Public key authentication using Cygwin

Overview

Enabling public key authentication allows us to seamlessly, without having to interactively enter credentials, perform the following tasks...

  • scp files from one host to another
  • Execute commands on remote host
  • Log on to remote host
The Cygwin sshd server runs as a Windows service under the Local SYSTEM account, which is created with the special privileges needed to run the service. On Windows 2003 Server, sshd runs under the local account sshd_server. The sshd server authenticates user logins using a public/private key pair.

Configure Cygwin sshd

In this example, we configure password-less public key authentication to a remote Worklight host. We will leverage a user named "WorklightAdmin".


  1. Install Cygwin. During installation, select the following packages...

    • Admin --> cygrunsrv
    • Net --> openssh
  2. After installation, edit...
      C:\cygwin\Cygwin.bat
    ...add the following line...

      set CYGWIN=binmode ntsec
    For example...

      @echo off

      C:
      chdir C:\cygwin\bin
      set CYGWIN=binmode ntsec
      bash --login -i
  3. Start a Cygwin terminal using "Run as Administrator"
  4. Verify Cygwin is installed properly...
      cygrunsrv -h
    All Cygwin help options should display on the screen.
  5. From a bash shell, configure SSH...
      ssh-host-config
    You are prompted to answer the following questions:

      *** Query: Should privilege separation be used? : yes
      *** Query: New local account 'sshd'? : yes
      *** Query: Do you want to install sshd as a service?
      *** Query: : yes
      *** Query: Enter the value of CYGWIN for the daemon: [] binmode ntsec
      *** Query: Do you want to use a different name? (yes/no) yes/no
    At this point, for our example, we enter yes, and then plug in our WorklightAdmin user name and password...

      *** Query: Enter the new user name: WorklightAdmin
      *** Query: Reenter: WorklightAdmin
      *** Query: Create new privileged user account 'WorklightAdmin'? (yes/no) yes
      *** Query: Please enter the password:
      *** Query: Reenter:
    If the configuration is successful, you will see the following message:

      Host configuration finished. Have fun!
  6. If you ever want to change the login ID of the Cygwin sshd service afterwards...

    1. Open the Services panel
        Windows Start | Administrative Tools | Services
    2. Stop the sshd service.
        Cygwin sshd (right-click) | Properties | General | Stop
    3. Next, select the Log on tab. Under the Log on as section or prompt, clear the Local System account radio button, and select This account.
    4. Type .\WorklightAdmin as the ID and type the password for the account. Click Apply.
  7. Grant additional rights to the WorklightAdmin account. Ensure that the account has the required privileges in addition to membership in the Administrators group.


    1. From the Windows Start menu, click...
        Settings | Control Panel | Administrative Tools | Local Security Policy | Local Policies | User Rights Assignment
    2. Verify the WorklightAdmin account has the following four rights:
      • Adjust memory quotas for a process
      • Create a token object
      • Log on as a service
      • Replace a process level token
      If not, add WorklightAdmin as a user with the four rights.
  8. Close the Local Security Settings window.
  9. From a Cygwin console panel, change ownership of the following directories and files to WorklightAdmin:
    • chown WorklightAdmin /var/log/sshd.log
    • chown -R WorklightAdmin /var/empty
    • chown WorklightAdmin /etc/ssh*
  10. Restart the Cygwin sshd service.
      Cygwin sshd service | Properties | General | Start
    ...or...

      cygrunsrv -S sshd
  11. To achieve a password-less login from HostA --> remoteWLhost

    1. Login to HostA as user WorklightAdmin
    2. Copy contents of...
        $HOME/.ssh/id_rsa.pub
      If .ssh/id_rsa.pub does not exist, run...

        $ ssh-keygen -t rsa
        Generating public/private rsa key pair.
        Enter file in which to save the key (/usr/local/wasuser/.ssh/id_rsa):
        Enter passphrase (empty for no passphrase):
        Enter same passphrase again:
        Your identification has been saved in /usr/local/wasuser/.ssh/id_rsa
        Your public key has been saved in /usr/local/wasuser/.ssh/id_rsa.pub
        The key fingerprint is:
        05:db:12:51:9f:48:dc:43:cd:8f:22:b0:a7:47:2d:17 wasuser@hostname
      Leave passphrase blank.
    3. Log on to remote host (remoteWLhost) and paste the public key to...
        $HOME/.ssh/authorized_keys
      If the directory and/or file do not exist, create them.
    4. Set permissions...
        chmod go-w $HOME $HOME/.ssh
        chmod 600 $HOME/.ssh/authorized_keys
        chown `whoami` $HOME/.ssh/authorized_keys
  12. You can now run commands on HostA such as...
      $ ssh -l WorklightAdmin remoteWLhost 'ls /cygdrive/c/path/to/Worklight/logs'
      console.log
      ffdc
      messages.log
      messages_13.02.28_13.37.37.0.log
      status.log

      $ ssh -l WorklightAdmin remoteWLhost 'tail /cygdrive/c/path/to/Worklight/logs/messages.log'
      [2/28/13 13:38:16:747 EST] jdbc.internal.DataSourceService A J2CA8001I
      [2/28/13 13:38:16:747 EST] jdbc.internal.DataSourceService A J2CA8001I
      [2/28/13 13:38:16:762 EST] jdbc.internal.DataSourceService A J2CA8001I
      [2/28/13 13:38:16:762 EST] jdbc.internal.JDBCDriverService A J2CA8001I
      [2/28/13 13:38:16:778 EST] tcpchannel.internal.TCPChannel I CWWKO0220I

      $ ssh WorklightAdmin@remoteWLhost
      Last login: Fri Mar 15 17:40:10 2013 from pavftrptwrb.sonebiz.com
      WorklightAdmin@remoteWLhost ~
      $

      scp WorklightAdmin@remoteWLhost:/cygdrive/c/path/to/Worklight/logs/messages.log messages.log.txt
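Steps 11.2 through 11.4 above, written as a small script (an added example, not code from the original page): install_authorized_key appends the public key to $HOME/.ssh/authorized_keys without ever adding it twice and applies the chmod settings from step 11.4, and check_key_perms verifies the permissions sshd's StrictModes checks before it will accept a key, which is the usual reason a "password-less" login still prompts for a password. It assumes GNU coreutils (Cygwin or Linux) for stat -c; the home directory is passed explicitly so it can be exercised on a scratch directory, and the sample key is constructed, not a real key.

```shell
#!/bin/bash
# Added example, not from the original page. Assumes GNU coreutils (Cygwin/Linux).

# install_authorized_key HOME_DIR "PUBKEY_LINE"
install_authorized_key() {
    home_dir=$1 pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" || return 1
    chmod go-w "$home_dir" "$ssh_dir"   # sshd refuses keys if these are group/world writable
    touch "$auth_file"
    # -F -x: literal whole-line match, so the same key is never appended twice
    if ! grep -qFx -- "$pubkey" "$auth_file"; then
        printf '%s\n' "$pubkey" >> "$auth_file"
    fi
    chmod 600 "$auth_file"
}

# mode_of PATH -> octal permission bits, e.g. 755
mode_of() { stat -c '%a' "$1"; }

# check_key_perms HOME_DIR
# Returns 0 when home, .ssh and authorized_keys have modes sshd accepts;
# otherwise prints the first problem found and returns 1.
check_key_perms() {
    home_dir=$1
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    [ -d "$ssh_dir" ] || { echo "missing $ssh_dir"; return 1; }
    [ -f "$auth_file" ] || { echo "missing $auth_file"; return 1; }
    # 022 = group-write | other-write; 077 = any group/other access
    [ $(( 0$(mode_of "$home_dir") & 022 )) -eq 0 ] \
        || { echo "$home_dir is group/world writable"; return 1; }
    [ $(( 0$(mode_of "$ssh_dir") & 022 )) -eq 0 ] \
        || { echo "$ssh_dir is group/world writable"; return 1; }
    [ $(( 0$(mode_of "$auth_file") & 077 )) -eq 0 ] \
        || { echo "$auth_file is readable/writable by group or others (want 600)"; return 1; }
    return 0
}

# Stand-alone demo on a scratch directory with a constructed (not real) key
if [ "${1:-}" = "--demo" ]; then
    demo_home=$(mktemp -d)
    SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC_CONSTRUCTED_NOT_A_REAL_KEY WorklightAdmin@HostA'
    install_authorized_key "$demo_home" "$SAMPLE_KEY"
    install_authorized_key "$demo_home" "$SAMPLE_KEY"   # second call is a no-op
    check_key_perms "$demo_home" && echo "ok: $(grep -c . "$demo_home/.ssh/authorized_keys") key(s) installed"
    rm -rf "$demo_home"
fi
```

Run it with --demo to see the idempotent install on a throwaway directory; in real use pass the target user's home directory and the line from id_rsa.pub.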

Non-admin userID

If you try to connect to the Windows workstation using a non-administrator user ID, you might get error...

    XCIM0010E: An error occurred while connecting to the remote target ip_address.
    Cause: CTGRI0011E An error occurred when accessing the remote registry or service control manager.
...add the user account to the Administrators group...

  1. Go to...
      My Computer (right-click) | Manage | Local Users and Groups Users | user account | Member Of
  2. Add the Administrators group to the list of groups that this account belongs to.
  3. From the admin console, click...

Change public key location in sshd_config


# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile /home/.ssh/authorized_keys