SSH public keys on Windows using Cygwin
---------------------------------------
10-12-2005 MJL (http://shootingstarbbs.us)

(These notes use SSHWindows as an example, but the same concept should apply to other Cygwin-based SSH builds. File names/paths used below should be changed accordingly.)

After installing SSHWindows, changes are required to enable public key authentication. The following steps must be completed:

* Change ownership of the OpenSSH folder and its subfolders to Administrators using Windows Explorer (client and server).

* Grant Administrators full control of the OpenSSH folder. From a command prompt, type:

      cacls "c:\program files\openssh" /t /e /c /g Administrators:F

  (client and server). The path contains a space, so it must be quoted.

* On the server, edit the sshd_config file and set StrictModes to "no". (sshd's StrictModes check expects POSIX file modes on the user's home directory and key files; Windows ACLs do not map onto these cleanly, so the check fails and publickey authentication is silently refused unless it is disabled.)

* Under the user's profile, grant Administrators (and only Administrators) full control of the .ssh folder and its files. If this folder does not exist, it can be created by establishing an SSH connection to another box (client and server).

* On clients, copy the private RSA key to the local .ssh folder and name it "id_rsa". Copy the client's public RSA key to the desired server(s) by adding it to an "authorized_keys" text file located under the server's .ssh folder.

* To use publickey authentication, use the SSH command line switch "-o PreferredAuthentications=publickey". Alternately, you can modify the ssh_config file to make this the default.

Important note for Windows 2003 Server users:
---------------------------------------------
2003 Server has a funny new feature. When starting services under the SYSTEM account, these services have nearly all user rights which SYSTEM holds... except for the "Create a token object" right, which is needed to allow public key authentication :-( There's no way around this, except for creating a substitute account which has the appropriate privileges.

Basically, this account should be a member of the Administrators group, plus it should have the following user rights (some of these should already be assigned to Administrators):

    Create a token object
    Logon as a service
    Replace a process level token
    Adjust memory quotas for a process

The ssh-host-config script asks you whether it should create such an account, called "sshd_server". If you say "no" here, you're on your own. Please follow the instructions in ssh-host-config exactly if possible. Note that ssh-user-config sets the permissions on 2003 Server machines depending on whether an sshd_server account exists or not.

* Restart the sshd service.
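As an added example (not part of these notes, nor of SSHWindows or Cygwin), the script below runs in Cygwin's own bash and checks two of the steps above before you restart sshd: that the server's sshd_config really has StrictModes off, and that the client's public key lands in authorized_keys exactly once. sshd_opt follows the rule documented for sshd_config (the first occurrence of a keyword wins, keywords are case-insensitive, '#' starts a comment); the config lines, key string and temporary paths at the bottom are constructed for the demo and are not real values.

```shell
#!/bin/sh
# Added example for Cygwin's bash, not code from the original notes.
# All file paths and the sample key below are constructed for the demo.

# sshd_opt KEYWORD FILE
# Print the effective value of KEYWORD in an sshd_config: OpenSSH uses the
# FIRST occurrence of a keyword, keyword matching is case-insensitive, and
# lines beginning with '#' are comments. Prints nothing when the keyword is
# absent, in which case sshd's compiled-in default applies.
# (Only the common "Keyword value" form is handled, not "Keyword=value".)
sshd_opt() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v kw="$kw" '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        NF >= 2 && tolower($1) == kw { print $2; exit }
    ' "$2"
}

# check_strictmodes FILE
# Succeed only when StrictModes is explicitly "no", the setting the notes
# require because Windows ACLs do not satisfy sshd's POSIX mode checks.
check_strictmodes() {
    [ "$(sshd_opt StrictModes "$1")" = "no" ]
}

# add_authorized_key PUBKEY_FILE AUTHORIZED_KEYS
# Append the first line of PUBKEY_FILE to AUTHORIZED_KEYS unless that exact
# line is already there, so repeated runs never accumulate duplicates.
# Returns 0 when the key was added, 2 when it was already present,
# 1 when the public key file is empty or unreadable.
add_authorized_key() {
    key=$(head -n 1 "$1" 2>/dev/null)
    [ -n "$key" ] || return 1
    mkdir -p "$(dirname "$2")"
    touch "$2"
    if grep -qxF -- "$key" "$2"; then
        return 2
    fi
    printf '%s\n' "$key" >> "$2"
}

# --- constructed sample input so the script runs stand-alone ---------------
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
# constructed sshd_config for this example (not a real server config)
Port 22
strictmodes no
StrictModes yes
PubkeyAuthentication yes
EOF
# Constructed placeholder public key; not a real key.
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEY constructed@example\n' \
    > "$demo_dir/id_rsa.pub"

if check_strictmodes "$demo_dir/sshd_config"; then
    echo "StrictModes is off: first occurrence wins, later 'yes' is ignored"
else
    echo "StrictModes is still on: publickey auth will fail on Windows"
fi

# First call appends the key; the second sees it and returns 2.
add_authorized_key "$demo_dir/id_rsa.pub" "$demo_dir/.ssh/authorized_keys"
if add_authorized_key "$demo_dir/id_rsa.pub" "$demo_dir/.ssh/authorized_keys"; then
    echo "added again (unexpected)"
else
    echo "key already present, nothing appended"
fi
```

Point check_strictmodes at the real server file (for SSHWindows, the sshd_config under the OpenSSH install folder named above) and add_authorized_key at the user's .ssh\authorized_keys under the profile; the ACL steps from the notes still have to be done by hand, since these helpers only look at file contents.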