
This will enable ssh, and optionally the subsystems sftp and scp.

BD has been asking about this; he mentioned he was getting errors, so I figured I'd just post up the instructions here for him or anyone else interested.


download
https://github.com/PowerShell/Win32-OpenSSH/releases/download/3_19_2016/OpenSSH-Win64-1.1.zip

extract to c:\openssh


PowerShell prompt
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
cd c:\openssh
.\install-sshlsa.ps1
reboot


edit c:\openssh\sshd_config
subsystem sftp c:\openssh\sftp-server.exe
subsystem scp c:\openssh\scp.exe

cmd prompt elevated
cd c:\openssh
sshd.exe install

services.msc
SSHD set to auto and start


Validate you can access ssh, sftp and scp if you enabled that subsystem.
If you have any firewalls running, make sure you allow it.
putty and filezilla work great for this; winscp works for sftp or scp (turn off optimize buffer size).

Optional enable publickey auth

create .ssh folder in user folder, say c:\users\administrator
Explorer doesn't like folder names that start with ".", so use the command line:
cd %userprofile%
mkdir .ssh

create your key pair, puttygen works great for this
in your .ssh folder create authorized_keys file
paste in your public key to your authorized_keys file

validate you can auth using publickey


Once you have validated you can auth using publickey you can disable password auth if you want
edit sshd_config
PasswordAuthentication no
restart service
validate that publickey works and passwords do not

All done..


The guide assumes you understand the basics of public key auth, generation of key pairs, etc. If you need/want further instruction let me know and I can add pictures, etc. This was tested on 2k12r2; I used the 1.1 download because there was mention of possible errors with others. The Set-ExecutionPolicy command is needed because the script is not signed, and if you don't do that before you run the script you will get an error.

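As an added example (not code from the post or the Win32-OpenSSH project), a PowerShell check of the settings the steps above change; it assumes the install path C:\openssh and the service name SSHD from the post, and that sshd_config sits in that folder as in the 1.1 release:

```powershell
# Added example, not code from the post or the Win32-OpenSSH project: a post-install check of
# the settings the steps above change. Paths (C:\openssh, sshd_config, %USERPROFILE%\.ssh)
# and the service name SSHD are taken from the post; the 1.1 layout is assumed.
$installDir = 'C:\openssh'
$configPath = Join-Path $installDir 'sshd_config'
$findings   = @()

# First uncommented occurrence of a keyword wins in sshd_config, so return that one.
function Get-SshdSetting {
    param([string]$Path, [string]$Name)
    $line = Get-Content -Path $Path |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match "^\s*$Name\s+" } |
        Select-Object -First 1
    if ($line) { return ($line -replace "^\s*$Name\s+", '').Trim() }
    return $null
}

# 1. Each Subsystem line must point at a binary that exists, or sftp/scp sessions fail at login.
foreach ($line in (Get-Content $configPath | Where-Object { $_ -match '^\s*Subsystem\s+' })) {
    $parts = $line.Trim() -split '\s+', 3
    if ($parts.Count -lt 3 -or -not (Test-Path $parts[2])) {
        $findings += "Subsystem line points at a missing binary: $line"
    }
}

# 2. Password logins should be off once key-based login has been confirmed to work.
$pw = Get-SshdSetting -Path $configPath -Name 'PasswordAuthentication'
if ($pw -ne 'no') { $findings += "PasswordAuthentication is '$pw' (unset means the default, yes)" }

# 3. authorized_keys in %USERPROFILE%\.ssh, one public key per line, as the post sets it up.
$authKeys = Join-Path $env:USERPROFILE '.ssh\authorized_keys'
if (-not (Test-Path $authKeys)) {
    $findings += "No authorized_keys at $authKeys; key auth cannot work for this account"
} elseif (-not (Get-Content $authKeys | Where-Object { $_ -match '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp\d+) ' })) {
    $findings += "authorized_keys has no line that looks like an OpenSSH public key"
}

# 4. The SSHD service must be running and actually listening on the configured port.
$port = Get-SshdSetting -Path $configPath -Name 'Port'
if (-not $port) { $port = 22 }
$svc = Get-Service -Name 'SSHD' -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') { $findings += 'SSHD service is not running' }
if (-not (Get-NetTCPConnection -LocalPort ([int]$port) -State Listen -ErrorAction SilentlyContinue)) {
    $findings += "Nothing is listening on TCP $port"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'All checks passed' }
```

Run it from an elevated PowerShell prompt after the service has been started; each warning maps to one of the steps above that has not taken effect yet.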

You should add changing users default directory, I've looked a lot for it but couldn't find anything but ChrootDirectory. All the tutorials used the same drive.


Other than that, good job. I'll set this up on my Media Box and you can test it later for me.

What do you want??  That user ends up somewhere else other than their directory?  Like c:\files or d:\something vs c:\users\budman


To be honest that is not really how ssh works.. Users can always just change dir to where they want to go that they have permissions to, or set up their sftp client to auto change to that folder for them..  But sure I will look to see if there is a way.

Well, I would like to restrict access to a Network Drive. That would be the only location they could go to. You mentioned Windows User Groups and accounts was the way to go. I was thinking I could just make Group "Neowin" and assign them to that directory only. But I couldn't test that theory because of the stupid sshd error.

you can for sure lock down the windows user to what folders they can access outside their home directories via ntfs permissions..  But off the top of my head I don't know how you can sftp to default to that dir in windows


Yeah, ok, what I thought: chroot does not work in Windows.

https://github.com/PowerShell/Win32-OpenSSH/issues/140


Chroot feature does not work in Windows. In Windows sftp server, home directories are set to the user's actual home directories (like c:/users/username or c:/users/username.domainname)

  On 30/03/2016 at 17:06, BudMan said:

you can for sure lock down the windows user to what folders they can access outside their home directories via ntfs permissions..  But off the top of my head I don't know how you can sftp to default to that dir in windows

Yeah, ok, what I thought: chroot does not work in Windows.

https://github.com/PowerShell/Win32-OpenSSH/issues/140

Chroot feature does not work in Windows. In Windows sftp server, home directories are set to the user's actual home directories (like c:/users/username or c:/users/username.domainname)

So, if I wanted to change them, I'd have to move their directory to i.e J:/

What do you need to change?  Like I said users can only access what they have permissions for.. Just because when they ssh/sftp it defaults to their home folder.  Are these users too stupid to change to J: drive ?  You know they can set filezilla sftp client to auto put them in whatever folder, etc.


Now when they login they will land on whatever drive/folder they set.

  On 31/03/2016 at 11:19, BudMan said:

What do you need to change?  Like I said users can only access what they have permissions for.. Just because when they ssh/sftp it defaults to their home folder.  Are these users too stupid to change to J: drive ?  You know they can set filezilla sftp client to auto put them in whatever folder, etc.

Now when they login they will land on whatever drive/folder they set.

Well... I only want them to be able to go to drive J:\, and that's it. 

Then run linux so you can chroot.  What is the difference that they can only access their own home dir?  And J drive?  I really don't see the difference.. While I can see why you wouldn't want them to have full access to everything.  They would have access to their folder, and then whatever you give that account permission to.  Be it a drive or some other folder..

You could take away their write permission on their home folder.  So they cannot do anything in that folder; it's just where the sftp puts them when they login.  Your requirement is so inconsequential. It's like I want to just push the channel button on my remote, I don't want to have to hit the power button on the remote first before I change the channel.. And no I don't want to program a macro on the remote that I push..  I just want to push the channel button, and it should know that it's not on and turn it on.

If you want that kind of sftp server on windows, you're going to have to pay for it.  Something like http://www.syncplify.me/products/server/
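The NTFS-only restriction described in this post, as an added PowerShell example that is not code from the thread; it uses the group name Neowin, the account budman and drive J: from the discussion, and assumes a folder J:\sftp and that the account is used only for sftp (never for interactive logon):

```powershell
# Added example, not code from the thread: the NTFS-only restriction BudMan describes.
# Group name "Neowin", user "budman" and drive J: come from the discussion; the folder
# J:\sftp and the account being sftp-only (never logging on interactively) are assumptions.
# Run from an elevated prompt.
$group     = 'Neowin'
$user      = 'budman'
$shareRoot = 'J:\sftp'
$homeDir   = Join-Path 'C:\Users' $user

# 1. Members of the group get Modify on the shared folder; (OI)(CI) makes new files and
#    subfolders inherit it. M does not include changing permissions, so they cannot widen it.
icacls $shareRoot /grant "${group}:(OI)(CI)M"

# 2. The home folder stays the sftp landing spot but becomes read-only for the user:
#    deny the write-type specific rights (write/append data, attributes, delete, delete child)
#    rather than stripping inheritance, so SYSTEM and Administrators keep full control.
#    A deny ACE here breaks profile writes, hence the sftp-only assumption above.
icacls $homeDir /deny "${user}:(OI)(CI)(WD,AD,WA,WEA,DE,DC)"

# 3. Side effect worth having: the user can no longer edit .ssh\authorized_keys, so the
#    set of accepted keys is managed only by an administrator.

# 4. Show the resulting ACLs so the change can be reviewed before the first login test.
icacls $shareRoot
icacls $homeDir
```

After this the user still lands in C:\Users\budman on login but can only read there, and can write under J:\sftp; any other location is governed by whatever NTFS rights the account already had.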

Maybe.. It's free for 1 user, $199 for unlimited.
