by Rich Chesavage, Tower Systems

The purpose of this exercise is to create a situation whereby a user uses an SSH (Secure Shell) session instead of plain telnet to receive a d3 logon on a d3/NT machine. Using SSH for d3/NT connections is desired because SSH connections pass encrypted data; normal telnet passes clear text. Do not get lulled into a false sense of security that SSH solves all security problems, because it does not. Normal telnet traffic can be sniffed out and viewed by anybody on the internet with a packet sniffer and time. SSH traffic is encrypted, which makes it a lot harder to view the data as it passes over the internet. Someone can still intrude into your machine if they have a username and password; SSH does nothing to solve that problem.

***Note: If you have problems with how I put this server together, fine, whatever. Remember that you paid nothing for this help and perhaps you got what you paid for. If you want to take these instructions further and make it better, by all means have at it.

Prologue

We are a d3 VAR that has some customers who are “Redmond Only” houses. We needed a connection that was more secure and private than normal telnet, and SSH is acceptable. I initially tried to install only the OpenSSH server to make an SSH connection to a Windows® machine but was unable to make the 2nd leg, which was the connection to d3. Maybe you can get there; I couldn’t. So I un-installed OpenSSH and installed the full version of Cygwin, which includes the OpenSSH server. In this environment, I could modify the SSH user profile, insert statements to connect to d3 and automate the d3 connection as one would with Linux. Once I figured out the needed bits, I uninstalled everything and installed the default Cygwin package plus the packages needed for SSH and Cygwin telnet.

Instructions

SSH is not a native service available for Windows®. However, there is an open source SSH server available through Cygwin. I installed it on Win2003 Server and had no major problems. I’m not that bright so if I can do it, so can you.

  • From the Cygwin home page there is an “Install or Update Now!” link that downloads a setup.exe file. This is a little program that you use to decide which Cygwin packages you want to install.
  • Run setup.exe. *Note that if you wish to later upgrade your SSH server to a newer version, you do it here through setup.exe.*
  • Choose “Install from Internet”. C:\cygwin is the default directory. I’ve read of some people running into problems if they use different directories/drives other than the default. I guess you have to ask yourself if you feel lucky. It also asks if you want to install it for “All users” or “Just Me”. Since this server is just serving up d3 and not part of the domain, I chose “All users”. Again, whatever floats your boat in your particular pond. I left the default file type as “Unix” & <next>.
  • Local package directory can be whatever you want. This is where the source files will be downloaded. Select Internet Connection type and continue. You will be presented with a list of download sites, take a WAG and choose one that sounds like it might be near you.
  • Select Packages. This next part might be a bit time consuming. The easy way is to install everything, which speeds things up. I wanted to install the minimum required to make it possible to SSH directly to d3. So I clicked on the “view” button (with the “curr” radio button on) and went through the packages leaving the default install alone (anything marked “Base” or “Utils” is already marked for installation). The only packages you need to find and select are “inetutils” & “openssh” (& openssl). OpenSSH contains the SSH bits and inetutils contains, interestingly enough, telnet. We use the Cygwin telnet to connect to the d3 server; the NT telnet doesn’t work in this environment. Once you click “next” you hopefully will get 3 sets of progress bars to keep the cat amused, or minimize it like I did.
  • You will be presented with an option to “Create icon on Desktop” and/or “Add icon to Start Menu”. Go wherever your conscience takes you with this one. You will get a message (hopefully) that says “Installation complete” (Ha! It’s not really complete though.)
  • You might consider creating an unprivileged local Windows® user (or users) for your SSH logins. Go ahead and create that user now if you wish. NOTE: I found it to be a pain in the backside to provide ssh access to a Windows user created after Cygwin was set up. You might consider doing it now.
  • Go to Start -> Programs -> Cygwin and run the “Cygwin Bash Shell”. It will finish some post install work and then bring you to a $ prompt.
  • You will need to change directories to the root directory. Type cd / (with the space) just like I typed it.
  • Type ssh-host-config at the command line. You are asked “Should privilege separation be used? <yes/no>”. Choose yes.
  • “Should this script create a local user ‘sshd’ on this machine? <yes/no>” Choose yes.
  • “Do you want to install sshd as service?” Choose yes (unless you want to manually start/stop it at the command line).
  • If you are running Win2003 (like me), it will ask if you want to create a local account ‘sshd_server’. Answer yes if you want to enable passwordless logins at some time in the future or no if you do not. I answered yes even though I probably won’t set up the passwordless logon. If yes, it will ask you for a password for this account.
  • When the script asks you for “CYGWIN=”, your answer should be ntsec tty. If all goes well, you will see a series of messages explaining what is going on and how to start the SSH service.
  • From within the cygwin shell window, type “net start sshd” (no quotes) to test the SSH server.
  • If you are logged into Windows as administrator, log off and back in as the Windows user you will be using for ssh. Click on the Cygwin icon and at the prompt type “ssh-user-config”.
  • You will be led through a series of questions regarding the setup. Answer them as you feel appropriate.
  • Create an SSH session locally or from a client (AccuTerm, etc.) and try to connect to the server. You may be presented with a statement asking if you trust this server (its host key), blah, blah, blah. I find it curious that the server trusts the incoming connection yet the person connecting is supposed to be wary of this machine. One would think it should be the other way around and this is one of the weaknesses of SSH, but I digress. Answer “Yes”. You should be able to use your Windows® username and password to connect. I wouldn’t worry too much about the term type being off at this point.
  • If you are successful, type telnet localhost or telnet <ip> to see if you get a d3 logon. If so, exit out of d3 and your SSH session. If not successful, then you get to Google up the error message that is returned.
  • We’re going to edit the .bash_profile file of each user you want to connect directly to d3. Navigate to the cygwin\home\<desired username> folder. You should see a file named .bash_profile. You can open it in Notepad & struggle a little, or open it in Wordpad and it makes more sense. Go to the end of the file and insert a line that says “telnet localhost” (no quotes), or “telnet hostname” or whatever syntax you want to use; you can have it point to a different machine if you wish. Insert a second line which says “exit” (again, no quotes). Save the file and close it.
  • Make sure d3 is running wherever it lives and initiate an SSH session to the server. Login and you should see your d3 login. When you go to exit, the “exit” you put in the .bash_profile closes your SSH session behind you. You will need to edit the .bash_profile file of any user you wish to send straight to d3. You now have a d3/NT server running SSH.
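The .bash_profile edit above has to be repeated for every SSH user, so here is an added example (my own script, not part of the original article) that appends the two lines from a Cygwin bash shell for each home directory given on the command line. It is safe to re-run, and the d3 host name defaults to localhost as in the article; the D3_HOST variable, the marker comment and the function names are my assumptions.

```shell
#!/bin/bash
# Added example: put the d3 auto-login lines at the end of a user's
# .bash_profile so an SSH login goes straight to d3 and then closes.
# Usage: ./install_d3_profile.sh /home/user1 /home/user2 ...

D3_HOST="${D3_HOST:-localhost}"   # assumed: override with D3_HOST=otherhost

# Append the "telnet <host>" and "exit" lines the article describes.
# A marker comment makes the function idempotent: running it twice
# does not produce a second telnet/exit pair. Returns 0 when the lines
# are present afterwards, 1 when the home directory does not exist.
install_d3_profile() {
    local home_dir="$1" profile
    profile="$home_dir/.bash_profile"
    [ -d "$home_dir" ] || { echo "no such home: $home_dir" >&2; return 1; }
    if grep -q '^# d3 auto-login' "$profile" 2>/dev/null; then
        return 0    # already set up for this user
    fi
    {
        echo '# d3 auto-login (added by install_d3_profile)'
        echo "telnet $D3_HOST"
        # "exit" runs whether telnet reached d3 or was refused, so the
        # user is logged off instead of being left at a bash prompt.
        echo 'exit'
    } >> "$profile"
}

# Number of auto-login markers in a profile; should be exactly 1.
d3_profile_count() {
    grep -c '^# d3 auto-login' "$1/.bash_profile" 2>/dev/null || true
}

if [ $# -gt 0 ]; then
    for h in "$@"; do
        install_d3_profile "$h"
    done
fi
```

Because .bash_profile is only read by an interactive login shell, this is a convenience for the user, not a substitute for giving the Windows® account only the rights it needs.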
