CopSSH 4.2.1 on Windows 7/2008R2
As you may be aware by now, CopSSH 4.2.1 was the last freely available CopSSH version. Luckily, I downloaded this version before it was removed from the ITeF!x site. CopSSH is still my favorite SSH server for Windows; in the future I’ll likely be more than willing to pay for binary builds, but as of now, 4.2.1 is what we’ll be using on our Windows servers for a couple of years.
The objective is to replace CopSSH 1.4.2 – 1.4.6 running on Windows 2003 R2 (x64) with version 4.2.1, which we’ll install on various machines running Windows 7 SP1 (x64) and Windows 2008 R2 SP1.
Since CopSSH is mainly used for password-less authentication (remote job execution), I’ll briefly document a PK authentication setup routine for a brand new box.
- take a backup of your existing CopSSH installation directory
- I prefer uninstalling the existing CopSSH version instead of upgrading, because I believe the CopSSH upgrade setup is broken and not worth the time to troubleshoot. Go to Control Panel and uninstall copssh plus the ICW-related components (ICW Base, ICW COPSSHCP and ICW OpenSSHServer).
Check the local user accounts: if the SvcCOPSSH account is still present after you uninstalled CopSSH, you must delete that account before you start the fresh installation! Also delete the %ProgramFiles(x86)%\ICW directory if you used the default directory as the target for your old installation.
- install CopSSH 4.2.1, more or less usual “Next-Next” routine
- activate the local user that you’ll be using in your batch scripts (I activated my local account: alesk)
- open command line and prepare environment:
    cmd> set PATH=%ProgramFiles(x86)%\ICW\bin;%PATH%
    cmd> set HOME=/cygdrive/c/Program Files (x86)/ICW/home/alesk
- Generate private/public key pair:
    cmd> ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/alesk/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
When prompted for the passphrase, DO NOT enter a password; just hit Enter twice, so that the key pair is not password protected.
Make sure that you’re fully aware of the security implications of key pairs that are not password protected. If you’re not sure about the consequences, google around and make sure proper file permissions are set on those two files! A discussion of the security implications is beyond the scope of this topic.
- Append the public key (/home/alesk/.ssh/id_rsa.pub in my case) to the server’s authorized_keys file. Assuming that an ssh daemon is available on the server:
    cmd> scp ~/.ssh/id_rsa.pub myserver:/home/alesk/.ssh/id_rsa.pub.tmp
    cmd> ssh alesk@myserver
    ssh> cat /home/alesk/.ssh/id_rsa.pub.tmp >> /home/alesk/.ssh/authorized_keys
    ssh> rm /home/alesk/.ssh/id_rsa.pub.tmp
- Here is an example where I added some properties to the key on the server side, which limit what the owner of the key can actually do on the server and from where…
    #
    # example of a key that limits password-less execution to particular hosts and a predefined command
    #
    from="HP-LAPTOP,ASROCK,!Foo.acme.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="ls -l" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3TwQsIG6uGXGgGVhOgDLEyp33Qu7RqEJpxh1QlQQ4X2Pdjind4Y6vyG4q0P/VLBisrs7/eC/kr+1mntu2Coh+MyMF2h6w1L+34Z53kpYWJgxv8Uc0qCmTGbPcnDt5xa/bcIYZp6pB2caDGUT+SQ0QAdhbA2Wy+1JIlav6C2GMDGwPPtiWMRJ0dCdczS2SdD8Z6pCibZLaipnFOsLig93Hk9+AJNpgIhkJ/i03/w+a76aMcv5PEiwsZIk1vJZIXTI8L7eFRz2ICpd4qi6wN690RtdW73W3zIRTe4HPMx2ESTVS26AHHS8qH0TlZEa3OGKA6a0OGkomdihQD5JpnBE7 alesk@HPWIN7
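Because the key pair has no passphrase, the server-side restrictions on the key entry are the main control worth verifying. The following Python script is an added example, not part of the original post: it parses an authorized_keys file, including quoted option values that contain commas or spaces, and lists every entry that lacks one of the restrictions used in the sample key above. The sample file, its user names and its placeholder key bodies are constructed.

```python
# Added example (not from the original post): audit authorized_keys restrictions.
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")
WANTED = ("from", "command", "no-port-forwarding", "no-x11-forwarding",
          "no-agent-forwarding", "no-pty")

def split_options(line):
    """Split the leading option field from the rest, honouring "..." quoting."""
    opts, cur, quoted, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if quoted and line.startswith('\\"', i):   # escaped quote inside a value
            cur.append('"')
            i += 1
        elif c == '"':
            quoted = not quoted
        elif c == "," and not quoted:               # separator between options
            opts.append("".join(cur))
            cur = []
        elif c == " " and not quoted:               # end of the option field
            break
        else:
            cur.append(c)
        i += 1
    opts.append("".join(cur))
    return opts, line[i:].strip()

def audit(text):
    """Return [(line number, key comment, missing options)] for weak entries."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = ([], line) if line.startswith(KEY_TYPES) else split_options(line)
        names = {o.partition("=")[0].lower() for o in opts}  # names are case-insensitive
        missing = [w for w in WANTED if w not in names]
        if missing:
            findings.append((n, " ".join(rest.split()[2:]), missing))
    return findings

# Constructed sample file; the key bodies are placeholders, not real keys.
SAMPLE = '''# constructed authorized_keys
from="HP-LAPTOP,ASROCK,!Foo.acme.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="ls -l" ssh-rsa AAAAPLACEHOLDER1 alesk@HPWIN7
ssh-rsa AAAAPLACEHOLDER2 backup@constructed
from="10.0.0.5",command="/bin/run job, nightly" ssh-rsa AAAAPLACEHOLDER3 batch@constructed
'''

if __name__ == "__main__":
    for n, comment, missing in audit(SAMPLE):
        print(f"line {n} ({comment}): missing {', '.join(missing)}")
```

To check a real file, pass its contents to audit() instead of SAMPLE; an empty result means every entry carries all six options.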