Open Source Software Technical Articles


Installing an SSH/SFTP Server on Windows


Here's the scenario: you've just started a meeting with your IT security chief and, as you're describing how the big client wants you to set up an FTP server so they can upload a bunch of confidential files for your project, you notice that the chief's face is turning an interesting shade of red. In the calm, measured voice that lets you know you've just stepped into a minefield, she suggests that you might want to find a file transfer mechanism that is ever-so-slightly more secure than FTP. Or else.


Since you are, of course, a strong advocate of open source solutions, you do some research and discover OpenSSH and the SSH File Transfer Protocol (also known as SFTP). SFTP looks like just the ticket and puts a smile on the security chief's face. The only problem is that your server room runs on Windows and OpenSSH doesn't. After a little more research, you find that OpenSSH does run on Windows; it just needs a little help from the Cygwin project. Now if you could just find some instructions on how to get started. This is where we come in.

Before You Start


This is a bare-bones guide to getting an OpenSSH Secure Shell (SSH) and SFTP (SSH File Transfer Protocol) server running under Windows. You will need a copy of the Cygwin installer, Internet access, and an Administrator account on your Windows server. You can download the Cygwin installer (setup.exe) from cygwin.com. At the time this tutorial was published, the current Cygwin release was 1.5.25-15; the questions that ssh-host-config asks have changed in later releases, so read its prompts rather than following the answers below blindly.


Please note that the basic instructions covered in this tutorial should work on most versions of Windows and have been thoroughly tested on Windows XP and Vista. We have included version-specific notes where the instructions diverged.

Meat & Potatoes


Installation


Because OpenSSH is available as an optional component of Cygwin, the easiest way to get OpenSSH running under Windows is to employ a custom Cygwin install.


  • Log in to Windows using an administrator account.

  • Copy the Cygwin installer somewhere convenient (like c:\, for example).

  • Run setup.exe.

[Screenshot: Cygwin installation type]

  • Choose “Install from Internet".

  • Select a directory for the installed Cygwin files (the “Root Directory”). The default c:\cygwin will work fine. Make sure "Install For" is set to "All Users" and "Default Text File Type" is set to "Unix/binary".

[Screenshot: Cygwin install location]

  • Select a directory for the downloaded installation files (the “Local Package Directory”). It's better if this is not the same as the Root Directory. Something like c:\cygwin_packages works well.

[Screenshot: Cygwin packages location]

  • For the Internet connection, "Direct Connection" will probably work. If not, check with your network administrator to see what’s most appropriate.

[Screenshot: Cygwin connection type]

  • The download sites are mirrors of the central Cygwin package repository and should have essentially identical content. Choosing a site in your region will likely result in speedier downloads.

[Screenshot: Cygwin download site]

  • Once the installer has downloaded and displayed the list of packages available on the repository, click on the "View" button until the text to the right of the button says "Full". In the list of packages, scroll down until you see a package called "openssh: The OpenSSH server and client programs" in the Package column. Under the New column, click on the word "Skip". This should display a version number for the installable OpenSSH package. Note that this may change the status on other packages, from "Skip" to a version. Don't change those entries! They're packages upon which OpenSSH depends.

[Screenshot: Cygwin OpenSSH package selection]

  • The next screen will begin the installation process. Installation will take some time and may be a good opportunity to take a coffee break (or two).

  • Once the installation is complete, you can choose whether or not to add Cygwin shortcuts to the Start menu or Desktop.

  • Now launch the Cygwin shell (this is similar to a DOS/command window) by clicking on a shortcut (if you created one during the installation), or by running c:\cygwin\Cygwin.bat.


Vista vs. XP Note: on Windows XP you can simply run Cygwin.bat. On Vista, you'll need to run Cygwin.bat as an administrator (right-click it and choose "Run as administrator"); without that, ssh-host-config cannot register the Windows service and fails with "OpenSCManager: Win32 error 5: Access is denied".

  • On XP: at the prompt, run the following commands:

      export CYGWIN='ntsec tty'   # ntsec: map permissions onto NT ACLs; tty: give the shell a pseudo-tty
      chmod +rw /etc/group        # let the setup scripts rewrite the Cygwin group and user files
      chmod +rw /etc/passwd
      chmod 0755 /var             # sshd's privilege-separation directory lives under /var; it must not be world-writable
      ssh-host-config -y          # generate host keys, write /etc/sshd_config, install the sshd service (yes to all questions)
      net start sshd              # start the new Windows service

  • On Vista: at the prompt, run the following commands:

      export CYGWIN='ntsec tty'
      chmod +rw /etc/group
      chmod +rw /etc/passwd
      chmod 0755 /var
      ssh-host-config             # as above, but answer the questions interactively

    Answer yes to each question except "Do you want to use a different name?" and "Create new privileged user account 'cyg_server'?"; the answer to both of these is no. Then start the service:

      net start sshd

    This configures, installs and starts the SSH/SFTP server as a Windows service.

  • Synchronize Cygwin user information with your Windows users by running:

      mkpasswd -cl > /etc/passwd     # the current user plus every local Windows account
      mkgroup --local > /etc/group   # every local Windows group

    SSH and SFTP logins use the server's own Windows accounts and passwords, and sshd only knows about the accounts listed in /etc/passwd, so re-run these two commands whenever you create a Windows account that needs SFTP access.

  • You can test the server by connecting from another system using an SFTP client such as FileZilla or an SSH client such as PuTTY.



Note: the default sshd_config that ssh-host-config wrote listens on TCP port 22. You will need to allow inbound connections on that port in the Windows Firewall (and in any network firewall between the client and the server) before anyone can connect. A client that reports "connection refused" has reached the server but found nothing listening, which usually means the sshd service isn't running; a connection that simply hangs and times out usually means the port is blocked somewhere along the way.
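The following script is an added example, not part of the original article, of the two checks worth running right after net start sshd: whether anything is actually listening on the SSH port, and opening the port in the Windows Firewall. It is meant to be run from the Cygwin shell as an administrator and assumes the default port 22, the service name "sshd" that ssh-host-config registers, and that the Windows netstat and netsh commands are on the PATH (they are in a Cygwin shell). The netstat output embedded at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: check that the sshd service
# installed above is reachable, and open the Windows Firewall for it.
# Run from the Cygwin shell as an administrator. Assumes the default port 22,
# the service name "sshd" that ssh-host-config registers, and that the Windows
# netstat and netsh commands are on the PATH.
set -u

SSH_PORT=22

# Parse "netstat -an" output and succeed if TCP port $2 is in LISTENING state.
# Windows prints lines such as:  TCP    0.0.0.0:22    0.0.0.0:0    LISTENING
# The port is the last colon-separated part of the local address, which also
# copes with IPv6 entries such as [::]:22.
is_listening() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "TCP" && $4 == "LISTENING" {
            n = split($2, a, ":")
            if (a[n] == port) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Allow inbound TCP on the SSH port. Vista and later use "netsh advfirewall";
# XP only has the older "netsh firewall" syntax, so fall back to that.
open_firewall_port() {
    netsh advfirewall firewall add rule name="OpenSSH sshd" dir=in action=allow \
        protocol=TCP localport="$1" 2>/dev/null ||
    netsh firewall add portopening protocol=TCP port="$1" name="OpenSSH sshd" mode=ENABLE
}

# Report whether sshd is up. "Connection refused" on the client side almost
# always means this check fails: nothing is listening, so look at the service.
check_sshd() {
    if is_listening "$(netstat -an)" "$SSH_PORT"; then
        echo "sshd is listening on TCP port $SSH_PORT"
    else
        echo "nothing is listening on TCP port $SSH_PORT" >&2
        cygrunsrv -Q sshd           # service state and the last error it logged
        return 1
    fi
}

# Constructed sample of "netstat -an" output for exercising is_listening without
# a live server: port 22 and 135 listening, plus one established SSH session.
SAMPLE_NETSTAT='Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:22        192.168.1.20:51234     ESTABLISHED
  TCP    [::]:22                [::]:0                 LISTENING'

case ${1:-} in
    check)    check_sshd ;;
    firewall) open_firewall_port "$SSH_PORT" ;;
    sample)   is_listening "$SAMPLE_NETSTAT" "$SSH_PORT" && echo "sample shows port $SSH_PORT listening" ;;
    "")       ;;                  # no argument: only define the functions, so the file can be sourced
    *)        echo "usage: $0 check|firewall|sample" >&2; exit 2 ;;
esac
```

Running it as ./check_sshd.sh check after net start sshd tells you which half of the problem you have: if the port is listening locally but a remote client still cannot connect, the port is blocked, and ./check_sshd.sh firewall adds the Windows Firewall rule. If nothing is listening, the service itself is the problem, and the cygrunsrv -Q output shows why it did not start.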



Configuring A User's Home Directory


For most Windows users and administrators, a user's home directory is c:\Documents and Settings\[user name] (c:\Users\[user name] on Vista). Under Cygwin and OpenSSH, however, remote users may be surprised to find that their (Cygwin) home is c:\cygwin\home\[user name], because that is the home directory mkpasswd writes into /etc/passwd by default. Fortunately, changing the Cygwin/OpenSSH behavior to match Windows standard behavior more closely is pretty straightforward, provided you understand the differences in the path conventions for Windows and Cygwin.


Translating Paths From Cygwin to Windows and Back


Since Cygwin is a Linux/Unix emulation that runs on top of Windows, the Cygwin shell does some things quite differently from Windows or a DOS command shell. Most notably, the paths in Cygwin follow a different, Linux-like convention.


Under Linux (and Cygwin), the file system has a single top level called the root and written "/". The path delimiters are slashes, so, for example, the path to a directory called user inside a directory called home would be "/home/user".

Windows, of course, supports multiple top levels on the file system: c:\, d:\, e:\ etc. The path delimiters are back-slashes and a similar path on the c drive would be "c:\home\user".

So that programs written for Linux can run unchanged, Cygwin presents paths in the Linux convention; its root directory, "/", is the Windows directory in which Cygwin was installed (c:\cygwin if you accepted the default).

To shoehorn the Windows path information in under the Linux convention, Cygwin puts the drive letters under a "cygdrive" directory. So, the path to the file "c:\home\user\myfile.txt" (Windows-speak) in Cygwin is "/cygdrive/c/home/user/myfile.txt". The Cygwin path for something on, say, the g:\ drive, would be "/cygdrive/g/..."

Some general path examples for Windows (assuming Cygwin was installed in c:\cygwin):

    Windows Path                 Cygwin Path
    c:\cygwin                    /
    c:\                          /cygdrive/c
    e:\                          /cygdrive/e
    c:\Program Files\MyApp       /cygdrive/c/Program\ Files/MyApp
    c:\cygwin\home\username      /home/username

Note the escaped space in the Cygwin path for the fourth example. The backslash is there for the shell's benefit: without it, bash would treat "Files/MyApp" as a second argument. The directory name itself is "Program Files" with a plain space, so you could equally quote the whole path ("/cygdrive/c/Program Files/MyApp"), and when a path is written into a file such as /etc/passwd it goes in without any backslashes. Cygwin also ships a cygpath command that converts between the two conventions, which is handy for paths with awkward characters.

Default Directory for Users


Here's why we need all this path information: when using the mkpasswd command to create Cygwin user accounts from local Windows user accounts, the user’s (Cygwin) home directory will default to “/home/[username]” (Cygwin path).


When that user logs in remotely through SFTP, he or she will start in that home directory; so in order to change the starting point for an SFTP session, the home directory setting for the user will need to be updated.

To change this, open the file /etc/passwd in a text editor that understands how to read Unix line endings.

Warning: Notepad doesn’t read Unix files correctly. Wordpad does, but if you use Wordpad, be very careful to save the passwd file in a text format. Saving in any non-text format will break the file which will have unfortunate effects on Cygwin.

Each line in the file corresponds to the Cygwin settings for a particular user. The entries are separated by colons, “:”. There are seven entries for each user:

    • Username.

    • Password: actually a placeholder.

    • User ID (UID): a unique number assigned to each user.

    • Group ID (GID): the unique number assigned to the user’s primary group.

    • User ID Information: A comment field, normally used for human readable information about a user.

    • Home Directory: the path of the user’s home directory.

    • User’s Default Shell: the path to the shell executable. In Cygwin, this is almost always /bin/bash.



Change the 6th field to the path you'd like as the SFTP entry point for each user. This must be a Cygwin-style path, written exactly as the directory is named, with no shell escaping: /cygdrive/c/Documents and Settings/[user name], for example, spaces included (on Vista the profile lives under /cygdrive/c/Users/[user name]). Leave the other six fields alone and keep one entry per line; a malformed passwd file stops everyone logging in.

Restart the service (net stop sshd, then net start sshd) and the new home directories will take effect for new logins.

Bear in mind that this only changes where a session starts. Nothing stops the user from changing directory up to / or across to /cygdrive/d: an SFTP user can reach anything the Windows permissions on that account allow. If the client should be confined to its own directory, that is a job for sshd_config rather than /etc/passwd. OpenSSH's Match block with ChrootDirectory and ForceCommand internal-sftp does it, subject to the ownership rules for the chroot directory described in sshd_config(5).
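Putting the path-translation rules and the passwd edit together, here is an added example, not part of the original article, of making the change from the Cygwin shell instead of a text editor: win2cyg applies the translation table above to a Windows path, set_home_field rewrites the sixth field of passwd-format text for one user, and set_sftp_home applies that to the live /etc/passwd and restarts sshd. It assumes Cygwin's Root Directory is c:\cygwin (the installer default) and that the service is the sshd registered by ssh-host-config; the user names, paths and sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: set a user's SFTP entry point by
# rewriting the home-directory field of Cygwin's /etc/passwd from the shell.
# Assumptions: Cygwin's Root Directory is c:\cygwin (the installer default) and
# the service is the "sshd" that ssh-host-config registered.
set -u

CYGWIN_ROOT_WIN='c:\cygwin'   # the Windows directory that Cygwin presents as "/"

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Translate a Windows path into Cygwin form, following the table above:
#   c:\cygwin\home\bob    -> /home/bob
#   c:\                   -> /cygdrive/c
#   d:\Data\Client Files  -> /cygdrive/d/Data/Client Files
# Drive letters and the install directory match case-insensitively, as Windows
# does. Spaces stay as plain spaces: backslash escaping is shell syntax, not
# part of the path. (Cygwin's own "cygpath -u" does the same job.)
win2cyg() {
    local win lwin lroot drive rest
    win=$1
    lwin=$(lower "$win")
    lroot=$(lower "$CYGWIN_ROOT_WIN")
    case $lwin in
        "$lroot")
            echo / ;;
        "$lroot"\\*)
            # everything after the install directory, with the slashes flipped
            printf '%s\n' "$win" | cut -c "$((${#CYGWIN_ROOT_WIN} + 1))-" | tr '\\' '/' ;;
        [a-z]:|[a-z]:\\*)
            drive=${lwin%%:*}                              # "c" from "c:\..."
            rest=$(printf '%s' "${win#??}" | tr '\\' '/')  # drop "c:", flip slashes
            rest=${rest%/}                                 # c:\ -> /cygdrive/c, no trailing slash
            printf '/cygdrive/%s%s\n' "$drive" "$rest" ;;
        *)
            echo "win2cyg: not an absolute Windows path: $win" >&2
            return 1 ;;
    esac
}

# Read passwd-format lines on stdin and write them out with the home directory
# (6th colon-separated field) of user $1 replaced by $2. Fails if no line
# matched, so a typo in the user name cannot silently leave the file unchanged.
set_home_field() {
    # The values travel through the environment rather than "awk -v", because
    # -v would interpret backslash escapes in them.
    USER_NAME=$1 NEW_HOME=$2 awk -F: -v OFS=: '
        $1 == ENVIRON["USER_NAME"] { $6 = ENVIRON["NEW_HOME"]; found = 1 }
        { print }
        END { exit found ? 0 : 1 }'
}

# Apply the change to the live /etc/passwd and restart sshd so new logins see it.
set_sftp_home() {
    local user win_dir cyg_dir tmp
    user=$1; win_dir=$2
    cyg_dir=$(win2cyg "$win_dir") || return 1
    [ -d "$cyg_dir" ] || { echo "no such directory: $win_dir ($cyg_dir)" >&2; return 1; }
    tmp=$(mktemp /etc/passwd.XXXXXX) || return 1
    if set_home_field "$user" "$cyg_dir" < /etc/passwd > "$tmp"; then
        cp /etc/passwd /etc/passwd.bak   # a broken passwd file locks everyone out; keep a copy
        mv "$tmp" /etc/passwd
        net stop sshd && net start sshd
    else
        rm -f "$tmp"
        echo "user '$user' is not in /etc/passwd; run mkpasswd -cl > /etc/passwd first" >&2
        return 1
    fi
}

# Constructed sample in the format "mkpasswd -cl" produces, for trying
# set_home_field without touching the real file.
SAMPLE_PASSWD='Administrator:unused:500:544:U-FILESRV\Administrator,S-1-5-21-1-2-3-500:/home/Administrator:/bin/bash
bob:unused:1003:513:U-FILESRV\bob,S-1-5-21-1-2-3-1003:/home/bob:/bin/bash
sshd:unused:1004:513:sshd privsep,U-FILESRV\sshd,S-1-5-21-1-2-3-1004:/var/empty:/bin/false'

if [ $# -ge 2 ]; then
    set_sftp_home "$1" "$2"       # e.g. sh set_sftp_home.sh bob 'c:\Documents and Settings\bob'
elif [ $# -ne 0 ]; then
    echo "usage: $0 <windows user> <windows directory>" >&2; exit 2
fi
```

Run it from an administrator Cygwin shell as sh set_sftp_home.sh bob 'c:\Documents and Settings\bob'; the single quotes keep the shell from eating the backslashes, and the function writes the path into /etc/passwd with plain spaces. With no arguments the file only defines the functions, so you can source it and use win2cyg on its own to check what a Windows path looks like to Cygwin.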

Finishing Up


Now that the server is set for secure transfers, the users have the right home directories, and all is right with the world, it might be a good time to mention that your big client is going to need some way of connecting with the new SFTP server. Since FTP and SFTP are entirely different under the hood, the client will need a new client. Fortunately, the open source community can help once again. WinSCP is an excellent, streamlined Windows SFTP client which also supports FTP and SCP file transfers. If you need a cross-platform client, you might also consider FileZilla, an SFTP, FTP, and FTPS client that runs on Windows, Linux, Mac OS X, the BSDs, and other platforms.




This work is licensed under a Creative Commons Attribution 3.0 Unported License.



Comments

Thanks for this! 
 
note typo above 
mkpasswd -cl > /etc/passwd
Posted @ Tuesday, January 08, 2013 8:01 AM by Marge
How do I change the username and password? Because right now I can connect to the server through WinSCP, but it requires a username and password. Can you help me?
Posted @ Friday, January 25, 2013 3:32 AM by afiq
Thanks for the GREAT tutorial. It seems that after I changed the home directory, the users land in the correct directory BUT they are also able to navigate anywhere in the system. Is there a way to prevent this?
Posted @ Friday, June 28, 2013 5:53 AM by patrick
Hi, Thanks for the detailed article. I do not know any thing about SFTP / Linux / Unix but I was able to configure this with ease. Many Thanks.  
 
My question is, how can we secure Users home directories? So, the users cannot navigate to other users home directories. Thanks in advance.
Posted @ Wednesday, September 04, 2013 9:02 AM by Balu Kalepu
How do I find out my host name?
Posted @ Sunday, October 27, 2013 6:32 AM by Daniel
@Daniel, open command prompt, type HOSTNAME, and hit enter.
Posted @ Friday, January 03, 2014 4:05 PM by Dan
I am getting the following error(s):
 
/usr/bin/cygrunsrv: Error installing a service: OpenSCManager: Win32 error 5: 
Access is denied. 
 
*** ERROR: Installing sshd as a service failed! 
Posted @ Thursday, January 30, 2014 2:13 PM by Dennis Nerada
I solved the error. I right-clicked on the Cygwin64 Terminal icon and selected "Run as administrator".
Posted @ Thursday, January 30, 2014 2:19 PM by Dennis Nerada
How do I uninstall the complete "cygwin" package from the machine?
Posted @ Thursday, May 01, 2014 7:42 AM by Nit
Hi There 
 
Great Article! 
 
I've installed the 32-bit version on Win2008ServerR2 (yes, I know, it's 64-bit). Cygwin Terminal opens OK and I can ping all servers, however I am unable to connect to Cygwin via PuTTY from another server..., and I cannot connect from another server that needs an SFTP server??
 
The PuTTY error is
 
"Network error: connection refused" 
 
The Win2008 server is pingable, and there is no firewall running 
 
Where should I look first?
Posted @ Sunday, June 08, 2014 6:31 AM by Peter
How do you restrict access? The SFTP is working fine, but when I log in with the user I've created, I can see all drives on the server. I should only see the contents of the directory I've created for this user.
Posted @ Thursday, July 17, 2014 12:48 PM by Cengiz