The Copssh Control Panel user activation wizard allows you to specify a home directory of your own choice:
The problem may be related to the potentially incompatible changes introduced in OpenSSH 6.7 (included in Copssh 5 and higher) to remove unsafe algorithms.
- If you run Copssh 5.8.1 or higher, you can update the configuration via the GUI: Configuration -> Advanced -> KexAlgorithms, and set the value to +diffie-hellman-group1-sha1
- Alternatively, you can add the following line to the section of the configuration file control/bin/copsshcp.config before starting Copssh Control Panel:
KexAlgorithms=+diffie-hellman-group1-sha1
- Restart the service via Copssh Control Panel
Note that this re-enables a key exchange algorithm that OpenSSH dropped as unsafe; keep it only as long as you have clients that cannot be updated.
The problem may be related to the potentially incompatible changes introduced in OpenSSH 6.7 (included in Copssh 5 and higher) to remove unsafe algorithms.
- If you run Copssh 5.8.1 or higher, you can update the configuration via the GUI.
- Alternatively, you can add the following line to the section of the configuration file control/bin/copsshcp.config before starting Copssh Control Panel:
Ciphers=+aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
- Restart the service via Copssh Control Panel
The problem may be related to the potentially incompatible changes introduced in OpenSSH 6.7 (included in Copssh 5 and higher) to remove unsafe algorithms.
- If you run Copssh 5.8.1 or higher, you can update the configuration via the GUI (Copssh Control Panel -> Configuration -> Advanced -> HostKeyAlgorithms), or alternatively you can add the following line to the section of the configuration file control/bin/copsshcp.config:
HostKeyAlgorithms=+ssh-rsa,ssh-dss
- Restart the service via Copssh Control Panel
The problem can be related to address changes of Windows DLLs after a Windows update. That behaviour may create collisions for the more static Cygwin DLLs, especially in a 32-bit environment. We suggest rebooting the system as a first measure. You may need to install Copssh again using our recipe, which allows you to keep an existing configuration intact. Consider installing the 64-bit version (available only in the product edition) if the problem still persists.
- Activate a user and select access type Sftp via Copssh Control Panel. Access type Sftp instructs the Control Panel to make the required arrangements for a chrooted environment.
- Activation of a new user with access type SFTP:
- Change the access type of an already activated user to SFTP (you may need to restart the service on some occasions)
In some situations, it may be necessary to make a clean install to make an upgrade work. You can do it by following the steps below:
- Back up your host keys in the etc directory (etc/ssh_host*)
- Uninstall the existing version of Copssh
- Remove remnants of the installation directory except home directories if they exist
- Make sure that the service account and the sshd account are removed if they exist
- Install new Copssh
- Restore host keys back to etc directory
- Start Copssh Control Panel and verify that the service is running
- Activate your users again and specify their existing home directories as the home directory during the activation
You can use our Win2ban, a Fail2ban implementation for Windows with Elastic Winlogbeat as the event log shipper. Check the related Win2ban FAQ for details: How can I configure Win2ban for brute force attacks against Copssh?
Sometimes it may be necessary to see directly how the OpenSSH daemon reacts to startup or connection requests, in order to locate daemon-related problems.
- Stop the Openssh SSHD service (system name: OpenSSHServer)
- Right-click Start a Unix Bash Shell in the Copssh start menu (assuming that you have admin privileges)
- Enter the following command at the bash prompt:
/bin/sshd -p <listening port> -D -d -e
This starts the OpenSSH daemon in standalone debug mode, and its messages are displayed on the screen. You may specify up to three -d flags for increased output verbosity.
- Try to initiate a PuTTY session and watch the messages on the server side.
- Start a bash shell, locally or remotely
- Change to the user's home directory if you are not already there
- Link a directory or network share to a local name by using the ln command
Examples:
creates a link from D:\pub to pub in the user's home directory.
ln -s "//myserver/netdata" "netdata"
creates a link from \\myserver\netdata to netdata in the user's home directory.
Now, the user can use pub and netdata to access D:\pub and/or \\myserver\netdata respectively.
Some recommendations (not all of them may be applicable in your case; not sorted by importance):
| Recommendation | Benefits/Side effects | How |
|---|---|---|
| Change port 22 to something non-standard | Reduces your vulnerability surface dramatically by taking a well-known parameter out of the equation; not applicable if you have a general-purpose server. Security by obscurity? Yes. However, there are many script kiddies out there bombing port 22 wherever they find it. | Conf. file etc\sshd_config: Port |
| Reduce the maximum number of concurrent unauthenticated connections | Reduces your vulnerability surface by allowing a smaller number of potentially dangerous attacks simultaneously. | Conf. file etc\sshd_config: MaxStartups (default 10) |
| Turn off authentication by password; use public key authentication instead | Eliminates the most widely used technique of potential attacks: cracking passwords. | Conf. file etc\sshd_config: PasswordAuthentication no, PubkeyAuthentication (default yes) |
| Restrict access by host | | Use your firewall settings to limit the hosts authorized for access |
| Restrict access by user/group | | Conf. file etc\sshd_config: AllowUsers, AllowGroups |
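As an added example (not part of this FAQ or of Copssh), a POSIX shell audit that reads an sshd_config and reports which of the recommendations above it does not meet. The two sample configurations are constructed; keyword lookup follows sshd's first-match rule and stops at the first Match block, which this simple check does not interpret.

```shell
# Added example, not Copssh's own code: audit an sshd_config against the
# recommendations in the table above. As in sshd, keywords are case-
# insensitive and the first occurrence wins; Match blocks are not parsed.

# Print the effective value of keyword $2 in config file $1 (nothing if unset).
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/   { next }      # comments and blank lines
        tolower($1) == "match" { exit }      # conditional section: stop here
        tolower($1) == key     { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}
# Print one line per recommendation the configuration does not meet.
audit_sshd_config() {
    cfg=$1
    port=$(sshd_opt "$cfg" Port)
    [ -n "$port" ] && [ "$port" != 22 ] \
        || echo "Port: listening on the well-known port 22"
    ms=$(sshd_opt "$cfg" MaxStartups)
    [ -n "$ms" ] && [ "${ms%%:*}" -lt 10 ] 2>/dev/null \
        || echo "MaxStartups: not below the default of 10 unauthenticated connections"
    pw=$(sshd_opt "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
    [ "$pw" = no ] || echo "PasswordAuthentication: passwords still accepted (default yes)"
    pk=$(sshd_opt "$cfg" PubkeyAuthentication | tr 'A-Z' 'a-z')
    [ "$pk" != no ] || echo "PubkeyAuthentication: disabled, keys cannot replace passwords"
    [ -n "$(sshd_opt "$cfg" AllowUsers)$(sshd_opt "$cfg" AllowGroups)" ] \
        || echo "AllowUsers/AllowGroups: not set, every local account may log in"
}
# Number of findings for $1, usable in scripts (0 means all recommendations met).
finding_count() { n=$(audit_sshd_config "$1" | wc -l); echo $((n + 0)); }

# Constructed sample configurations: a permissive one and a hardened one.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
MaxStartups 10:30:100
PasswordAuthentication yes
PubkeyAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
Port 2222
MaxStartups 3:50:10
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
Match Group sftponly
    ChrootDirectory %h
EOF
audit_sshd_config "$WEAK_CFG"   # prints five findings
audit_sshd_config "$HARD_CFG"   # prints nothing
```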
Depending on software or configuration issues on your PC, the copssh service may sometimes not start properly. The cause can be a service, a device helper, antivirus, firewall and so on interfering with the operations of the copssh service.
A possible solution is to delay the service startup until the problem services have started successfully. You can use the procedure below to make the copssh service dependent on MyService:
- Create the following REG_MULTI_SZ value in the registry if it doesn't already exist:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OpenSSHServer\DependOnService
- Add MyService to the registry value created above. It is possible to specify multiple entries separated by space.
- Restart your PC.
**UPDATED** Copssh Control Panel introduced in version 4 has solved that problem. Previous Copssh versions and copsshadm command line tool still have that problem.
This is a known error related to the localized names of the groups administrators and users. There is no solution yet. However, you can use the workaround below:
- Rename the localized equivalents of the groups administrators and users to something readable in Latin characters (this can be done via Administrative Tools -> Computer Management -> Local Users and Groups, for example)
- Run copssh installer
- Rename the groups above back to their original values.
**NB:** This FAQ doesn't apply to Copssh 4.3.1 and up, as they handle the problem automatically. You may still need to fix it on DCs, for example.
By default, normal users are not allowed to log on locally on domain controllers. The same restrictions may also apply to other Windows systems. The user right Allow log on locally needs to be delegated for proper login.
One-time procedure:
- Create a security group for COPSSH users.
- Add your group to the list of authorized credentials for the required user right:
Administrative Tools -> (Domain Controller Security Policy for domain controllers, or Local Security Policy for other Windows systems) -> Local Policies -> User Rights Assignment -> Allow log on locally
For every ordinary copssh user:
- Make the user a member of the group mentioned above.
- Activate user in Copssh control panel
Activate a user and create a PKA key pair with empty passphrase via Copssh control panel:
- You can take your private key with you and initiate passwordless connections from other machines. An example to start ssh shell:
ssh -i my.key user@copssh_host
NB! Your private key is NOT protected by a passphrase and can be used by anyone. Keep it safe!
- Activate a user via Copssh control panel
- Import your public key via Control Panel (your public key must have three fields - key type, key itself and a comment):
- Your Copssh server is ready to accept PKA based on your keys.
Copssh versions 7 and higher use the Local System account as the service account, and no further adjustments are necessary.
However, you may still prefer to use a dedicated service account (a domain account, for example). Make sure that the service account is a member of the local Administrators group and has the following user rights:
SeCreateTokenPrivilege
SeAssignPrimaryTokenPrivilege
SeIncreaseQuotaPrivilege
SeServiceLogonRight
Tools to set user rights: Domain Group Policy Management for domain members, Local Security Policy (secpol.msc) for local computers
I am fond of fancy and short names :-))
Cygwin + OPENSSH is a qualified guess!!