Here's the scenario: you've just started a meeting with your IT security chief and, as you're describing how the big client wants you to set up an FTP server so they can upload a bunch of confidential files for your project, you notice that the chief's face is turning an interesting shade of red. In the calm, measured voice that lets you know you've just stepped into a minefield, she suggests that you might want to find a file transfer mechanism that is ever-so-slightly more secure than FTP. Or else.
Since you are, of course, a strong advocate of open source solutions, you do some research and discover OpenSSH and the SSH File Transfer Protocol (also known as SFTP). SFTP looks like it's just the ticket and puts a smile on the security chief's face. The only problem is that your server room runs on Windows and OpenSSH doesn't. After a little more research, you find that OpenSSH does run on Windows after all; it just needs a little help from the Cygwin project. Now if you could just find some instructions on how to get started. This is where we come in.
This is a bare bones guide to getting an OpenSSH Secure Shell (SSH) and SFTP (SSH File Transfer Protocol) server running under Windows. You will need a copy of the Cygwin installer, Internet access, and an Administrator account on your Windows server. You can download the Cygwin installer (setup.exe) from cygwin.com. At the time this tutorial was published, the current Cygwin release was 1.5.25-15.
Please note that the basic instructions covered in this tutorial should work on most versions of Windows and have been thoroughly tested on Windows XP and Vista. We have included version-specific notes where the instructions diverged.
Because OpenSSH is available as an optional Cygwin package (openssh, listed under the Net category in the installer's package chooser), the easiest way to get OpenSSH running under Windows is to employ a custom Cygwin install that selects that package.
Vista vs. XP Note: on Windows XP you can simply run Cygwin.bat. On Vista, you'll need to run Cygwin.bat as an administrator (right-click it and choose "Run as administrator"), because the steps below install sshd as a Windows service.
export CYGWIN='ntsec tty'
chmod +rw /etc/group
chmod +rw /etc/passwd
chmod 0755 /var
ssh-host-config -y
net start sshd

The -y switch makes ssh-host-config answer "yes" to every question it asks. If you would rather answer the questions yourself, run it without the switch and start the service afterwards:

export CYGWIN='ntsec tty'
chmod +rw /etc/group
chmod +rw /etc/passwd
chmod 0755 /var
ssh-host-config
net start sshd
mkpasswd -cl > /etc/passwd
mkgroup --local > /etc/group

mkpasswd -cl writes the current user (-c) and all local Windows accounts (-l) into /etc/passwd; mkgroup --local does the same for local groups in /etc/group. Both commands overwrite the files completely, so run them before making any hand edits to /etc/passwd (such as the home directory changes described below), or those edits will be lost.
Note: The default configuration we've gone through makes sshd listen on TCP port 22 on every network interface. You will need to open this port in the Windows Firewall (and in any network firewall between the client and the server) in order for the SSH server to be reachable; if you can, limit the rule to the client's source addresses.
For most Windows users and administrators, a user's home directory is c:\Documents and Settings\[user name] (c:\Users\[user name] on Vista). However, under Cygwin and OpenSSH, when remote users log in they may be surprised to find their (Cygwin) home is under c:\cygwin\home\[user name]. Fortunately, changing the Cygwin/OpenSSH behavior to match Windows standard behavior more closely is pretty straightforward, provided you understand the differences in the path conventions for Windows and Cygwin.
Since Cygwin is a Linux/Unix emulation that runs on top of Windows, the Cygwin shell does some things quite differently from Windows or a DOS command shell. Most notably, the paths in Cygwin follow a different, Linux-like convention.
Under Linux (and Cygwin), the file system has a single top level called the root and written "/". The path delimiters are slashes, so, for example, the path to a directory called user inside a directory called home would be "/home/user".

Windows, of course, supports multiple top levels on the file system: c:\, d:\, e:\ etc. The path delimiters are back-slashes and a similar path on the c drive would be "c:\home\user".

In order for Cygwin to let Linux applications understand path information, Cygwin paths follow the Linux convention. However, the root directory in Cygwin points to the Windows directory in which Cygwin was installed (c:\cygwin by default).

To shoehorn the Windows path information in under the Linux convention, Cygwin puts the drive letters under a "cygdrive" directory. So, the path to the file "c:\home\user\myfile.txt" (Windows-speak) in Cygwin is "/cygdrive/c/home/user/myfile.txt". The Cygwin path for something on, say, the g:\ drive, would be "/cygdrive/g/...".

Some general path examples for Windows:
Note the escaped space in the Cygwin path for the fourth example: the backslash is shell quoting, needed when you type a path containing spaces at the bash prompt, and is not part of the path itself.
Here's why we need all this path information: when the mkpasswd command is used to generate Cygwin /etc/passwd entries from local Windows user accounts, each user's (Cygwin) home directory defaults to "/home/[username]" (a Cygwin path).
When that user logs in remotely through SFTP, he or she will start in that home directory; so in order to change the starting point for an SFTP session, the home directory setting for the user will need to be updated.

To change this, open the file /etc/passwd in a text editor that understands Unix (LF) line endings. Warning: Notepad doesn't read Unix files correctly. Wordpad does, but if you use Wordpad, be very careful to save the passwd file as plain text. Saving in any other format (RTF, for instance) will break the file, which will have unfortunate effects on Cygwin, since every Cygwin program consults it. Keep a backup copy before editing.

Each line in the file corresponds to the Cygwin settings for a particular user. The entries are separated by colons, ":". There are seven entries for each user: the user name; a password placeholder (Cygwin does not keep passwords here, so mkpasswd writes "unused"); the numeric user ID; the numeric group ID; the comment (GECOS) field, in which mkpasswd records the Windows account name and SID; the home directory; and the login shell.
Change the 6th field to the path you'd like as the SFTP entry point for each user. Note that this must be a Cygwin-style path, for example: /cygdrive/c/Documents and Settings/[user name]. Write the path literally: since the fields are delimited by colons rather than whitespace, spaces need no escaping inside /etc/passwd, and the backslash escapes you would use to type such a path at a bash prompt must not be copied into the file.
Restart the sshd service (net stop sshd followed by net start sshd, from an administrative prompt) and the new home directories will take effect for subsequent logins.
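The path conversion and the /etc/passwd edit above can be scripted so that no hand editing (and no Wordpad) is involved. The following POSIX shell script is an added example, not part of the original tutorial or of the Cygwin or OpenSSH projects: win_to_cygwin_path turns a Windows path into its /cygdrive form (inside Cygwin the stock cygpath -u tool does the same job; the hand-rolled version lets the script run on any Unix shell), and set_cygwin_home rewrites the sixth field of one user's entry. The function names, the sample user names, SIDs and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: convert a Windows path to Cygwin form and point a user's
# Cygwin home directory (field 6 of /etc/passwd) at it.
# User names, SIDs and paths below are constructed for illustration.

# Turn "c:\Documents and Settings\alice" into
# "/cygdrive/c/Documents and Settings/alice". Inside Cygwin, `cygpath -u`
# does this natively; this version runs on any POSIX shell.
win_to_cygwin_path() {
    case "$1" in
        [A-Za-z]:*) ;;
        *) printf 'not a drive-letter path: %s\n' "$1" >&2; return 1 ;;
    esac
    drive=$(printf '%s' "$1" | cut -c1 | tr 'A-Z' 'a-z')   # drive letter, lower case
    rest=$(printf '%s' "$1" | cut -c3- | tr '\\' '/')      # everything after "x:", slashes flipped
    rest=${rest%/}                                         # drop a trailing separator
    printf '/cygdrive/%s%s\n' "$drive" "$rest"
}

# Rewrite the home-directory field for one user.
#   $1 = passwd file, $2 = user name, $3 = new home in Cygwin form
# (no backslashes: awk -v would treat them as escape sequences).
# The result is copied back with cat rather than mv so the file keeps the
# ownership and permissions it already has (the tutorial chmod'ed it earlier).
set_cygwin_home() {
    pw_file=$1; pw_user=$2; pw_home=$3
    awk -F: -v u="$pw_user" '$1 == u { found = 1 } END { exit !found }' "$pw_file" || {
        printf 'no entry for %s in %s\n' "$pw_user" "$pw_file" >&2
        return 1
    }
    tmp="$pw_file.tmp.$$"
    awk -F: -v OFS=: -v u="$pw_user" -v h="$pw_home" \
        '$1 == u { $6 = h } { print }' "$pw_file" > "$tmp" &&
        cat "$tmp" > "$pw_file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demonstration on a constructed /etc/passwd in the format mkpasswd produces.
demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
Administrator:unused:500:513:U-SERVER\Administrator,S-1-5-21-1-2-3-500:/home/Administrator:/bin/bash
alice:unused:1003:513:U-SERVER\alice,S-1-5-21-1-2-3-1003:/home/alice:/bin/bash
EOF
    new_home=$(win_to_cygwin_path 'c:\Documents and Settings\alice')
    set_cygwin_home "$sample" alice "$new_home"
    awk -F: '$1 == "alice" { print "alice now starts in: " $6 }' "$sample"
    rm -f "$sample"
}

demo
```

On the real server, call set_cygwin_home with /etc/passwd as the first argument and then restart sshd as described in the next step; run it after mkpasswd, since mkpasswd regenerates the whole file.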
Now that the server is set for secure transfers, the users have the right home directories, and all is right with the world, it might be a good time to mention that your big client is going to need some way of connecting to the new SFTP server. Since FTP and SFTP are entirely different protocols under the hood, an FTP program cannot talk to it; the client will need an SFTP program. Fortunately, the open source community can help once again. WinSCP is an excellent, streamlined Windows SFTP client which also supports FTP and SCP file transfers. If you need a cross-platform client, you might also consider FileZilla, an SFTP, FTP, and FTPS client that runs on Windows, Linux, Mac OS X, the BSDs, and other platforms.