
OpenSSH for Windows update - ghurlman
http://blogs.msdn.com/b/powershell/archive/2015/10/19/openssh-for-windows-update.aspx
======
nailer
> Leverage Windows crypto api’s instead of OpenSSL/LibreSSL and run as Windows
> Service

Was wondering about that. I'm surprised the OpenBSD team is accepting the
commits - something so fundamental and Windows specific doesn't seem like
their kind of thing - but great!

PS. If you're coming from a Unix background and interested in learning posh:
[https://certsimple.com/rosetta-stone](https://certsimple.com/rosetta-stone)

~~~
daguava
Was just coming here to voice my concerns over this choice as well, wondering
what their reasoning is for changing crypto systems.

~~~
DonnyV
I really don't like that they're replacing an open source crypto with a closed
source one. Putting on my tin foil hat, but didn't Microsoft hand over a back
door to the NSA already?

~~~
ionised
They collaborated with the NSA to develop an exploit in the SSL implementation
used in Outlook.com.

From the Snowden documents;

_July 31, 2012_

_Microsoft (MS) began encrypting web-based chat with the introduction of the
new outlook.com service. This new Secure Socket Layer (SSL) encryption
effectively cut off collection of the new service for FAA 702 and likely 12333
(to some degree) for the Intelligence Community (IC). MS, working with the
FBI, developed a surveillance capability to deal with the new SSL. These
solutions were successfully tested and went live 12 Dec 2012._

~~~
schoen
It's not clear this should be called an "exploit". It sounds like Microsoft in
its capacity as a cryptographic endpoint turning over either plaintext or
session keys (or in the severely worst case, long-term private keys). It
doesn't make much sense to me to refer to that as an "exploit".

------
kasabali
> Address POSIX compatibility concerns

Best way to address POSIX compatibility concerns is implementing a proper
POSIX layer in Windows (and not in a half-baked manner like the now deprecated
SUA). I can't imagine how it would hurt anybody.

~~~
antics
SUA was not half-baked, this is a very, very hard problem. There is a very
serious difference in the way POSIX and Windows model a lot of really
important OS primitives, from asynchronicity model in signals, to the
semantics of syscalls like `fork`. Every process using these primitives on
POSIX has specific behavior defined under those primitives, and if you don't
choose _exactly_ the right behavior on the POSIX subsystem in Windows you will
definitely break programs.

So, no. You can't "just" implement a POSIX subsystem correctly. These systems
are just not compatible. It will always be half broken.

~~~
teacup50
Microsoft does control the kernel, and given that, none of this stuff is
particularly complicated.

As for choosing "_exactly_ the right behavior" ... the whole _point_ of POSIX
is to clearly define the exact right behavior!

~~~
dragonwriter
Sure, it's "easy" if Microsoft wants to redefine Windows in POSIX terms; it's
not easy to keep Windows functioning as Windows _and_ provide a POSIX
compatibility layer, since Windows _isn't_ designed around POSIX
expectations.

~~~
teacup50
Do you actually have specifics, here? I'm happy to discuss things like how to
model fork() in-kernel.

------
ryanprichard
Will this OpenSSH server be able to run interactive console programs (like
cmd.exe or python.exe), or will it be limited to (say) PowerShell?

Windows doesn't have a good API for hosting a console--it's not like Unix,
where a pty has a master end and a slave end. Trying to run a console program
in mintty.exe
([https://github.com/mintty/mintty/issues/56](https://github.com/mintty/mintty/issues/56))
or Cygwin SSHD fails for this reason. I wrote a tool, winpty, that makes a
best-effort attempt to emulate a Unix pty master by scraping the console
buffer, but it has some limitations, so I'm not sure Microsoft would want to
use it. Maybe they would expand the console API?

~~~
asveikau
I too was very skeptical. Something about posts from "The Powershell Team"
about porting sshd makes me deeply cynical that they would get the integration
right from a layering perspective, i.e. as if they would make it support
powershell and nothing else.

Fortunately this example shows it going straight into cmd and then they invoke
powershell as a next step:

    C:\Master>ssh.exe -l user@127.0.0.1
    user@127.0.0.1's password: **********
    Microsoft Windows [Version 10.0.10566]
    (c) 2016 Microsoft Corporation. All rights reserved.
    user@DEV-10566-829 C:\Users\user>powershell -File -

\- [https://github.com/PowerShell/Win32-OpenSSH/wiki/ssh.exe-exa...](https://github.com/PowerShell/Win32-OpenSSH/wiki/ssh.exe-examples)

That gives me some hope that it's being done right.

~~~
geofft
There are these two interesting commits, "Add pty mode support code":

[https://github.com/PowerShell/Win32-OpenSSH/commit/55f2ec682...](https://github.com/PowerShell/Win32-OpenSSH/commit/55f2ec6825e720e1395d77ece55fb411c861bb18)

and "Add ANSI parsing engine and console draw support to SSH client":

[https://github.com/PowerShell/Win32-OpenSSH/commit/7aac59e52...](https://github.com/PowerShell/Win32-OpenSSH/commit/7aac59e524e6dc9f1c1faed18340cff7dfd9a47c)

Something about this reminds me of ANSI.SYS.

~~~
est
You could run ANSI.sys in modern cmd.exe; sadly there's no ANSI.sys in Win7
anymore.

[https://groups.google.com/forum/#!topic/alt.msdos.batch.nt/Y...](https://groups.google.com/forum/#!topic/alt.msdos.batch.nt/YZnoq80Mcds)

~~~
geofft
Cool. Looks like that is essentially listing DEVICE=ANSI.SYS in config.nt?
Google results imply some things about 16-bit emulation here -- was that post
about running actual DOS ANSI.SYS in a VDM running actual DOS COMMAND.COM,
within a native Windows terminal?

~~~
est
IIRC, command.com only bootstraps the ANSI coloring; after that you can run
anything in cmd.exe.

------
martin1975
Never was much of a windows fan, so a (slightly ignorant) question for someone
who is a Win admin - can most administrative things nowadays be done via the
command line on Windows (like we've been able to do in *nix land) or is there
a gap between what can be done via the GUI vs the command line?

~~~
rodgerd
Microsoft are pushing the command line to the point that:

a) Many operations in newer bits of Windows have simple-mode available in the
GUI, but more sophisticated options must be scripted. StorageSpaces has a few
examples of this, where some of the options around tiered storage, SSD
caching, and the layout of pools can only be accessed via posh.

b) Microsoft are pushing completely headless versions of Windows Server for
2016.

~~~
0xFFC
About the headless version, it is so great to hear that. Although I am not using
Windows, hearing that is good news overall; it seems with the new CEO
Microsoft is back on track. I would not remember with Ballmer they released
Windows Server with the Metro UI. WTF!

------
DiabloD3
This is very goddamned awesome. All I hope is I can set the default user shell
for my account. I already use msys2's zsh for my shell (because I use zsh
everywhere, on all OS), and being able to ssh into my Windows machine
'normally' (for me, anyways) would be extremely useful.

------
mavhc
I suggest making Update update, i.e. lower case; I was confused as to why
Windows Update was getting ssh.

~~~
mhurron
I thought standard title rules were every word other than words like 'and' and
'is' were capitalized.

~~~
bradjohnson
I don't believe there is a hard rule for titles that should take precedence
over clarity.

------
e12e
The more things change..., from:

[https://github.com/PowerShell/Win32-OpenSSH/wiki/Deploy-Win3...](https://github.com/PowerShell/Win32-OpenSSH/wiki/Deploy-Win32-OpenSSH)

"If you need key-based authentication:

Install key-auth package

run setup-ssh-lsa.cmd

_reboot_"

Reboot?

And this gem: "SSH daemon needs to run as System to support key-based
authentication".

Which means, either use weak authentication, or run the daemon as system. I
don't even understand why, it's not like the public keys are particularly
sensitive (certainly much less sensitive than being able to check passwords
for validity)?

~~~
kohenkatz
Have you checked what user OpenSSH usually runs as on a linux machine in order
to allow key-based authentication? I'll give you a hint: it's root. That's no
different than running as SYSTEM on Windows.

~~~
e12e
As a sibling comment mentioned, it makes perfect sense that the ability to
create a user session requires a certain privilege. What struck me as odd, was
that it only needed this on Windows when using key-based authentication - not
when allowing password-based login.

AFAIK ssh needs access to /etc/shadow on Linux, if you want to use system
passwords. But also, AFAIK, nothing stops you from running ssh in a chroot,
without any such access (well, access to _a_ /etc/shadow under the chroot
probably).

------
csours
Very off topic - I thought that publically was a mis-spelling, but apparently
it may be acceptable now!

[http://english.stackexchange.com/questions/45136/difference-...](http://english.stackexchange.com/questions/45136/difference-between-publicly-and-publically)

------
alpb
For those interested the source code is here:
[https://github.com/PowerShell/Win32-OpenSSH/](https://github.com/PowerShell/Win32-OpenSSH/)

------
gionn
I am waiting for the moment when I can throw away WinRM and SSH to all the
servers.

~~~
switch007
You have to create a god damn scheduled task to do Windows Updates over WinRM.
And it takes ages for Powershell to realise the task is running, and polling
the status of the job is a PITA.

Took me days to automate Windows 2012 with Packer. Ugh

~~~
jdub
For others facing a similar situation, I very strongly recommend starting here
instead of DIY. :-)

[https://github.com/joefitzgerald/packer-windows](https://github.com/joefitzgerald/packer-windows)

------
cakes
I'm interested in how this is going to work in PowerShell with the way
everything works now, if there happen to be any details about that (whether
here, somewhere else, or a past link)?

~~~
daveloyall
I don't know anything about PowerShell, but I have a similar question, I
think: how is this going to work? Will I be able to do something like this
command line (from my *nix machine)?

    ssh user@windows.machine.local dir d: | less

~~~
joosters
You should be able to do that just fine. 'dir d:' runs on the windows box and
'less' on the unix box.

~~~
daveloyall
Excellent. That's very useful!

------
andrewstuart
It would be good if there was a good free terminal for Windows. The only
option is putty.

~~~
teh_klev
Check out MobaXTerm:

[http://mobaxterm.mobatek.net/](http://mobaxterm.mobatek.net/)

I don't work for them, I just think it's a nice tool, so much so I paid for
the Pro version.

------
int_handler
This is exciting to hear.

I might be overly nitpicky, but holy inconsistent coding styles Batman:
compare
[https://github.com/PowerShell/Win32-OpenSSH/blob/bafc1df7c5c...](https://github.com/PowerShell/Win32-OpenSSH/blob/bafc1df7c5c15dbdd2e0c0112936a74d97d9f327/contrib/win32/win32compat/cng_cipher.c)
to the other source files.

~~~
lukeh
Ugh. And calling strcpy() with user-supplied data inside an SSP of all
places... :-(
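
As an added illustration of the defect being pointed at above (this is not code from Win32-OpenSSH or from the commenter): a fixed-size name field filled from an attacker-controlled input, with the unchecked `strcpy` pattern shown in a comment and a bounded form beside it that treats the input as a length-prefixed byte field and refuses anything that does not fit. `NAME_MAX`, the function names and the sample inputs are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed size for a fixed field such as an authentication package
 * might keep for a user name. The macro and functions below are
 * assumptions for this illustration, not Win32-OpenSSH code. */
#define NAME_MAX 16

/* The pattern under discussion, for contrast only:
 *
 *     char name[NAME_MAX];
 *     strcpy(name, user_supplied);
 *
 * The caller trusts the input to be short and NUL-terminated, so an
 * attacker-chosen name of NAME_MAX bytes or more writes past the end of
 * name. Inside a privileged component that is a memory-safety bug with
 * the component's privileges. */

/* Hardened form: the input is an untrusted, length-prefixed byte field
 * (as it arrives off the wire), not a C string.
 * Returns 0 and stores a NUL-terminated copy in dst on success;
 * returns -1 and leaves dst empty when the field does not fit (including
 * the terminator) or contains an embedded NUL, which would otherwise
 * silently truncate the name downstream. */
int store_name_checked(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst == NULL || dst_size == 0) {
        return -1;
    }
    dst[0] = '\0';                               /* fail closed: empty on error */
    if (src == NULL || src_len >= dst_size) {    /* need room for the NUL */
        return -1;
    }
    if (memchr(src, '\0', src_len) != NULL) {    /* reject embedded NUL */
        return -1;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Wrapper for a caller that already holds a NUL-terminated C string. */
int store_name_cstr(char *dst, size_t dst_size, const char *src)
{
    return store_name_checked(dst, dst_size, src, src ? strlen(src) : 0);
}

int main(void)
{
    /* Constructed inputs: a normal name and one that is exactly one byte
     * too long for the field once the terminator is counted. */
    const char ok[]       = "alice";
    const char too_long[] = "0123456789abcdef";   /* 16 bytes, no room for NUL */
    char field[NAME_MAX];

    printf("%-20s -> %s\n", ok,
           store_name_cstr(field, sizeof field, ok) == 0 ? field : "(rejected)");
    printf("%-20s -> %s\n", too_long,
           store_name_cstr(field, sizeof field, too_long) == 0 ? field : "(rejected)");
    return 0;
}
```

The design choice worth noting is that the length check is made against the destination size the callee is told about, not against a terminator the callee hopes is present, and that rejection leaves the field empty rather than partially filled, so a later consumer cannot act on a half-copied name.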

------
doxcf434
What's the plan for supporting OpenSSH in the long run? Or is this just a one
off port that will become stale after a few years?

------
ams6110
I've been running OpenSSH on Windows servers for years, using Cygwin.

------
j_s
I'm a fan of Bitvise SSH for a Windows SSH server; it's been enough to replace
Terminal Services when each employee has their own work machine to remote
desktop into.

It's nice that Microsoft recognizes the need for this functionality; I wonder
how they will approach the potential per-client licensing issues they like to
bring up with their server OS's.

[https://www.bitvise.com/ssh-server](https://www.bitvise.com/ssh-server)

------
angersock
Out of curiosity...why run this as a service?

EDIT: I misread this and thought it was only a _client_. Geez. If it's a
server, then of course it should be a service.

~~~
duskwuff
How else would you expect an SSH server to run? As a desktop application?

~~~
angersock
Oh, I thought this was just a _client_.

------
rm1999
A great OpenSSH for Windows for the time being. Been using this and it is
great; the only thing is not being able to do PowerShell from it once connected
to the host.

[http://www.mls-software.com/opensshd.html#botpage](http://www.mls-software.com/opensshd.html#botpage)

------
phippsbrad
I have had really good luck with this open source, native Windows SSH server:
[http://www.kpym.com/2/kpym/index.htm](http://www.kpym.com/2/kpym/index.htm). I
have no affiliation with the project; I just thought I'd mention that it is a
nice alternative I found.

~~~
drzaiusapelord
Why does this support telnet? Just seems crazy to me. Is it on by default?
That would be a violation of any sane security policy pretty much anywhere.
Seems like a serious edge case requirement and odd to bundle with SSH. This is
like buying a new car but then having the dealer give you a free horse with
your purchase.

~~~
mschuster91
Telnet has the unique advantage of having an implementation for the opposite
part on any TCP/IP compatible system without external libraries, crypto etc.
and that you can recreate both a server and a client in literally an hour with
nothing but a C compiler and an ordinary libc.

------
callesgg
That is great. I have tried some SSH servers for Windows; they have all been
constantly crashing or not working with SSH keys.

------
jamiesonbecker
Cool. Looks like Userify.com (SSH Key management) will support yet another
platform sometime next year.

(disclaimer: I work there.)

------
voltagex_
Interesting, they're still using MinGW. I wonder if they'll ever get it to
build under MSVC?

------
meneses
That's a good engineering project. Lucky team working on it!

------
switch007
The comment submit button doesn't even work in Safari. That must have taken
some effort to break.

