Regardless of which method you use to create the OpenSSH service, to use OpenSSH effectively as a service, you should run it under the default LocalSystem account. OpenSSH must be able to, in effect, become any user, and LocalSystem has the necessary rights to allow this. If you want to run OpenSSH under another account, look in the OpenSSH documentation for the necessary rights. You should also set an environment variable called CYGWIN equal to tty so that the server interprets input correctly. Create a batch file that contains the command in Listing 3, and place it in your base directory. Instead of starting the OpenSSH server directly, run this batch file to launch the server.
Killing OpenSSH
An OpenSSH server requires very little management. The only administration task you should have to perform is adding a user to the server's Passwd file to give the user remote access to a command line on the server. You can use Notepad or any other text editor to add a user to the Passwd file. However, OpenSSH retrieves the Passwd file only when OpenSSH is launched. If you've set up OpenSSH as a service, OpenSSH is launched only when the server reboots or when you restart the service after killing the sshd.exe process. Obviously, you don't want to reboot your server whenever you need to add a user, so you need a way to kill OpenSSH. The sshd.exe process is visible in Task Manager, but you can't kill the process from there.
One answer is to use a couple of other Cygwin utilities, kill.exe and ps.exe, both of which are in the Cygwin package. Place both of them in your C:\ssh directory for ease of use and security. I recommend renaming kill.exe to cygkill.exe if you have the Win2K or NT 4.0 resource kit installed because the kits also have a kill.exe utility.
As I mentioned earlier, to work with the OpenSSH process, you must use a shell that the LocalSystem account owns. Use the procedure I outlined in the section about testing the server to launch a shell. At the command line, type
ps -ef
to obtain a list of all the Cygwin processes running. Look for the oldest OpenSSH process, and note its PID. Then type
kill -HUP PID
where PID is the identifier for the OpenSSH process. The service will relaunch itself, complete with a new Passwd file.
Alternatively, you can use the kill.exe utility from the Win2K or NT 4.0 resource kit. First, use tlist.exe (also from the resource kit) to obtain a list of all processes with their PIDs, then use the Kill command with the first sshd.exe process listed (the first process might not have the lowest number). After killing the process, stop and restart the OpenSSH service, and you're back in business.
Because OpenSSH spawns a separate process for each connection, you can even kill the sshd.exe process from an SSH session on a remote client without dropping your connection. Be sure to close all the old client connections after you restart the service and before you start any new connections.
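The "find the master sshd and HUP it" step above, as an added shell example for the Cygwin bash shell (not code from the original article). It assumes Cygwin's ps -ef prints the columns UID PID PPID TTY STIME COMMAND, and instead of eyeballing the oldest process it picks the sshd whose parent is not itself an sshd, which is the listener that spawns the per-connection children; the sample ps output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of Cygwin "ps -ef" output (not real captured data):
# one master sshd (PID 412, parent PID 1) plus two per-connection children
# and a user's shell spawned by the master.
SAMPLE_PS='     UID     PID    PPID TTY     STIME COMMAND
  SYSTEM     412       1   ?  10:02:11 /usr/sbin/sshd
  SYSTEM     980     412   ?  11:15:03 /usr/sbin/sshd
   admin    1012     412   ?  11:15:04 /usr/bin/bash
  SYSTEM    1220     412   ?  11:40:17 /usr/sbin/sshd'

# Read ps -ef style text on stdin and print the PID of the master sshd:
# the sshd process whose parent PID is not another sshd. Prints nothing
# if no such process exists. Column layout (PID=$2, PPID=$3, COMMAND=$6)
# is an assumption about Cygwin's ps output.
master_sshd_pid() {
    awk '
        $6 ~ /(^|\/)sshd$/ { is_sshd[$2] = 1; parent[$2] = $3 }
        END {
            for (p in is_sshd)
                if (!(parent[p] in is_sshd)) { print p; exit }
        }
    '
}

# Send SIGHUP to the master sshd so the service relaunches itself and
# re-reads /etc/passwd. Run from a shell owned by LocalSystem; if you
# renamed the Cygwin kill to cygkill.exe, change the command below.
hup_master_sshd() {
    pid=$(ps -ef | master_sshd_pid)
    if [ -z "$pid" ]; then
        echo "no master sshd process found" >&2
        return 1
    fi
    echo "sending SIGHUP to sshd master PID $pid"
    kill -HUP "$pid"
}

# Demonstration on the constructed sample: should print 412.
printf '%s\n' "$SAMPLE_PS" | master_sshd_pid
```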
A Few Precautions
SSH is a great addition to any network or systems administrator's toolkit, but it's not a silver bullet for all your security woes. Properly managed, OpenSSH is a secure tool, but you need to follow a few rules:
- Keep remote access available only to administrators when possible.
- Restrict access to the \ssh, \var, and \etc directories to LocalSystem and the local Administrators group.
- If an SSH client warns that an OpenSSH server's host key has changed at any time other than the initial connection to that server, investigate the situation.
- Use SSH1 only if you absolutely must have compatibility with older clients.
With SSH, you can remotely issue almost any command that you would be able to issue if you were sitting at the server's console. To make the most of this capability, you should have the Win2K or NT 4.0 resource kit because they include utilities that let you remotely shut down or reboot the server, list the tasks that are running and kill them, and much more.
Now that you've seen how easy it is to set up OpenSSH, you should replace all the Telnet servers in your organization with SSH servers. OpenSSH not only is secure but also has some powerful features, including support for secure file copying, port redirection, and using public and private key pairs instead of passwords for authentication. When you see all that OpenSSH can do, you'll agree that it's an essential part of your administration toolkit.
Corrections to this Article:
- "SSH for Windows" (September 15, 2001) describes how to download three .gz files from a Cygwin FTP site and unpack them with WinZip Computing's WinZip. Red Hat changed two of those files to use the .bz2 format. You can download the .bz2 files from a Cygwin FTP site, but WinZip won't decompress them. Go to http://sources.redhat.com/bzip2 and download the bzip2 utility, which will unpack these files.