Just finished standing up an OpenSSH server on a Windows box mostly just to do it for once. I know, I know, it should be Linux. But I firmly believe this is a Windows world and like it or not, this request will someday come up just like this. I’ll put a Linux one up on my next box.
All told, there are plenty of sites around that walk through setting up SSHD and Cygwin on Windows. Sadly, they all seem to leave the unsuspecting user very insecure. These commands are always listed:
mkpasswd -cl > /etc/passwd
mkgroup --local > /etc/group
These commands copy every Windows user and group over to the Cygwin environment. Yes, that includes accounts like Administrator and every other group that exists. There is a reason that “root” is, and should be, denied login via SSH: it is an utterly predictable account to brute-force! Well, I would bet that on many Windows SSH installations, Administrator is just as predictable. To get around this, I simply remove those users from /etc/passwd.
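The cleanup step described above, as an added example that is not part of the original post: instead of hand-editing /etc/passwd, filter the output of `mkpasswd -cl` so the predictable accounts never make it into the file. The denied account list and the sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): strip well-known, predictable
# Windows accounts from the passwd file that `mkpasswd -cl` generates, so
# they can never be used as SSH login names. Account list and sample input
# are constructed for this illustration.

# Accounts that exist on virtually every Windows host and are the first
# names any password-guessing attempt will try.
DENIED_ACCOUNTS="Administrator Guest"

# strip_accounts reads passwd-format lines on stdin and prints only the
# lines whose login name (first colon-separated field) is not denied.
strip_accounts() {
    awk -F: -v denied="$DENIED_ACCOUNTS" '
        BEGIN { n = split(denied, d, " "); for (i = 1; i <= n; i++) deny[d[i]] = 1 }
        !($1 in deny)
    '
}

# Constructed sample of what mkpasswd -cl emits on a Windows box
# (login:pw:uid:gid:gecos-with-SID:home:shell).
SAMPLE_PASSWD='Administrator:unused:500:513:U-HOST\Administrator,S-1-5-21-1-2-3-500:/home/Administrator:/bin/bash
Guest:unused:501:513:U-HOST\Guest,S-1-5-21-1-2-3-501:/home/Guest:/bin/bash
alice:unused:1001:513:U-HOST\alice,S-1-5-21-1-2-3-1001:/home/alice:/bin/bash'

# filtered_passwd returns the hardened file contents for the sample.
filtered_passwd() {
    printf '%s\n' "$SAMPLE_PASSWD" | strip_accounts
}

# count_users returns how many accounts survive the filter.
count_users() {
    filtered_passwd | wc -l | tr -d ' '
}

# Real usage on the Cygwin box, after keeping a backup of the current file:
#   cp /etc/passwd /etc/passwd.bak
#   mkpasswd -cl | strip_accounts > /etc/passwd
# Belt and braces: also add "DenyUsers Administrator Guest" to /etc/sshd_config
# so sshd refuses those names even if the passwd entries ever come back.
```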
This just reminds me that security is not something everyone thinks about, and too often the instructions that get passed around are not the most prudent ones. It’s great that a lot of people who likely shouldn’t be allowed to can now set up SSH servers on Windows, plop them onto the Internet, and have them work just fine. I guess it just takes a little more knowledge to recognize the potential issues and then to solve them. I hear a lot about how security needs to be baked in, and while I agree, I think it will be a long time coming and will always cost either time and effort or money. (The same holds true for physical home security…)