SSH on Windows 7 continued: charade, ssh, rsync, Unison

13. October 2010

05-16-11 Updated and polished.

In the previous article we established an SSH session with KiTTY. However to take full advantage of Cygwin and SSH it's equally important that your Windows client can connect with Cygwin's ssh.

As Pageant handles authentication for KiTTY, so ssh-agent authenticates for ssh.exe.
But we're on Windows! We like KiTTY, and Pageant has a nice interface, it should be all we need.

Charade is an ssh-agent in Cygwin that proxies requests to Pageant.

Client instructions (Windows-centric variation on keychain)

  1. Install Cygwin and hstart and configure environment variables on the client as done previously on the server.
  2. Compile or download charade.exe
  3. Drop it in C:\cygwin\bin
  4. Add another program start action to our Pageant entry in Task Scheduler.
    Program: hstart Arguments: /noconsole "bash -c "charade > ~/.ssh-agent""
    Move this entry up, before Pageant's start action.
  5. Append source ~/.ssh-agent to the end of C:\cygwin\home\<User>\.bash_profile
  6. Run task, launch local Cygwin shell, connect to your server: ssh <hostname>. Hooray!


With charade operational, we can use rsync and Unison over SSH. Awesome!
Remember when we exported our private key in OpenSSH format (no file extension)? That's the one ssh.exe requires.

Here's an example bash script for pushing changes over a LAN with rsync that handles spaces in filenames.

#!/bin/bash
receiver=$1
# Paths with spaces: quote every expansion and let rsync's -s (--protect-args)
# carry the path to the remote side unchanged. No backslash escaping is needed
# (with -s, escaping would put literal backslashes into the remote path).
src=$(cygpath "$2")
if [ $# -eq 2 ]; then
    dest=$src
    #src=$src/
else
    dest=$(cygpath "$3")
fi
source ~/.ssh-agent
# rsync
# -a, archival mode, does:
#   -r (recursive)
#   -l (copy symlinks as symlinks)
#   -p (preserve permissions)
#   -t (preserve modification times)
#   -g (preserve group)
#   -o (preserve owner)
#   -D (preserve device & special files)
# -v, verbose
# --delete, delete extraneous files from destination dirs (DANGEROUS)
# --rsh, the remote shell to use
# -z, compress file data during the transfer
# ssh
# -a, disables agent forwarding
# -x, disables x11 forwarding
# -c, set the cipher specification (blowfish being the quickest; note that
#     blowfish-cbc is a legacy cipher and modern OpenSSH no longer offers it)
#LAN rsync:
rsync -s -av --delete --rsh="ssh -ax -c blowfish" "$src" "$receiver:$dest"
#WAN rsync:
#rsync -s -avz --delete --rsh="ssh -ax" "$src" "$receiver:$dest"

I call the script from within my text editor like this: cmd /c bash ~/push.sh Chris-Laptop 'C:\abc\some_source_dir' 'C:\some_dest_dir'
(or 'C:\abc\source_dir\' 'C:\abc\dest_dir\', or just a single 'C:\abc\source_dest\' if the path is equivalent at the destination.)

It's important to understand the distinction a trailing slash on the source folder makes with rsync (the folder's contents versus the folder itself), especially with --delete. Back up your data before experimenting.
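Added example, not the post's own push.sh: a POSIX sh rewrite of the helpers the script above needs, covering the ~/.ssh-agent sourcing from step 5, space-safe path handling via rsync's -s, and an explicit trailing-slash choice with a --dry-run rehearsal of --delete. The RSYNC_RUNNER and DRY_RUN variables, the function names, and the fallback when cygpath is absent are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the post's push.sh. Assumes Cygwin's cygpath and rsync on the
# client; without cygpath paths pass through unchanged so it runs on any POSIX sh.

# Convert a Windows path to POSIX form. Quoting "$1" keeps a path with spaces whole.
to_posix() {
    if command -v cygpath >/dev/null 2>&1; then cygpath -u "$1"; else printf '%s\n' "$1"; fi
}

# rsync sends a source's *contents* when it ends in '/', and the directory itself
# when it does not. Make that choice explicit rather than trusting how the path
# was typed: 'contents' forces exactly one trailing slash, 'dir' removes it.
normalize_src() {
    path=${1%/}
    case $2 in
        contents) printf '%s/\n' "$path" ;;
        dir)      printf '%s\n' "$path" ;;
        *) echo "normalize_src: mode must be 'contents' or 'dir'" >&2; return 1 ;;
    esac
}

# Source what the Task Scheduler action wrote with 'charade > ~/.ssh-agent' and check it exported a socket.
load_agent() {
    envfile=${1:-$HOME/.ssh-agent}
    [ -r "$envfile" ] || { echo "no agent environment at $envfile" >&2; return 1; }
    . "$envfile"
    [ -n "$SSH_AUTH_SOCK" ]
}

# Build the argument list in "$@" and run it. -s (--protect-args) hands paths to
# the remote rsync without a shell re-parsing them, so spaces need no escaping.
# dry=yes adds --dry-run so a --delete run can be rehearsed before it deletes.
# RSYNC_RUNNER (hypothetical, default rsync) lets a harness capture the arguments.
run_rsync() {
    receiver=$1 src=$2 dest=$3 dry=${4:-yes}
    set -- -s -av --delete --rsh="ssh -ax"
    [ "$dry" = yes ] && set -- "$@" --dry-run
    set -- "$@" "$src" "$receiver:$dest"
    "${RSYNC_RUNNER:-rsync}" "$@"
}

# push Chris-Laptop 'C:\abc\source dir' ['C:\dest dir']; dest defaults to src.
# Set DRY_RUN=no (hypothetical) once the rehearsal output looks right.
push() {
    [ $# -eq 2 ] || [ $# -eq 3 ] || { echo "usage: push receiver src [dest]" >&2; return 2; }
    load_agent || return 1
    src=$(normalize_src "$(to_posix "$2")" contents)
    run_rsync "$1" "$src" "$(to_posix "${3:-$2}")" "${DRY_RUN:-yes}"
}
```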



More to come!

SSH on Windows 7 (the full awesome implementation)

8. October 2010

10-15-11 Polished.

Configuring Secure Shell on Windows 7 (or Vista) requires a bit of a special configuration for full ass-kicking. User Account Control should be enabled (duh).

Server installation & configuration

  1. Install Cygwin. You could use copssh, but don't. More on that later.
  2. Include package: openssh. Also rsync and unison, because they're amazing.
  3. Run Cygwin Bash Shell as Administrator.
  4. Execute: ssh-host-config
  5. Answer Yes to privilege separation, and yes to a new local account.
  6. Answer No to installing as a service. This is critical. Explanation further down.
  7. Execute (including the > symbol):
    mkdir ~/.ssh
    > ~/.ssh/authorized_keys
    Creating this file from the terminal assigns the appropriate permissions (Cygwin's None account is granted read access).
  8. Edit /etc/sshd_config in a text editor such as WordPad (not Notepad).
  9. Uncomment and change PasswordAuthentication to No. We're using public-key cryptography.

Public-key encryption

  1. Run PuTTYGen on the client.
  2. 1024 bits is useful for SSH from a smartphone (which is quite valuable), especially with low signal, as it will negotiate a connection quicker. Use 2048 if you wish. Generate.
  3. Comment it: User@Server-PC, e.g. Chris@Chris-PC
  4. Absolutely give it a passphrase.
  5. Save private key to the drive as User@Server-PC.ppk
  6. Conversions -> Export OpenSSH key, as User@Server-PC (no extension). You'll want this later.
  7. Save public key as User@Server-PC.pub, you may want this later too. (Note this is not the same format as in the next step.)
  8. Open C:\cygwin\home\User\.ssh\authorized_keys on the server.
  9. Paste the public key displayed at the top of PuTTYGen on the client into this file on the server. (A secure local Remote Desktop connection works well for this.)

Preliminary

This will allow us to store certain standalone executables, and omit their full path when launching them. It will also allow us to launch the server from outside of a Cygwin Bash Shell. (Note that Cygwin's bin directories will appropriately take precedence, as seen in the file C:\cygwin\etc\profile.)

  1. Create C:\Executables
  2. Press WindowsKey+PauseBreak, click Advanced system settings.
  3. Open Environment Variables..., under System variables double click the PATH variable.
  4. Add: ;C:\Executables;C:\cygwin\bin with leading semicolon, at the end. (You may prefer C:\Executables in the User PATH instead.)

Launching SSH daemon (server)

  1. Unzip hstart.exe to C:\Executables. Hstart will help hide a console window, but it's also very useful for (de)elevating applications, as you'll see later.
  2. Open Task scheduler on the server. (Why task scheduler? To bypass the prompt for application elevation on startup.)
  3. Create Task..., name it SSHD, check Run with highest privileges.
  4. Is the server a laptop? Uncheck Start the task only if the computer is on AC power under the Conditions tab.
  5. Set it to launch when you log on under Triggers.
  6. Under the Actions tab click New... Program: hstart Arguments: /noconsole "C:\cygwin\usr\sbin\sshd.exe -D"
  7. Confirm all, F5 refresh, and Run that sucker! You may need to Allow access through the firewall.

Q: Why did we go to this trouble instead of allowing ssh-host-config to install SSHD as a service?
A: So that the daemon runs as a child process of explorer.exe. Although you can allow a service to interact with the desktop, it won't have the desired effect. This way we can launch notepad remotely and have it open under our user session on the server, a child of explorer, fully visible and ready for input, and that's super awesome!


Client configuration

  1. Download KiTTY.exe, a Windows-only fork of PuTTY with considerable advantages, to C:\Executables.
  2. Create or download C:\Executables\kitty.ini with the following entries:
    [PuTTY]
    keys=load
    This will copy KiTTY's configuration to PuTTY's registry keys on each exit, maintaining compatibility with tools such as plink and Pageant.
  3. However it won't work unless the HKEY_CURRENT_USER\Software\SimonTatham\PuTTY registry key already exists. The fast solution is to import this .reg.
  4. Rename kitty.exe to putty.exe, for compatibility with Pageant.
  5. Download Pageant.exe to C:\Executables.
  6. Create a log on triggered entry Pageant in Task Scheduler on the client, as we did for the server. Except do not run with highest privileges (more on that later). Program: pageant Arguments: C:\path\to\User@Server-PC.ppk
  7. Run the task! Type in your passphrase.
  8. You'll see Pageant in the notification area. Right click, New Session (if you don't see this double check steps 2, 3, and 4).
  9. Add the host name or IP, jump to Connection -> Data and add only your username, then jump to SSH -> Auth and browse to the private key.
  10. Back under Session, type in a session name (how about User@User-PC) and Save.
  11. Click Open to connect!

Now when the client machine boots, Pageant will prompt for your passphrase to access the private key. After which you can launch an SSH session through Pageant's Saved Sessions in the notification area, and Pageant will automate key verification. Sweet!

File browsing

Now install WinSCP wherever. Configure nothing. With KiTTY fully connected, click on its top-left icon. Select Start WinSCP. Like whoa! Full SFTP access without even configuring WinSCP, awesome! (If it failed to connect, you may have already had WinSCP installed, reinstalling it opting to delete configuration files is one solution.)

Launching applications

As our SSH daemon runs with administrative privileges, we have full remote system access. Often, however, we will want to launch an application with non-elevated privileges. For this you can use hstart.exe /nonelevated. An even more convenient way is to create an alias in .bashrc in your Cygwin home directory on the server (C:\cygwin\home\User\.bashrc). Consider adding the following:

alias med='hstart.exe /nonelevated '

You can reload the file with source ~/.bashrc. Now you may launch an application like: med notepad, and it will run with a Medium (non-elevated) integrity level, as a standard program would.


There will be more to cover in Part 2, which will illuminate some of our choices and the strength of this configuration.