Installing an SSH Server on Windows with SUA

Introduction

Microsoft has supported UNIX compatibility and interoperability in one form or another for several years. In Windows Server 2008 this is done with SUA -- Subsystem for UNIX-based Applications -- a feature which creates a POSIX compatibility layer where UNIX applications can be built and run.

The main supporter and contributor to SUA is Interop Systems. They maintain the SUA Community site which includes forums and packaged applications to download.

Prerequisite

Please follow the prerequisite instructions for setting up a Windows 2008 Server.

Enabling SUA

Though SUA is built in to Windows, it still needs to be enabled. In the Server Manager, go to Features and choose Add Features.

Choose Subsystem for UNIX-based Applications, click Next, and then click Install.

Wait for the installation to finish.

Installing the Standard SUA Utilities

Once the installation is finished, click the link under the new Start Menu item to download the SUA package from Microsoft.

When the download is finished, decompress it to a local folder. The Installation Wizard automatically starts.

Choose a Custom Install and select both the GNU Utilities and GNU SDK.

Enable all 3 options in the next screen, but be aware of potential problems when using the Case Sensitive option.

I received the below error, but I just chose Ignore.

sua-ssh-8.jpg

When the installation is finished, choose Yes to restart.

Installing the SUA Community Package

SUA Community provides several packages for download, depending on your needs. For this article, I'm going to use the standard Power User package which is linked to at the bottom of the SUA Community page. Download it and save it to your Desktop. When it's finished, double-click on it to run. Note that if you have not done the above steps, the package will fail to run when executed.

I chose all default options during the install.

Installing and Configuring sshd

The SUA Community package also installs several package management commands. To install the OpenSSH server, start a C Shell and run the following:

pkg_update -L openssh

The command will end with the following:

Starting sshd daemon
sshd started
Done.

You can manage the sshd service using normal SysV Init-style commands:

/etc/init.d/sshd stop
/etc/init.d/sshd start

Configuring the Windows Firewall

The standard Windows firewall is on by default. You can either turn it off completely or add an exception for Port 22. To do this, start by going to the Control Panel, changing to Classic View, and then going to Windows Firewall.

Choose Change Settings.

Under the Exceptions tab, choose Add port....

Call the option SSH, use port 22, and TCP for the Protocol.

Home Directories

Check to make sure a valid home directory is set for the Administrator's account. You can use the finger command through a C Shell to do this:

windows$ finger -l Administrator

If the Directory line is just a /, then no home directory has been set. Open up a normal cmd.exe window and run the following:

C:\> net user Administrator /HOMEDIR:C:\Users\Administrator

Verify the directory was set by running the finger command again.

You will now be able to remotely log in to your Windows server through SSH.

Retrieving Information

One use of enabling SSH on a Windows server is to remotely retrieve server information. The following will return the time the server was started:

client$ ssh administrator@192.168.1.20 /dev/fs/C/Windows/System32/systeminfo.exe | 
        grep "Boot Time"
administrator@192.168.1.20's password: 
System Boot Time:          11/23/2008, 3:31:40 PM

Password-less Login

A popular use of SSH is public-key authentication, so that no passwords are needed. This is possible with Windows, but there is a huge caveat: sshd does not want the home directory to be group-writable. By default, Windows grants the Administrators and System groups write access to the Administrator home directory. You can turn this off by doing the following as Administrator:

windows$ chmod g-w ~/

Though I have not personally run into any problems by doing this, in my opinion, this is a bad idea. As an alternative, you can create a separate local user account (possibly called SSH) dedicated to running SSH tasks. And just because nothing is perfect, you will need to disable UAC in order for this to work. If you'd like to use this method, follow the next section. If you still want to use the Administrator account, skip the next section.

Begin Creating a Secondary Account

Create a new user in the Server Manager under Configuration and Local Users and Groups.

Add it to the Administrators group.

Then disable UAC by going into the Control Panel and User Accounts.

Click the Turn User Account Control on or off link.

Remove the check box. Confirm all changes and Restart.

After rebooting, log on locally with the account to have the home directory created.

Make sure the home directory is set correctly as described previously.

Finally, remove group-writable permissions on the secondary account's home directory:

windows$ chmod g-w ~/

End Creating a Secondary Account

The rest of the instructions can be used with either the Administrator's account or the secondary account.

Make sure a .ssh directory exists in the account's home directory and it has permissions of 0700:

windows$ mkdir ~/.ssh
windows$ chmod 0700 ~/.ssh

Generate a public/private keypair on the computer you are connecting with:

client$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/joe/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/joe/.ssh/id_rsa.
Your public key has been saved in /Users/joe/.ssh/id_rsa.pub.

Using scp, copy the newly generated public key, id_rsa.pub, to the Windows server as the authorized_keys file:

client$ scp ~/.ssh/id_rsa.pub administrator@192.168.1.20:.ssh/authorized_keys 

Finally, make sure the authorized_keys file has permissions of 0600:

windows$ chmod 0600 ~/.ssh/authorized_keys

You will now be able to use SSH from the client computer to the Windows server without entering a password.
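
The permissions set in the steps above (home directory not group-writable, .ssh at 0700, authorized_keys at 0600) can be checked in one pass on the server before testing the login. This is an added example, not part of the original article; it assumes a POSIX sh is available, and the function names mode_of, expect_mode and audit_ssh_perms are illustrative.

```shell
#!/bin/sh
# Added example (not from the original article): audit the permissions that
# the password-less login steps set. Uses ls -ld so it needs no GNU stat.

# Print the 10-character mode string (for example drwx------) of a path.
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# Compare a path's mode string with the expected one; print a line on mismatch.
expect_mode() {
    m=$(mode_of "$1")
    [ "$m" = "$2" ] && return 0
    echo "BAD  $1: mode '${m:-missing}', expected '$2' ($3)"
    return 1
}

# audit_ssh_perms HOME_DIR
# Prints one line per problem and returns the number of problems found.
audit_ssh_perms() {
    home=$1
    problems=0

    # Home directory: must not be group-writable (the article's caveat).
    # World-writable is flagged too, since sshd rejects that as well.
    case $(mode_of "$home") in
        "")
            echo "BAD  $home: missing"; problems=$((problems + 1)) ;;
        ?????w????|????????w?)
            echo "BAD  $home: group- or world-writable (chmod g-w,o-w)"
            problems=$((problems + 1)) ;;
    esac

    expect_mode "$home/.ssh" "drwx------" "chmod 0700" ||
        problems=$((problems + 1))
    expect_mode "$home/.ssh/authorized_keys" "-rw-------" "chmod 0600" ||
        problems=$((problems + 1))

    return "$problems"
}

# Run against a directory given on the command line, e.g. ./audit.sh "$HOME"
if [ "$#" -gt 0 ]; then
    audit_ssh_perms "$1" && echo "OK  permissions match the steps above"
fi
```

Any BAD line names the chmod from the steps above that corrects it; if the login still prompts for a password afterwards, the debug mode described under Troubleshooting shows which check sshd rejected.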

Troubleshooting

If you are having any type of connection problems, you can run sshd in debug mode to see why:

/etc/init.d/sshd stop
/usr/local/sbin/sshd -d

Disabling the Secondary Account

If you chose to disable UAC and create a secondary account, you can now disable that account. SSH will still work, but no one will be able to log on locally using it.

Conclusion

This article explained how to set up an SSH server on Windows Server 2008 using the SUA subsystem. By doing this, you will be able to manage your Windows Server 2008 installations remotely using SSH. This would be beneficial to an environment currently utilizing command-line based management such as an existing UNIX or Linux infrastructure.

Unfortunately, this method of installing sshd is not perfect -- you have to either modify the Administrator's home directory or disable UAC and create a secondary account. There are pros and cons to each method.
