Chinaunix首页 | 论坛 | 博客
  • 博客访问: 3931276
  • 博文数量: 421
  • 博客积分: 685
  • 博客等级: 上将
  • 技术积分: 3670
  • 用 户 组: 普通用户
  • 注册时间: 2010-02-18 14:20
文章分类

全部博文(421)

文章存档

2012年(5)

2011年(52)

2010年(83)

2009年(67)

2008年(65)

2007年(149)

分类: WINDOWS

2009-04-03 09:53:21

【知识介绍】

Cygwin是Windows下的一个Linux仿真环境,它包括两部分,一是cygwin1.dll文件,它作为一个Linux API仿真器层为各Linux应用程序提供各种Linux下的系统调用。另一部分包括一系列Linux下的常用工具包,这些工具包是用l这些工具的源码针 对Cygwin环境重庆编译而成,本文介绍的OpenSSH for windows就是这些工具包中的一个。需要注意的是Cygwin并不能让原生Linux程序在windows下直接运行,如果你想让一个Linux应用 程序在windows下运行,你将不行不将应用程序从源代码重新编译。

  不过OpenSSH for windows是一个命令行的工具,而且目前与windows 2003的兼容性还不是很好。其它还有一些windows平台的OpenSSH替代品,下面我主要介绍几种免费的产品。

  PuTTY是这些产品中最有名的一种,它实际包含了多个工具分别用来完成SSH的各个功能,包括了SSH1和SSH2的客户端和服务器端实现。它采用类似类似BSD的MIT软件许可证。它也主要是一个基于命令行的工具。

  WinSCP是一个Windows环境下使用SSH的开源图形化SFTP客户端。同时支持SCP协议。它的主要功能就是在本地与远程计算机间安 全的复制文件。它的最大特点是界面非常友好,使用时可以选择windows资源管理器界面或者“Norton Commander”界面,而且已经有中文版本。可惜,在我的windows XP机器上,安装始终报错。

  Secure iXplorer GPL是PuTTY'工具包中pscp.exe(用于安全复制文件)的一个图形化前端。

  FileZilla是一款windows平台下的功能强大的FTP客户端软件,它有丰富的功能特性,并支持SFTP。

========================================

【how to】

How to install a ssh server (called sshd, from ) on a Windows 2000 or XP
How to install a sftp server on a Windows 2000 or XP

reference:

--------------------------------

The ssh server is an emulation of the UNIX environment and OpenSSH for Windows, by Redhat, called cygwin

(1a) Login as Administrator
Windows XP - login as a user with Administrator privilege;
Windows 2003 Server: login as local admin, it will not work for domain users or domain admin.

(1b) Make sure the current admin/user has a Windows password set.
If not, use g Control Panel...User Accounts to create a password.
Just to be on the safe side, after you created a password, logoff and then log in again.

(2a) Create a folder c:\cygwin

(2b) g Download cygwin's setup.exe from and save setup.exe in c:\cygwin

Cygwin's setup.exe has some uncommon properties, to find out more.

Click Start...Run...and type c:\cygwin\setup.exe

If you are asked to select "Just Me" or "All Users", choose "All Users"

When it asks for "Local Package Directory", type c:\cygwin

Choose a download site that is "close" to you.
When a selection screen comes up (you can resize the windows to see better),

========================================

||下面是仅选择安装openssh、tcp_wrapper...||

========================================

click the little View button for "Full" view  ,
find the package "openssh", click on the word "skip" so that an x appears in Column B,
see
(optional) find the package "tcp_wrappers", click on the word "skip" so that an x appears in Column B,
if you add "tcp_wrapper", you will most likely get "ssh-exchange-identification: Connectiion closed by remote host" error.
If you get that error, edit the file  /etc/hosts.allow and add these two lines
ALL: 127.0.0.1/32 : allow  
ALL: [::1]/128: allow
before the PARANOID line.
(optional) find the package "diffutils", click on the word "skip" so that an x appears in Column B, 
find the package "zlib", click on the word "skip" (it should be already selected) so that an x appears in Column B.

Notes:
tcp_wrappers provides host-based access control and possible need you to edit "/etc/hosts.allow" 
zlib is the compression and decompression library that is used by many programs.
Thanks to Lex Sheehan on the diffutils tips, and Thomas Braun for the hosts.allow tips.

Click next to start installing cygwin and ssh.
Size of the basic cygwin system is more than 50 Meg, this may take a while.

Take a coffee break and wait.g

备注

========================================

||全选安装的话,点开第一层的+号展开,然后点第一||

||层最后面的文字让其变成install然后可展开子层||

||确认所有的包都被选择。                   ||

========================================

(3) Right click My Computer, Properties, Advanced, Environment Variables
See
Click the "New" new button to add a new entry to System variables:
variable name is CYGWIN
variable value is ntsec tty

(4) Right click My Computer, Properties, Advanced, Environment Variables
See
Select the Path variable and click the "Edit" edit button:
append  ;c:\cygwin\bin   to the end of the existing variable string.

(5) 

For Windows Vista  significant revisions to this page is needed.
In the interim, for how to install cygwin sshd under Vista.

For Windows XP , open a cygwin window by double clicking theg icon; a black screen pops open,
For Windows Vista , right click the g icon and choose "run as administrator"; a black screen pops open, type

With recent releases of cygwin, there are permission problems.
Add these 3 commands:

chmod +r  /etc/passwd
chmod +r  /etc/group
chmod  755  /var


ssh-host-config  -y  (on slower computers, it may take several minutes to generate the dsa security keys)
If the script asks you about "", answer yes
If the script asks about " sshd on this machine", answer yes
If the script asks you about "", answer yes

Thanks to David Spillett of Londdon, UK on the permission tips.

Windows Vista
If Vista asks "create a new local account ssh_server which has the required privileges" answer yes

When the script stops and asks you for "environment variable CYGWIN="     your answer is ntsec tty 
( for an explanation of ntsec)
( for an explanation of tty )
(thanks to Peter Reutemann of New Zealand and Ron Dozier of University of Delaware)
(thanks to Mike and Michael Pechner for the Windows Vista tip)
(thanks to Kevin Hilton on the Vista tips in the ssh-host-config section)

See Note 25 near the end of this web page if you need to run ssh-host-config again.

(6) While you are still in the (black) cygwin screen, start the sshd service, type
net start sshd
or
cygrunsrv  --start  sshd

on how to stop the sshd service.

If the service fails to start, try (thanks to Ross Beveridge of HP for this tip)
chown system /etc/ssh*
chown system /var/empty  or chown sshd_server /var/empty
net start sshd

If you get "ssh-exchange-identification: Connectiion closed by remote host" error.
edit the file  /etc/hosts.allow and add these two lines
ALL: 127.0.0.1/32 : allow  
ALL: [::1]/128: allow
before the PARANOID line. Thanks to Thomas Braun for the hosts.allow tips.(一般默认已添加

备注

================================================

|| 如果重启后,SecureCRT ssh连接不上,提示“连接已复位”;
|| 可打开windows的服务管理,重启“CYGWIN sshd”服务

================================================

(7) Make sure every Windows user has a password set, if not, 
go to g Control Panel....User Accounts and create a password.

(7a) Make sure every Windows user has done the following at least once:
Login in as the Windows user, pop a console command screen by clicking Start...Run....cmd
Thanks to Magno Corrêa of Brazil for the tip in (7a)

(8) important Pop a cygwin gwindow, harmonize Windows user information with cygwin, otherwise they cannot login
mkpasswd   -cl   >   /etc/passwd
mkgroup   --local    >   /etc/group

If your XP logs on to a domain, you most likely have to manually edit /etc/group. .

If  your local account name is the same as the domain name, then you would need to use Windows's User admin function to
rename the loacal account from name to name.local
Then rebuild the passwd and group files as shown above, then edit the /etc/group file as shown above. Open firewall's TCP port 22
 
(Thanks to Christopher Poda of Venturi Wireless, Sunnyvale, California)

If your XP logs on to a domain, you may want to edit /etc/passwd to replace /home/username by //unc_server/path_to_home 
(thanks to Geoff Thomas)

mkpasswd creates a password file from Windows' user list, for more details.
mkgroup creates a group file from Windows' user list, for more details.
Thanks to John Skiggn of Cingular Wireless in Redmond, Washington for his tweak on domain user /etc/group


Test to see if sshd is working, pop a cygwin gwindow (note: the command below is case sensitive)
whoami
ssh    localhost
or
ssh  -vvv  localhost
or
ssh    "$USERNAME@127.0.0.1"


if ssh complains "The authenticity of host xx.xx.xx.xx can't be established .... Are you sure you want to continue connecting (yes/no)?"  Answer yes  (Thanks to Daniel Griscom of Suitable Systems)

g If you get an error message like "ssh-exchange-identification: Connection closed by remote host",
it is probably caused by McAfee 8.0i, see . (Thanks to Ron Dozier of University of Delaware, USA)

Error is also related to /etc/hosts.allow file, see

g If you get an error message like "entry point _getreent", or "QuerryService Status: Win32 error 1062", it is probably
caused by the existance of an older version of "cygwin1.dll" located in the search path.
Do a full serarch of "cygwin1.dll" and remove the old version, except the current version at c:\cygwin\bin  (Thanks to Joe britton)

If you get a prompt without error messages, type
cd   /cygdrive/c
ls

if you see a directory listing, success! g g g
(type exit to end the cygwin ssh session)  
Thanks to Roger Pack for his tips clarifying between Microsoft's ls.exe (installed by MS compilers) and cygwin's ls.exe

If you have a Windows username that contains space, expand the space into \ [space],
e.g. if the Windows login name is  Mickey mouse
ssh  Mickey\  mouse@127.0.0.1

If you have a Unix system that does not know what to do with TERM cygwin, add to .login

If you have troubles ssh into the server, try run ssh-user-config

Thanks to Jared Kilgour for above $USERNAME variable substitution.
Thanks to Justin Kerk for the tip on quotes around $USERNAME to allow for spaces in username.
Thanks to Ron Dozier of University of Delaware for the Unix .login tweak.


g
Windows XP SP2  open the Windows Firewall to allow TCP port 22 through

Click Start...Control Panel....Security Centre....Manage Security Settings for Windows Firewall....Exceptions tab....Add Port...
"Name of port" is ssh    "Port number" is 22 (check the "TCP" checkbox)
(Thanks to Stefano of Sardegna, Italy for his Windows Firewall reminder)

If you don't have sufficient privileges to open port 22 above, possible due to a group policy or other reasons,
you can create an exception for SSHD.
Click Start.. Control Panel...Security Center ... Windows Firewall...select the "Exception" tab.
Click "Add Program" button  .. Browse to c:\cygwin\bin\sshd.exe
(Thanks to Thomas Johnson for this work around)

If you previously used Windows XP SP1 and installed sshd service, then upgraded to Windows XP SP2,
The upgrade disables the sshd service and deletes the CYGWIN environment variable.
Re-enter the environment variables and path.
Click Start...Control Panel....Security Centre....Manage Security Settings for Windows Firewall....Exceptions tab....Add Port...
"Name of port" is ssh    "Port number" is 22 (check the "TCP" checkbox)
(Thanks to Chris Davitt of New Zealand   for this SP1 to SP2 problem)


Multiple Windows users g

Create other Windows users using the g Control Panel...User Accounts.
After you created (or removed) Windows users
pop a g cygwin windows to harmonize Windows user information with cygwin, otherwise they cannot login
mkpasswd   --local   >   /etc/passwd
mkgroup   --local    >   /etc/group

g
Don't get too carry away with multiple users, if a user can successfully ssh into the box, he can "cd" to just about any directory.

Note:  The behaviors of Windows 2003 Server is different.
to install OpenSSH on Windows 2003 Server, by Stephen Pillinger of the School of Computer Science, University of Birmingham.
 


Users from the internal network (geeks call this a LAN) can
ssh  usersname@ip_address   (e.g. ssh   john@192.168.0.100)

On Unix/Linux systems, user names do not contains spaces. On Windows system, user names can have spaces.
If you have a Windows username that contains spaces, expand each space into \ [space],
e.g. if the Windows username is  mickey mouse
ssh  mickey\  mouse@192.168.0.100


g

If you have a NAT firewall, port forward (D-link calls this Virtual Server) TCP port 22 to the (internal) IP address
of the Windows box where the sshd server is running. See above diagram.

Users from the outside (geeks call this a WAN) can   (the IP address is your firewall/router's WAN address)
ssh  username@external_ip_address   (e.g. ssh   john@64.64.64.64 )
ssh  mickey\   mouse@external_ip_address  (e.g.  ssh  mickey\  mouse@64.64.64.64 )

Caveat Emptor :
-assuming you have an IP address that is accessible from the outside world; some ISP give non-accessible IP address (). to their  customers.
-assuming your ISP does not suffer from extreme paranoia, he/she allows "port 22 TCP" traffic through their network.
-assuming your corporate firewall allows TCP port 22 and port forwards to the computer running the ssh server.

If your install includes tcp_wrapper and you get an error message like "ssh-exchange-identification: Connection closed by remote host", do
start ... run ... c:\cygwin\setup.exe , add "mc Midnight Commander" package (a friendly editor for those who are unfamiliar with Unix editors),
Invoke cygwin g
cd /etc

mc   highlight the file /etc/hosts.deny and edit (F4)
change the line ALL:ALL EXCEPT localhost:DENY to
ALL:ALL EXCEPT localhast AND '192.168.':DENY   (assuming your internal network is 192.168.xx.xx )
and edit the content of the file /etc/hosts.allow to be just one line.
sshd: ALL
(Thanks to Carl Falk of Sweden for the hosts.allow and hosts.deny content)

In some extreme cases,
if you want to use TCP port 443 as the sshd listening port  (instead of the default SSH port 22), .
(Why? Port 443 is normally assigned to https traffic, even severely paranoia IT geeks will leave this port open. Some IT will even intercept TCP port 443 traffic and redirect them to a proxy server, these are the extreme total control freaks).


g

g  As a bonus, openssh includes sftp and sftp-server for doing encrypted file transfers.
These two programs function much like the familiar ftp-client and ftp-server.

g For example, from a remote laptop, you can transfer (send and retrieve) files to your home computer (see above diagram).
sftp   username@ip_address   (e.g.  sftp  john@32.97.166.74 )
sftp   username@hostname   (e.g. sftp  john@supercomputer.ibm.com )
openSSH [which uses openSSL] has strong encryption capability.
The encryption used by openSSH can be either AES-128, AES-192, AES-256, 3DES, Blowfish, cast-128, arcfour (RC4)
The default encryption algorithm (cipher) is AES-128-CBC.
You can force a particular encryption algorithm preference (cipher) by adding a directive such as
Ciphers   blowfish-cbc,aes128-cbc,3des-cbc
  to /etc/sshd_config for faster transfer.
The sftp client I like best is .

Caveat Emptor :
-assuming you have an IP address that is accessible by the outside world, some ISP do not give out outside-accessible IP address.
-assuming your ISP does not suffer from extreme paranoia, he/she allows "port 22 TCP" traffic through their network.
-assuming your firewall allows TCP port 22 and port forwards to the computer running the ssh server.


After you establish a ssh or sftp connection into the Windows box,
changing directory is rather painful, for example, to change to "my documents", type
cd    "/cygdrive/c/documents and settings/$USERNAME/my documents"

Similarly, to change directory to d: drive
cd    /cygdrive/d

To reduce pain, use a graphical sftp client such as .


Where can you find a ssh or sftp client ?
(1) is the best ssh client for Windows, it also has psftp.exe which is a console mode sftp client.
(2) Commercial software vendors such as Software.
(3) , a free, GNU (GPL) licensed sftp client.

If you prefer to use a graphical client to do sftp file transfers,
purchase a high quality commercial software called SecureFX
from VanDyke Software in Albuquerque, New Mexico, USA
or use , a free, GNU (GPL) licensed sftp client,
or use , a free, GNU (GPL) licensed sftp and scp client.
Also, ftp.ssh.com in their directory, there is a Windows version of ssh and sftp client for non-commercial use,
thanks to Stephan of Rutgers State University of New Jersey g for the link.


Once you have a sshd working and you can ssh into the machine (from LAN or WAN), there are many things you can do with it.
For example,  (now absorbed by Microsoft )
has many console mode utilities you can use.

Other very, very useful things you can do with ssh is to tunnel tcp applications under the
ssh protocol, giving them a strong cryptographic protection while traveling over the insecure public network.

openSSH [which uses openSSL] has strong encryption capability.
The encryption used by openSSH can be either AES-128, AES-192, AES-256, 3DES, Blowfish, cast-128, arcfour (RC4)
The default encryption algorithm (cipher) is AES-128-CBC.
You can force a particular encryption algorithm preference (cipher) by adding a line such as
Ciphers   blowfish-cbc,aes128-cbc,3des-cbc
  to /etc/sshd_config (Blowfish runs faster than AES-128)

tunnel tcp traffic using ssh

Below are some popular plain-text, pure TCP protocols that are unfortunately still in common use today.
Fortunately these protocols can benefit from the protection of a ssh tunnel:
POP3
(tcp port 110) 
IMAP (tcp port 143) 
SMTP (tcp port 25) 
TELNET (tcp port 21) 
VNC (tcp port 5900)
Print server traffic (typically tcp port 9100)
Windows Share, or Samba Share, SMB protocol (tcp port  445)

Note:
The world is moving away (rather slowly) from plain text protocols by hardening them with TLS or SSL:
newer versions of POP3 servers have TLS support at port 110; and SSL support at port 995
newer versions of IMAP servers have TLS support at port 143; and SSL support at port 993
newer versions of SMTP servers have TLS support at port 25
A version of "smtps" uses port 465 with SSL support, now it becomes legacy (depreciated).
SMTP can also use port 587 in plain text or TLS.

newer versions of telnet servers have SSL support at port 992

See.
See
See at your home office or main office.
See traffic under ssh.

Sometimes, there are applications such as midnight back-up of files to a remote Linux server using "rsync encrypted with ssh", 
you want to be able to ssh from one machine to another machine (without a person sitting at a console to type the password).
on how to ssh from one machine into another machine without typing a password, i.e,
how to use public key authentication.

Once you can ssh from one machine to another machine without typing a password, your task of doing rsync over ssh
is practically 90% done. Furthermore, creating a batch file and invoke the batch file using Control Panel's "Schedule Tasks" (Task Scheduler)
will do "secure backup" automatically to a remote server. In Linux world, add a cron job to invoke "rsync -e ssh"

public-key-authentication


How to install a ssh client (called ssh)
for a tutorial on how to setup a ssh client on Windows 2000 or Windows XP g

How to install a smtp server [exim] on a Windows machine
for a tutorial on how to setup exim, a mail transfer agent
on Windows 2000 or Windows XP g as a learning exercise

Note 25: if you run ssh-host-config when sshd is installed, ssh-host-config will not ask for the CYGWIN value.
In that case,  stop and remove the sshd service, then run the ssh-host-config script again, see below.

cygrunsrv  --stop  sshd
cygrunsrv  --remove sshd
ssh-host-config
cygrunsrv  --start sshd

Go to Control Panel, Classic View, Administrative Tools, Computer Management,
or click Start...Run...compmgmt.msc
delete the sshd user account.

Thanks to Dave Abrahams of Boost Consulting for the sshd user account deletion hint.


Reference: 

by ITeF!x is another implementation of cygwin-openssh server for Windows.

Thanks to Mike Skallas for his tips on "privilege separation" during the setup script.
Thanks to Jan Haul of Hamburg, Germany g for his WinSCP link.
Thanks to Brad Erdman, Institute for Advanced Computer Studies, University of Maryland, USA g
for his confirmation of cygwin-sshd working on Windows Server 2003
Thanks to Richard Goodman of UK g for his tips on the order of CYGWIN variable.
is the link to install Cygwin with Xfree86. Thanks to Richard Ward for this link.

© 2003-2009 Nicholas Fong

Last revised:  March 10, 2009


阅读(11220) | 评论(1) | 转发(0) |
给主人留下些什么吧!~~

chinaunix网友2009-04-13 16:58:08

the other bash for windows: http://win-bash.sourceforge.net/ http://www.steve.org.uk/Software/bash/