A Minimal SSH Client for Windows 2000
Plan B Security. Tod Beardsley, Feb 16, 2002. Austin, Texas. info@planb-security.net
I often find myself in front of Windows 2000 machines and needing to talk to Linux machines running SSH. I happen to know Cygwin's SSH implementation pretty well, and prefer the command line interface over PuTTY's GUI. I wrote this doco for my reference, and I figure others might find themselves in a similar predicament.
When I get a minute, I'd like to document exactly how to run a minimal SSH server. So far, all the HOWTOs and documentation I can find are either for pay-fer SSH implementations, or include all the extra Cygwin cruft. Ickiness -- but so far, I haven't looked to see exactly what's needed. If you know about a stripped down Cygwin install for sshd, drop me a line, por favor.
First off, you'll need a mess of directories created:
| C:\temp | for some temporary storage |
| C:\etc | for your passwd file |
| C:\ssh | for your ssh binaries |
| C:\ssh\.ssh | for your known_hosts file |
Note that you can't create a directory with a period as the first character using Explorer. This is, of course, dumb, but hey, you're looking to use a command shell anyway, right? So, use mkdir to create the \ssh\.ssh dir, and move on.
In the end, all you'll want is cygwin1.dll, cygz.dll, cygcrypto.dll, cygregex.dll and ssh.exe. Bless the RedHat Corporation for making these binaries available for free under the GPL; curse them for making them so hard to get at. C'est la vie. Security is hard.
If you don't particularly care about getting the latest versions, you can download all the stuff you need in evil proprietary Zip format here. These were fetched from the Cygwin project on Feb 16, 2002. Of course, use at your own risk, GPL, blah blah blah.
Otherwise, go to RedHat's Cygwin website at http://sources.redhat.com/cygwin/ and hit the Install Now! button to run setup.exe.
Then, select the following:
You'll need some software that can handle the GNU compression formats. UnxUtils from http://unxutils.sourceforge.net does the trick.
Once they're all extracted, hunt around for cygwin1.dll, cygz.dll, cygregex.dll, cygcrypto.dll, and ssh.exe. Copy these over to C:\ssh. You're welcome to delete everything else in C:\temp, now.
Believe it or not, making it all work is the simple part, compared to the above. There's no registration of DLLs, no install hoops to jump through -- just some trivial copying and text file creation.
First, go to C:\etc, and make your passwd file, like so:
echo Username:x:1:10:Username:/ssh/:/winnt/system32/cmd.exe >> passwd
Username should be your actual NT logon name. This tells ssh where you created your .ssh directory (that's important, later).
Now, flip over to C:\ssh, and type "ssh." If you have everything, it should spit out the minimal help.
At this point you'll probably want to drop C:\ssh in your %PATH% by editing My Computer | Properties | Advanced | Environment Variables.
To open an ssh session run:
ssh -l username ssh.example.com
The first time you connect anywhere, you'll get hit with the warning that the host isn't known. If you're reasonably certain you're connecting to the right machine, just answer the warnings affirmatively, and the host's key will be added to your .ssh/known_hosts file.
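The check behind that first-connection prompt, as an added example that is not part of the original document: it parses a known_hosts entry and computes the key's fingerprints, so they can be compared with a fingerprint the server's administrator gave you out of band. The function names are hypothetical, the sample entry is constructed with a dummy key, and the `host keytype base64-blob` line layout is an assumption about the file your ssh build writes.

```python
import base64
import hashlib

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte length + data)."""
    return len(data).to_bytes(4, "big") + data

def parse_known_hosts_line(line: str):
    """Split a 'host[,host...] keytype base64-blob [comment]' entry."""
    fields = line.split()
    if len(fields) < 3 or line.lstrip().startswith("#"):
        raise ValueError("not a known_hosts key entry")
    hosts, key_type, blob_b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(blob_b64, validate=True)
    # The blob starts with its own key-type string; it must match the text field.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match key blob")
    return hosts.split(","), key_type, blob

def fingerprints(blob: bytes):
    """Return (MD5 colon-hex, SHA256 base64) fingerprints of a key blob."""
    md5 = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_fp, "SHA256:" + sha

def host_key_matches(line: str, host: str, trusted_fp: str) -> bool:
    """True only if `host` is listed and its key has the trusted fingerprint."""
    hosts, _, blob = parse_known_hosts_line(line)
    return host in hosts and trusted_fp in fingerprints(blob)

# Constructed sample entry: a fake "ssh-rsa" blob (e = 65537, dummy 1024-bit modulus).
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(b"\x00" + bytes(range(128, 256))))
SAMPLE_LINE = ("ssh.example.com,192.0.2.10 ssh-rsa "
               + base64.b64encode(SAMPLE_BLOB).decode())

if __name__ == "__main__":
    _, _, blob = parse_known_hosts_line(SAMPLE_LINE)
    print(fingerprints(blob))
```

Run it against the line ssh just wrote to \ssh\.ssh\known_hosts; if neither fingerprint matches the one you were given, delete that line and do not log in.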
Once you have this going, there's not much reason to use your most common insecure, plaintext protocols ever again. For example, to encrypt your POP3 traffic, just use ssh port tunnelling, like so:
ssh -l username -L 110:ssh.example.com:110 ssh.example.com
Fetch your mail from localhost, and you'll be forwarding all your traffic along to your real ssh host, all safe and snug in swaddling of strong cryptography.
I presume this all works on NT 4.0, and should work with only slight modification under Windows 9x. If you can confirm this, let me know.
These simplified instructions assume you're the only user on your workstation. If that's not the case, you'll want to edit the passwd file to reflect the reality of multiple home directories, NTFS permissions, etc.
I also assume that you don't want the full-blown Cygwin environment from RedHat. Installing the full package set is certainly easier, but if all you want is ssh capabilities, this will do a body good. Of course, if you ever want to upgrade these binaries, you'll have to do all this hunting around all over again, but hey. You're worth it.
Finally, if you want a GUI interface for some reason, don't bother with any of this. Download PuTTY instead. It's swell if you're into buttons and popup windows and stuff.