separation be used?
: yes
*** Query: New local account 'sshd'?: yes
*** Query: Do you want to install sshd as a service?
*** Query:: yes
*** Query: Enter the value of CYGWIN for the deamon: [] binmode ntsec
*** Query: Do you want to use a different name? (yes/no) yes/noAt this point, for our example, we enter yes, and then plug in our WorklightAdmin user name and password...
*** Query: Enter the new user name: WorklightAdmin
*** Query: Reenter: WorklightAdmin
*** Query: Create new privileged user account 'WorklightAdmin'? (yes/no) yes
*** Query: Please enter the password:
*** Query: Reenter:If the configuration is successful, you will see the following message:
Host configuration finished. Have fun!
- If you ever want to change the login ID of the Cygwin sshd service afterwards...
- Open the Services panel
Windows Start | Administrative Tools | Services
- Stop the sshd service.
Cygwin sshd (right-click) | Properties | General | Stop
- Next, select the Log on tab. Under the Log on as section or prompt, clear the Local System account radio button, and select This account.
- Type .\WorklightAdmin as the ID and type the password for the account. Click Apply.
- Grant additional rights to the WorklightAdmin account. Ensure that the account has the required privileges in addition to membership to the Administrators group.
- From the Windows Start menu, click...
Settings | Control Panel | Administrative Tools | Local Security Policy | Local Policies | User Rights Assignment
- Verify the WorklightAdmin account has the following four rights:
- Adjust memory quotas for a process
- Create a token object
- Log on as a service
- Replace a process level token
If not, add WorklightAdmin as a user with the four rights.
- Close the Local Security Settings window.
- From a Cygwin console panel, change ownership of the following directories and files to WorklightAdmin:
- chown WorklightAdmin /var/log/sshd.log
- chown -R WorklightAdmin /var/empty
- chown WorklightAdmin /etc/ssh*
- Restart the Cygwin sshd service.
Cygwin sshd service | Properties | General | Start
...or...
cygrunsrv -S sshd
- To achieve a password-less login from HostA --> remoteWLhost
- Login to HostA as user WorklightAdmin
- Copy contents of...
$HOME/.ssh/id_rsa.pub
If .ssh/id_rsa.pub does not exist, run..
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/usr/local/wasuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /usr/local/wasuser/.ssh/id_rsa
Your public key has been saved in /usr/local/wasuser/.ssh/id_rsa.pub
The key fingerprint is:
05:db:12:51:9f:48:dc:43:cd:8f:22:b0:a7:47:2d:17 wasuser@hostnameLeave passphrase blank.
- Log on to remote host (remoteWLhost) and paste the public key to...
$HOME/.ssh/authorized_keys
If the directory and/or file do not exist, create them.
- Set permissions...
chmod go-w $HOME $HOME/.ssh
chmod 600 $HOME/.ssh/authorized_keys
chown `whoami` $HOME/.ssh/authorized_keys- You can now run commands such on HostA such as...
$ ssh -l WorklightAdmin remoteWLhost 'ls /cygdrive/c/path/to/Worklight/logs'
console.log
ffdc
messages.log
messages_13.02.28_13.37.37.0.log
status.log
$ ssh -l WorklightAdmin remoteWLhost 'tail /cygdrive/c/path/to/Worklight/logs/messages.log'
[2/28/13 13:38:16:747 EST] jdbc.internal.DataSourceService A J2CA8001I
[2/28/13 13:38:16:747 EST] jdbc.internal.DataSourceService A J2CA8001I
[2/28/13 13:38:16:762 EST] jdbc.internal.DataSourceService A J2CA8001I
[2/28/13 13:38:16:762 EST] jdbc.internal.JDBCDriverService A J2CA8001I
[2/28/13 13:38:16:778 EST] tcpchannel.internal.TCPChannel I CWWKO0220I
$ ssh WorklightAdmin@remoteWLhost
Last login: Fri Mar 15 17:40:10 2013 from pavftrptwrb.sonebiz.com
WorklightAdmin@remoteWLhost ~
$
scp WorklightAdmin@remoteWLhost:/cygdrive/c/path/to/Worklight/logs/messages.log messages.log.txt
Non-admin userID
If you try to connect to the Windows workstation using a non-administrator user ID, you might get error...
XCIM0010E: An error occurred while connecting to the remote target ip_address.
Cause: CTGRI0011E An error occurred when accessing the remote registry or service control manager....add the user account to the Administrators group...
- Go to...
My Computer (right-click) | Manage | Local Users and Groups Users | user account | Member Of
- Add the Administrators group to the list of groups that this account belongs to.
- From the admin console, click...
System administration | Centralized | Installation Manager | Installation targets