Difference between revisions of "Windows Domain SSH"

From Stadm
Jump to navigationJump to search
 
(One intermediate revision by one other user not shown)
Line 4: Line 4:
 
*Create a service domain account that we will used to be able to login through ssh from a domain joined  computer
 
*Create a service domain account that we will used to be able to login through ssh from a domain joined  computer
  
*on the local computer
+
*Making the passwd file for Domain users:
*regedit
+
mkpasswd -d > /etc/passwd
 +
mkgroup -g > /etc/group
 +
 
 +
*Making the passwd file for local users:
 +
mkpasswd -cl > /etc/passwd
 +
mkgroup -cl > /etc/group
 +
 
 +
*Now you'll need to edit the passwd file and remove the hostname and/or domain name from the beginning of each user you'd like to be able to ssh into the system with.
 +
 
 +
*on the local computer we need to add the Domain service account to certain groups
 +
*Go to Administrative tools  in the Control Panel and open the Local Security Policy
 +
*Navigate to
 
  Local Security Policy => Security Settings => Local Policies => User Rights Assignment  
 
  Local Security Policy => Security Settings => Local Policies => User Rights Assignment  
 
*add domain user to these groups
 
*add domain user to these groups
Line 16: Line 27:
 
*Setup sshd
 
*Setup sshd
 
  ssh-host-config
 
  ssh-host-config
*We are going to answer yes to most of the default configuration, below shows a summary of what we ill be saying yes and no too as long as with output from a setup
+
*We are going to answer yes to most of the default configuration, Except we will replace the user which is the service account used to run cygwin
 +
*By default it creates this user under the name cyg_server, when asked if we would like to create this user we will say no and give the ssh-host-config script another user which has the appropriate permission to allow domain logins
 +
*In our domain the user created for this purpose is cyg_service
 +
*below shows a summary of what we will be saying yes and no too as long as with output from a setup
 
  Should privilege separation be used(yes/no)? Yes
 
  Should privilege separation be used(yes/no)? Yes

Latest revision as of 14:25, 10 July 2015


  • Install Cygwin, for openssh you only need the openssh package but a few other tools will probably help(vim,wget,shutdown,rsync)
  • Create a service domain account that we will used to be able to login through ssh from a domain joined computer
  • Making the passwd file for Domain users:
mkpasswd -d > /etc/passwd
mkgroup -g > /etc/group
  • Making the passwd file for local users:
mkpasswd -cl > /etc/passwd
mkgroup -cl > /etc/group
  • Now you'll need to edit the passwd file and remove the hostname and/or domain name from the beginning of each user you'd like to be able to ssh into the system with.
  • on the local computer we need to add the Domain service account to certain groups
  • Go to Administrative tools in the Control Panel and open the Local Security Policy
  • Navigate to
Local Security Policy => Security Settings => Local Policies => User Rights Assignment 
  • add domain user to these groups
Act as part of the operating system
Create a token object
Deny log on through remote desktop services
Log on as a service
Replace a process level token
  • Setup sshd
ssh-host-config
  • We are going to answer yes to most of the default configuration, Except we will replace the user which is the service account used to run cygwin
  • By default it creates this user under the name cyg_server, when asked if we would like to create this user we will say no and give the ssh-host-config script another user which has the appropriate permission to allow domain logins
  • In our domain the user created for this purpose is cyg_service
  • below shows a summary of what we will be saying yes and no too as long as with output from a setup
Should privilege separation be used(yes/no)? Yes