792456 - setup ssh on Windows 8

Status: RESOLVED FIXED

Description

[Amy Rich [:arr] [:arich]]

Based on conversation in email, it sounds like we do not have a complete set of requirements for automating the windows 8 testers.  Specifically, there's some question about which ssh/scp server should be used.  Armen, could you modify one of the HPs running w8 to test out which ever ssh/scp server releng would like to use and let us know what works for you?  We can then automate that process with whatever software you specify.  


I know that the current windows machines are using kpyM-sshd, but you seem to indicate interest in copssh (I'm not sure what the desire to switch is motivate by).  If you decide on copssh, I'm sure we can obtain a license for that since it's only $400 for unlimited use.  Is the desire also to use a different ssh server on the other platforms moving forward?

Comment 1

[Armen [:armenzg]]

(In reply to Amy Rich [:arich] [:arr] from comment #0)
> Based on conversation in email, it sounds like we do not have a complete set
> of requirements for automating the windows 8 testers.  Specifically, there's
> some question about which ssh/scp server should be used.  Armen, could you
> modify one of the HPs running w8 to test out which ever ssh/scp server
> releng would like to use and let us know what works for you?  We can then
> automate that process with whatever software you specify.  
> 
I will.

> 
> I know that the current windows machines are using kpyM-sshd, but you seem
> to indicate interest in copssh (I'm not sure what the desire to switch is
> motivate by).  If you decide on copssh, I'm sure we can obtain a license for
> that since it's only $400 for unlimited use.  Is the desire also to use a
> different ssh server on the other platforms moving forward?

kpyM-sshd seems to have stopped development [1].
it does not allow us to ssh into the machine without having to type a password.
We cannot scp files into a Windows host.
We cannot execute commands remotely (e.g. ssh host "command")

[1] http://www.kpym.com/2/kpym/download.htm

Comment 2

[Hal Wine [:hwine] (use NI)]

fwiw, I've had success with cygwin's sshd, but that was most recently with win2k. The setup instructions have to be followed carefully to get all the windows permissions correct, but scp & ssh both worked "just like *nix"

Comment 3

[Armen [:armenzg]]

I have dropped pursuing copSSH on Windows 8.
I have 2 machines for others to try if you would like.

Here are the steps I followed:
* production-opsi.build.mozilla.org:~cltbld/Copssh_4.4.0_Installer.zip
* as Administrator, install in default location
* C:\Program Files (x86)\ICW\bin\copsshcp.exe to start the GUI
** Users tab, add both cltbld and Administrator, then Apply
** copy the authorized_keys file from another host into C:\Program Files\ICW\home\cltbld\.ssh

Comment 4

[Armen [:armenzg]]

I have managed to install Bitvise SSH Server.
I have not managed to install CygWin + OpenSSH

The problem is that is pricey, does not have rsync (not a blocker), I cannot determine how often they release.

The advantage is that it meets what I believe are our must:
* password less login
* scp

It integrates better than copSSH on Windows XP as far as I can tell.

################################################
== CygWin + OpenSSH ==
NOTE: I could not get it going. Perhaps someone else is luckier.
This instructions [1] might be for older versions since tty ntsec was complaining.
I was getting "Error 1069: The service did not start due to a logon failure" (IIRC) when running "cygrunsrv -S sshd"
* Using reading this http://www.noah.org/ssh/cygwin-sshd.htm
* The most recent version of the Cygwin DLL is 1.7.16-1.
** Install it by running setup.exe.
* Select installation from the internet
* You have to choose one of the mirrors
* search for the following packages
** openssh     6.1p1-1
** cygrunsrv   1.40-2
* click "Next" all the way
* run the Cygwin terminal as "Administrator"
** a cyg_server user gets created and you have to give it a password

NOTE: end of the notes as I did not succeed

################################################
== Bitvise SSH Server ==
Bitvise SSH Server installer - version 5.56, size 7.7 MB
* http://dl.bitvise.com/BvSshServer-Inst.exe
* Install all the defaults
* Once the installation finishes you will see an "easy settings" with 3 tabs.
* On the 2nd tab, add "cltbld" and import the keys
** import from "authorized_keys" from another slave
** NOTE: Placing the file directly on C:\Users\cltb\.ssh does not seem to do the trick
* Open the admin interface (C:\Program Files\Bitvise SSH Server\BssCtrl.exe)
** Click on "Activity tab"
** Click on hyperlink besides "Popup notifications" and select "Never".
*** Otherwise SSH activity would show up on the desktop and could interfere with tests
### Features ###
* password less login works
* scp file cltbld@10.12.40.72:/c/Users/cltbld works (no password)
* Scriptable configuration with BssCfg is available and .vbs
** http://www.bitvise.com/files/WinsshdCfgManip.txt
** http://www.bitvise.com/files/WinsshdCfgManip-PubKey.txt
** http://www.bitvise.com/ssh-server-guide-scriptable
** http://www.bitvise.com/ssh-server-guide-advanced
### Disadvantage ###
* it is pricey $99.95 
* it does not seem to support rsync
Armens-MacBook-Air:tools armenzg$ rsync ~/moz/temp cltbld@10.12.40.72:/c/Users/cltbld
'rsync' is not recognized as an internal or external command,                                   
operable program or batch file.                                                                 
rsync: connection unexpectedly closed (0 bytes received so far) [sender]                        
rsync error: error in rsync protocol data stream (code 12) at /SourceCache/rsync/rsync-42/rsync/io.c(452) [sender=2.6.9]

Comment 5

[Wes Kocher (:KWierso)]

I get a different error when trying to start sshd within cygwin:
KWierso@KWWin8Dell ~
$ cygrunsrv -S sshd
cygrunsrv: Error starting a service: QueryServiceStatus:  Win32 error 1062:
The service has not been started.

Comment 6

[Armen [:armenzg]]

KWierso, that's right. I think that is the error I was getting. I think I got the next error when I tried using "cltbld" instead of "cyg_server" user.

FTR the criteria I'm using is:
* does it allow password-less login?
* can we scp files into it? (password-less)
* does it inherit the PATH set on the system?
* can I use mozilla-build tools? (e.g. wget, rm, mv, ls, cp, vim, etc)
* can I reboot the host? (shutdown -f -r -t 0)
* changing the password of "cltbld" does not affect the password-less login
* password-less login is managed through ~/.ssh/authorized_keys

I don't see this as a blocker
* rsync support

Bitvise meets all of that criteria.

WRT to Bitvise I see it recommended at the top of this stackoverflow thread:
http://stackoverflow.com/questions/18292/what-are-some-good-ssh-servers-for-windows
* I have also noticed that we can export the settings which means we could import it
* Instead of adding "cltbld" + importing the keys; I have removed it and added the feature "Advanced settings > Access control > Synchronize with authorized_keys."
** I believe this means that it will read authorized_keys rather than maintaining its own internal
** This requires placing authorized_keys under C:\Users\cltbld\.ssh
* I have also found that there is wiki documentation: http://www.bitwiseim.com/wiki/index.php?title=BitWise_DocuWiki

Comment 7

[Armen [:armenzg]]

dustin: I didn't see an IT bug for ssh so I'm reusing this.

I will also follow up with Q to see when we can get into it.

Comment 8

[Q]

FreesshD will wokr and I have a working test. However, when using shared keys the user operates as "SYSTEM" not as the user. If NT authentication is used (password required)  things work as expected. I have setup bitvise and got it to work however, there are licensing costs for anything outside of "personal" or non profit use. A site license for bitvise is $10,000

Comment 9

[Q]

After conversations with Armen It looks like our best option for a quick setup that will meet the majority of needs is kypM-ssh. I have a method of deploying it and setting up key and user authentication with it for the cltbld user. We already own a license for this product and it operates within user security context. I am going to have Armen this on one of the slaves as soon as I track down the key pair for the cltbld user.

Comment 10

[Q]

kypM-ssh  now has an install that is ready to go out via gpo Files_sshd_testers. The files will live in c:\program files\KTS on the slaves. The current cltbld authorized_keys file has been run through a simple python script that creates a publickey_logon.ini file that gets distributed to c:\program files\KTS\ . This allow the same key based access as the Linux slaves for the cltbld users. This process will need to be automated in the near future but for now a new file can be generated with fair ease and setup for distribution.

Comment 11

[Q]

Things to keep in mind for the next revolution of ssh on windows:
* SCP
* Non interactive shell support ( ssh direct command line) 
* Automation, automation, automation

Comment 12

[Q]

Per Armen's go ahead SSH is deploying on win 8 now. This will also deploy to the ix win 7 setup as well.

Comment 13

[Q]

Known issue if users have thier ssh clients setting ServerAliveInterval set users will experience very short timeouts

Comment 14

[Q]

SSH is now deployed on all Windows 8 domain machines with authorized keys. I will be attaching the somewhat complicated GPO to this bug.

Comment 15

[Q]

Created attachment 727531 [details]
Files_sshd_testers GPO for deploying SSHD to windows