WiSSH - Windows Remote Desktop over SSH

Windows Remote Desktop
SSH Encrypted
Easy to Use and Deploy
Works with all SSH Servers
Windows 2000, XP, 2003, and Vista

Installing WinSSHD to support WiSSH Clients

WinSSHD is an excellent SSH server daemon that runs on Windows.  Running directly on Windows keeps your network homogeneous, so you do not have to introduce Linux or UNIX servers into the mix of systems you already need to support.  It also makes it very easy to keep your remote access passwords in sync with your standard Windows network passwords.  WinSSHD uses standard Windows authentication and/or private/public keys for two-factor authentication.

This how-to will quickly get your system installed and will show you the fastest way to get your remote access solution in production.

Install your server hardware and operating system.  This server should be fully patched and secured.  SSH tunneling requires very little system horsepower, and it is usually acceptable to run on older hardware.

You must secure this system from the Internet!  If you leave the system unprotected, you will be compromised.  The only requirement is that you leave the SSH port (22 tcp) open to the Internet, and the RDP (3389 tcp) and DNS (53 udp) ports open to the internal network.  Placing the server in a DMZ, if you have one, is optimal.  However, even software-based local firewalls will help.  Please see our technology documents for more information about the requirements for your firewalls.  Depending on whether you want to allow domain or Active Directory authentication, you may need to allow additional ports to your internal network, usually NetBIOS (137 tcp).

WinSSHD Control Panel
First, download the current release of WinSSHD.  Run the installation on the server.  Once it completes, run the WinSSHD Control Panel.

You will be able to start the service from the Control Panel.  It is also set to start automatically when you restart your server.

From here, you are also able to view event logs that WinSSHD generates.  On other screens, you may customize exactly which logs are generated for the application.

WinSSHD Port Settings
WinSSHD Server Settings
On the Settings tab, click Edit/View Settings.  You will be shown this screen.  In most cases, accept all the default options.
WinSSHD Default Settings
WinSSHD Access Control - Template
On the Access Control - Template screen, you can turn off several options to make your system more secure when you are only running with WiSSH.

You can turn off the "Permit Terminal Shell", "Permit SFTP", "Permit Exec Requests", and "Permit S2C Port Forwarding" options.  More information about these options is provided with WinSSHD should you wish to use them.

Only "Permit C2S Port Forwarding" is required, as this is what WiSSH uses to connect.  C2S means Client to Server.

WinSSHD Accounts
WinSSHD Access Control - Accounts
This screen allows you to configure your remote access accounts.  If everyone who has an account on the Windows server will have access, you do not have to do anything further.  Any users that will log in require the "Log On Locally" right.  If you use a workstation operating system, this is usually built in.  Server-type operating systems usually require you to make this change.

To allow access for only certain users, change the <<all others>> status to Deny.  Then add the individual users who are allowed access and change their status to Allow.

Private/Public Keys and WinSSHD

You can also add public keys on the accounts screen.  You can either allow a password or a private key to give access, or require both: private key authentication sent to the server from WiSSH, followed by a password.  If you use private key authentication, WiSSH requires you to change the Auth Type to Pwd AND Key.  When WiSSH is in private key mode, typically the password is used to unlock the private key, which is sent to the server for authentication.  Certain SSH servers can allow or require you to send both.  WiSSH sends the password only when the server requests it in addition to the private key authentication.
If you use this option, WiSSH requires you to use the same password to unlock the private key and to authenticate against the server.  You need to keep these passwords synchronized manually by changing the private key password in WiSSH when your network password changes.

On this screen, you can add a public key to the <<all others>> account, which can then be used by anyone who can unlock the other half of the key pair.  Alternatively, you can add individual accounts and add a public key for each user so that they can be disabled individually.

WiSSH Connection

WiSSH should now connect successfully to the server.  If you have issues, please view both the WiSSH client log and the WinSSHD log on the server.  You may need to verify that the necessary ports are available on the server, and that the server can resolve the client hostnames.  Remember, the Hostname entered in WiSSH is from the point of view of the SSH server.
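
The checks described above can be scripted.  The following Python sketch is an added example, not part of WiSSH or WinSSHD: run on the SSH server, it resolves the hostname as the server sees it and then tests the RDP port (3389 tcp), which exercises the DNS and RDP openings listed in the firewall requirements earlier.  The function name and the sample hostname are assumptions.

```python
import socket

RDP_PORT = 3389  # RDP port given in this how-to


def check_rdp_target(hostname, port=RDP_PORT, timeout=3.0):
    """Run ON THE SSH SERVER. Returns (status, detail); status is one of
    'ok', 'dns_failure', 'refused', 'timeout', 'unreachable'."""
    # Step 1: name resolution from the server's point of view.
    try:
        infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    except (socket.gaierror, UnicodeError) as exc:
        return "dns_failure", f"{hostname!r} does not resolve here: {exc}"

    # Step 2: try each resolved address; remember the last failure.
    result = ("unreachable", "resolver returned no addresses")
    for family, socktype, proto, _canon, sockaddr in infos:
        target = f"{sockaddr[0]} port {port}"
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            return "ok", f"{target} accepts TCP connections"
        except ConnectionRefusedError:
            result = ("refused", f"{target}: refused, service not listening or rejected")
        except socket.timeout:
            result = ("timeout", f"{target}: no reply, likely filtered")
        except OSError as exc:
            result = ("unreachable", f"{target}: {exc}")
    return result


if __name__ == "__main__":
    # Placeholder hostname (assumption): use the value typed into WiSSH.
    status, detail = check_rdp_target("workstation01.example.internal")
    print(status, "-", detail)
```

A dns_failure result points at the server's DNS settings or the 53 udp rule; refused or timeout points at the RDP service on the target or the 3389 tcp rule.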

For more information on WinSSHD, please view their Usage FAQ.  It should answer many of your questions about the software and help you to further configure it to meet your needs.