医药CRM系统开发

自已做医药CRM系统有四年了,终于可以算个产品了,努力市场化,今年重种将医药营销的理念加入CRM

导航

How to setup the secure shell daemon on a Windows 2003 server

Note : This set of instructions has worked for me at our institution. You should read /usr/share/doc/Cygwin/openssh.README after installing cygwin and check the cygwin mailing list if you encounter problems.

Installing and Testing cygwin

  • Create the destination folder (C:\cygwin or D:\cygwin as appropriate). Default permissions will be for administrators and SYSTEM only. Add SERVER\Users with modify control to the list. These permissions will be inherited to the rest of the folder as it is populated.
  • Create a directory to locally store the cygwin packages e.g. C:\temp\cygwinarchive. Open a browser window to the following URL http://www.cygwin.com/setup.exe and save the installation file setup.exe to the archive directory just created (C:\temp\cygwinarchive in this example)
  • Double click on the downloaded cygwin setup program. The current version is 2.510.2.2 (February 3rd, 2006). Click 'Next' and answer the prompts :
    • Leave default "install from internet"
    • Install to root directory c:\cygwin
    • leave default "install for all users"
    • leave default text file type "unix / binary"
    • Set local package directory to c:\temp\cygwinarchive (the directory created in the previous step). This should be the default.
    • Leave the default "direct connection"
    • Select a mirror (any of the ones with starting with http://mirror in the name). The package list will be downloaded.
    • The 'Select Packages' window can be stretched. Click on the plus sign to expand the categories. Install at least the following list of packages.
      • From Admin, select all packages.
      • From Archive, select unzip and zip packages.
      • From Base, leave the default, select all packages.
      • From Doc, leave the default, man and 'cygwin doc' packages.
      • From Editors, select vim package.
      • From Net, select openssh (openssl will get checked automatically), rsync and tcp_wrappers packages.
    • When you've selected these packages, click 'Next'. The installation tells you which packages it is installing as it progresses.
    • Uncheck 'Create desktop icon'. Leave default 'Add to start menu'. Click 'Finish'.
    • A post install script runs a few final commands. Then you should see a message saying 'Installation complete'. Click 'OK'.
  • Edit C:\cygwin\cygwin.bat. Make sure it contains these lines - you will need to add the line setting the CYGWIN environment variable.
    @echo off
        set CYGWIN=binmode tty ntsec
        C:
        chdir \cygwin\bin
        bash --login -i
        
  • Test cygwin to make sure it works. Start, Programs, Cygnus Solutions, Cygwin Bash Shell - should get a command window with a prompt saying 'Administrator@servername'. This is a bash shell and you can use unix or DOS / NT type commands e.g.
    • 'ls /bin' to see the cygwin bin directory
    • 'dir c:' to see the contents of the C: directory
    Type "control d" or "logout" to exit the shell.
  • If you get a message saying 'cannot create /home/userid', run this command from the cygwin window "mkpasswd -l >/etc/passwd".
  • While you're in the cygwin shell window, run this command to change the mount prefix from "/cygdrive" to "/". You should logout and back in again after running this command in order to reset your PATH environment variable properly.
    mount -s --change-cygdrive-prefix /
        
  • Also, create a home directory where you can place user startup files. The default location is the "Documents and Settings" folder. Creating a /home directory and using the -p switch to assign the home directory when adding a new user keeps all the cygwin files under the c:\cygwin directory.
    mkdir -p /home
        

Installing the SSH daemon service

  • From a cygwin prompt (Start, All Programs, Cygwin ?), run ssh-host-config to create the service, set up the ssh host keys and create the sshd_config file in /etc/. Note that 2 local users are created, one called sshd to handle privilege separation and one that is required on Windows 2003 called sshd_server that runs the service in order to use public key authentication. You should see output like this:
  • 增加以下命令,不然无法进行安装,全出现权限不够的问题

  • chmod +r /etc/group
    chmod +r /etc/passwd
    chmod +rwx /var
  • $ ssh-host-config
        Generating /etc/ssh_host_key
        Generating /etc/ssh_host_rsa_key
        Generating /etc/ssh_host_dsa_key
        Overwrite existing /etc/ssh_config file? (yes/no) yes
        Generating /etc/ssh_config file
        Overwrite existing /etc/sshd_config file? (yes/no) yes
        Privilege separation is set to yes by default since OpenSSH 3.3.
        However, this requires a non-privileged account called 'sshd'.
        For more info on privilege separation read
        /usr/share/doc/openssh/README.privsep.
        Should privilege separation be used? (yes/no) yes
        Warning: The following function requires administrator privileges!
        Should this script create a local user 'sshd' on this machine? (yes/no) yes
        Generating /etc/sshd_config file
        Added ssh to C:\WINDOWS\system32\drivers\etc\services
        Warning: The following functions require administrator privileges!
        Do you want to install sshd as service?
        (Say "no" if it's already installed as service) (yes/no) yes
        You appear to be running Windows 2003 Server or later.  On 2003 and
        later systems, it's not possible to use the LocalSystem account
        if sshd should allow passwordless logon (e. g. public key authentication).
        If you want to enable that functionality, it's required to create a new
        account 'sshd_server' with special privileges, which is then used to run
        the sshd service under.
        Should this script create a new local account 'sshd_server' which has
        the required privileges? (yes/no) yes
        Please enter a password for new user 'sshd_server'.  Please be sure that
        this password matches the password rules given on your system.
        Entering no password will exit the configuration.  PASSWORD=xxxxxxx
        User 'sshd_server' has been created with password 'xxxxxxxx'.
        If you change the password, please keep in mind to change the password
        for the sshd service, too.
        Also keep in mind that the user sshd_server needs read permissions on all
        users' .ssh/authorized_keys file to allow public key authentication for
        these users!.  (Re-)running ssh-user-config for each user will set the
        required permissions correctly.
        Which value should the environment variable CYGWIN have when
        sshd starts? It's recommended to set at least "ntsec" to be
        able to change user context without password.
        Default is "ntsec".  CYGWIN=binmode ntsec tty
        The service has been installed under sshd_server account.
        To start the service, call net start sshd' or cygrunsrv -S sshd'.
        Host configuration finished. Have fun!
        
  • You can start the service from the services MMC panel, or using either of the commands listed above ("net start sshd" or "cygrunsrv -S sshd").

Generating public/private SSH keys for a user

  • If you need to generate ssh public and private keys for a user on this machine who will be uploading data or logging in to a remote machine, you will need to carry out this step. Sign on as the user who needs the keys created. They will automatically be in their home directory. Run ssh-user-config to setup the ssh keys. Create only an SSH2 RSA identity (use a null passphrase - just press return). Output should be similar to this :
       cygwinadmin@HICKORY ~
        $ ssh-user-config
        Shall I create an SSH1 RSA identity file for you? (yes/no) no
        Shall I create an SSH2 RSA identity file for you? (yes/no)  (yes/no) yes
        Generating /home/pswander/.ssh/id_rsa
        Enter passphrase (empty for no passphrase):Press ENTER
        Enter same passphrase again:Press ENTER
        Do you want to use this identity to login to this machine? (yes/no) yes
        Shall I create an SSH2 DSA identity file for you? (yes/no)  (yes/no) no
        Configuration finished. Have fun!
        
  • Update the file /home/userid/.ssh/authorized_keys with any public keys from other users who you wish to be able to connect to this user's account. Refer to this document for more information. Make sure each entry you add is all on one line.
  • Make sure the service is running (state 4 = running)
    $ sc query sshd
        SERVICE_NAME: sshd
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
        (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN))
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        
  • Test the service from the cygwin prompt using "ssh -v localhost". You will get challenged with the new host key and will have to enter your password as you connect. You should see output like this:
    The authenticity of host 'localhost (127.0.0.1)' can't be established.
        RSA key fingerprint is 75:8a:67:20:0d:75:dd:06:64:04:d0:ac:23:c7:74:ba.
        Are you sure you want to continue connecting (yes/no)? yes
        Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
        The last line is:
        You are successfully logged in to this server!!!
        
  • Test the service from a remote host. You can now update the authorized_keys file with the public key file from the user and host you want to connect from. Then test your connection from that host by issuing the command "ssh userid@servername dir c:\"

Adding and removing users from the passwd file

  • You can add domain or local users using the mkpasswd command. Test what would be added for a domain user with this command:
    mkpasswd -d domain_name -u joeuser
        
  • You can add an ads domain user to the passwd file and give him a home directory in /home with this command:
    mkpasswd -d ads -p /home -u kscully >>/etc/passwd
        
  • You can add local users using the -l switch instead of the -d switch. Be careful not to use the -d domain_name switch without specifying a user or you will get entries for ALL doamin users in the passwd file.
  • Users can be removed and both users and groups can be updated by starting a cygwin shell and using vi to edit the /etc/passwd and /etc/group files.

Restricting SSH access to specific servers

Working on a netsh script to restrict access to specific servers.

cygrunsrv --install sshd --path '/usr/sbin/sshd' --env 'PATH=/bin;/sbin' --env 'CYGWIN=ntsec tty' -a -D

Switching the user who runs the service

In a normal installation, the ssh-host-config script creates a local user called sshd_server under whose credentials the ssh daemon runs. This is fine for local shell access to the server and secure file transfers to and from the server, but it is not possible to access any network resources while the service is running under the local user account.

The solution is to run the service under a domain user account - one that has access to the shares or servers remote from the server running sshd. In order to switch the service to run under a different user, these steps must be carried out :

  • Open "Computer Management", open the Services tab, right click on the "Cygwin sshd" service and stop the service.
  • Right click on the "Cygwin sshd" service again and select properties. Under the 'Log On' tab, switch the name of the account the service is running from ".\sshd_server" to domain\userid, where domain and userid correspond to a userid with access to the resources you require in the domain. You will be prompted for this user's password.
  • Open Control Panel -> Administratice Tools -> Local Security Settings -> Local Policies. Then click on 'User Rights Assignment'. Make sure the domain user you specified in step one is in the list for these 4 rights :
    1. Adjust memory quotas for a process
    2. Create a token object
    3. Log on as a service (already granted if you completed step 1)
    4. Replace a process level token
  • Add the domain user to the local password file
        mkpasswd -d domain -u userid >> /etc/passwd
        
  • Change to ownership of the files required by the sshd service owner. Open a cygwin bash session and run these commands for your userid
        $ chown userid /var/log/sshd.log
        $ chown -R userid /var/empty
        $ chown userid /etc/ssh*
        
  • In the services tab again, right click on the 'Cygwin sshd' service and select 'start'. Check the event log for a successful start, or for errors in case the service does not start successfully.

以下是我的windows 2003 sp2的安装过程

 

Administrator@zgsj-afa4d5d977 ~
$ ssh-host-config
*** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
*** Info: Creating default /etc/ssh_config file
*** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/READ
ME.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Warning: The file /etc/passwd is not readable by all.
*** Warning: Please run 'chmod +r /etc/passwd'.
*** Warning: The file /etc/group is not readable by all.
*** Warning: Please run 'chmod +r /etc/group'.
*** ERROR: Problem with LocalSystem or Adminstrator IDs

Administrator@zgsj-afa4d5d977 ~
$ dir

Administrator@zgsj-afa4d5d977 ~
$ chmod +r /etc/group

Administrator@zgsj-afa4d5d977 ~
$ ssh-host-config
*** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
*** Info: Creating default /etc/ssh_config file
*** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/READ
ME.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Warning: The file /etc/passwd is not readable by all.
*** Warning: Please run 'chmod +r /etc/passwd'.
*** ERROR: Problem with LocalSystem or Adminstrator IDs

Administrator@zgsj-afa4d5d977 ~
$ chmod +r /etc/passwd

Administrator@zgsj-afa4d5d977 ~
$ ssh-host-config
*** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
*** Info: Creating default /etc/ssh_config file
*** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/READ
ME.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Warning: The permissions on the directory /var are not correct.
*** Warning: They must match the regexp d..x..x..[xt]
*** ERROR: Problem with /var directory. Exiting.

Administrator@zgsj-afa4d5d977 ~
$ chmod +r +w  /etc/passwd
chmod: cannot access `+w': No such file or directory

Administrator@zgsj-afa4d5d977 ~
$ chmod
chmod: missing operand
Try `chmod --help' for more information.

Administrator@zgsj-afa4d5d977 ~
$ chmod --help
Usage: chmod [OPTION]... MODE[,MODE]... FILE...
  or:  chmod [OPTION]... OCTAL-MODE FILE...
  or:  chmod [OPTION]... --reference=RFILE FILE...
Change the mode of each FILE to MODE.

  -c, --changes           like verbose but report only when a change is made
      --no-preserve-root  do not treat `/' specially (the default)
      --preserve-root     fail to operate recursively on `/'
  -f, --silent, --quiet   suppress most error messages
  -v, --verbose           output a diagnostic for every file processed
      --reference=RFILE   use RFILE's mode instead of MODE values
  -R, --recursive         change files and directories recursively
      --help     display this help and exit
      --version  output version information and exit

Each MODE is of the form `[ugoa]*([-+=]([rwxXst]*|[ugo]))+'.

Report bugs to <bug-coreutils@gnu.org>.

Administrator@zgsj-afa4d5d977 ~
$ chmod +rw  /etc/passwd

Administrator@zgsj-afa4d5d977 ~
$ chmod +rw  /var

Administrator@zgsj-afa4d5d977 ~
$ ssh-host-config
*** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
*** Info: Creating default /etc/ssh_config file
*** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/READ
ME.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Warning: The permissions on the directory /var are not correct.
*** Warning: They must match the regexp d..x..x..[xt]
*** ERROR: Problem with /var directory. Exiting.

Administrator@zgsj-afa4d5d977 ~
$ chmod -r 777 /var
chmod: cannot access `777': No such file or directory

Administrator@zgsj-afa4d5d977 ~
$ ssh-host-config
*** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
*** Info: Creating default /etc/ssh_config file
*** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/READ
ME.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Warning: The permissions on the directory /var are not correct.
*** Warning: They must match the regexp d..x..x..[xt]
*** ERROR: Problem with /var directory. Exiting.

Administrator@zgsj-afa4d5d977 ~
$ ssh-host-config -y
*** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
*** Info: Creating default /etc/ssh_config file
*** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/READ
ME.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Warning: The permissions on the directory /var are not correct.
*** Warning: They must match the regexp d..x..x..[xt]
*** ERROR: Problem with /var directory. Exiting.

Administrator@zgsj-afa4d5d977 ~
$ ssh-host-config -y
*** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
*** Info: Creating default /etc/ssh_config file
*** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/READ
ME.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Warning: The permissions on the directory /var are not correct.
*** Warning: They must match the regexp d..x..x..[xt]
*** ERROR: Problem with /var directory. Exiting.

Administrator@zgsj-afa4d5d977 ~
$ chmod --help
Usage: chmod [OPTION]... MODE[,MODE]... FILE...
  or:  chmod [OPTION]... OCTAL-MODE FILE...
  or:  chmod [OPTION]... --reference=RFILE FILE...
Change the mode of each FILE to MODE.

  -c, --changes           like verbose but report only when a change is made
      --no-preserve-root  do not treat `/' specially (the default)
      --preserve-root     fail to operate recursively on `/'
  -f, --silent, --quiet   suppress most error messages
  -v, --verbose           output a diagnostic for every file processed
      --reference=RFILE   use RFILE's mode instead of MODE values
  -R, --recursive         change files and directories recursively
      --help     display this help and exit
      --version  output version information and exit

Each MODE is of the form `[ugoa]*([-+=]([rwxXst]*|[ugo]))+'.

Report bugs to <bug-coreutils@gnu.org>.

Administrator@zgsj-afa4d5d977 ~
$ chmod +rwx /var

Administrator@zgsj-afa4d5d977 ~
$ ssh-host-config -y
*** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
*** Info: Creating default /etc/ssh_config file
*** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/READ
ME.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges.  Should this script attempt to create a
*** Query: new local account 'sshd'? (yes/no) yes
*** Info: Updating /etc/sshd_config file
mv: try to overwrite `/etc/sshd_config', overriding mode 0000 (---------)? yes
*** Info: Creating default /etc/inetd.d/sshd-inetd file
mv: try to overwrite `/etc/inetd.d/sshd-inetd', overriding mode 0000 (---------)
? yes
*** Info: Updated /etc/inetd.d/sshd-inetd


*** Warning: The following functions require administrator privileges!

*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Info: Note that the CYGWIN variable must contain at least "ntsec"
*** Info: for sshd to be able to change user context without password.
*** Query: Enter the value of CYGWIN for the daemon: [ntsec] ntsec
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires.  You need to have or to create a privileged
*** Info: account.  This script will help you do so.

*** Info: You appear to be running Windows 2003 Server or later.  On 2003 and
*** Info: later systems, it's not possible to use the LocalSystem account
*** Info: for services that can change the user id without an explicit password
*** Info: (such as passwordless logins [e.g. public key authentication] via sshd
).

*** Info: If you want to enable that functionality, it's required to create a ne
w
*** Info: account with special privileges (unless a similar account already exis
ts).
*** Info: This account is then used to run these special servers.

*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges itself.

*** Info: No privileged account could be found.

*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) yes
*** Query: Enter the new user name: sshd_server
*** Query: Reenter: sshd_server

*** Query: Create new privileged user account 'sshd_server'? (yes/no) yes
*** Info: Please enter a password for new user sshd_server.  Please be sure
*** Info: that this password matches the password rules given on your system.
*** Info: Entering no password will exit the configuration.
*** Query: Please enter the password:
*** Query: Reenter:

*** Warning: Creating the user 'sshd_server' failed!  Reason:
密码不满足密码策略的要求。检查最小密码长度、密码复杂性和密码历史的要求。

请键入 NET HELPMSG 2245 以获得更多的帮助。


*** Info: Please enter a password for new user sshd_server.  Please be sure
*** Info: that this password matches the password rules given on your system.
*** Info: Entering no password will exit the configuration.
*** Query: Please enter the password:
*** Query: Reenter:

*** Warning: Creating the user 'sshd_server' failed!  Reason:
密码不满足密码策略的要求。检查最小密码长度、密码复杂性和密码历史的要求。

请键入 NET HELPMSG 2245 以获得更多的帮助。


*** Info: Please enter a password for new user sshd_server.  Please be sure
*** Info: that this password matches the password rules given on your system.
*** Info: Entering no password will exit the configuration.
*** Query: Please enter the password:
*** Query: Reenter:

*** Info: User 'sshd_server' has been created with password '1qaz@8073'.
*** Info: If you change the password, please remember also to change the
*** Info: password for the installed services which use (or will soon use)
*** Info: the 'sshd_server' account.

*** Info: Also keep in mind that the user 'sshd_server' needs read permissions
*** Info: on all users' relevant files for the services running as 'sshd_server'
.
*** Info: In particular, for the sshd server all users' .ssh/authorized_keys
*** Info: files must have appropriate permissions to allow public key
*** Info: authentication. (Re-)running ssh-user-config for each user will set
*** Info: these permissions corrently. [Similary restrictions apply, for
*** Info: instance, for .rhosts files if the rshd server is running, etc].


*** Info: The sshd service has been installed under the 'sshd_server'
*** Info: account.  To start the service now, call `net start sshd' or
*** Info: `cygrunsrv -S sshd'.  Otherwise, it will start automatically
*** Info: after the next reboot.

*** Info: Host configuration finished. Have fun!

Administrator@zgsj-afa4d5d977 ~
$