@mhoyer
Last active March 11, 2024 09:22
Install single-user SSH daemon as Windows service with pure msys tools


WARNING: This approach does not enable impersonation. Only a single user account is able to connect through ssh: the same user we use for running the Windows service. At the time of writing, multi-user support for sshd under Windows seems to be achievable only with cygwin or msys2. See e.g. https://ghc.haskell.org/trac/ghc/wiki/Building/Windows/SSHD

Requirements

  • Latest Git for Windows. I tried it with v2.6.0. (Note: with v2.5.3 sshd tried to load authorized keys from /c/.ssh instead of ~/.ssh).

Create unprivileged sshd user

The SSH daemon requires a user named sshd (its privilege separation user), and it MUST have exactly this name:

:: on Windows command
net user sshd /ADD /ACTIVE:NO
net localgroup Users sshd /DELETE

Create host keys

The SSH daemon needs host keys to secure the connection:

#!/bin/sh
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -N '' -t ed25519

Prepare var folder

Required for SSH daemon:

#!/bin/sh
mkdir -p /var/empty
mkdir -p /var/log
touch /var/log/lastlog # to prevent nasty message on ssh client

Add sshd as Windows service

I used nssm to wrap sshd.exe into a Windows service:

:: on Windows command
nssm install sshd "C:\Program Files\Git\usr\bin\sshd.exe" -DE \"%APPDATA%\sshd.log\"
nssm set sshd Description SSH Daemon
nssm set sshd AppPriority ABOVE_NORMAL_PRIORITY_CLASS
nssm edit sshd
:: Go to the "Log on" tab and change it to "This account" using your Windows credentials
nssm start sshd

Disable password auth

Hint: Be sure to first ssh-copy-id your public key to sshd machine.

To deactivate password authentication, edit C:\Program Files\Git\etc\ssh\sshd_config:

- #PasswordAuthentication yes
+ PasswordAuthentication no
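Review bot: this change only takes effect after the service is restarted (nssm restart sshd), and since the file lives under C:\Program Files the editor must run elevated; as the hint above says, make sure ssh-copy-id has already placed your public key in ~/.ssh/authorized_keys before restarting, because once password authentication is off the key is the only way in.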

Troubleshooting

When sshd is running as a Windows service

If there is any issue while trying to connect, enable debugging for sshd by editing C:\Program Files\Git\etc\ssh\sshd_config:

- #LogLevel INFO
+ LogLevel DEBUG
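Review bot: DEBUG turns "%APPDATA%\sshd.log" into a verbose per-connection trace; set LogLevel back to INFO (and restart sshd again) once the problem is found, so the log stays readable and does not keep growing with every connection attempt.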

Restart sshd and check "%APPDATA%\sshd.log".

Also run the ssh client with the -v switch to show debug info.
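Both edits above (PasswordAuthentication and LogLevel) rely on a detail of how sshd reads its configuration: for every keyword, the first non-comment occurrence wins, so appending "PasswordAuthentication no" below an existing "PasswordAuthentication yes" changes nothing, and anything after a "Match" line does not apply globally. The script below is an added example, not part of the gist, that reports the value sshd will actually use for a keyword and checks that password logins are really off. The function names and the usage path are my own choices; it runs under msys bash or any POSIX sh.

```shell
#!/bin/sh
# Added example (not from the gist): report the effective value of a keyword
# in an sshd_config-style file the way sshd resolves it:
#   - comments (#...) and blank lines are ignored
#   - keywords are case-insensitive
#   - the FIRST occurrence of a keyword wins
#   - the global section ends at the first "Match" line
# The "Keyword=value" spelling is not handled; only "Keyword value".

# effective_setting FILE KEYWORD
#   Prints the effective value and returns 0, or prints nothing and returns 1
#   when the keyword is not set (so the compiled-in default applies).
effective_setting() {
    file=$1
    keyword=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v kw="$keyword" '
        # drop comments and leading whitespace (this re-splits the fields)
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }
        $0 == "" { next }
        # global settings stop at the first Match block
        tolower($1) == "match" { exit }
        tolower($1) == kw { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# check_password_auth_disabled FILE
#   Returns 0 only when PasswordAuthentication resolves to "no".
#   An unset keyword means sshd's default, which is "yes", so that counts as on.
check_password_auth_disabled() {
    value=$(effective_setting "$1" PasswordAuthentication)
    [ "$(printf '%s' "$value" | tr 'A-Z' 'a-z')" = "no" ]
}

# Usage (hypothetical script name): sh check_sshd_config.sh /etc/ssh/sshd_config
if [ $# -eq 1 ]; then
    for kw in PasswordAuthentication LogLevel; do
        printf '%s: %s\n' "$kw" "$(effective_setting "$1" "$kw" || echo '(default)')"
    done
    if check_password_auth_disabled "$1"; then
        echo 'OK: password authentication is off'
    else
        echo 'WARNING: password authentication is still on' >&2
        exit 1
    fi
fi
```

Run it against the Git for Windows config after each edit and again after restarting the service; a non-zero exit means the daemon will still accept passwords regardless of what the last line of the file says.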


omaryoussef commented Jul 14, 2017

Thank you!

The instructions are pretty comprehensive; however, I kept getting "Privilege separation user does not exist" errors in the log. I managed to solve that by following this answer: https://stackoverflow.com/a/24242464

Adding the following line to /etc/passwd got it to work for me:

sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
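The passwd line from the comment above is easy to add twice by hand, and uid 74 may already be taken on a given msys installation. This added example (mine, not the commenter's) adds the entry only when no sshd user exists and refuses if uid 74 belongs to someone else; it takes the passwd path as an argument so it can be tried on a copy before touching /etc/passwd. The script name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the comment): idempotently add the sshd
# privilege-separation entry to a passwd file.
SSHD_ENTRY='sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin'

# passwd_has_user FILE NAME -> 0 if an entry for NAME exists
passwd_has_user() {
    grep -q "^$2:" "$1"
}

# passwd_uid_owner FILE UID -> prints the name owning UID (nothing if free)
passwd_uid_owner() {
    awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1"
}

# ensure_sshd_entry FILE
#   0 if an sshd entry exists afterwards (added now or already there),
#   1 if uid 74 is owned by another account, in which case nothing is written.
ensure_sshd_entry() {
    file=$1
    if passwd_has_user "$file" sshd; then
        return 0
    fi
    owner=$(passwd_uid_owner "$file" 74)
    if [ -n "$owner" ]; then
        echo "uid 74 already belongs to '$owner'; not adding sshd" >&2
        return 1
    fi
    printf '%s\n' "$SSHD_ENTRY" >> "$file"
}

# Usage (hypothetical script name): sh ensure_sshd_entry.sh /etc/passwd
if [ $# -eq 1 ]; then
    ensure_sshd_entry "$1"
fi
```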

@hefangdotcom

Thanks for the detailed procedures. I'm using a company computer, so simply changing '/etc/passwd' won't work for me. This guide helped me out.
