Wednesday, April 15, 2015

Cygwin Linux SFTP Server installation on Windows 2008 R2



SFTP Server installation on Windows 2008 R2 64bit Domain Environment

1. Install Win 2008 R2 64bit standard Domain controller – ygnopadif501
2. Install Win 2008 R2 64bit standard Server (Join to the DC) – ygnopsftpif501
3. Install Win 7 64bit Professional (Client Test) – ygnoppc01
4. Download Cygwin installer from http://www.cygwin.com/ -> setup-x86_64.exe
5. Copy the installer file to ygnopsftpif501 and run it with local administrator rights.
6. You will need an internet connection to download the installer.
7. I made a secondary partition on ygnopsftpif501 and put Cygwin on d:\cygwin






11. vi /etc/sshd_config, delete the previous contents, and paste the following.

# This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#Protocol 2
#HostKey /etc/ssh_host_key
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key
#HostKey /etc/ssh_host_ecdsa_key
#HostKey /etc/ssh_host_ed25519_key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
Ciphers aes256-cbc,aes128-cbc,blowfish-cbc,3des-cbc,arcfour,cast128-cbc
MACs hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
#SyslogFacility AUTH
#LogLevel INFO
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile   .ssh/authorized_keys
#AuthorizedKeysFile   %h/.ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
#RhostsRSAAuthentication no
#HostbasedAuthentication no
#IgnoreUserKnownHosts no
#IgnoreRhosts yes
#PasswordAuthentication yes
PasswordAuthentication no
#PermitEmptyPasswords no
ChallengeResponseAuthentication no
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
#Banner none
#Subsystem      sftp    /usr/sbin/sftp-server
Subsystem       sftp    internal-sftp
# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no

12. mkpasswd > /etc/passwd
13. mkgroup > /etc/group
14. vi /etc/passwd and change the User ID / Group ID of the administrator
Administrator:*:0:0:U-DOMAIN\Administrator,S-1-5-21-2764008837-3433102739-348656545-500:/home/tanlcl:/bin/bash






15. vi /etc/group and add
root:S-1-5-32-544:0





16. Exit from Cygwin and run it again with the admin account.
cd /
mkdir sandbox
chmod 755 sandbox
chown Administrator.root sandbox
mkdir sandbox/home
chmod 755 sandbox/home
chown Administrator.root sandbox/home
ls -las /
0 drwxr-xr-x+ 1 Administrator root      0 Apr 14 16:13 sandbox
cd sandbox
ls -las
0 drwxr-xr-x+ 1 Administrator root 0 Apr 14 16:13 home

E.g.
cd /
chown Administrator.root cygdrive
chown Administrator.root cygdrive/d [if cygwin is installed to D:]
chown Administrator.root cygdrive/d/cygwin64
chown Administrator.root cygdrive/d/cygwin64/sandbox

17. Create sftp login account at DC.
$ mkpasswd -l --username ygn001 >> /etc/passwd  (If user is local)
$ mkpasswd -l -u ygn001 -D DOMAIN >> /etc/passwd (if domain account)

$ mkdir /sandbox/home/ygn001
$ chmod 700 /sandbox/home/ygn001
$ chown ygn001 /sandbox/home/ygn001
$ mkdir /sandbox/home/ygn001/.ssh
$ chown ygn001 /sandbox/home/ygn001/.ssh
18. On the client PC, run the following.

19. Copy the id_rsa.pub from client pc to ygnopsftpif501.
scp ~/.ssh/id_rsa.pub ygn001@10.10.10.2:/sandbox/home/ygn001/.ssh
20. cat id_rsa.pub >> authorized_keys
chown ygn001 authorized_keys
chgrp "Domain Users" authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Or use
ssh-copy-id -i /home/ygn001/.ssh/id_rsa.pub 10.10.10.2 <- this command creates the authorized_keys file automatically.
cygrunsrv --start sshd (You can start/stop sshd service from Windows services)
#ps  -ef | grep sshd
#tail -f /var/log/sshd.log

Test login to the SFTP server as ygn001
#sftp ygn001@10.10.10.2 (should land directly in /sandbox/home/ygn001)
#ssh -vvv -i id_rsa ygn001@10.10.10.2
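
The Ciphers and MACs lines pasted into sshd_config in step 11 list several legacy algorithms (CBC-mode ciphers, arcfour, MD5-based and 96-bit truncated MACs). The script below is an added example, not part of the original post: it reads an sshd_config and prints each entry matching those patterns. The pattern list is this example's own choice, and the sample input is constructed from the two lines in step 11.

```shell
#!/bin/sh
# Added example: flag legacy algorithms on the Ciphers/MACs lines of an sshd_config.
# The "legacy" patterns are this example's assumption, not an official list.

# audit_sshd_algos FILE: print "Directive:algorithm" for every flagged entry.
audit_sshd_algos() {
    awk '
        /^[ \t]*#/ { next }                      # skip commented-out directives
        {
            key = tolower($1)                    # sshd keywords are case-insensitive
            if (key != "ciphers" && key != "macs") next
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++) {
                a = algs[i]
                weak = 0
                # CBC-mode ciphers and RC4 (arcfour)
                if (key == "ciphers" && (a ~ /-cbc$/ || a ~ /^arcfour/)) weak = 1
                # MD5-based MACs and MACs truncated to 96 bits
                if (key == "macs" && (a ~ /md5/ || a ~ /-96/)) weak = 1
                if (weak) print $1 ":" a
            }
        }
    ' "$1"
}

# Constructed sample: the active algorithm lines from step 11 plus two neighbours.
sample_config() {
    cat <<'EOF'
#Protocol 2
Ciphers aes256-cbc,aes128-cbc,blowfish-cbc,3des-cbc,arcfour,cast128-cbc
MACs hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
PasswordAuthentication no
EOF
}

# demo: audit the constructed sample through a temporary file.
demo() {
    demo_tmp=$(mktemp)
    sample_config > "$demo_tmp"
    audit_sshd_algos "$demo_tmp"
    rm -f "$demo_tmp"
}

demo
```

On the server itself, run `audit_sshd_algos /etc/sshd_config`; `sshd -T` prints the values sshd actually uses and `ssh -Q cipher` lists what the installed build supports.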


Uninstall the SSH-service
If you want to uninstall the SSH-service, open up Cygwin and execute commands:
cygrunsrv --remove sshd

Restrict User to a directory 
Open the etc folder in your Cygwin installation. Two files need to be edited to implement a chroot jail for a user.
1. sshd_config
2. passwd

In sshd_config, change the configuration below:

# override default of no subsystems
Subsystem    sftp    internal-sftp
ChrootDirectory /cygdrive/d/inetpub/ftproot

# Example of overriding settings on a per-user basis
Match User administrators
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp


In the passwd file, manually edit the root user to change the group id (usually 544) to 0,
for example as below:
SvcCOPSSH:unused_by_nt/2000/xp:0:545:U-WINDOWS-AU90FH5\SvcCOPSSH,S-1-5-21-2943273595-299576109-709065550-1031:/var/:/bin/false

Restart the OpenSSH service and enjoy!
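
sshd only accepts a ChrootDirectory when every component of the path is a directory owned by root (uid 0) and not writable by group or others; the uid 0 / gid 0 edits to /etc/passwd and /etc/group and the `chown Administrator.root` steps earlier on this page are what let the Cygwin directories meet that rule. The script below is an added example, not part of the original post, that checks a path such as /cygdrive/d/inetpub/ftproot before sshd is restarted. The function names and the script file name are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for an sshd ChrootDirectory path.
# sshd rejects the chroot unless every path component is a directory owned
# by root (uid 0) and not writable by group or others.

# check_dir DIR UID: succeed if DIR is a directory owned by UID with no
# group/other write bit. Uses GNU stat, which is what Cygwin ships.
check_dir() {
    cd_dir=$1
    cd_uid=$2
    if [ ! -d "$cd_dir" ]; then
        echo "FAIL $cd_dir: not a directory"; return 1
    fi
    cd_owner=$(stat -c '%u' "$cd_dir")
    cd_mode=$(stat -c '%a' "$cd_dir")      # octal permissions, e.g. 755
    if [ "$cd_owner" != "$cd_uid" ]; then
        echo "FAIL $cd_dir: owner uid $cd_owner, expected $cd_uid"; return 1
    fi
    if [ $(( 0$cd_mode & 022 )) -ne 0 ]; then
        echo "FAIL $cd_dir: mode $cd_mode is group/other writable"; return 1
    fi
    echo "ok   $cd_dir ($cd_mode, uid $cd_owner)"
}

# check_chroot_path PATH [UID]: run check_dir on PATH and every parent up to /.
# Returns 0 only if all components pass; UID defaults to 0 (root).
check_chroot_path() {
    cp_path=$1
    cp_uid=${2:-0}
    cp_rc=0
    case $cp_path in
        /*) ;;
        *) echo "FAIL $cp_path: need an absolute path"; return 2 ;;
    esac
    while :; do
        check_dir "$cp_path" "$cp_uid" || cp_rc=1
        [ "$cp_path" = "/" ] && break
        cp_path=$(dirname "$cp_path")
    done
    return $cp_rc
}

# Usage (hypothetical file name): sh check_chroot.sh /cygdrive/d/inetpub/ftproot
if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```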


Steps to use local Linux admin to configure new FatPC SFTP user who is a domain user:
=====================================================================================

1. Capture the domain user's SID into /etc/passwd (only a domain user can do this step. Use your domain account to log in to FatPC, then run the Linux command):
   mkpasswd -l -u ygnopr1 -D DOMAIN >> /etc/passwd
2. Edit the /etc/passwd file to make this entry follow the format for local users (refer to the xls sheet for instructions).
3. mkdir /home/ygnopr1
4. mkdir /home/ygnopr1/.ssh
5. cp the shared id_rsa & id_rsa.pub files to /home/ygnopr1/.ssh
6. chgrp "Domain Users" /home/ygnopr1/.ssh ************NOTE
7. chgrp "Domain Users" /home/ygnopr1

8. Give ownership for /home/ and /home//.ssh to the domain user. This can't be done at the Linux command line by the local admin, but can be done using your AD account.
So use Windows explorer to give ownership. You will need to enter your domain credentials when prompted.

************NOTE
If there is an error about the group "Domain Users" not existing, it means "Domain Users" doesn't exist inside /etc/group.
You should log in to Windows using your domain account, run the Linux Terminal, and then run the command mkgroup -c >> /etc/group. After that,
log out, log in as the local Windows admin, and continue the config using the Linux Terminal.

1. Log in with the ygnopr1 domain account; it will create the home folder under /home/ygnopr1
2. mkdir /home/ygnopr1/.ssh
3. Log off and log in with the zawhtet domain account
4. Copy /home/zawhtet/.ssh/id_rsa and id_rsa.pub to /home/ygnopr1/.ssh
5. Change permissions for the .ssh folder (chown -R ygnopr1 .ssh) (chgrp -R "Domain Users" .ssh)
6. Log in with the zawhtet domain user and check the /etc/passwd file
7. If there's no record for the ygnopr1 user, you need to run this command:
8. mkpasswd -l -u ygnopr1 -D DOMAIN >> /etc/passwd
9. Then test the login: sftp ygn001@10.10.10.2
On the client side, the id_rsa private key should have permission 600.