Diffstat (limited to 'contrib/cygwin/README')
-rw-r--r-- contrib/cygwin/README 137
1 files changed, 137 insertions, 0 deletions
diff --git a/contrib/cygwin/README b/contrib/cygwin/README
new file mode 100644
index 00000000..8c9d0bb7
--- /dev/null
+++ b/contrib/cygwin/README
@@ -0,0 +1,137 @@
+This package is the actual port of OpenSSH to Cygwin 1.1.
+
+===========================================================================
+Important change since 2.3.0p1:
+
+When using `ntea' or `ntsec' you now have to care for the ownership
+and permission bits of your host key files and your private key files.
+The host key files have to be owned by the NT account which starts
+sshd. The user key files have to be owned by the user. The permission
+bits of the private key files (host and user) have to be at least
+rw------- (0600)!
+
+Note that this is forced under `ntsec' only if the files are on a NTFS
+filesystem (which is recommended) due to the lack of any basic security
+features of the FAT/FAT32 filesystems.
+===========================================================================
+
+Since this package is part of the base distribution now, the location
+of the files has changed from /usr/local to /usr. The global configuration
+files are in /etc now.
+
+If you are installing OpenSSH the first time, you can generate
+global config files, server keys and your own user keys by running
+
+ /usr/bin/ssh-config
+
+If you are updating your installation you may run the above ssh-config
+as well to move your configuration files to the new location and to
+erase the files at the old location.
+
+Be sure to start the new ssh-config when updating!
+
+Note that this binary archive doesn't contain default config files in /etc.
+That files are only created if ssh-config is started.
+
+Install sshd as daemon via SRVANY.EXE (recommended on NT/W2K), via inetd
+(results in very slow deamon startup!) or from the command line (recommended
+on 9X/ME).
+
+If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
+following line to your inetd.conf file:
+
+sshd stream tcp nowait root /usr/sbin/in.sshd sshd -i
+
+Moreover you'll have to add the following line to your
+${SYSTEMROOT}/system32/drivers/etc/services file:
+
+ sshd 22/tcp #SSH daemon
+
+Authentication to sshd is possible in one of two ways.
+You'll have to decide before starting sshd!
+
+- If you want to authenticate via RSA and you want to login to that
+ machine to exactly one user account you can do so by running sshd
+ under that user account. You must change /etc/sshd_config
+ to contain the following:
+
+ RSAAuthentication yes
+
+ Moreover it's possible to use rhosts and/or rhosts with
+ RSA authentication by setting the following in sshd_config:
+
+ RhostsAuthentication yes
+ RhostsRSAAuthentication yes
+
+- If you want to be able to login to different user accounts you'll
+ have to start sshd under system account or any other account that
+ is able to switch user context. Note that administrators are _not_
+ able to do that by default! You'll have to give the following
+ special user rights to the user:
+ "Act as part of the operating system"
+ "Replace process level token"
+ "Increase quotas"
+ and if used via service manager
+ "Logon as a service".
+
+ The system account does of course own that user rights by default.
+
+ Unfortunately, if you choose that way, you can only logon with
+ NT password authentification and you should change
+ /etc/sshd_config to contain the following:
+
+ PasswordAuthentication yes
+ RhostsAuthentication no
+ RhostsRSAAuthentication no
+ RSAAuthentication no
+
+ However you can login to the user which has started sshd with
+ RSA authentication anyway. If you want that, change the RSA
+ authentication setting back to "yes":
+
+ RSAAuthentication yes
+
+You may use all features of the CYGWIN=ntsec setting the same
+way as they are used by the `login' port on sources.redhat.com:
+
+ The pw_gecos field may contain an additional field, that begins
+ with (upper case!) "U-", followed by the domain and the username
+ separated by a backslash.
+ CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
+ BTW: The field separator in pw_gecos is the comma.
+ The username in pw_name itself may be any nice name:
+
+ domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...
+
+ Now you may use `domuser' as your login name with telnet!
+ This is possible additionally for local users, if you don't like
+ your NT login name ;-) You only have to leave out the domain:
+
+ locuser::1104:513:John Doe,U-user,S-1-5-21-...
+
+V2 server and user keys are generated by `ssh-config'. If you want to
+create DSA keys by yourself, call ssh-keygen with `-d' option.
+
+DSA authentication similar to RSA:
+ Add keys to ~/.ssh/authorized_keys2
+Interop. w/ ssh.com dsa-keys:
+ ssh-keygen -f /key/from/ssh.com -X >> ~/.ssh/authorized_keys2
+and vice versa:
+ ssh-keygen -f /privatekey/from/openssh -x > ~/.ssh2/mykey.pub
+ echo Key mykey.pub >> ~/.ssh2/authorization
+
+If you want to build from source, the following options to
+configure are used for the Cygwin binary distribution:
+
+--prefix=/usr --sysconfdir=/etc --libexecdir='${exec_prefix}/sbin
+
+You must have installed the zlib, openssl and regex packages to
+be able to build OpenSSH!
+
+Please send requests, error reports etc. to cygwin@sources.redhat.com.
+
+Have fun,
+
+Corinna Vinschen <vinschen@cygnus.com>
+Cygwin Developer
+Red Hat Inc.
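
Review bot: In the "Important change since 2.3.0p1" block, "have to be at least rw------- (0600)" reads as a minimum, so a reader could take 0644 as acceptable; since the paragraph is about protecting private host and user keys, word it as "no more permissive than rw------- (0600)". Near the end, the configure options line `--libexecdir='${exec_prefix}/sbin` is missing its closing single quote, so pasting it into a shell leaves the quoting unterminated. The first authentication option offers `RhostsAuthentication yes` and `RhostsRSAAuthentication yes` without saying what they trust, while the second option turns both off; a sentence explaining when enabling them is acceptable would help readers choose. The inetd.conf example line is not indented like the other examples, and "deamon", "authentification" and "That files are" should read "daemon", "authentication" and "Those files are".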