
Thursday, June 5, 2014

SSH and Rsync within Cygwin (Unix - Windows)

This post documents the steps I have used to setup SSH and Rsync within a Cygwin Windows environment.

Cygwin Setup
This is not an in-depth guide for installing Cygwin; installing Cygwin is a fairly simple process. In order to implement SSH and rsync functionality, a few non-default Cygwin packages will need to be installed.
  1. Download and run the Cygwin setup.exe program from http://cygwin.com/install.html
    If you already have Cygwin installed, that should not be a problem. You can still run setup.exe to install additional Cygwin packages.
  2. Proceed through the Cygwin setup process until you get to the "Select Packages" screen. From there, make sure the following packages are selected:
    • Net -> openssh
    • Net -> rsync
    • Admin -> cygrunsrv
    • Editors -> nano (optional, but I find it to be a very simple text editor to use in place of vi or emacs)
    • Web -> wget (optional, but useful for downloading files without a browser)
  3. Finish the Cygwin setup wizard allowing the selected packages, including any required dependency packages, to be installed.
SSH Setup
  1. Right-click the Cygwin Terminal icon and then click "Run as Administrator".
    Note: On older versions of Windows such as XP and Windows Server 2003, the "Run as Administrator" option may not be available. In that case, simply double-click the Cygwin Terminal shortcut.
  2. In the Cygwin terminal, enter ssh-host-config and then press Enter. This should start an SSH setup script that will guide you through the rest of the setup.
  3. The SSH setup script should ask you a series of questions. Answer the questions as follows:
    • Should privilege separation be used? – yes
    • Should this script attempt to create a new local account 'sshd'? – yes
    • Do you want to install sshd as a service? – yes
    • Enter the value of CYGWIN for the daemon – tty ntsec
    • Do you want to use a different name? – no
    • Create new privileged user account 'cyg_server'? – yes
    • Enter a password for the cyg_server account. – Enter a new password of your choice.
    • Re-enter the password for the cyg_server account. – Enter the password again.
  4. Start the SSH service by entering net start sshd into the Cygwin terminal and pressing Enter.
  5. At this point, you should be able to connect to the Windows computer via SSH. To test it out, use an SSH-capable terminal program such as PuTTY. When logging in, use a local Windows user name and password.
Cygwin Users
Cygwin users are defined in the /etc/passwd file. Local users are added to this file by default when Cygwin is first installed. To add additional users to this file, including local and domain users, Cygwin includes a nifty utility called mkpasswd. To add a new Cygwin user, follow these steps:
  1. If the local or domain Windows user does not already exist, go ahead and create it first.
  2. Open a Cygwin terminal window and run the following command to add a local user:
mkpasswd -l -u [user] >> /etc/passwd
Or, to add a domain user, run the following command:
mkpasswd -d [domain] -u [user] >> /etc/passwd
  3. If you'd like to verify the contents of the /etc/passwd file, you can view it by running the following command:
cat /etc/passwd
  4. To test out the new account, try to make an SSH connection with it.
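Running mkpasswd ... >> /etc/passwd a second time for the same user silently appends a duplicate entry, and sshd will then use whichever line it finds first. The following helper, an added example that is not from the original post, appends an entry only when no line for that user name exists yet. The entry text (what mkpasswd prints) is passed in as an argument, so the function itself does not need mkpasswd; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. The entry text is what
# `mkpasswd -l -u USER` or `mkpasswd -d DOMAIN -u USER` prints; it is passed
# in as an argument so the function can be exercised without mkpasswd.

# add_passwd_entry PASSWD_FILE ENTRY
#   0: entry appended
#   1: a line for that user name already exists (nothing written)
#   2: entry is malformed (a passwd line has 7 colon-separated fields)
add_passwd_entry() {
    passwd_file=$1
    entry=$2
    user=${entry%%:*}
    nfields=$(printf '%s\n' "$entry" | awk -F: '{ print NF }')
    if [ -z "$user" ] || [ "$nfields" -ne 7 ]; then
        return 2
    fi
    # Compare field 1 exactly; a grep regex would need escaping for unusual names
    if [ -f "$passwd_file" ] &&
       awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$passwd_file"; then
        return 1
    fi
    printf '%s\n' "$entry" >> "$passwd_file"
}

# count_passwd_entries PASSWD_FILE USER: prints how many lines define USER
count_passwd_entries() {
    if [ -f "$1" ]; then
        awk -F: -v u="$2" '$1 == u { n++ } END { print n + 0 }' "$1"
    else
        echo 0
    fi
}

# Typical use on the Cygwin server (mkpasswd assumed to be on PATH):
#   add_passwd_entry /etc/passwd "$(mkpasswd -l -u alice)"
#   add_passwd_entry /etc/passwd "$(mkpasswd -d CORP -u bob)"
```

count_passwd_entries is the check to run after the fact: any user name that reports more than one line has been appended twice and the extra lines should be removed.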
SSH Passwordless Login (Public/Private Key Pair)
It is possible to create a public/private key pair with which an SSH user can be authenticated without having to use a password. This can be useful when automating rsync connections over SSH. Otherwise, a password would need to be entered manually. In order to create and set up a public/private key pair for use with SSH and rsync, follow these steps:
  1. Login in to a terminal session of the client computer that will be connecting to the Cygwin server via SSH. This could be a Linux server, an AIX server, or possibly another Cygwin server (although not confirmed by me).
  2. On the client computer, run the following command:
ssh-keygen -t rsa
  3. Accept the default location for the key by pressing Enter and make note of it for future reference. NOTE: do not rename the public/private key files. Keep the original names id_rsa.pub and id_rsa. Otherwise, you will not be able to log in without a password from Unix -> Cygwin (Win Server 2008).
  4. When prompted for a passphrase, just press Enter. Then, press Enter again when prompted for the passphrase a second time.
  5. On the Cygwin server, make sure the .ssh sub-directory exists in the user's home directory. If it does not exist, create it.
  6. Copy the public key file from the client computer to the Cygwin server. The public key file on the client computer should be named id_rsa.pub and should be located in the .ssh sub-directory of the user's home directory if you accepted the default location. On the Cygwin server, the public key file should be copied to the user's .ssh sub-directory. There are multiple ways to copy the file. To copy the public key file using scp, use a command similar to this:
scp /home/[local user]/.ssh/id_rsa.pub [remote user]@[Cygwin server IP]:/home/[remote user]/.ssh/id_rsa.pub
Note: The local user and remote user do not need to match.
  7. On the Cygwin server, rename the id_rsa.pub file to authorized_keys. If the authorized_keys file already exists, simply append the contents of id_rsa.pub to the end of it instead.
  8. On the Cygwin server, edit /etc/ssh_config and /etc/sshd_config to enable passwordless login. For example:
File sshd_config:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

File ssh_config:
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes

  9. At this point you should be able to make an SSH connection from the client computer to the Cygwin server without using a password. To test this, run the following command from the client computer:
ssh [user]@[Cygwin server IP]
Note: You should not be prompted for a password. If you are, review the prior steps to make sure no mistakes were made.
  10. Now it should be possible to make an rsync connection to the Cygwin server over SSH. For example, run a command similar to the following from the client computer:
rsync -r -t /src/ [Cygwin user]@[Cygwin server IP]:/dst/
This command should copy the contents of the source directory on the client computer (/src in this example) to the destination directory on the Cygwin server (/dst in this example) without prompting for a password.
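The most common reason the test in step 9 still prompts for a password is the authorized_keys step: the key was appended twice with a broken line break, or ~/.ssh or authorized_keys ended up group- or world-writable, which sshd rejects under its default StrictModes setting (of the server settings listed above, PubkeyAuthentication is the one that matters for protocol 2; RSAAuthentication only affects protocol 1). The following helper is an added example, not code from the original post: it installs one public key without creating duplicates, sets the expected modes, and provides a check that mirrors what sshd looks at. Function names and the HOME_DIR/PUBKEY_FILE arguments are my own conventions.

```shell
#!/bin/sh
# Added example, not part of the original post. Installs one public key into
# HOME_DIR/.ssh/authorized_keys without creating duplicates, and sets the modes
# that sshd's StrictModes check expects. Paths are arguments so it runs anywhere.

# install_pubkey HOME_DIR PUBKEY_FILE
#   0: key appended   1: key already present (nothing written)   2: not a public key
install_pubkey() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # id_rsa.pub holds one line: "<type> <base64 blob> [comment]"
    key=$(head -n 1 "$pubkey_file" 2>/dev/null) || return 2
    case $key in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) return 2 ;;
    esac

    # sshd refuses keys from a group/world-writable ~/.ssh or authorized_keys
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Match on type + blob only, so a changed comment does not add a second copy
    key_id=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    if awk -v id="$key_id" '($1 " " $2) == id { found = 1 } END { exit !found }' "$auth_keys"; then
        return 1
    fi
    printf '%s\n' "$key" >> "$auth_keys"
}

# authorized_key_count HOME_DIR: number of lines in authorized_keys (0 if absent)
authorized_key_count() {
    if [ -f "$1/.ssh/authorized_keys" ]; then
        awk 'END { print NR }' "$1/.ssh/authorized_keys"
    else
        echo 0
    fi
}

# check_strict_modes HOME_DIR: 0 if ~, ~/.ssh and authorized_keys are all
# present and none is group- or world-writable (what sshd checks by default)
check_strict_modes() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || return 1
        # columns 6 and 9 of `ls -l` output are the group and other write bits
        case $(ls -ld "$p" | cut -c6,9) in
            *w*) return 1 ;;
        esac
    done
    return 0
}

# Typical use on the Cygwin server after the scp in step 6:
#   install_pubkey /home/[remote user] /home/[remote user]/.ssh/id_rsa.pub
#   check_strict_modes /home/[remote user] || echo "fix permissions on ~, ~/.ssh, authorized_keys"
```

If /etc/fstab has been switched to noacl (see the File Permissions section), the mode bits reported by ls are synthetic and StrictModes will not see the NTFS ACLs, so run the check before making that change.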

Running Rsync Daemon (service) in Cygwin
When running rsync as a daemon, "modules" must be setup on the server which are mapped to a specific directory. Then, rsync clients connect to a specific module. There can be multiple modules setup on a single rsync server. The rsync "module" concept is somewhat similar to the "share" concept in Windows networking.
Unlike when using rsync over SSH, authentication is NOT based on Cygwin users. Instead, a file containing user/password combinations is used and the configuration file determines which users are allowed to connect to each rsync module.
  1. Create a file named /etc/rsyncd.conf to be used as the configuration file for the rsync daemon. Refer to man rsyncd.conf for complete details on the contents and syntax of this file. Here is an example file to help get you started:
use chroot = yes
max connections = 4
log file = /var/log/rsyncd.log
[rsync_test]
path = /cygdrive/c/rsync_test
comment = Rsync Test
auth users = rsync_user
secrets file = /etc/rsyncd.secrets
write only = false
read only = false
list = true
This example defines one rsync module named rsync_test that is mapped to the /cygdrive/c/rsync_test directory, which equates to C:\rsync_test in Windows terminology. Only one user, rsync_user, is permitted to use this module. Rsync user names and passwords are stored in the /etc/rsyncd.secrets file.
Note: Make sure the directory referenced in the path exists. Otherwise, attempts to connect to the rsync server will fail.
  2. Create a file named /etc/rsyncd.secrets to be used as the user/password file for the rsync daemon. This file should contain one user and password per line separated by a colon. Refer to man rsyncd.conf for more details. Here is an example file to help get you started:
rsync_user:password
In this example, there is one user named rsync_user with a password of password.
  3. Now you must change the permissions on the /etc/rsyncd.secrets file so that "other" has no access. Otherwise, attempts to connect to the rsync server will fail. To change permissions, run the following command on the Cygwin server:
chmod o-rwx /etc/rsyncd.secrets
  4. On the Cygwin server, create a new local Windows user under which the rsync service will run. The password should be set to never expire.
  5. Grant the "Log on as a service" permission to the user that was created in the previous step.
    1. On the Cygwin server, go into the Windows Control Panel -> Administrative Tools -> Local Security Policy.
    2. Navigate to Security Settings -> Local Policies -> User Rights Assignment.
    3. Locate and double-click the "Log on as a service" policy.
    4. Add the new user that was created, save the changes, and then close the Local Security Policy window.
  6. Create the rsync service by running a command similar to the following:
cygrunsrv -I "Rsync" -p /cygdrive/c/cygwin/bin/rsync.exe -a "--config=/cygdrive/c/cygwin/etc/rsyncd.conf --daemon --no-detach" -f "Rsync daemon service" --user rsyncd --passwd rsyncd_password
In this example, the service will run under a user account named rsyncd with a password of rsyncd_password. These parameters should be changed to match the user/password that you created.
  7. Start the rsync service by running the following command:
net start rsync
  8. If you wish to run rsync from the client computer without supplying a password manually, the password must be stored in a file. This file can be named anything, but must not have any permissions for "other". To create a file containing the password "password" and then remove permissions for "other", run the following commands on the client computer:
echo password > /etc/rsync.password
chmod o-rwx /etc/rsync.password
  9. Now, you should be able to connect to rsync on the Cygwin server. To test, run a command similar to the following:
rsync -r -t --password-file=/etc/rsync.password /src/ rsync_user@[Cygwin server IP]::rsync_test/dst/
This command will copy files in the /src directory on the client computer to the /dst sub-directory within the directory mapped to the rsync_test module on the Cygwin server.
Note: In the preceding command example, two colons separate the Cygwin server IP address from the module name/path. This notation is used for a connection to an rsync daemon whereas a single colon is used for a connection via SSH.
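The two failure modes this section calls out, a module path that does not exist (step 1) and a secrets or password file that "other" can read (steps 3 and 8), are both easy to verify before starting the service. The following checks are an added example, not code from the original post; they parse the [module] / path = layout of rsyncd.conf shown above and apply the same "no access for other" rule to both the server's rsyncd.secrets and the client's --password-file. Function names are my own, and module names are assumed not to contain spaces.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks the two things the
# post says make daemon connections fail: a module "path" that does not exist,
# and a secrets/password file that "other" can access. File names are
# arguments, so it also works on a client's --password-file.

# rsyncd_module_names CONF: one module name per line ([section] headers)
rsyncd_module_names() {
    awk '/^[[:space:]]*\[/ { gsub(/[][[:space:]]/, ""); print }' "$1"
}

# rsyncd_module_path CONF MODULE: the "path =" value of MODULE, or nothing
rsyncd_module_path() {
    awk -v want="$2" '
        /^[[:space:]]*\[/ { gsub(/[][[:space:]]/, ""); module = $0; next }
        module == want && /^[[:space:]]*path[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }
    ' "$1"
}

# check_rsyncd_conf CONF: 0 if every module path is an existing directory;
# otherwise reports each missing one on stderr and returns 1
check_rsyncd_conf() {
    status=0
    for module in $(rsyncd_module_names "$1"); do
        path=$(rsyncd_module_path "$1" "$module")
        if [ ! -d "$path" ]; then
            echo "module [$module]: path '$path' does not exist" >&2
            status=1
        fi
    done
    return $status
}

# other_has_access FILE: 0 if any of the "other" r/w/x bits is set
other_has_access() {
    case $(ls -ld "$1" | cut -c8-10) in
        *[rwx]*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_secret_file FILE (server-side rsyncd.secrets)
#   1: missing or accessible by "other"   2: a line is not user:password
check_secret_file() {
    [ -f "$1" ] || return 1
    other_has_access "$1" && return 1
    # rsync splits each line at the first colon; a password may itself contain ':'
    awk '
        /^[[:space:]]*(#|$)/ { next }
        index($0, ":") <= 1 || index($0, ":") == length($0) { bad = 1 }
        END { exit bad + 0 }
    ' "$1" || return 2
    return 0
}

# check_password_file FILE (client-side --password-file): 0 when the file
# exists, "other" has no access, and the first line is a non-empty password
check_password_file() {
    [ -f "$1" ] || return 1
    other_has_access "$1" && return 1
    [ -n "$(head -n 1 "$1")" ] || return 2
    return 0
}

# Typical use: on the Cygwin server before `net start rsync`
#   check_rsyncd_conf /etc/rsyncd.conf && check_secret_file /etc/rsyncd.secrets
# and on the client before the rsync command in step 9
#   check_password_file /etc/rsync.password
```

Both checks reproduce refusals rsync makes itself: the daemon ignores a secrets file that others can access, and the client refuses a --password-file with the same problem, so running them ahead of time turns a cryptic connection failure into a pointed message.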

File Permissions
When using an NTFS file system, Cygwin will, by default, apply POSIX-style file permissions using NTFS file permissions. In some cases this may not be desirable, as it can make it difficult to work with the files on the Windows server outside of Cygwin. This behavior can be altered by modifying the /etc/fstab file. Simply add or edit the line in this file to read as follows:

none /cygdrive cygdrive user,noacl,posix=0 0 0

The key in this example is the "noacl" parameter.
