Wednesday, April 9, 2008

Configuring SSH on Windows 2003


On a Windows 2003 Tivoli® Intelligent Orchestrator server, OpenSSH is installed as part of the Cygwin installation; the following steps configure that installation.
To configure SSH on Windows 2003:
  1. Log on as tioadmin.
  2. Invoke a Cygwin window.
  3. Type the following command in the Cygwin window: /usr/bin/ssh-host-config -y. This command performs the following actions:
    • Host keys are generated. Three host keys are created (DSA, RSA, and RSA1), each for a different key algorithm, so that the server can establish SSH sessions with systems that require any one of these algorithms.
    • Privilege separation is enabled.
    • sshd is installed as a service.
    • Passwordless logon is enabled.
    • New user account is created.
  4. You are then prompted for a password for the newly created user account. Enter a password for the new user and ensure that it satisfies the password rules on your system. Output should be similar to this:
    $ ssh-host-config -y
    Generating /etc/ssh_host_key
    Generating /etc/ssh_host_rsa_key
    Generating /etc/ssh_host_dsa_key
    Overwrite existing /etc/ssh_config file? (yes/no) yes
    Generating /etc/ssh_config file
    Overwrite existing /etc/sshd_config file? (yes/no) yes
    Privilege separation is set to yes by default since OpenSSH 3.3.
    However, this requires a non-privileged account called 'sshd'.
    For more info on privilege separation read
    /usr/share/doc/openssh/README.privsep.
    Should privilege separation be used? (yes/no) yes
    Generating /etc/sshd_config file Added ssh to /etc/inetd.conf Warning:
    The following functions require administrator privileges!
    Do you want to install sshd as service?
    (Say "no" if it's already installed as service) (yes/no) yes

    You appear to be running Windows 2003 Server or later.
    On 2003 and later systems, it's not possible to use the
    LocalSystem account if sshd should allow passwordless logon
    (e. g. public key authentication). If you want to enable that functionality,
    it's required to create a new account sshd_server' with special privileges,
    which is then used to run the sshd service under.

    Should this script create a new local account 'sshd_server' which has
    the required privileges? (yes/no) yes
    Please enter a password for new user 'sshd_server'. Please be sure that this
    password matches the password rules given on your system. Entering no password
    will exit the configuration.

    PASSWORD=

    User 'sshd_server' has been created with password 'xxxxx'.

    If you change the password, please keep in mind to change the password
    for the sshd service, too. Also keep in mind that the user sshd_server
    needs read permissions on all users'.ssh/authorized_keys file to allow
    public key authentication for these users!.

    (Re-)running ssh-user-config for each user will set the required
    permissions correctly.
  5. Accept the default value of the CYGWIN environment variable that sshd uses when it starts by pressing Enter. Output should be similar to this:
    Which value should the environment variable CYGWIN have when sshd starts?
    It's recommended to set at least "ntsec" to be able to change user context
    without password.
    Default is "ntsec". CYGWIN=

    The service has been installed under sshd_server account.
    To start the service, call `net start sshd' or `cygrunsrv -S sshd'.

    Host configuration finished. Have fun!
  6. If Cygwin could not automatically add the new user account to the Administrators group, a warning similar to this is displayed:
    WARNING: Adding user sshd_server to local group root Administrators failed!
    Please add sshd_server to local group root Administrators before starting
    the sshd service!
  7. To manually add the user account created by Cygwin to the Administrators group, go to My Computer > Manage and add the user account to the Administrators group.
  8. Confirm that the newly created user account is in the Administrators group by typing the following command in a command prompt window:
    net localgroup administrators
  9. Start the sshd service by running the following command (the service starts automatically after a reboot):
    cygrunsrv -S sshd
  10. Verify that tioadmin has an entry in /etc/passwd. If no entry is found, generate one by running the command:
    grep tioadmin /etc/passwd || mkpasswd -l > /etc/passwd
  11. Configure SSH for tioadmin, by typing the following command:
    ssh-user-config
  12. When prompted to create the identity files, choose the SSH protocol version that will be used. The following example uses SSH2, which is recommended. Press Enter when prompted for a passphrase (an empty passphrase, so that the key can be used for unattended logon). Output should be similar to this:
    Shall I create an SSH1 RSA identity file for you? (yes/no) no
    Shall I create an SSH2 RSA identity file for you? (yes/no) (yes/no) yes
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Do you want to use this identity to login to this machine? (yes/no) yes
    Shall I create an SSH2 DSA identity file for you? (yes/no) (yes/no) no

    Configuration finished. Have fun!
  13. Switch to the .ssh directory by typing: cd .ssh. Press Enter.
  14. The user's public key must be added to the authorized_keys file of the user account on the server. To do this, run the command:
    cat id_rsa.pub >> authorized_keys
  15. To let SSH connect to hosts it has not seen before without prompting for host key confirmation, create a file named config in /home/tioadmin/.ssh.
    Note: This directory depends on how your system is set up. To confirm where the /home directory is, look at /etc/passwd.
    Run the command:
    echo "StrictHostKeyChecking no" > config
    The file should then contain the line
    StrictHostKeyChecking no
    Note that this setting disables host key verification for every host the client connects to: a new or changed host key is accepted silently instead of being reported.
  16. To verify that SSH is configured properly, do the following:
    1. Ensure the Cygwin service is started.
    2. To log on to the local host through SSH, type ssh tioadmin@hostname, where hostname is your host name. If SSH is properly configured, you will see the following message:
      Fanfare!!!
      You are successfully logged in to this server!!!
    3. Exit the sshd session by typing exit.
      Note: Ensure that the sshd service is set to automatic startup. To verify that the service is set to automatic:
      1. Open the Services window.
      2. Select sshd.
      3. Right-click sshd, select Properties, and check the start mode: Automatic should be selected.
  17. Copy the id_rsa.pub file, which contains the public key, into the authorized_keys file of the administrative account on every server in the data center that the Tivoli Intelligent Orchestrator server must communicate with or manage, including every server that Tivoli Intelligent Orchestrator is managing.
    1. Ensure that the managed server has an administrative account for which the SSH RSA key files (id_rsa, id_rsa.pub, and authorized_keys) have already been generated; they must be in the .ssh directory of that account's home directory.
    2. Append the content of the id_rsa.pub file (a single line of text containing the public key) from the server that will initiate the SSH session to the authorized_keys file of the administrative account on each target server in the data center that the Tivoli Intelligent Orchestrator server must communicate with or manage.
    3. To verify, on the Tivoli Intelligent Orchestrator server, type:
      ssh user@host
      where user is the administrative account and host is the target server. You should get the prompt of the remote machine without being asked for a password. After a successful logon, an entry for the communication partner is added to the known_hosts file. As a troubleshooting step: this file can contain old or invalid entries associated with the managed server's IP address or name, and deleting that entry should fix the connection problem.
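The two file edits above (appending id_rsa.pub to authorized_keys in step 14 and again in step 17, and removing a stale known_hosts entry in step 17.3) are done by hand on the page. The following shell helpers are an added example written for this page; they are not part of the Tivoli documentation or of Cygwin's scripts. The file paths and host names passed in are assumptions; on the page the files are ~/.ssh/authorized_keys and ~/.ssh/known_hosts. The append is made idempotent (re-running `cat id_rsa.pub >> authorized_keys` adds a duplicate line each time) and the permissions that sshd_server and sshd expect are set at the same time.

```shell
#!/bin/sh
# Added example, not from the Tivoli documentation or from Cygwin.
# Helpers for the authorized_keys and known_hosts steps of the procedure.

# authorize_key PUBKEY_FILE AUTHORIZED_KEYS
# Append the single public key in PUBKEY_FILE to AUTHORIZED_KEYS unless that
# exact line is already present, and set the permissions sshd expects
# (700 on the .ssh directory, 600 on the file).
# Returns 0 if the key was added, 1 if it was already there, 2 if the key
# file could not be read.
authorize_key() {
    pubkey_file=$1
    auth_file=$2
    key=$(cat "$pubkey_file") || return 2
    auth_dir=$(dirname "$auth_file")
    mkdir -p "$auth_dir" && chmod 700 "$auth_dir"
    touch "$auth_file" && chmod 600 "$auth_file"
    # -F: literal match, -x: whole line, so a key that is a prefix of a
    # longer key is not mistaken for it.
    if grep -qxF -- "$key" "$auth_file"; then
        return 1
    fi
    printf '%s\n' "$key" >> "$auth_file"
    return 0
}

# forget_host HOST KNOWN_HOSTS
# Remove every known_hosts line whose host list (first field, comma
# separated, e.g. "managed01,192.0.2.10") names HOST; this is the
# "delete the old entry" troubleshooting step without an editor.
# Hashed entries (lines starting with "|1|") cannot be matched this way;
# `ssh-keygen -R HOST` covers those on newer OpenSSH releases.
# Returns 0 if at least one line was removed, 1 otherwise.
forget_host() {
    host=$1
    kh_file=$2
    [ -f "$kh_file" ] || return 1
    before=$(wc -l < "$kh_file" | tr -d ' ')
    tmp_file="$kh_file.tmp.$$"
    awk -v h="$host" '
        /^#/ || NF == 0 { print; next }          # keep comments and blanks
        {
            n = split($1, names, ",")
            keep = 1
            for (i = 1; i <= n; i++) if (names[i] == h) keep = 0
            if (keep) print
        }' "$kh_file" > "$tmp_file" && mv "$tmp_file" "$kh_file"
    after=$(wc -l < "$kh_file" | tr -d ' ')
    [ "$after" -lt "$before" ]
}

# Usage on the page's paths (hypothetical host name):
#   authorize_key ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
#   forget_host managed01 ~/.ssh/known_hosts
```

The return codes let a deployment script tell "key already authorized" from "key added", and `forget_host` only reports success when it actually dropped a line, so a wrong host name does not pass silently.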
SSH is configured for Windows 2003.
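Step 15 writes a bare `StrictHostKeyChecking no` into ~/.ssh/config, which applies to every destination. The same setting can be limited to the data-center hosts the orchestrator manages by putting it in a `Host` block, with the default `ask` kept for everything else. The script below is an added example written for this page, not code from the Tivoli documentation; the config path and the host pattern `dc*.example.com` are assumptions. It also includes a small resolver that shows which value ssh would use for a given host, following ssh's rule that the first matching block to set a keyword wins.

```shell
#!/bin/sh
# Added example, not from the Tivoli documentation.
# Scope "StrictHostKeyChecking no" to a host pattern instead of all hosts.

# write_ssh_config CONFIG_PATH HOST_PATTERN
# Write a client config in which only hosts matching HOST_PATTERN skip the
# host key prompt; all other hosts keep the "ask" behaviour.
write_ssh_config() {
    cfg=$1
    pattern=$2
    cfg_dir=$(dirname "$cfg")
    mkdir -p "$cfg_dir" && chmod 700 "$cfg_dir"
    {
        printf 'Host %s\n' "$pattern"
        printf '    StrictHostKeyChecking no\n'
        printf '\n'
        printf 'Host *\n'
        printf '    StrictHostKeyChecking ask\n'
    } > "$cfg"
    chmod 600 "$cfg"
}

# effective_value CONFIG_PATH HOST KEYWORD
# Resolve KEYWORD for HOST the way ssh does: the file is read top to bottom
# and the first matching Host block that sets the keyword wins. Lines before
# any Host block apply to every host. Only one glob pattern per Host line is
# handled here (ssh also allows several patterns and "!" negation), and the
# keyword is matched case-sensitively.
# Prints the value and returns 0, or returns 1 if the keyword is never set.
effective_value() {
    cfg=$1
    host=$2
    keyword=$3
    pattern='*'
    # read splits on whitespace without glob expansion, so a "*" pattern is
    # kept literally and not replaced by file names
    while read -r kw arg _rest || [ -n "$kw" ]; do
        [ -n "$arg" ] || continue
        case $kw in
            Host) pattern=$arg ;;
            "$keyword")
                case $host in
                    $pattern) printf '%s\n' "$arg"; return 0 ;;
                esac ;;
        esac
    done < "$cfg"
    return 1
}

# Usage (hypothetical paths and pattern):
#   write_ssh_config /home/tioadmin/.ssh/config 'dc*.example.com'
#   effective_value /home/tioadmin/.ssh/config dc01.example.com StrictHostKeyChecking
```

Run against the page's one-line config, `effective_value` reports `no` for any host name, which makes the scope of the original setting visible; against the scoped file it reports `no` only for hosts matching the pattern.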
