
How do I add secure shell login to a Windows System with WinSSHD?

WinSSHD allows users to remotely log into a console or, with the right tool, run a remote application or administer a machine.

One tool that I have always found missing from Windows installations is an SSH daemon that allows users to remotely log in to a console or, with the right tool, run a remote application or administer a machine. Some tools for this job either are too complicated or simply don't work. There is a solution, WinSSHD, that is as robust and reliable as it is easy to install.

WinSSHD works with all NT-series Windows operating systems, including:

  • Vista
  • XP
  • 2000
  • NT4

Although not listed as being supported, I have successfully installed and used WinSSHD on Windows 7 as well.

This blog post is also available in PDF format in a free TechRepublic download.

Features

WinSSHD includes the following features:

  • Secure remote console access
  • vt100, xterm, bvterm support
  • Remote desktop and WinVNC support
  • Secure file transfer with SFTP and SCP
  • Secure TCP tunneling
  • 30-day demo available
  • Simple to install
  • User-friendly management console

Getting and installing

Installing WinSSHD is as simple as any Windows application installation. There are two screens, however, that will need attention. Before you get to that point, you will first need to download the installer from the Bitvise Web site and double-click the saved file to begin the installation process.

As I mentioned, there are two "steps" in the installation process that will not be familiar. The first step (Figure A) will require you to agree to the license terms as well as determine what you want to install.

Figure A

Each WinSSHD installation is considered a "site."

You will also have to select what you are doing with this installation. The options are:

  • Replace existing WinSSHD site: This option will be available only if you already have a WinSSHD installation.
  • Install new WinSSHD site: If this is your first installation, this is what you want to select.
  • Install new default site: If you are going to have only one WinSSHD installation, select this option.
  • Install new named site: If you know you are going to have multiple instances of WinSSHD, select this option.
  • Run WinSSHD Control Panel when done: If you want to start working with WinSSHD immediately, check this option.

The next step in the installation (Figure B) requires you to choose one of the types of installations. The possibilities are:

  • Standard Edition: This is the 30-day demo you downloaded. With this installation you will have full functionality, but it will expire unless you purchase a license.
  • Personal Edition: Free, but with restrictions (see Figure B).

Figure B

If you need access to only one machine with one group and 10 accounts, the Personal edition is perfect.

The remainder of the installation is simple. Once you have completed the installation, the WinSSHD Control Panel will open and you can start working with WinSSHD.

Using WinSSHD

From the WinSSHD Control Panel you can manage all aspects of the application. The first tab in this control panel that you should visit is the Server tab (Figure C). From here you can activate your copy of WinSSHD, start/stop the server, manage your Host Keys, and configure WinSSHD.

Figure C

This tab will inform you how many days you have left on your evaluation.

Out of the box, WinSSHD works perfectly for a single-session SSH connection. If you decide the default settings won't work for you or if you know you have a network/setup that demands specific configurations, such as needing to open the Windows Firewall to your local network or configuring your proxy settings, click on the Settings link near the bottom. From within the Settings window (Figure D), there are a number of options you can configure.

Figure D

Although the default settings should work, WinSSHD allows you to get fairly granular with your configurations.

Which options you need or want to configure in the settings will depend on your particular network topology as well as your users' needs.

When you have WinSSHD set up, you will want to make sure it works. The first test you will want to run is from localhost. So open an instance of your SSH client (such as PuTTY) on the machine with WinSSHD installed and attempt to log in. That should work without a problem.

Now move over to another machine on your network and attempt the same login. If this fails, you will most likely need to adjust some of the security parameters within WinSSHD. The first place to look is in the Server section of the Settings window. In that section, click on the Firewall section and make sure the Open Ports to Local Subnet option is selected from the dropdown.
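When the login from the second machine fails, it helps to know whether the port is being filtered or the server simply is not running. The script below is an added example (not part of the original article and not a WinSSHD tool): it connects to the SSH port and reads the server identification line. The name probe_ssh, the status labels and the default port 22 are assumptions of this example.

```python
import socket
import sys

def probe_ssh(host, port=22, timeout=3.0):
    """Classify why an SSH login test might fail. Returns (status, detail)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # Host answered with a reset: nothing is listening on that port.
        return ("refused", "no listener; is the SSH server started?")
    except socket.timeout:
        # No answer at all: packets are usually being dropped by a firewall.
        return ("filtered", "no reply; check the firewall setting")
    except OSError as exc:
        return ("error", str(exc))

    buf = b""
    with sock:
        sock.settimeout(timeout)
        try:
            # RFC 4253 section 4.2 lets a server send other lines before the
            # "SSH-protoversion-softwareversion" identification line.
            while len(buf) < 4096:
                chunk = sock.recv(256)
                if not chunk:
                    break
                buf += chunk
                for line in buf.split(b"\n")[:-1]:  # complete lines only
                    if line.startswith(b"SSH-"):
                        banner = line.rstrip(b"\r").decode("ascii", "replace")
                        return ("ok", banner)
        except OSError:  # includes a read timeout or a reset mid-banner
            pass
    return ("not-ssh", "port is open but sent no SSH identification line")

if __name__ == "__main__":
    # Usage: python probe_ssh.py HOST [PORT]; run it on the server itself
    # (HOST = 127.0.0.1) and again from another machine on the subnet.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    status, detail = probe_ssh(host, port)
    print(f"{host}:{port} -> {status}: {detail}")
```

An `ok` result on the server itself combined with `filtered` from the second machine points at the firewall setting described above, while `refused` in both places means the server is not listening.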

Once you are able to log in from another machine on your network, you will want to do a bit of securing.

Securing WinSSHD

Once you have WinSSHD set up and working, it's time to secure your WinSSHD installation. Really there are only three items to secure:

  • What services are made available
  • What users can gain access
  • When to use strong authentication

Let's examine services first. There are three services to either enable or disable:

  • File transfer
  • Console
  • Routing TCP connections

You want to shut off the features you know you will not use. To do this, you have to edit the only existing group in the installation (you can add new groups for further control if needed). From within the Settings window, go to the Access Control section and click on the Windows Groups entry (Figure E).

Figure E

This is also the same window where you can add groups.

Select the Everyone group and click the Edit button. From this window, you will need to scroll down to the section where you can see Permit Terminal Shell (Figure F).

Figure F

Remember, this is the default group, so you might want to keep strong control over this group.

This section is where you will want to disable the services you do not need. Once you have deselected those features, click the OK button to save the settings and dismiss the window.

Now, let's say you want to limit access to only certain users on the machine. You will first need to disable login access to the Everyone group you were just working with. Once you do that, you can configure a user account for logging in. To do this, go back to the settings window and then click on the Windows Accounts section under Access Control. Here you want to add an account, so click the Add button. In this window, you will want to configure the options you need and, most importantly, add the actual user name associated with the account you want to enable (Figure G).

Figure G

I have labeled the section USERNAME_HERE where you need to add the actual user name.

Follow those same steps for all users you want to be able to log in to this machine.

The final piece of advice is to make sure all users are using strong passwords. Because WinSSHD is opening a Windows machine for remote access, you will want to ensure that the users all are using strong passwords so those accounts are harder to crack. Make sure your user passwords are at least 15 characters long and have a combination of alpha and numeric characters. If your users are using simple passwords, the likelihood of this machine being cracked becomes much greater.

Final thoughts

I can highly recommend WinSSHD to anyone needing SSH access to a Windows machine. And not only would I recommend this application to single users, but to small and large businesses as well. WinSSHD is very simple to use and allows you to configure your SSHD server to very specifically meet your needs.


About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

9 comments
thomas.wilson

I have used Symantec pcAnywhere for remote access and control since some of my PCs were running DOS and connected through phone modems. I'm currently using Version 11.5, which runs on Windows through WinXP, current version 12.5 runs on Vista (as much as anything runs on Vista ;-). My 11.5 discs also have a Red Hat install, I'm not a Linux user myself yet (too freaking much to do) but my Linux buddies say the Red Hat install will probably work with CentOS as well. Buying pcAnywhere from Symantec is Way Too Expensive, but for reasons I don't understand new sealed copies of the software regularly turn up on eBay for less than $50 (I saw a copy of Ver 12.5 this morning for $23.99). This is not free but probably trivial compared to the cost of your time. I bought 10 copies this way so I'm set. Thanks to all you posters for a wealth of information, hope my $0.02 is useful to someone.

mmelvis

Does this company make an rsh daemon? Great write-up on this product. Keep the articles coming

Photogenic Memory

There are so many remote clients to access different operating systems such as SSH, VNC, MSTC, Rdesktop, etc. But none of these are truly cross platform. I guess what I'm asking for Christmas (I already have my two front teeth) is an application that can log in remotely, securely, provide GUI or shell access if supported by the OS, share files, and be able to talk to more than one machine at a time. I wonder what the future will bring. I guess I should just create my own program? LOL!

Mark W. Kaelin

Are you using WinSSHD for remote connections in your organization?

ctimjones

Cygwin also allows you to set up a Windows PC as an SSH server. Cygwin may be overkill if all you want is an SSH server, but it's fairly easy to install and configure. http://www.cygwin.com/ I use Cygwin on a daily basis. It's a great tool.

CameronY

Have been using WinSSHD for a little over two years now in a commercial environment for a number of our global customers. We had originally started using ver-3.(something) and earlier this year upgraded to ver-5.05. (it's now ver-5.10) The Virtual File System and use of multiple mount points per logon has made my life incredibly easier. With over 1200 logins, managing the various customer logins is a much easier task than it would have been without. The Tunnelier client is very, very useful and we have wooed many customers away from using WinSCP to use the Bitvise Tunnelier client. Automating transfers using this product is very easy and setup is simple. I was even able to convert users on the other side of the world to swap to the Tunnelier client and have them using key authentication in the space of a dozen emails one evening - the ease of use is very attractive to end users. Host and user key management is a breeze and executing automated backups of keys and/or configuration was a snap. When we upgraded to ver-5.05, we also undertook an infrastructure upgrade at the same time. The support team were very helpful and interested in seeing our transition proceed smoothly. All went well and not one of our customers noticed the upgrade. I personally rate the product 10 / 10 rubber chickens ;-) Cheers, Cameron

Aaron McV

I use SSH in the opposite manner. I like to connect to my home machine (Windows 7) from work. I've installed and have great success with CopSSH. The setup is a bit more complicated, but not overly so. One thing I highly recommend is to modify the configuration file to a port other than port 22. Oh... and it's free!

Aakash Shah

I've been using WinSSHD for a few years to access my home computer via a secure tunnel (the personal edition is free). I also purchased a copy to use at work for secure file transfers. It's a very powerful yet nimble product. They also offer good support via their forums.
