SFTP Server installation on Windows 2008 R2 64bit Domain Environment
1. Install Win 2008 R2 64bit standard Domain controller – ygnopadif501
2. Install Win 2008 R2 64bit standard Server (joined to the DC) – ygnopsftpif501
3. Install Win 7 64bit Professional (client test) – ygnoppc01
6. You will need an internet connection to download the installer
7. I made a secondary partition on ygnopsftpif501 and put Cygwin on d:\cygwin
11. vi /etc/sshd_config, delete the previous contents and paste the following. Note that the Ciphers and MACs lines are the ones from this post: arcfour (RC4), the *-cbc ciphers and the hmac-md5* / hmac-sha1-96 MACs are legacy algorithms that modern OpenSSH clients no longer offer by default, and the list contains no CTR cipher at all, so a client restricted to CTR/SHA-2 will fail with "no matching cipher found". If your Cygwin OpenSSH build supports them (the ed25519 HostKey line below means it is 6.5 or newer, so it does), prefer aes256-ctr,aes192-ctr,aes128-ctr and hmac-sha2-512,hmac-sha2-256. Also remember that sshd takes the first uncommented value of each keyword; the commented #PasswordAuthentication yes below is harmless, but an uncommented duplicate placed above PasswordAuthentication no would silently re-enable passwords.
# This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#Protocol 2
#HostKey /etc/ssh_host_key
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key
#HostKey /etc/ssh_host_ecdsa_key
#HostKey /etc/ssh_host_ed25519_key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
Ciphers aes256-cbc,aes128-cbc,blowfish-cbc,3des-cbc,arcfour,cast128-cbc
MACs hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
#SyslogFacility AUTH
#LogLevel INFO
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysFile %h/.ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
#RhostsRSAAuthentication no
#HostbasedAuthentication no
#IgnoreUserKnownHosts no
#IgnoreRhosts yes
#PasswordAuthentication yes
PasswordAuthentication no
#PermitEmptyPasswords no
ChallengeResponseAuthentication no
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
#Banner none
#Subsystem sftp /usr/sbin/sftp-server
Subsystem sftp internal-sftp
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
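Before restarting sshd with a hand-pasted config like the one above, it is worth running a quick audit over it. The script below is an added example and is not part of the original post: it reads an sshd_config, reports legacy algorithms on the Ciphers and MACs lines and risky authentication settings, and applies sshd's own rule that for each keyword the first uncommented value is the one that takes effect (so a stray duplicate is caught rather than ignored). The weak-algorithm list and both sample configs are the editor's; the "post" sample copies only the Ciphers/MACs lines from above and adds a deliberate duplicated PasswordAuthentication pair to show the first-wins rule, and the hardened sample assumes an OpenSSH build that knows the SHA-2 MACs (6.5 or newer, as the ed25519 HostKey line implies).

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config for
# legacy algorithms and risky auth settings. The weak-algorithm list and the
# two sample configs below are the editor's own, not the post's.

# audit_sshd_config FILE -> prints one finding per line, returns their count
audit_sshd_config() {
  file=$1; findings=0; seen=""; cr=$(printf '\r')
  while read -r key val; do
    case $key in ''|'#'*) continue ;; esac
    key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')  # keywords are case-insensitive
    val=${val%"$cr"}                                        # tolerate CRLF files edited on Windows
    [ "$key" = match ] && break                             # only global settings are audited
    case " $seen " in *" $key "*) continue ;; esac          # sshd keeps the FIRST value per keyword
    seen="$seen $key"
    case $key in
      ciphers|macs)
        oldifs=$IFS; IFS=,; set -- $val; IFS=$oldifs
        for alg in "$@"; do
          # RC4 (arcfour*) is broken, CBC modes have plaintext-recovery attacks,
          # hmac-md5* and hmac-sha1-96 are MD5-based or truncated; offer none of them
          case $alg in
            arcfour*|*-cbc|hmac-md5*|hmac-sha1-96)
              printf '%s: weak algorithm %s\n' "$key" "$alg"
              findings=$((findings + 1)) ;;
          esac
        done ;;
      passwordauthentication|permitrootlogin|permitemptypasswords)
        case $(printf '%s' "$val" | tr '[:upper:]' '[:lower:]') in
          yes) printf '%s yes is risky on a key-only SFTP host\n' "$key"
               findings=$((findings + 1)) ;;
        esac ;;
      protocol)
        case $val in
          *1*) printf 'protocol %s enables SSH-1\n' "$val"
               findings=$((findings + 1)) ;;
        esac ;;
    esac
  done < "$file"
  return $findings
}

# Constructed sample: the post's Ciphers/MACs lines plus a duplicated
# PasswordAuthentication pair, to show that the first value is the effective one.
sample_config_from_post() {
  cat <<'EOF'
#Port 22
Ciphers aes256-cbc,aes128-cbc,blowfish-cbc,3des-cbc,arcfour,cast128-cbc
MACs hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
PubkeyAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no
Subsystem sftp internal-sftp
EOF
}

# Constructed hardened counterpart: CTR ciphers, SHA-2 MACs, keys only.
sample_config_hardened() {
  cat <<'EOF'
Protocol 2
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
ChallengeResponseAuthentication no
Subsystem sftp internal-sftp
EOF
}

# Stand-alone run: audit both constructed samples and print the counts.
main() {
  tmp=$(mktemp -d) || return 1
  sample_config_from_post > "$tmp/post.conf"
  sample_config_hardened > "$tmp/hardened.conf"
  for f in post hardened; do
    audit_sshd_config "$tmp/$f.conf" && n=0 || n=$?
    printf '%s.conf: %d finding(s)\n' "$f" "$n"
  done
  rm -rf -- "$tmp"
}
main
```

On the server run it as `sh audit.sh` after adding `audit_sshd_config /etc/sshd_config` to main, or source the file in Cygwin bash and call the function directly; the return code is the number of findings, so `audit_sshd_config /etc/sshd_config || echo "fix before cygrunsrv --start sshd"` works as a pre-start gate.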
12. mkpasswd > /etc/passwd
13. mkgroup > /etc/group
14. vi /etc/passwd and change the User ID / Group ID of the administrator to 0:0. This is the account sshd runs as, and a ChrootDirectory is only accepted when it is owned by UID 0:
Administrator:*:0:0:U-DOMAIN\ Administrator,S-1-5-21-2764008837-3433102739-348656545-500:/home/tanlcl:/bin/bash
15. vi /etc/group and add
root:S-1-5-32-544:0
16. Exit Cygwin and run it again with the admin account. Create the sandbox that will hold the users' homes. Every component of this path, and of the path above it, must be owned by the UID 0 account and must not be group- or world-writable, otherwise sshd refuses to chroot into it and the session is dropped:
cd /
mkdir sandbox
chmod 755 sandbox
chown Administrator.root sandbox
mkdir sandbox/home
chmod 755 sandbox/home
chown Administrator.root sandbox/home
ls -las /
0 drwxr-xr-x+ 1 Administrator root 0 Apr 14 16:13 sandbox
cd sandbox
ls -las
0 drwxr-xr-x+ 1 Administrator root 0 Apr 14 16:13 home
E.g. when Cygwin is installed on D:, the parent directories need the same owner:
cd /
chown Administrator.root cygdrive
chown Administrator.root cygdrive/d
chown Administrator.root cygdrive/d/cygwin64
chown Administrator.root cygdrive/d/cygwin64/sandbox
17. Create the sftp login account at the DC, then add it on the server:
$ mkpasswd -l --username ygn001 >> /etc/passwd (if the user is local)
$ mkpasswd -l -u ygn001 -D DOMAIN >> /etc/passwd (if it is a domain account)
$ mkdir /sandbox/home/ygn001
$ chmod 700 /sandbox/home/ygn001
$ chown ygn001 /sandbox/home/ygn001
$ mkdir /sandbox/home/ygn001/.ssh
$ chown ygn001 /sandbox/home/ygn001/.ssh
18. On the client PC, run the following.
19. Copy id_rsa.pub from the client PC to ygnopsftpif501:
scp ~/.ssh/id_rsa.pub ygn001@10.10.10.2:/sandbox/home/ygn001/.ssh
20. On the server, in /sandbox/home/ygn001/.ssh (the file name must match the AuthorizedKeysFile directive in sshd_config, i.e. authorized_keys, not authorized.keys):
cat id_rsa.pub >> authorized_keys
chown ygn001 authorized_keys
chgrp "Domain Users" authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Or use ssh-copy-id, which creates the authorized_keys file automatically:
ssh-copy-id -i /home/ygn001/.ssh/id_rsa.pub 10.10.10.2
Then start the service and check it:
cygrunsrv --start sshd (you can also start/stop the sshd service from Windows Services)
# ps -ef | grep sshd
# tail -f /var/log/sshd.log
# ssh -v ygn001@10.10.10.2
# ssh -vvv -i id_rsa ygn001@10.10.10.2
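Steps 16 to 20 are easy to get subtly wrong (a group-writable sandbox, an authorized_keys that is not mode 600), and sshd reports both only in its log. The script below is an added example, not code from the original post: it does the provisioning of those steps in one place and then verifies the sandbox the way sshd does before it will chroot into a ChrootDirectory. The paths and the user name ygn001 are the post's; the TOP argument of the check is an added convenience so the walk can stop at a scratch directory (on the real server pass / so every component is examined), and the key string in the demo is a constructed placeholder, not a real public key.

```shell
#!/bin/sh
# Added example, not from the original post: provision a sandboxed SFTP user
# and verify the chroot tree. Assumes GNU coreutils (stat -c, readlink -f),
# which Cygwin provides.

# check_chroot_path DIR TOP OWNER_UID
# Walk from DIR up to TOP (inclusive). Each component must be owned by
# OWNER_UID (root, i.e. Administrator after the /etc/passwd edit) and must not
# be group- or world-writable; sshd logs "bad ownership or modes for chroot
# directory component" and drops the session when any component fails.
# Prints the first offending path and returns 1; returns 0 when all pass.
check_chroot_path() {
  p=$(readlink -f -- "$1") || return 1
  top=$(readlink -f -- "$2") || return 1
  owner=$3
  while :; do
    st=$(stat -c '%u %a' -- "$p") || return 1
    set -- $st; uid=$1; mode=$2
    if [ "$uid" != "$owner" ]; then
      printf 'bad owner uid %s on %s (want %s)\n' "$uid" "$p" "$owner"
      return 1
    fi
    # 022 masks the group-write and other-write bits of the octal mode
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
      printf 'group/other writable (mode %s) on %s\n' "$mode" "$p"
      return 1
    fi
    [ "$p" = "$top" ] && return 0
    [ "$p" = / ] && return 1      # reached the root without meeting TOP
    p=$(dirname -- "$p")
  done
}

# provision_sftp_user SANDBOX USER GROUP PUBKEY_FILE
# Creates SANDBOX/home/USER/.ssh/authorized_keys (appending, so keys already
# installed survive), sets home and .ssh to 700 and the key file to 600 as
# StrictModes requires, and hands the home to USER:GROUP. SANDBOX and
# SANDBOX/home stay 755 and owned by the caller, which on the server is
# Administrator (UID 0).
provision_sftp_user() {
  sb=$1; usr=$2; grp=$3; pk=$4
  hm=$sb/home/$usr
  mkdir -p -- "$hm/.ssh" || return 1
  chmod 755 -- "$sb" "$sb/home" || return 1
  cat -- "$pk" >> "$hm/.ssh/authorized_keys" || return 1
  chmod 700 -- "$hm" "$hm/.ssh" || return 1
  chmod 600 -- "$hm/.ssh/authorized_keys" || return 1
  chown -R -- "$usr:$grp" "$hm" || return 1
}

# Stand-alone demonstration on a scratch tree (constructed; the key below is
# a placeholder string, not a real public key). On the server the call would
# be: provision_sftp_user /sandbox ygn001 "Domain Users" id_rsa.pub and
# check_chroot_path /sandbox / 0
main() {
  tmp=$(mktemp -d) || return 1
  printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAPLACEHOLDERNOTAREALKEY ygn001@ygnoppc01\n' \
    > "$tmp/id_rsa.pub"
  provision_sftp_user "$tmp/sandbox" "$(id -un)" "$(id -gn)" "$tmp/id_rsa.pub" || return 1
  check_chroot_path "$tmp/sandbox" "$tmp" "$(id -u)" && echo "sandbox accepted"
  chmod g+w -- "$tmp/sandbox"    # the common mistake: a group-writable jail
  check_chroot_path "$tmp/sandbox" "$tmp" "$(id -u)" || echo "sandbox rejected, as sshd would"
  rm -rf -- "$tmp"
}
main
```

If the check reports a component under /cygdrive, that is the case the "E.g." block in step 16 handles: the chown has to be repeated on every directory between the drive root and the sandbox, not only on the sandbox itself.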
Uninstall the SSH-service
If you want to uninstall the SSH-service, open up Cygwin and execute:
cygrunsrv --remove sshd
Restrict User to a directory
Open the etc folder in your Cygwin installation. Two files need an edit to implement a chroot jail for a user:
1. sshd_config
2. passwd
In sshd_config change the configuration below. ChrootDirectory and every directory above it must be owned by UID 0 and must not be writable by group or others, or sshd refuses the login; the Match block forces internal-sftp for the named user(s), so no shell or port forwarding is reachable from inside the jail:
# override default of no subsystems
Subsystem sftp internal-sftp
ChrootDirectory /cygdrive/d/inetpub/ftproot
# Example of overriding settings on a per-user basis
Match User administrators
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
In the passwd file, manually edit the root user to change the group ID (usually 544, the Administrators group) to 0, for example as below:
SvcCOPSSH:unused_by_nt/2000/xp:0:545:U-WINDOWS-AU90FH5\SvcCOPSSH,S-1-5-21-2943273595-299576109-709065550-1031:/var/:/bin/false
Restart the OpenSSH service and enjoy!
scp ~/.ssh/id_rsa.pub ygnopr1@10.10.10.2:/sandbox/home/ygnopr1/.ssh
Steps to use the local Linux admin to configure a new FatPC SFTP user who is a domain user:
=====================================================================================
1. Capture the domain user's SID into /etc/passwd (only a domain user can do this step; use your domain account to log in to FatPC, then run the Linux command):
mkpasswd -l -u ygnopr1 -D DOMAIN >> /etc/passwd
2. Edit the /etc/passwd file to make this entry follow the format for local users (refer to the xls sheet for instructions).
3. mkdir /home/ygnopr1
4. mkdir /home/ygnopr1/.ssh
5. cp the shared id_rsa & id_rsa.pub files to /home/ygnopr1/.ssh (the private key is only needed on this client side and must stay mode 600; only id_rsa.pub goes into authorized_keys on the server)
6. chgrp "Domain Users" /home/ygnopr1/.ssh ************NOTE
7. chgrp "Domain Users" /home/ygnopr1
8. Give ownership for /home/ and /home//.ssh to the domain user. This can't be done at the Linux command line by the local admin, but can be done using your AD account. So use Windows Explorer to give ownership. You will need to enter your domain credentials when prompted.
************NOTE
If there is an error about group "Domain Users" not existing, it means "Domain Users" doesn't exist inside /etc/group. Log in to Windows using your domain account, run the Linux terminal and then the command mkgroup -c >> /etc/group. After that, log out and log in as the local Windows admin and continue the config using the Linux terminal.
1. Log in with the ygnopr1 domain account; this creates the home folder under /home/ygnopr1
2. mkdir /home/ygnopr1/.ssh
3. Log off and log in with the zawhtet domain account
4. Copy /home/zawhtet/.ssh/id_rsa and id_rsa.pub to /home/ygnopr1/.ssh
5. Change the permissions of the .ssh folder: chown -R ygnopr1 .ssh and chgrp -R "Domain Users" .ssh
6. Log in with the zawhtet domain user and check the /etc/passwd file
7. If there's no record for the ygnopr1 user, run this command:
mkpasswd -l -u ygnopr1 -D DOMAIN >> /etc/passwd
8. Test the login to sftp ygn001@10.10.10.2
On the client side the id_rsa private key should be mode 600.