How to run sshd as a windows service ?

[imjakey]

Steps to reproduce:

step 1:
start bash

step 2:
start sshd server
sudo /etc/init.d/ssh start

step 3:
connected to sshd server from xshell (a powerful terminal emulator which better than windows cmd line).
if you don't have xshell , use putty or any other client instead

step 4:
closed the bash cmd window , xshell connection is also closed.

Question:
how do I run sshd as a windows service ?

thanks !

[fpqc]

I would suggest instead running urxvt in xming, because sshd needs to be run as root, and there are annoying problems that can arise with that.

Right now there is no support for running daemons as windows services because WSL is meant for developer workstations rather than servers, although some unprivileged daemons (like urxvtd) can be run silently with a little bit of workaround.

[therealkenc]

That is not even remotely accurate. There are no annoying problems with running sshd as root (sudo service ssh start); and even if there were, you can run sshd on an unprivileged port no different than urxvtd. For people uninterested in inviting all of X11 to the party, PuTTY and a dozen other SSH clients are lighter weight and make more sense. I use the Chrome Secure Shell Extension. Indeed, X clients have been explicitly identified as low priority for the WSL project, but do run, happily, as a side effect of coincidental socket and pty improvements.

[fpqc]

Yeah, but I run urxvtd on startup with run.exe, whereas to start the sshd service you have to type a p/w (because you are sudoing it "superuser do", i.e. running it as the root user). I have a shortcut that does

run.exe bash.exe -c "urxvtd -q -o -f ; bash"

in the startup folder for my Windows user (in addition to running Xming on startup), so I can launch urxvtc whenever I want, with the daemon running totally silently with
bash.exe -c urxvtc

I'm not saying you can't run sshd, just that you can't do it silently so it "appears like" a Windows service, and the reason why is that you have to type in your sudo password.

Sure, I guess you could get around this maybe with some kind of batch file that types in your sudo password?

[aseering]

Or you could modify your sudoers file to not require a password for that command.

[fpqc]

Yeah, that works too! Good idea!

Edit: How did you do it? I set NOPASSWD mode for /bin/service and it still asks me for a pw.

[aseering]

Make sure you have the syntax right? Test it on an actual Ubuntu machine if you have one available; the sudoers file format can be finicky to get right.

(Disclaimer: I haven't actually tried this particular command. I've run other commands with passwordless sudo under WSL, though.

[fpqc]

@therealkenc @aseering, @Manouchehri says in the cmake thread that you also need to star the sshd service in a bash.exe terminal that also has Windows admin credentials in order to open up a socket for sshd. Have you guys found a way around that?

[Manouchehri]

Can a normal user can ever bind on a system port on Windows?

[fpqc]

@Manouchehri I think so. Bittorrent clients can, and they can even make UPnP requests, I think.

[Manouchehri]

BitTorrent (shouldn't) run on system ports (0-1024). Most clients bind on a UDP port in the dynamic port range.

[aseering]

@fpqc -- could you run on a higher port? The problem is that the default sshd port is in the system-port range, as @Manouchehri said. I often bind servers to port 2222, or some other higher-numbered port, to work around that limitation.

[therealkenc]

@fpqc, I'm not running WSL in terminal with Windows admin privileges. It binds to 22 fine with sudo service ssh start or however you feel like starting the daemon. You can also start it on 2222 like @aseering says, but there's a minor issue with perms on /dev/tty so you still have to run it as root.

[Manouchehri]

@therealkenc Permission issues on the Windows or Linux side? /dev/tty shows as owned by the user to me.

ubuntu@DESKTOP-3RQO5S5:~$ ls -l /dev/tty
crw------- 1 ubuntu tty 4, 1 Jul  2 22:23 /dev/tty

[fpqc]

@therealkenc It seems to work for me too doing that, but I have a problem connecting to it with PuTTY, and if I open another terminal and try to connect it appears to connect but then dies.

fpqc@FPQC-PC:~|⇒  ssh -vvv 127.0.0.1 
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/fpqc/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/fpqc/.ssh/id_rsa type 1
debug1: identity file /home/fpqc/.ssh/id_rsa-cert type -1
debug1: identity file /home/fpqc/.ssh/id_dsa type -1
debug1: identity file /home/fpqc/.ssh/id_dsa-cert type -1
debug1: identity file /home/fpqc/.ssh/id_ecdsa type -1
debug1: identity file /home/fpqc/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/fpqc/.ssh/id_ed25519 type -1
debug1: identity file /home/fpqc/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "127.0.0.1" from file "/home/fpqc/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: SSH2_MSG_KEXINIT sent
Connection closed by 127.0.0.1

[Manouchehri]

Looks like we actually can bind to 22/TCP without Windows admin privs?

ubuntu@DESKTOP-3RQO5S5:~$ sudo strace netcat -l -p22 -w5
sudo: unable to resolve host DESKTOP-3RQO5S5
execve("/bin/netcat", ["netcat", "-l", "-p22", "-w5"], [/* 14 vars */]) = 0
brk(NULL)                               = 0x1441000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
# ...snip...
brk(0x1462000)                          = 0x1462000
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
bind(3, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(3, 1)                            = 0
accept(3, {sa_family=AF_INET, sin_port=htons(16627), sin_addr=inet_addr("127.0.0.1")}, [16]) = 4
close(3)                                = 0
poll([{fd=4, events=POLLIN}, {fd=0, events=POLLIN}], 2, 5000) = 1 ([{fd=4, revents=POLLIN}])
read(4, "Yep, this works.\n", 2048)     = 17
write(1, "Yep, this works.\n", 17Yep, this works.
)      = 17
poll([{fd=4, events=POLLIN}, {fd=0, events=POLLIN}], 2, 5000) = 0 (Timeout)
close(4)                                = 0
close(3)                                = -1 EBADF (Bad file descriptor)
close(3)                                = -1 EBADF (Bad file descriptor)
exit_group(0)                           = ?
+++ exited with 0 +++

[therealkenc]

@Manouchehri - I see what's going on with my /dev/tty now. I start bash.exe with user root and then su ken in root's .bashrc. WSL seems to set the /dev/tty owner to the bash.exe user. So my /dev/tty is root:tty not ubuntu:tty. But the real problem is perms 600 instead of 666. Anyway you can set phasers on ignore here. sshd on 2222 will work just fine as user ubuntu if you start bash.exe as user ubuntu.

@fpqc - dunno what exactly is going on there. I just followed the secret handshake in #300 and never really looked back since then. In short:

ListenAddress 0.0.0.0
UsePrivilegeSeparation no
PasswordAuthentication yes

[fpqc]

@therealkenc Yeah that works, but any idea why adding my PuTTY key to known_hosts doesn't allow me to connect password-free from PuTTY?

[therealkenc]

Follow these instructions (or others like it) and you should be good.

[qris]

I was able to make sshd run automatically as a foreground task, but only after login. After many failed attempts I set my computer to login automatically as the user I wanted. Here is the process that I used:

Add the following line to /etc/sudoers (using sudo visudo for safety):

%sudo ALL=(ALL) NOPASSWD: /usr/sbin/sshd -D

And then use the Task Scheduler to create a new basic task with these settings:

• Run: When the computer starts,
• Action: Start a program,
• Program: c:\Windows\system32\bash.exe,
• Arguments: -c "sudo /usr/sbin/sshd -D"

Test it by clicking on the Task Scheduler LIbrary, selecting your new task and clicking Run on the right-hand side. A command prompt window should open and remain open.

If you want to hide the window, I think you can tick the Hidden box in the scheduled task properties.

[fpqc]

@qris I would also suggest running it with run.exe (available on the xming project page) to hide the console if necessary.

[imjakey]

Thank you everyone, you have helped me a lot.

I use two scripts to achieve my goals:

script 1 named startssh.bat, the contents is :
cd C:\Windows\System32
bash.exe -c "/usr/sbin/sshd -D"

script 2 named autostartssh.vbe, the contents is :
set ws=wscript.createobject("wscript.shell")
ws.run "startssh.bat /start",0

the script 2 can run script 1 like a deamon, then I add scipt 2 to a Windows Task Scheduler, it will run on the computer starts.
Now, I can connected to my sshd server from xshell, it works well !

[rodrymbo]

@qris - When I change the setting to "Run whether the user is logged in or not," the task no longer starts, (at least when I click on it and choose "Run"). It works fine when set to "Run only when user is logged on". Any thoughts? Can anyone else replicate this behavior in Task Scheduler, or make a task start properly with "whether user is logged on or not"?

[qris]

@fpqc @rodrymbo Sorry, I posted my comment too soon. My suggestion of running the process regardless of whether the user is logged in or not did not work, as you discovered, and I have not been able to make it work. I have edited my post to avoid suggesting this option.

[jaydenn]

Thanks for the help, but I'm having an odd problem.. When I try to ssh in from my remote ubuntu laptop, it does not recognize my credentials. However, somehow it recognizes my windows user credentials, and when I ssh in I am dropped into a cmd shell - not bash.. I'm very confused, any help would be appreciated.

EDIT: fixed my problem, someone had enabled an ssh daemon in windows already which was conflicting with the WLS one, so I moved it to a different port. They both work now.

[hacnet]

@rodrymbo I've been able to autostart sshd whether user is logged on or not but only by stopping lxssmanager first, i.e. point taskschd to a batch script with the following content:

sc stop lxssmanager
c:\Windows\System32\bash.exe -c "/usr/sbin/sshd -D"

but (!) after my subsequent login, I cannot start bash unless I issue the same stop command.
It's feels really messy and I'm wondering why this is such a headache? sshd should be up by default It's almost quicker to install Cygwin.

[fpqc]

@hacnet I mean, it's software in development that has only been publicly available for 3 or 4 months (over which time it has advanced in leaps and bounds). I think you have to accept that there will be rough edges for some time into the future.

(For example, you may remember testing Mozilla Firebird back a million years ago, and that took quite a while to reach maturity (before falling off a cliff and murdering the interface (and version numbering system) in recent years), and that project wasn't a quarter as ambitious as this one.)

[hacnet]

@fpqc while I appreciate that dev environments may have some rough edges, you don't start off the project by breaking the fundamental access method to the brand new shell you're announcing.

[fpqc]

@kabinpokhrel Either use vbscript or run.exe to start bash.exe as a hidden window, and have it launch with a script that starts your daemons.

[rodrymbo]

There are multiple solutions to having sshd (and other services/daemons) start when the user logs in. They stay running as long as you don't close the last bash.exe window (easiest if you use one of the tricks to hide it) or log out. Start them manually with one or more bash scripts (such as can be found in /etc/init.d) since upstart/systemd isn't running and the service command gives errors (but sort of works).

There seem to be no reasonable solutions (yet) to having sshd start before the user logs in (that is, just after the system boots, as if it were a real system service) or (probably) to allow a different user's WSL environment to run a script while the first user is still logged in. For that we need to wait until @benhillis and the other devs figure out (a) if they want to allow that and (b) what the best way is to provide the feature. They keep teasing us, but so far haven't committed one way or another.

[fpqc]

@rodrymbo There is a good solution imo for that. Create a second unprivileged user, set up WSL, and then start WSL for that user as a task on system startup.

When you want to use WSL, connect to the sshd with PuTTY.

[kabinpokhrel]

SSH into "Bash on Ubuntu on Windows"

Steps

1. First uninstall the openssh-server

   In order to SSH into the Windows Subsystem for Linux (WSL), we start off with uninstalling the openssh-server.

   sudo apt-get remove openssh-server

2. Reinstall the same program (openssh-server)

   sudo apt-get install openssh-server

3. Configure the SSH default installation to

   sudo nano /etc/ssh/sshd_config and disallow root login by setting PermitRootLogin no

4. Then add a line beneath it that says:

   AllowUsers yourusername

   and make sure PasswordAuthentication is set to yes if you want to login using a password.

5. Disable privilege separation by adding/modifying:

   UsePrivilegeSeparation no

6. Restart the ssh service with full restart flag, like so

   sudo service ssh --full-restart

7. Connect to your Linux subsystem from Windows using a ssh client like PuTTY.

[ylluminate]

Nice steps there @kabinpokhrel. Can we get some instructions on how to make the filesystem appear as a unix fs? Eg, I'd like to be able to: scp something me@hostname:/mnt/d/some_dir/

[qris]

Note that Windows now runs an SSH server on port 22, so it may not be possible to get OpenSSH running on that port too. So you may have to change the Port in /etc/ssh/sshd_config to some other port number, such as 23 or 2222.

You can tell if this is happening because you will need to log in using your Windows username and password (not your UNIX username and password) and when you do, you'll get a cmd.exe command prompt, not a Bash prompt.

[rodrymbo]

@ylluminate - Are you saying that the standard ssh server that is part of WSL doesn't do SCP for you?

I'm pretty sure I've used SCP with WSL's ssh server and it looked like the FS layout you describe.

Remember, the "other" ssh server is not the same as the ssh server within WSL. If you don't like how that other server behaves, you'd need to complain somewhere else. And, as @qris says, they can't both be running on the same port at the same time. But then no ssh server should listen on port 22 anyway.

[gdh1995]

On the newest WSL, -D can be removed and sudo /usr/sbin/sshd is just OKay.

So run.exe is not required if I want to hide the console window which would be opened when running a system task.

[fpqc]

@gdh1995 Even if you drop your last bash.exe Window? That has always been the problem.

[gdh1995]

@fpqc you are right.

Oh my god, the single sshd process exits at once if I exit bash.exe.

[fpqc]

@gdh1995 Yeah, that was always the problem. I didn't even know about the sshd -D thing.

[CPrescher]

When I follow kabinpokhrel's steps, I am not able to login into my computer it always give me
"Permission denied, please try again." Even though I am 100% sure that the passowrd is correct, I created new Users and it still did not work. What is the reason for this?

[rodrymbo]

@Luindil - sounds like something odd is going on. You can try ssh -v -p [portnumber] [username]@localhost from a different bash.exe window to see more info, maybe it will tell you at what point it is failing. (Spelling everything out on the command line helps check assumptions, and -v adds information that might be helpful.)

To confirm the password, you could try su - [username] which will ask for the password, unless you are root. Or, it should be asking for the password when you use sudo (until you added the NOPASSWD: setting with visudo). (You do know it is not necessarily the password you use to log in to Windows, right?) To reset the password, you can use lxrun /setdefaultuser root before logging in, then the passwd command, then /setdefaultuser back again. Or set up public keys and authenticate that way.

If the permission denied error is from something else, e.g. a file permission, knowing which file, might make solving the issue easier, though if you used sudo to start it that shouldn't be a problem.

If you don't get enough information with ssh -v, or from up to three of the -v's, you might need to look into ways to get sshd to put its log somewhere useful, like see if it puts its log to stdout if you run sshd in the foreground. I've still not gotten syslog (or systemd's journal) working...

The service command isn't really supported completely (currently), so you could bypass that and just run the bash script sudo /etc/init.d/ssh {start|stop|restart}. Service usually works to start that bash script, but by going directly to the script you bypass one possible source of errors. You could also make a copy of the script and add command line options (e.g. logging?) to troubleshoot.

[lypanov]

@Luindil Make sure you disable the SSH related Windows Services that appear to be installed by default (namely, SSH Broker and SSH Proxy). Another option is to switch port.

[CPrescher]

Thank you both for answering, I just figured out that it is because the port is already used by windows. When I use e.g. 23 as a port it works like a charm. @qris already mentioned it in an above post.

[fpqc]

@luindil isn't port 23 something super important like smtp?

[sysworx]

This methods are not working for starting a apache2 for example...cause it starts and get closed after start...?

[aseering]

@sysworx -- there's more discussion of this approach here: https://wsl-forum.qztc.io/viewtopic.php?f=6&t=10 . Read through the comments; in particular, if you have a command that exits immediately, you have to somehow artificially add another command that doesn't exit immediately.

[repalash]

I also had to enable the ssh port in Windows Firewall for all incoming connections to allow remote logins.

[rickywu]

Hi all,
I found this tool is very useful and can run ssh server without any window in background

https://github.com/131/dispatcher

[fenchu]

Gentlemen, We have for years been running sshd under cygwin. We use a cygrunserv process that runs as local administrator and map all registry settings. Cant we just get a local admin that starts the cron scheduler/services.

[fpqc]

@fenchu not yet. since distros are installed at the user rather than computer level, running as local admin will work weird. Running as your own user but with local admin permission could work but comes with its own problems.

[therealkenc]

sshd and other processes not attached to a tty now persist in WSL as of April Update.