Re: Openssh for Windows - openssh


  1. Re: Openssh for Windows


    The only other OpenSSH based server would be part of Cygwin. Otherwise
    VanDyke has a nice native commercial SSH server.

    - Ben

    On Sun, 27 Jul 2008, Patel Dippen-CDP054 wrote:

    > Is there an OpenSSH server version for Windows 2003 Server? The only
    > OpenSSH server for Windows I found is version v3.8.1p1-1. However, this
    > is ONLY supported on Windows NT.
    > Is there any other openware SSH Server for Windows 2003 Server?
    > _______________________________________________
    > openssh-unix-dev mailing list
    > openssh-unix-dev@mindrot.org
    > https://lists.mindrot.org/mailman/li...enssh-unix-dev
    >

    _______________________________________________
    openssh-unix-dev mailing list
    openssh-unix-dev@mindrot.org
    https://lists.mindrot.org/mailman/li...enssh-unix-dev


  2. RE: Openssh for Windows

    Hi Patel,

    On Mon, 28 Jul 2008, Patel Dippen-CDP054 wrote:

    > I have Windows Services running on different Windows machines and they
    > talk to each other. I need to protect the communication between these 2
    > services. One approach is using SSL. I am trying to investigate the
    > feasibility of using SSH tunnels so that I do NOT have to modify the
    > Applications.


    IPSec is probably the best tool for this job. Adding SSH tunneling and
    port forwarding to the mix will only complicate matters, probably not
    perform as well, and subtly changes semantics of things like connect()
    which could break your application in odd ways.

    Cheers, Chris.
    --
    _____ __ _
    \ __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK |
    / (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
    \ _/_/_/_//_/___/ | We are GNU : free your mind & your software |


  3. Re: Openssh for Windows

    On Mon, Jul 28, 2008 at 10:01:51AM -0400, Patel Dippen-CDP054 wrote:
    ... Cygwin / VanDyke
    >
    > Could I use either of these on high security/ mission critical systems?


    One advantage for the open source alternative is that you are able to
    find the answer for this question out for yourself, rather than
    having to rely on what a vendor tells you.


    > I have Windows Services running on different Windows machines and
    > they talk to each other. I need to protect the communication
    > between these 2 services.


    As others mentioned, an actual VPN product is much more suitable for
    this task. I recommend the open source product OpenVPN which runs
    very well also on Windows. Please see http://openvpn.net/


    //Peter


  4. Re: Openssh for Windows

    On Jul 28 11:08, Patel Dippen-CDP054 wrote:
    > Chris,
    >
    > Agree. Our proposal is to use SSL natively (IPSec creates other problems
    > for us). However, I have to provide some analysis on why SSH is not
    > suitable. Believe the lack of an openware, stable and secured SSH server
    > for Windows itself suffices.


    Cygwin uses global shared memory for sharing not very security relevant
    stuff. Otherwise all datastructures are secured by security descriptors
    which only the user, administrative accounts and the system itself can
    access.

    However, it looks like you're just looking for an excuse not to use
    OpenSSH on Windows anyway, so, never mind.


    Corinna

    --
    Corinna Vinschen
    Cygwin Project Co-Leader
    Red Hat


  5. RE: Openssh for Windows



    On Mon, 28 Jul 2008, Patel Dippen-CDP054 wrote:

    > So basically, I have to download and install Cygwin from
    > http://cygwin.com/. Does this install the complete Cygwin or just a
    > small portion like the v3.8.1p1-1 below?
    >


    By default you are given a choice as to how much of Cygwin you want to
    install. It is really an attempt to do a full "UNIX-like" environment
    (command line, and library set) within the Windows environment.

    > Are there security issues related to using Cygwin itself? The v3.8.1p1-1
    > version has a Readme that states that Cygwin uses shared memory to store
    > process information that is not protected.
    >


    I can't comment on this. Others that have dealt with Cygwin more
    recently can speak for it.

    > How safe is the VanDyke version?
    >


    I've had no problems with VanDyke products so far, and I've been rather
    pleased with their support.

    > Could I use either of these on high security/ mission critical systems?
    >


    If it was me I'd look at the VanDyke solution. One could prototype using
    Cygwin, but.. Well, I've been too close to the patches that flowed in for
    OpenSSH support and some of them still cause me nightmares (Sorry
    Corinna.. I know they are needed, but still doesn't make me comfortable
    =).

    But we've drifted off the subject of OpenSSH.. so I'll wander off. =)

    - Ben


  6. Re: Openssh for Windows

    Circa 2008-07-28 11:08 dixit Peter Stuge:

    : On Mon, Jul 28, 2008 at 10:01:51AM -0400, Patel Dippen-CDP054 wrote:
    : .. Cygwin / VanDyke
    : >
    : > Could I use either of these on high security/ mission critical systems?

    [...]

    : > I have Windows Services running on different Windows machines and
    : > they talk to each other. I need to protect the communication
    : > between these 2 services.
    :
    : As others mentioned, an actual VPN product is much more suitable for
    : this task. I recommend the open source product OpenVPN which runs
    : very well also on Windows. Please see http://openvpn.net/

    As no one else has mentioned yet, if the services in question talk to
    each other via TCP, then a number of solutions are available, including
    OpenSSH with a minimal Cygwin environment (see Corinna Vinschen's
    response in this thread for info about OpenSSH's security under Cygwin).
    Stunnel is another potential solution; it
    appears to have a Microsoft-native installer (and can allegedly install
    as a Microsoft Windows service).

    However, if the services communicate via UDP, then you *must* use a
    different solution, as neither OpenSSH nor stunnel will tunnel UDP
    traffic. OpenVPN, as Peter mentions, is a high-quality SSL-based VPN
    solution that works natively on Microsoft OSes and handles UDP. As
    mentioned previously, IPsec is another candidate.

    Of course, there are other ways to handle this as well, including
    putting VPN appliances in between the Microsoft systems (this includes
    using, say, a Linux or OpenBSD system as a VPN gateway). That could
    bring you more flexibility.

    Also, depending on the physical proximity of the systems, you may be
    able to simply use a physically separated network to connect them (for
    example, dedicated network ports connected via a separate switch or a
    crossover cable).

    Good luck,
    jim

    --
    jim knoble | jmknoble@pobox.com | http://www.pobox.com/~jmknoble/
    (GnuPG key ID: C6F31FFA >>>>>> http://www.pobox.com/~jmknoble/keys/ )
    (GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA )
    +----------------------------------------------------------------------+
    |[L]iberty, as we all know, cannot flourish in a country that is perma-|
    | nently on a war footing, or even a near-war footing. --Aldous Huxley|
    +----------------------------------------------------------------------+


  7. Re: Openssh for Windows

    On Jul 28 10:45, Ben Lindstrom wrote:
    > If it was me I'd look at the VanDyke solution. One could prototype using
    > Cygwin, but.. Well, I've been too close to the patches that flowed in for
    > OpenSSH support and some of them still cause me nightmares (Sorry
    > Corinna.. I know they are needed, but still doesn't make me comfortable
    > =).


    Which ones?

    The file system related tests? The default installation on an NTFS
    drive will use all security it can get. The extra code is just
    necessary for users who install on FAT or FAT32 with no security at all,
    or users who explicitly switched off all permission checking. And then
    there are still Windows 95/98/Me users out there, hard as it is to
    imagine it...

    The disabled root user tests? There's no such thing as a single user
    with uid 0 having the necessary rights to run OpenSSH and switch the
    user context on Windows. I already suggested more than once in the last
    years to replace the `if (pw_uid == 0)'-like tests in OpenSSH with a OS
    dependent function call. On Cygwin (well, Windows) this would mean to
    check for specific user rights as the right to act on behalf of the
    operating system, stuff like that. On most POSIX systems that would be
    a simple test for uid 0. I even created a patch for this but
    unfortunately it hasn't been accepted.

    The disabled test for being able to revert a seteuid in
    permanently_drop_suid? That's something I have no control over.
    Windows NT has a means to do that, but that function was never intended
    to be called by a Win32 process to switch its own user token permanently
    and it doesn't work as expected. I tried to use it but I never got it
    working on some OS versions. Eventually Microsoft disabled this
    function entirely when called from a Win32 process starting with Windows
    Vista. Interix OTOH may call this function because it's not a Win32
    process like Cygwin but an entirely different subsystem.
    However, that's really not a problem. When the user process is started
    by sshd, this *is* done by a function call which actually switches
    the user token permanently (CreateProcessAsUser). There's no way for
    the user process to re-gain root privileges anymore.

    Anything else?


    Corinna

    --
    Corinna Vinschen
    Cygwin Project Co-Leader
    Red Hat
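
The OS-dependent privilege check proposed in the last message, written out as an added example (it is not Corinna's patch and not OpenSSH code). The names `platform_can_switch_user` and `may_start_session` are hypothetical, and the two Windows privileges tested are an assumption about which rights stand in for uid 0; the message itself only names the right to act on behalf of the operating system.

```c
#include <stdbool.h>

#if defined(_WIN32) || defined(__CYGWIN__)
#include <windows.h>

/* True if the token holds the named privilege and it is currently enabled. */
static bool token_has_privilege(HANDLE token, const char *name)
{
    PRIVILEGE_SET ps;
    BOOL held = FALSE;

    ps.PrivilegeCount = 1;
    ps.Control = PRIVILEGE_SET_ALL_NECESSARY;
    ps.Privilege[0].Attributes = 0;
    if (!LookupPrivilegeValueA(NULL, name, &ps.Privilege[0].Luid))
        return false;
    return PrivilegeCheck(token, &ps, &held) && held;
}

/* Windows has no single uid 0, so test the rights needed to switch user.
 * Assumed set: SeTcbPrivilege ("Act as part of the operating system") and
 * SeAssignPrimaryTokenPrivilege (used by CreateProcessAsUser). */
bool platform_can_switch_user(void)
{
    HANDLE token;
    bool ok;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token))
        return false;
    ok = token_has_privilege(token, "SeTcbPrivilege") &&
         token_has_privilege(token, "SeAssignPrimaryTokenPrivilege");
    CloseHandle(token);
    return ok;
}
#else
#include <sys/types.h>
#include <unistd.h>

/* On most POSIX systems the same question is a simple test for uid 0. */
bool platform_can_switch_user(void)
{
    return geteuid() == 0;
}
#endif

/* Portable caller: no literal uid 0 appears outside the platform layer.
 * An unprivileged server can only serve the account it already runs as. */
bool may_start_session(bool target_is_invoking_user)
{
    return target_is_invoking_user || platform_can_switch_user();
}
```
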

