Configuring Windows 7 for Remote Access with Cygwin sshd

As someone that was openly critical of Windows Vista during its short reign as the flagship Microsoft product, mostly due to my experiences bailing out friends and clients that had gone down the unhappy upgrade path from XP Pro, I feel it is important to give praise where it is due. I have been using Windows 7 for about four months now, and I must admit that it doesn’t suck. In fact, I’ve enjoyed it enough that, when it came time to invest in a new workstation class machine for some of our development work here at Witt’z End Technologies, Windows 7 Professional was the obvious choice of operating system. Those that know me well know that is about as close to an endorsement as I will ever get, so do not take it lightly.

Now, to all my Linux and Open Source friends that are staring at their screens in shock and horror, I am not abandoning you. We just needed a machine on which to run our Adobe Suite, along with some other necessary tools that required Windows as the primary OS. A necessary Evil, if you will, that in no way lessens my advocacy for all Good things Open Source. In fact, I want to now shift specifically to talking about something Linux provides for systems administrators that Windows still does not, and highlight the Open Source tool, Cygwin, as part of the solution.

While I have enjoyed some of the changes and optimizations made in Windows 7, I am still confused and a little annoyed by what the Big Heads at Microsoft continue to leave out of their operating systems. As a systems and network administrator, I have always relied on good, command-line, remote access to ALL of my machines. I like to be able to crank out a bash script, and have it run remote commands against *NIX and Windows machines alike, all over a secure shell. I know, crazy. SSH, otherwise known as the secure shell…is nowhere to be found on a Windows box. That is, unless you have the Cygwin mojo working for you.

Cygwin is a cool tool that, as their website clearly explains, provides “a Linux-like environment for Windows”. Among its spectacular set of Open Source tools, all compiled to run on Windows, it includes the ever-popular OpenSSH server and client. While Cygwin and its benefits have been well known in tech circles for a long time, it did not support Windows 7 prior to Cygwin version 1.7.x. Now that support is available, Windows 7 provides some challenges for getting Cygwin sshd properly installed as a service due to its approach to security. I have enumerated my steps to success in this endeavor below.

To begin, one needs to download the Cygwin setup.exe file, and install the Cygwin packages, making sure to include the openssh package. This should be a fairly straight-forward process, but the Documentation can be of help if you get turned around. Version 1.7.5 is the most current as of this writing. Once installed, you should find a Cygwin Bash Shell under Start -> All Programs -> Cygwin. Clicking on that should open up a command-line Window that, if you are at all familiar with xterm in Linux or the Terminal in OS X, should look quite familiar.

To make setting up SSH easier, the kind folks at Cygwin have provided a script to fast-track the configuration. Simply type “ssh-host-config” at your new command prompt to take advantage of it. STOP! Don’t launch it yet…we need to do something first. This script actually requires special permissions to create a service account if you wish to set SSH to run as a service on the machine so that you can remotely connect to it. Even if your login on the Windows 7 box is an Administrator (which it must be for any of this to work), this service account creation will fail. So, here is what we need to do:

Turn-off User Account Control

  1. Click on Start.
  2. In the Search box, type, “Change User Account Control Settings”, and click on the returned entry to launch the tool.
  3. Pull the slider down to “Never notify” (Don’t worry…this is temporary. We’ll change it back later).
  4. When you click on “OK”, you will be told you have to reboot the machine for the changes to take effect. Save any open work, and reboot your machine.

Install sshd as a Service

Once the machine has rebooted, we’ll want to open another shell by opening Start -> All Programs -> Cygwin -> Cygwin Bash Shell. Now, we’ll use that handy script. Type “ssh-host-config” at the command prompt, then press Enter. Along with some other configuration output, you will be presented with a set of questions:

*** Query: Should privilege separation be used? (yes/no)

Answer yes.

*** Query: new local account 'sshd'? (yes/no)

Answer yes

*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no)

Answer yes

*** Query: Enter the value of CYGWIN for the daemon: []

Historically, I have entered “binmode tty ntsec” for the CYGWIN environment variable, but, according to, binmode and ntsec have been deprecated as of Cygwin 1.7. Using them does not appear to cause any harm, but it is likely they do nothing for you either.

*** Info: This script plans to use 'cyg_server'.
*** Query: Do you want to use a different name? (yes/no)

Answer no unless you wish to use a different name on your system. You will be prompted for the login name you wish to use for the service if you say yes.

*** Query: Create new privileged user account 'cyg_server'? (yes/no)

Answer yes.

*** Query: Please enter the password:

Enter a password for this service account, and enter it again when prompted. Keep in mind, using your very best, super-secret password may not be advised, as this script will dump the password onto the screen during the confirmation phase. You can always change it later if necessary.

If all goes well, you should get some confirmation output. Pay special attention to the following, as it may have relevance if you make use of certificate-based authentication with SSH:

*** Info: Also keep in mind that the user 'cyg_server' needs read permission
*** Info: on all users' relevant files for the services running as 'cyg_serv'
*** Info: In particular, for the sshd server all users' .ssh/authorized_keys
*** Info: files must have appropriate permissions to allow public key
*** Info: authentication. (Re-)running ssh-user-config for each user will set
*** Info: these permissions corrently. [Similary restrictions apply, for
*** Info: instance, for .rhosts files if the rshd server is running, etc].
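
The permissions the Info block is warning about are the ones sshd enforces under its StrictModes setting: it refuses public-key logins when ~/.ssh, authorized_keys, or any directory up to the user's home is owned by someone else or is writable by group or world. The following is an added example, not part of the original post or of Cygwin's own ssh-user-config script, which checks and repairs that condition from the Cygwin Bash Shell using the GNU stat(1) that Cygwin ships. The function names and the --check/--fix switches are this example's own.

```bash
#!/bin/bash
# Added example (not from the post or from Cygwin): test a user's home,
# ~/.ssh and ~/.ssh/authorized_keys against sshd's StrictModes rules
# (owned by the calling user, no group/other write bit) and repair them.

# strict_ok PATH: succeed when PATH exists, is owned by the calling user
# and is not writable by group or others; otherwise say why and fail.
strict_ok() {
  local path="$1" owner mode group other
  [ -e "$path" ] || { echo "missing: $path" >&2; return 1; }
  owner=$(stat -c %U "$path")
  mode=$(stat -c %a "$path")            # e.g. 700, 644 or 1777
  if [ "$owner" != "$(id -un)" ]; then
    echo "$path is owned by $owner, not $(id -un)" >&2
    return 1
  fi
  other=${mode#"${mode%?}"}             # last octal digit: others
  mode=${mode%?}
  group=${mode#"${mode%?}"}             # next-to-last digit: group
  case "$group$other" in
    *[2367]*)                           # a digit with the write bit (2) set
      echo "$path (mode $(stat -c %a "$path")) is writable by group or others" >&2
      return 1 ;;
  esac
  return 0
}

# strict_all PATH...: succeed only when every path passes strict_ok,
# reporting all failures rather than stopping at the first.
strict_all() {
  local ok=0 p
  for p in "$@"; do
    strict_ok "$p" || ok=1
  done
  return $ok
}

# strict_fix PATH...: clear the group/other write bits, which is all
# StrictModes objects to; the owner's own permissions are left alone.
strict_fix() {
  chmod go-w "$@"
}

# Usage from the Cygwin shell once ssh-host-config has run:
#   bash check_keys.sh --check   report on $HOME, $HOME/.ssh and authorized_keys
#   bash check_keys.sh --fix     repair, then re-check
case "${1:-}" in
  --check|--fix)
    [ "$1" = --fix ] && strict_fix "$HOME" "$HOME/.ssh" "$HOME/.ssh/authorized_keys"
    if strict_all "$HOME" "$HOME/.ssh" "$HOME/.ssh/authorized_keys"; then
      echo "StrictModes checks pass for $HOME"
    fi
    ;;
esac
```

Run it as the user who will be logging in over SSH, not as cyg_server. It only covers the POSIX mode bits; ssh-user-config remains the right tool for creating the directory in the first place, since it also sets the Windows ACLs that Cygwin maps those bits onto.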

You can follow the instructions, and run “net start sshd” to test your configuration out, but there are a few more things I suggest. The first is to get the Windows Firewall configured to allow connections to this box on the SSH port, 22.

Configure the Firewall

I’ve found the Search box in Windows 7 to be awesome for finding administration tools, so go to Start, and enter “firewall” in the box. You will want to open Windows Firewall with Advanced Security. Then do the following:

  1. In the left-hand pane, click on Inbound Rules.
  2. In the right-hand pane, click “New Rule…”.
  3. For Rule Type, select “Port”, and click Next.
  4. For Protocol and Ports, select “TCP”, and in the Specific Ports text box, enter “22”, and click Next.
  5. For Action, select “Allow the connection”, and click Next.
  6. For Profile, leave the defaults selected (unless you have good security reasons to do otherwise), and click Next.
  7. For Name, enter a meaningful name for the rule. Something like, “CYGWIN sshd”. Then click Finish.

You should see your new rule listed as being enabled, and can close the firewall tool.
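
The same inbound rule can be created and verified from the Cygwin Bash Shell with netsh, which is handy if you set up more than one box. This is an added example, not from the original post; the rule name “CYGWIN sshd” and port 22 come from the steps above, while limiting the rule to the Domain and Private profiles is this example's choice (the wizard default also opens the port on networks marked Public). At this point in the procedure UAC is still off, so an ordinary Administrator shell suffices; once UAC is back on, start the Cygwin shell with “Run as administrator”. The function names are this example's own.

```bash
#!/bin/bash
# Added example (not from the post): create the inbound allow rule for
# sshd with netsh, then read it back and confirm it is active.

RULE_NAME="CYGWIN sshd"
SSH_PORT=22

# add_sshd_rule: inbound TCP/$SSH_PORT allow rule, Domain+Private only.
add_sshd_rule() {
  netsh advfirewall firewall add rule name="$RULE_NAME" dir=in action=allow \
        protocol=TCP localport="$SSH_PORT" profile=domain,private
}

# show_sshd_rule: netsh's description of the rule, with CRLF stripped so
# the text can be parsed with the usual Unix tools.
show_sshd_rule() {
  netsh advfirewall firewall show rule name="$RULE_NAME" | tr -d '\r'
}

# rule_field OUTPUT FIELD: value of one "Field:   value" line from the
# text netsh prints, e.g. rule_field "$out" Enabled -> Yes
rule_field() {
  printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# rule_is_open OUTPUT: succeed when the rule is enabled, inbound, allow,
# TCP and on the expected port; otherwise say which field is wrong.
rule_is_open() {
  local out="$1" f v
  for f in Enabled=Yes Direction=In Action=Allow Protocol=TCP LocalPort=$SSH_PORT; do
    v=$(rule_field "$out" "${f%%=*}")
    if [ "$v" != "${f#*=}" ]; then
      echo "rule check failed: ${f%%=*} is '$v', expected '${f#*=}'" >&2
      return 1
    fi
  done
  return 0
}

# Usage: bash sshd_firewall.sh --apply
if [ "${1:-}" = "--apply" ]; then
  add_sshd_rule
  out=$(show_sshd_rule)
  rule_is_open "$out" && echo "firewall rule '$RULE_NAME' is active"
fi
```

Running the script a second time creates a duplicate rule rather than failing, since netsh does not treat rule names as unique; check with show_sshd_rule (or the GUI) before re-applying.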

Turn User Account Control Back On

  1. Click on Start.
  2. In the Search box, type, “Change User Account Control Settings”, and click on the returned entry to launch the tool.
  3. Pull the slider up to “Default”.
  4. When you click on “OK”, you will be told you have to reboot the machine for the changes to take effect. Save any open work, and reboot your machine.

When the machine reboots, you will notice that a new account, Privileged User, appears on the default login screen. Annoying…so we’ll fix that. Once you login to the machine, you should be able to launch your handy Cygwin Bash Shell again, and enter “ssh localhost” at the command-line, and be prompted for your password. Entering that should present you with the same lovely prompt you had before…which is what we want. We’ve ssh’d to the machine from itself. The bigger test is to go to a remote machine, and ssh to your newly configured server. You should be able to get to that same prompt remotely as well.

Hiding the cyg_serv Service Account

OK. We’ve configured our SSH server on the Windows 7 host, and everything works, but now we’ve got that funky account entry on the login page. If you are anything like me, that will just be an annoyance from here on out, so it must be removed. Luckily, I was able to find an answer for doing so at This will require hacking with the registry a bit, so proceed with caution (backups, etc.):

  1. Open the Registry Editor by going to your Start Search box and typing, “regedit”.
  2. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList.
  3. Select UserList, and right-click in the pane to the right to create a New -> DWORD (32-bit) Value.
  4. Name the new DWORD key “cyg_serv” (or whatever username you used creating the service for SSH), and set its value to 0 to hide it from the login page.
  5. Exit the Registry Editor, and logoff.
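
The same registry change can be scripted from the Cygwin Bash Shell with reg.exe, which also makes it easy to take a backup first and to undo it. This is an added example, not from the original post. The value name must be the exact account name that ssh-host-config created: “cyg_server” unless you answered yes to using a different name at its prompt (the script output quoted earlier shows it as “cyg_serv”, so do not copy that spelling). UAC is back on by this step, so start the Cygwin shell with “Run as administrator”; reg add creates the UserList key if it does not yet exist. The function names and switches are this example's own.

```bash
#!/bin/bash
# Added example (not from the post): hide the sshd service account from
# the Windows 7 logon screen via the Winlogon UserList value, with a
# backup and a read-back check.

USERLIST='HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

# hide_account NAME: set UserList\NAME = 0 so Winlogon omits the account.
hide_account() {
  reg add "$USERLIST" /v "$1" /t REG_DWORD /d 0 /f
}

# unhide_account NAME: remove the value again (the account reappears).
unhide_account() {
  reg delete "$USERLIST" /v "$1" /f
}

# userlist_value QUERY_OUTPUT NAME: pull NAME's data (e.g. "0x0") out of
# the text 'reg query' prints; empty when the value is absent.
userlist_value() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk -v n="$2" '$1 == n && $2 == "REG_DWORD" { print $3 }'
}

# is_hidden NAME: succeed when the live registry shows NAME = 0x0.
is_hidden() {
  local out
  out=$(reg query "$USERLIST" /v "$1" 2>/dev/null) || return 1
  [ "$(userlist_value "$out" "$1")" = "0x0" ]
}

# Usage: bash hide_account.sh --hide [NAME]   /  --unhide [NAME]
# NAME defaults to cyg_server, the name ssh-host-config proposes.
ACCOUNT="${2:-cyg_server}"
case "${1:-}" in
  --hide)
    # Back up the key before touching it; fails harmlessly if the key
    # does not exist yet.
    reg export "$USERLIST" "$HOME/UserList-backup.reg" /y
    hide_account "$ACCOUNT"
    if is_hidden "$ACCOUNT"; then
      echo "$ACCOUNT will be hidden from the logon screen after the next logoff"
    else
      echo "could not confirm UserList value for $ACCOUNT" >&2
      exit 1
    fi
    ;;
  --unhide)
    unhide_account "$ACCOUNT"
    ;;
esac
```

Hiding the entry changes only what the logon screen lists; the account still exists and can still be used, which is exactly what sshd needs.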

If all has worked well, the offending service account is no longer left behind to confuse anyone logging on to the machine locally. You should also now be able to remotely SSH to the Windows 7 host.

Aside from allowing remote administration, having SSH on the machine opens up other possibilities, like using rsync or scp to move files around, or securely using RDP over an SSH tunnel. Good stuff to know, but sadly, all topics for another day.

For now, happy computing!

1 Comment

  1. Ed Walker says:

    As one of the lucky few to have been bailed out by Chip and receive a cleansing of my Vista infection I can say thankfully the HP’s XP rebirth stuck through its journey to the land of obsolescence. Now I’m up against it with a failing drive on my Mac. Wish me luck.

