In a previous post I showed how to configure a service to allow for remote access using PowerShell Remoting. Another way of achieving the same goal is to use SSH.
SSH is capable of more than just remote access – copying files and tunneling are a few of the extra features. I’ll show how to get a SSH daemon working and how to connect to it for a remote session. I haven’t tested other features, let me know if you try anything else.
There are many SSH servers available for Windows. I will use the OpenSSH from Cygwin in this post.
The first task is to install Cygwin. It’s better to install it locally and package Cygwin in the Azure deployment package or create a zip file of the local installation and upload it to your Azure Storage account. The only extra package required is “openssh”.
There are a few steps to configure a role to run the SSH service. I’ll describe only the main ones here, refer to the sample project at the bottom of the post for a complete working example.
The default SSH port is 22 hence the role must define the following endpoint:
<InputEndpoint name="SSH" protocol="tcp" port="22" localPort="22" />
You need an account to log in via SSH. Since this account will also be used to run the SSH Windows Service it must be in the Administrators Group.
net user <username> <password> /add
net localgroup Administrators <username> /add
The user account you created must have the required privileges to be used by a Windows Service. I used ntright.exe for granting the SeServiceLogonRight privilege.
Because Cygwin was copied to the VM instead of installed the Unix permissions for a few critical files must be fixed. This must be done from within Cygwin via a script.
The user account you previously created must be added to the Cygwin users list. Once again this must be done from the Cygwin environment.
Cygwin includes a script to configure SSH as a Windows Service - ssh-host-config. After running this script a new service will be available and can be started the regular way or using the cygrunsrv command from Cygwin. These commands must be run using the account created in step 2 .
With the SSH enabled service deployed it’s time to connect to it. Using PuTTY simply enter the DNS name of your deployment in the Host Name field:
And if you want to avoid being disconnected because of timeouts you can set PuTTY to keep a heartbeat using any value under 60 seconds:
Then opening a connection will get you access to the VM:
SSH will actually allow you to connect to a service with multiple instances. You will not be able to specify the exact instance though, every new connection will be established to any one of the instances in the service.
This project creates a service with SSH enabled. It expects to find a zip file called cygwin.zip in your storage account. The zip file should contain the Cygwin install directory (e.g. C:\Cygwin).
Before you publish the project you must edit the EnableSSH.cmd and startSSH.sh files and enter the new username and password at the top of both files. There was no easy way to share that information between the Windows batch and the Shell script so it must be entered twice. You must also edit the DownloadBlob.ps1 file and enter your storage account information in the second to last line. You will also need to enter the container name in the same line.
i try and could not get to work. can you provide detail step
I have tried and the ssh connection starts, but the window shuts down directly. I have tried to connect from the VM using localhost, same thing.
However, when I use Tunnelier and set up some tunnels, the tunnels work, but again I can't get a command line window to open.
Would that be related to mintty on windows server 2008?
Since you can't connect locally I would suspect your SSHd install, you might want to run it locally on your desktop first. Another thought is to confirm the password you are using for the SSH user conforms with the complexity requirements. The remote user won't be created otherwise.