# SSH on Windows 7 (the full awesome implementation)

8. October 2010

10-15-11 Polished.

Configuring Secure Shell on Windows 7 (or Vista) requires a bit of a special configuration for full ass-kicking. User Account Control should be enabled (duh).

## Server installation & configuration

1. Install Cygwin. You could use copssh, but don't. More on that later.
2. Include package: openssh. Also rsync and unison, because they're amazing.
3. Run Cygwin Bash Shell as Administrator.
4. Execute: ssh-host-config
5. Answer Yes to privilege separation, and yes to a new local account.
6. Answer No to installing as a service. This is critical. Explanation further down.
7. Execute (including the > symbol):
   ```sh
   mkdir ~/.ssh
   > ~/.ssh/authorized_keys
   ```
Creating this file from the terminal assigns the appropriate permissions (Cygwin's None account is granted read access).
8. Edit /etc/sshd_config in a text editor such as WordPad (not Notepad).
9. Uncomment the PasswordAuthentication line and set it to no. We're using public-key cryptography.
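
One thing to check after step 9: sshd honours only the first occurrence of each keyword, so appending a fresh PasswordAuthentication line below an existing one changes nothing. The following is an added example (not from the original post, with a constructed sample config) that computes the values sshd will actually use and flags the settings this key-only setup depends on.

```python
"""Work out which values sshd actually uses from an sshd_config.  OpenSSH keeps
the FIRST occurrence of each keyword and ignores later ones, so appending
"PasswordAuthentication no" below an existing "yes" line changes nothing.
Added example, not from the original post; the config text is constructed."""
import re

# Keyword, optional '=', argument; keywords are case-insensitive.
_LINE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*?)\s*$")

SAMPLE_SSHD_CONFIG = """\
# Constructed sample: a generated sshd_config after an ineffective edit.
PasswordAuthentication yes
#PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePrivilegeSeparation yes
Subsystem sftp /usr/sbin/sftp-server
# Appended at the bottom: sshd already took 'yes' above, so this is ignored.
PasswordAuthentication no
"""

def effective_settings(config_text):
    """Return {keyword_lowercase: argument} using sshd's first-wins rule.
    Parsing stops at the first Match block, whose settings are conditional."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        m = _LINE.match(line)
        if not m:
            continue                      # not a keyword line
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        settings.setdefault(key, value)   # later duplicates are ignored
    return settings

def audit(config_text):
    """Findings for the key-only login the post sets up; the fallback values
    are OpenSSH's defaults when a keyword is absent."""
    s = effective_settings(config_text)
    findings = []
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is effectively yes")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if s.get("challengeresponseauthentication", "yes").lower() != "no":
        findings.append("ChallengeResponseAuthentication is on: keyboard-interactive "
                        "login can still ask for a password where PAM is in use")
    return findings
```

Run `audit(open("/etc/sshd_config").read())` from a Cygwin Python to check the real file; an empty list means the edit took effect.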

## Public-key encryption

1. Run PuTTYGen on the client.
2. 1024 bits is useful for SSH from a smartphone (which is quite valuable), especially with low signal, as it will negotiate a connection quicker. Use 2048 if you wish. Generate.
3. Comment it: User@Server-PC, e.g. Chris@Chris-PC
4. Absolutely give it a passphrase.
5. Save private key to the drive as User@Server-PC.ppk
6. Conversions -> Export OpenSSH key, as User@Server-PC (no extension). You'll want this later.
7. Save public key as User@Server-PC.pub, you may want this later too. (Note this is not the same format as in the next step.)
8. Open C:\cygwin\home\User\.ssh\authorized_keys on the server.
9. Paste the public key displayed at the top of PuTTYGen on the client into this file on the server. (A secure local Remote Desktop connection works well for this.)
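
The file saved in step 7 is in RFC 4716 block format, whereas authorized_keys wants the single line PuTTYgen shows at the top of its window. As an added example (not part of the original post), the code below converts the saved file into that line, reading the key type from the decoded blob rather than guessing it; the key blob it embeds is constructed for illustration and is not a usable key.

```python
"""Turn the public key PuTTYgen writes with "Save public key" (RFC 4716 block
format) into the single 'type base64 comment' line authorized_keys expects.
Added example, not from the original post; the key blob is constructed and
is not a usable key."""
import base64
import struct

def _ssh_string(b):
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

# Constructed ssh-rsa blob with dummy e and n, just to have a valid structure.
_BLOB = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00\xab\xcd")
SAMPLE_RFC4716 = (
    "---- BEGIN SSH2 PUBLIC KEY ----\n"
    'Comment: "Chris@Chris-PC"\n'
    + base64.b64encode(_BLOB).decode() + "\n"
    "---- END SSH2 PUBLIC KEY ----\n"
)

def rfc4716_to_openssh(text):
    """Return the authorized_keys line for an RFC 4716 public key block.
    Headers end at the first line without a colon (base64 never has one) and
    a header ending in a backslash continues on the next line; the key type
    is read from the decoded blob rather than guessed."""
    lines = text.strip().splitlines()
    if (lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----"
            or lines[-1] != "---- END SSH2 PUBLIC KEY ----"):
        raise ValueError("not an RFC 4716 public key block")
    body, comment, i = lines[1:-1], "", 0
    while i < len(body) and ":" in body[i]:
        header = body[i]
        while header.endswith("\\") and i + 1 < len(body):
            i += 1
            header = header[:-1] + body[i]
        name, _, value = header.partition(":")
        if name.strip().lower() == "comment":
            comment = value.strip().strip('"')
        i += 1
    b64 = "".join(body[i:])
    blob = base64.b64decode(b64, validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    keytype = blob[4:4 + tlen].decode("ascii")
    if not keytype.startswith(("ssh-", "ecdsa-")):
        raise ValueError("blob does not begin with an SSH key type string")
    return " ".join(p for p in (keytype, b64, comment) if p)
```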

#### Preliminary

This will allow us to store certain standalone executables, and omit their full path when launching them. It will also allow us to launch the server from outside of a Cygwin Bash Shell. (Note that Cygwin's bin directories will appropriately take precedence, as seen in the file C:\cygwin\etc\profile.)

1. Create C:\Executables
2. Press WindowsKey+PauseBreak, click Advanced system settings.
3. Open Environment Variables..., under System variables double click the PATH variable.
4. Add: ;C:\Executables;C:\cygwin\bin with leading semicolon, at the end. (You may prefer C:\Executables in the User PATH instead.)

## Launching SSH daemon (server)

1. Unzip hstart.exe to C:\Executables. Hstart will help hide a console window, but it's also very useful for (de)elevating applications, as you'll see later.
2. Open Task scheduler on the server. (Why task scheduler? To bypass the prompt for application elevation on startup.)
3. Create Task..., name it SSHD, check Run with highest privileges.
4. Is the server a laptop? Uncheck Start the task only if the computer is on AC power under the Conditions tab.
5. Set it to launch when you log on under Triggers.
6. Under the Actions tab click New... Program: hstart Arguments: /noconsole "C:\cygwin\usr\sbin\sshd.exe -D"
7. Confirm all, F5 refresh, and Run that sucker! You may need to Allow access through the firewall.

Q: Why did we go to this trouble instead of allowing ssh-host-config to install SSHD as a service?
A: So that the daemon runs as a child process of explorer.exe. Although you can allow a service to interact with the desktop, it won't have the desired effect. This way we can launch notepad remotely and have it open under our user session on the server, a child of explorer, fully visible and ready for input, and that's super awesome!

## Client configuration

```ini
[PuTTY]
keys=load
```

This will copy KiTTY's configuration to PuTTY's registry keys on each exit, maintaining compatibility with tools such as plink and Pageant.
3. However it won't work unless the HKEY_CURRENT_USER\Software\SimonTatham\PuTTY registry key already exists. The fast solution is to import this .reg.
4. Rename kitty.exe to putty.exe, for compatibility with Pageant.
6. Create a logon-triggered entry named Pageant in Task Scheduler on the client, as we did for the server. Except do not run with highest privileges (more on that later). Program: pageant Arguments: C:\path\to\User@Server-PC.ppk
8. You'll see Pageant in the notification area. Right click, New Session (if you don't see this double check steps 2, 3, and 4).
10. Back under Session, type in a session name (how about User@User-PC) and Save.
11. Click Open to connect!

Now when the client machine boots, Pageant will prompt for your passphrase to access the private key. After which you can launch an SSH session through Pageant's Saved Sessions in the notification area, and Pageant will automate key verification. Sweet!

## File browsing

Now install WinSCP wherever. Configure nothing. With KiTTY fully connected, click on its top-left icon. Select Start WinSCP. Like whoa! Full SFTP access without even configuring WinSCP, awesome! (If it failed to connect, you may have already had WinSCP installed, reinstalling it opting to delete configuration files is one solution.)

## Launching applications

As our SSH daemon runs with administrative privileges, we have full remote system access. Often, however, we will want to launch an application with non-elevated privileges. For this you can use hstart.exe /nonelevated. An even more convenient way is to create an alias in .bashrc in your Cygwin home directory on the server (C:\cygwin\home\User\.bashrc). Consider adding the following:

```sh
alias med='hstart.exe /nonelevated '
```

You can reload the file with source ~/.bashrc. Now you may launch an application like: med notepad, and it will run with a Medium (non-elevated) integrity level, as a standard program would.

There will be more to cover in Part 2, which will illuminate some of our choices and the strength of this configuration.

NatNiks
2012 July 31. 6:14 AM

Hi, great post

1) I was looking for a way to set up an SSH tunnel to a Vista box
and to have the possibility to route my traffic from there into
the network where the Vista is located.

2) "You could use copssh, but don't. More on that later."
I have the same feeling, but could you please explain your view?

Christopher Galpin
2012 September 2. 1:11 PM

1) Afraid I can't help you with this, though you're right, an SSH tunnel is useful for that. If you desire *all* traffic routed you can use OpenVPN.

2) Copssh is just a package of Cygwin, OpenSSH and some things. Except Cygwin is useful for much more than just OpenSSH, and it's plenty easy already to set up Cygwin with the OpenSSH package, plus you'll have that flexibility of modifying the packages in the future - adding Unison or rsync for instance.

Keijo
2013 January 18. 2:24 PM

Pretty cool post.

Added a workaround to your hstart technique (C:\cygwin\usr\sbin\sshd.exe -D just started/stopped) to make it persistent, with this line in the Task Scheduler arguments:

/noconsole "C:\cygwin\mintty.exe /usr/sbin/sshd.exe -D"

Regards.
Keijo.

Alex
2013 February 25. 1:14 PM

Great article.

When I run C:\DV\bin\hstart.exe "C:\cygwin\usr\sbin\sshd.exe -D"
I receive the error "The program can't start because cygssp-0.dll is missing from your computer". But it is on my computer under the cygwin\bin directory.

When I run C:\DV\bin\hstart.exe "C:\cygwin\bin\mintty.exe C:\cygwin\usr\sbin\sshd.exe -D" it starts/stops.

C:\DV\bin\hstart.exe "C:\cygwin\bin\mintty.exe /usr/sbin/sshd.exe -D" starts/stops also.

Thank you,
Alex

awd
2013 March 7. 11:36 AM

Make sure "C:\cygwin\bin" is in your system environment variable.

Shawn
2013 March 28. 10:48 AM

I just had to say thanks, very cool idea. I was able to get it to run perfectly on Win7. It's nice having SSH access to the couple of Windows boxes I have. I just keep the ppk on my thumbdrive now so I can SSH into that box from anywhere. Thanks for the well written instructions.


#### Author

Christopher S. Galpin