Frequently Asked Questions - copssh

The problem can be related to address changes of Windows DLLs after a Windows update. That behaviour may create collisions with the more static Cygwin DLLs, especially in a 32-bit environment. We suggest rebooting the system as a first measure. You may need to install Copssh again using our recipe, which keeps an existing configuration intact. Consider installing the 64-bit version (available only in the product edition) if the problem still persists.

You can use our Win2ban, which is a Fail2ban implementation for Windows with Elastic Winlogbeat as the event log shipper. Check the related Win2ban FAQ for details: How can I configure Win2ban for brute force attacks against Copssh?

FAQ

  • Create an ordinary domain user with a non-expiring complex password (for example svccopssh)
  • Run the Copssh installer and specify domain\svccopssh as the service account, together with its password.

FAQ

By default, Copssh uses the Windows event log for ssh logging. Sftp logging for isolated (chrooted) home sftp directories doesn't work as expected, however. Follow the steps below to activate syslog-based logging, which works for both ssh and sftp:

  • Download SyslogServer-addon-bundle here
    • SHA256: 09d764f24f3698dd1c8bde606478ca8770a52295110d65873a1b6b2aec1d8642, PGP Signature - Our PGP public key is available here.
  • Run the installer appropriate for your installation (x86/32-bit, x64/64-bit). It will automatically update your Copssh installation by installing a syslog service.
  • Start the SyslogServer service (it creates the socket /dev/log for syslog operations)
  • Make sure that both ssh and sftp logging are set to eventlog via Copssh Control Panel
  • Restart the service via Copssh Control Panel
  • The default syslog configuration sends all log messages to /var/log/messages. The syslog configuration file is located in /etc.

FAQ

The problem may be related to the potentially incompatible changes introduced in OpenSSH 6.7 (included in Copssh 5 and higher) to remove unsafe algorithms.

If you run Copssh 5.8.1 or higher, you can update the configuration via GUI:

Copssh Control Panel with advanced server options

  • Alternatively, you can add the following line to the [server] section of the configuration file bin/copsshcp.config before starting Copssh Control Panel:

Ciphers=+aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

  • Restart the service via Copssh Control Panel

FAQ

The problem may be related to the potentially incompatible changes introduced in OpenSSH 6.7 (included in Copssh 5 and higher) to remove unsafe algorithms.

  • Add the following line to the [server] section of the configuration file bin/copsshcp.config:

KexAlgorithms=curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

  • Restart the service via Copssh Control Panel
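Both the Ciphers and the KexAlgorithms directives above re-enable algorithms that newer OpenSSH releases dropped from their defaults, so it helps to see exactly which legacy algorithms a given copsshcp.config ends up enabling. The following is an added example, not Copssh's own code: it reads the [server] section, resolves the '+' prefix (append to the defaults) used in the Ciphers line, and lists the legacy algorithms that result. The DEFAULTS lists are assumed placeholders, not Copssh's real defaults, and SAMPLE is a constructed file.

```python
"""Audit the [server] section of copsshcp.config for legacy SSH algorithms.
Added example, not part of Copssh. DEFAULTS are assumed placeholders."""
import configparser
import re

# Assumed default lists (placeholders): the real defaults depend on the
# OpenSSH version bundled with Copssh.
DEFAULTS = {
    "Ciphers": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-ctr"],
    "KexAlgorithms": ["curve25519-sha256@libssh.org",
                      "diffie-hellman-group-exchange-sha256"],
}
# What the two directives from this FAQ bring back: CBC-mode ciphers, 3DES
# and SHA-1 based DH groups, none of which modern OpenSSH enables by default.
LEGACY = re.compile(r"-cbc$|^3des-|group1-sha1$|group14-sha1$")


def effective(name, value):
    """Resolve an OpenSSH algorithm list: a leading '+' appends the listed
    algorithms to the defaults, otherwise the list replaces the defaults."""
    items = [v.strip() for v in value.lstrip("+").split(",") if v.strip()]
    if value.startswith("+"):
        return DEFAULTS[name] + [i for i in items if i not in DEFAULTS[name]]
    return items


def audit(config_text):
    """Return {directive: [legacy algorithms enabled]} for the [server] section."""
    cp = configparser.ConfigParser()   # copsshcp.config is INI-style
    cp.read_string(config_text)
    findings = {}
    for name in DEFAULTS:
        if cp.has_option("server", name):  # option names are case-insensitive
            algs = effective(name, cp.get("server", name))
            weak = [a for a in algs if LEGACY.search(a)]
            if weak:
                findings[name] = weak
    return findings


# Constructed sample combining the two directives from this FAQ.
SAMPLE = """[server]
Ciphers=+aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
KexAlgorithms=curve25519-sha256@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
"""

if __name__ == "__main__":
    for name, weak in audit(SAMPLE).items():
        print(f"{name}: legacy algorithms enabled: {', '.join(weak)}")
```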

FAQ

In some situations, it may be necessary to make a clean install to make an upgrade work. You can do it by following the steps below:

  • Backup your host keys in etc directory (etc/ssh_host*)
  • Uninstall the existing version of Copssh
  • Remove remnants of the installation directory except home directories if they exist
  • Make sure that the service account and the sshd account are removed
  • Install new Copssh
  • Restore host keys back to etc directory
  • Start Copssh Control Panel and verify that the service is running
  • Activate your users again and specify their existing home directories as the home directory during the activation

Creation of a dedicated service account for Copssh became necessary when the built-in SYSTEM account lost some required privileges as of Windows 2003. By default, the Copssh installer creates the local account SvcCOPSSH (24-char complex password, no password expiration) with the following privileges:

  • Member of local Administrators group
  • User rights for proper operation:
    • SeCreateTokenPrivilege
    • SeAssignPrimaryTokenPrivilege
    • SeIncreaseQuotaPrivilege
    • SeServiceLogonRight
  • User rights for better security:
    • SeDenyBatchLogonRight
    • SeDenyInteractiveLogonRight
    • SeDenyNetworkLogonRight

The Copssh installer will also try to apply all of the above if you specified an existing account during setup.

More info:

SSHD, Cygwin and Windows 2003

**NB:** This FAQ doesn't apply to Copssh 4.3.1 and up, as they handle the problem automatically.

By default, normal users are not allowed to log on locally on domain controllers. The same restriction may also apply to other Windows systems. The user right Allow log on locally needs to be granted for the login to work.

One-time procedure:

  1. Create a security group for COPSSH users.
  2. Add your group to the list of authorized credentials for the required user right:

Administrative Tools --> Domain Controller Security Policy (for domain controllers) or Local Security Policy (for other Windows systems) --> Local Policies --> User Rights Assignment --> Allow log on locally

For every ordinary copssh user:

  1. Make the user a member of the group mentioned above.
  2. Activate user in Copssh control panel

  • Activate a user via Copssh control panel
  • Import your public key via Control Panel:

Import a public key via Copssh control Panel

  • Your Copssh server is ready to accept PKA based on your keys.

There will be a shortcut in the user's copssh home directory, pointing to the user's Windows home. It is done with a soft link:

  1. Start a bash shell, locally or remotely
  2. Change to the user's home directory if it is not already done
  3. Link a directory or network share to a local name by using the ln command

Examples:

ln -s "/cygdrive/d/pub/" "pub"

creates a link from D:\pub to pub in the user's home directory.

ln -s "//myserver/netdata" "netdata"

creates a link from \\myserver\netdata to netdata in the user's home directory.

Now, the user can use pub and netdata to access D:\pub and/or \\myserver\netdata respectively.

Can I change the location of my home directory?

The Copssh Control Panel user activation wizard lets you specify a home directory of your own choice:

Copssh Control Panel User Activation Wizard Home Directory

  • Activate a user and create a PKA key pair with empty passphrase via Copssh control panel:

Create a PKA key pair with empty passphrase via Copssh Control Panel

  • You can take your private key with you and initiate passwordless connections from other machines. An example that starts an ssh shell:

ssh -i privatekey user@copssh_host

NB! Your private key is NOT protected by a passphrase and can be used by anyone. Keep it safe!

How can I limit users' access to their home directories only?

  • Activate a user and select access type Sftp via Copssh control panel:

Copssh Control Panel User Activation Wizard Sftp access

  • Access type Sftp instructs Control Panel to make required arrangements for a chrooted environment. You can also specify an alternative home directory.

**UPDATED** The Copssh Control Panel introduced in version 4 solves this problem. Previous Copssh versions and the copsshadm command line tool still have it.

This is a known error related to the localized names of the groups administrators and users. There is no solution yet. However, you can use the workaround below:

  • Rename the localized equivalents of the groups administrators and users to something readable in Latin characters (this can be done via Administrative Tools->Computer Management->Local Users and Groups, for example)
  • Run the copssh installer
  • Rename the groups above back to their original names.

**UPDATED** Sometimes it may be necessary to see directly how the OpenSSH daemon reacts to startup or connection requests, in order to locate daemon-related problems.

  • Stop the Openssh SSHD service (system name: OpenSSHServer)
  • Right-click Start a Unix Bash Shell in the Copssh start menu (assuming that you have admin privileges)
  • Enter the following command at the bash prompt:

/bin/sshd -p <listening port> -D -d -e

This starts the OpenSSH daemon in standalone debug mode, and messages are displayed on the screen. You may specify -d up to three times for increased output verbosity.

  • Try to initiate a PuTTY session and watch the messages on the server side.

Depending on software or configuration issues on your PC, the copssh service may sometimes fail to start properly. The cause can be a service, a device helper, antivirus, firewall and so on interfering with the operation of the copssh service.

A possible solution is to delay the service startup until the problem services have started successfully. You can use the procedure below to make the copssh service dependent on MyService:

  • Create the following REG_MULTI_SZ value in the registry if it doesn't already exist:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OpenSSHServer\DependOnService

  • Add MyService to the registry value created above. It is possible to specify multiple entries separated by spaces.
  • Restart your PC.

Copssh can be installed silently by using the switches below:

Copssh_x.x.x_Installer.exe /u=user /p=password /S

where user/password specify the service account credentials.

You can also specify a new installation directory with the /D switch:

Copssh_x.x.x_Installer.exe /u=user /p=password /S /D=C:\test\copssh

Some recommendations (not all of them may apply in your case; they are not sorted by importance):

  • Change port 22 to something non-standard
    • Benefits/Side effects: Reduces your vulnerability surface dramatically by taking a well-known parameter out of the equation; not applicable if you have a general-purpose server. Security by obscurity? Yes. However, there are many script kiddies out there bombing port 22 wherever they find it.
    • How: Conf. file etc\sshd_config: Port
  • Reduce the maximum number of concurrent unauthenticated connections
    • Benefits/Side effects: Reduces your vulnerability surface by allowing a smaller number of potentially dangerous attacks simultaneously.
    • How: Conf. file etc\sshd_config: MaxStartups (default 10)
  • Turn off authentication by password. Use public key authentication instead.
    • Benefits/Side effects: Eliminates the most widely used technique of potential attacks: cracking passwords.
    • How: Conf. file etc\sshd_config: PasswordAuthentication no, PubkeyAuthentication (default yes)
  • Restrict access by host
    • How: Use your firewall settings to limit the hosts authorized for access
  • Restrict access by user/group
    • How: Conf. file etc\sshd_config: AllowUsers, AllowGroups
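The following added example (not part of Copssh) checks an etc\sshd_config against the sshd_config recommendations listed above; the firewall item has no sshd_config equivalent and is not covered. It assumes OpenSSH's usual defaults for absent keywords (Port 22, MaxStartups 10, password and public key authentication both enabled), and the WEAK and HARDENED configs are constructed samples.

```python
"""Check an OpenSSH sshd_config against the hardening recommendations above.
Added example, not part of Copssh; the sample configs are constructed."""
import re


def parse_sshd_config(text):
    """Return {keyword (lowercased): value}. sshd uses the first occurrence of
    a keyword and ignores later duplicates; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Port 22" or "Port=22"
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(text):
    """Return one finding per recommendation that is not met. Assumed defaults
    for absent keywords: Port 22, MaxStartups 10, PasswordAuthentication yes,
    PubkeyAuthentication yes."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("port", "22") == "22":
        findings.append("Port 22: move sshd to a non-standard port")
    max_startups = s.get("maxstartups", "10")
    if int(max_startups.split(":")[0]) >= 10:  # "10:30:100" form: first field
        findings.append(f"MaxStartups {max_startups}: lower the unauthenticated connection limit")
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication: disable it and use public keys")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication: must stay enabled once passwords are off")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("AllowUsers/AllowGroups: no user or group restriction in place")
    return findings


# Constructed samples: a stock configuration and a hardened one.
WEAK = """# Port 22 is commented out, so the default applies
PasswordAuthentication yes
"""
HARDENED = """Port 2222
MaxStartups 3
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
"""

if __name__ == "__main__":
    for finding in audit(WEAK):
        print("WEAK:", finding)
    print("HARDENED findings:", audit(HARDENED))
```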

I am fond of fancy and short names :-))

Cygwin + OPENSSH is a qualified guess!!