Solved

OpenSSH setup on Windows 2003

Posted on 2009-04-14
12
1,908 Views
Last Modified: 2012-05-06
I'm working on a project where a client needs to send us files using sFTP. The web server in my DMZ is running Windows 2003 and since Windows doesn't support sftp or ssh I researched and found OpenSSH. I've installed OpenSSH onto my server and ran the mkgroup and mkpasswd commands to get things started. When using PuTTY to test my SSH server all I get is Access Denied. I'm using PuTTY on a different box to test access to the SSH server. What am I missing? I've searched all over the place and have tried several solutions without any success. I first want to make sure SSH is functional before trying sFTP but if a solution can cover that even better.

Thanks,

Mark
0
Comment
Question by:mklippel
  • 7
  • 5
12 Comments
 
LVL 14

Expert Comment

by:theras2000
ID: 24144279
I think that you need to login in using a valid Windows user a/c.  Not sure if a domain a/c works, so just create a local account administrator to start with.
Maybe it also needs to be part of the Remote Users group, on the server.
Have you got any sort of firewall on the server?  Port 22 needs to be open for SSH.
0
 

Author Comment

by:mklippel
ID: 24147957
I've tried with a local account on the server without any luck. I tried adding the account to the remote users group but that doesn't help.
0
 
LVL 14

Expert Comment

by:theras2000
ID: 24148194
Hmmm I don't remember it well enough.  I'll install it now and have a go.
0
 
LVL 14

Accepted Solution

by:
theras2000 earned 500 total points
ID: 24148357
OK done and working fine from another machine on my LAN.  I've installed it on WinXPP BTW, but it should be the same for you.  So this is what I did:
1. Downloaded the zip from http://sourceforge.net/project/showfiles.php?group_id=103886&package_id=111688.
2. Installed it as an admin account.
3. Opened a DOS windows (running under an admin account) to C:\Program Files\OpenSSH\bin
4. mkgroup -l >> ..\etc\group
5. mkpasswd -l >> ..\etc\passwd
6. net start opensshd
7. Ran the firewall.cpl and made an exception for port 22.
8. Downloaded PuTTY from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html on another machine on my LAN.
9. Ran PuTTY, and typed in my server's name (port was already set to SSH 22), and pressed Open.
10. I got a warning about my server's identity, and pressed Yes.
11. Got a login as: prompt, so I typed a local user name from the server.
12. A default warning page displayed, and a password: prompt, so I typed the password of that Windows user.
13. Done.  Prompt is ready at C:\Documents and Settings\User
0
 

Author Comment

by:mklippel
ID: 24148421
I'll reinstall and see what happens. I disabled the AV to make sure that it wasn't getting in the way. The firewall is disabled on the server itself so that is not an issue.
0
 

Author Comment

by:mklippel
ID: 24148548
Some progress has been made. I reinstalled, rebuilt the group and passwd file and can now log in as administrator. Now the bigger question. I need to setup a local user to have access to a directory for sftp. Currently the user is created and a password has been assigned. When trying to connect using PuTTY I get the access denied message. I'm sure this has to do with permissions somewhere. I'd like to target the user's home directory to a different location for sftp files.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 14

Expert Comment

by:theras2000
ID: 24149417
Well I must admit I don't have any experience with the sftp part of this setup.
But, this seems like a perfect little guide http://www.digitalmediaminute.com/article/1487/setting-up-a-sftp-server-on-windows
Read down at the heading "Creating Home Directories for you Users"
Have a go, and if you're still stuck I'll try it myself and see what I get.
0
 

Author Comment

by:mklippel
ID: 24149462
Thanks. I'll check out the article. As a test I added my test user to the local administrator group and I was able to log in so it appears to be permissions. I don't want any sftp users to have admin rights to our server obviously.
0
 
LVL 14

Expert Comment

by:theras2000
ID: 24149541
Yep that sounds right to me too
0
 

Author Comment

by:mklippel
ID: 24150026
Progress! The trick seems to be to give the user the "log on locally" permission and it works just fine. I now have my test user, without local admin right, able to log into the web server using PuTTY and the home folder is now redirected to a different drive and folder for security reasons. I've also testing internally sFTP and it works just fine using FileZilla. I'll test everything externally and work on locking down the file permissions.

theras2000 - you've been an awesome help!

I'll let you know how it turns out in case I run into any issues.
0
 
LVL 14

Expert Comment

by:theras2000
ID: 24150170
Ahhhhh that makes sense.  I'm so glad you got it.
0
 
LVL 14

Expert Comment

by:theras2000
ID: 24150348
Hey BTW I'll just share my experience with this.  5yrs ago I setup OpenSSH on my home XP PC, just for fun because I was learning ports and tunnels and remote desktopping.  I'm pretty sure I used this same package, but it was early like v2.1 or something.  I had locked it down to just 1 user with a tight password (and I think tight folder permissions to prevent access to anything but 1 subfolder).  I came home one day and found my traffic maxing out when nobody was using it.  Some investigation of ports etc showed me that files were being sent out via the SSH tunnel to a user who was logged in.  I booted the connection, uninstalled it and have been too scared to touch it again.  Fortunately, at the time my connectoin had already been shaped to 64kbps, so nothing too much could have got out for the 2-3hrs that it had been active.  After some research, I found there was a serious buffer overrun exploit, which had been detected and fixed ages ago on the Unix version but not the Windows one (so I assume this is how they got in).

Anyway, I don't want to alarm you more than is necessary, as this was 5yrs ago, but I just wanted to share my story so you could keep your eyes open for patches and monitor the connections.  You seem to know way more than I did at the time about permissions, so I reckon you'll be fine.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now