Difference between revisions of "Windows Domain SSH"
From Stadm
(Created page with "Category:Windows")  | 
				|||
| (3 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
[[Category:Windows]]  | [[Category:Windows]]  | ||
| + | |||
| + | *Install Cygwin, for openssh you only need the openssh package but a few other tools will probably help(vim,wget,shutdown,rsync)  | ||
| + | *Create a service domain account that we will used to be able to login through ssh from a domain joined  computer  | ||
| + | |||
| + | *Making the passwd file for Domain users:  | ||
| + |  mkpasswd -d > /etc/passwd  | ||
| + |  mkgroup -g > /etc/group  | ||
| + | |||
| + | *Making the passwd file for local users:  | ||
| + |  mkpasswd -cl > /etc/passwd  | ||
| + |  mkgroup -cl > /etc/group  | ||
| + | |||
| + | *Now you'll need to edit the passwd file and remove the hostname and/or domain name from the beginning of each user you'd like to be able to ssh into the system with.  | ||
| + | |||
| + | *on the local computer we need to add the Domain service account to certain groups  | ||
| + | *Go to Administrative tools  in the Control Panel and open the Local Security Policy  | ||
| + | *Navigate to  | ||
| + |  Local Security Policy => Security Settings => Local Policies => User Rights Assignment   | ||
| + | *add domain user to these groups  | ||
| + |  Act as part of the operating system  | ||
| + |  Create a token object  | ||
| + |  Deny log on through remote desktop services  | ||
| + |  Log on as a service  | ||
| + |  Replace a process level token  | ||
| + | |||
| + | *Setup sshd  | ||
| + |  ssh-host-config  | ||
| + | *We are going to answer yes to most of the default configuration, Except we will replace the user which is the service account used to run cygwin  | ||
| + | *By default it creates this user under the name cyg_server, when asked if we would like to create this user we will say no and give the ssh-host-config script another user which has the appropriate permission to allow domain logins  | ||
| + | *In our domain the user created for this purpose is cyg_service  | ||
| + | *below shows a summary of what we will be saying yes and no too as long as with output from a setup  | ||
| + |  Should privilege separation be used(yes/no)? Yes  | ||
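Review bot: The two command pairs added here, `mkpasswd -d > /etc/passwd` with `mkgroup -g > /etc/group` and then `mkpasswd -cl > /etc/passwd` with `mkgroup -cl > /etc/group`, both redirect with `>` into the same files, so running the local pair after the domain pair leaves only the local entries. Say that the two pairs are alternatives, or append with `>>` in the second pair. The last added line also stops after the first ssh-host-config prompt, although the line before it promises a summary of the yes/no answers and setup output, so the rest of that transcript should be included.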
Latest revision as of 14:25, 10 July 2015
- Install Cygwin. For OpenSSH you only need the openssh package, but a few other tools will probably help (vim, wget, shutdown, rsync).
- Create a domain service account that we will use to be able to log in through ssh from a domain-joined computer.

- Making the passwd file for domain users:

 mkpasswd -d > /etc/passwd
 # mkgroup -g expects a group name as its argument; -d lists the domain groups
 mkgroup -d > /etc/group

- Making the passwd file for local users:

 mkpasswd -cl > /etc/passwd
 mkgroup -cl > /etc/group

- Now edit the passwd file and remove the hostname and/or domain name from the beginning of each user name you'd like to be able to ssh into the system with.
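The prefix-stripping step above, as an added example that is not part of the original wiki page. It assumes mkpasswd wrote login names as `DOMAIN+user` or `HOST+user` with `+` as the separator; `make_sample`, `strip_prefix` and the sample entries are constructed for illustration, and the function refuses to produce output when stripping would give two entries the same login name.

```shell
#!/bin/sh
# Added example: function names and sample entries are constructed.
# Assumption: login names look like DOMAIN+user or HOST+user ("+" separator).

# make_sample FILE: write constructed passwd entries to FILE.
make_sample() {
    cat > "$1" <<'EOF'
SYSTEM:*:18:18:U-NT AUTHORITY\SYSTEM,S-1-5-18:/:/sbin/nologin
EXAMPLE+alice:*:1049681:1049089:U-EXAMPLE\alice,S-1-5-21-0-0-0-1105:/home/alice:/bin/bash
EXAMPLE+bob:*:1049682:1049089:U-EXAMPLE\bob,S-1-5-21-0-0-0-1106:/home/bob:/bin/bash
WKS01+alice:*:197609:197121:U-WKS01\alice,S-1-5-21-1-1-1-1001:/home/alice:/bin/bash
EOF
}

# strip_prefix FILE SEP USER...
# Print FILE with "PREFIX<SEP>" removed from the login name of each listed
# USER; all other entries pass through unchanged. If two entries would end
# up with the same login name, print nothing on stdout and return 1.
strip_prefix() {
    file=$1 sep=$2
    shift 2
    awk -F: -v OFS=: -v sep="$sep" -v users="$*" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        {
            name = $1
            p = index(name, sep)
            if (p > 0) {
                short = substr(name, p + length(sep))
                if (short in want) name = short
            }
            if (name in seen) {
                printf "duplicate login name: %s\n", name > "/dev/stderr"
                bad = 1
            }
            seen[name] = 1
            $1 = name
            out[NR] = $0
        }
        END {
            if (bad) exit 1
            for (i = 1; i <= NR; i++) print out[i]
        }
    ' "$file"
}

# Demo on the constructed sample; /etc/passwd itself is never touched.
sample=$(mktemp)
make_sample "$sample"
strip_prefix "$sample" + bob
rm -f "$sample"
```

Review the printed result before copying it over `/etc/passwd`, and list only the accounts that should be able to log in over ssh.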
 
- On the local computer we need to add the domain service account to certain user rights policies.
- Go to Administrative Tools in the Control Panel and open the Local Security Policy.
- Navigate to:

 Local Security Policy => Security Settings => Local Policies => User Rights Assignment

- Add the domain user to these policies:

 Act as part of the operating system
 Create a token object
 Deny log on through Remote Desktop Services
 Log on as a service
 Replace a process level token

- Set up sshd:

 ssh-host-config

- We are going to answer yes to most of the default configuration questions, except that we will replace the user, which is the service account used to run Cygwin.
- By default it creates this user under the name cyg_server. When asked if we would like to create this user, we will say no and give the ssh-host-config script another user that has the appropriate permissions to allow domain logins.
- In our domain the user created for this purpose is cyg_service.
- Below is a summary of what we will be answering yes and no to, along with output from a setup:
 
Should privilege separation be used(yes/no)? Yes