Cygwin auto started sshd service as single user on Windows 8

On a single-user desktop, you might want Cygwin's sshd to start automatically as a specific user, without privilege separation. Here’s a short reference:

  1. Disable UAC
  2. Open a Cygwin terminal
  3. Run ssh-host-config
  4. Select “no” on privilege separation
  5. Enter nothing, [], as the value of CYGWIN for the daemon
  6. Select “yes” to use a different username than cyg_server
  7. Enter your username, twice
  8. Enter your password, twice
  9. Edit (with your favorite editor) /etc/sshd_config
  10. Edit the UsePrivilegeSeparation line to say UsePrivilegeSeparation no (why the hell didn’t step 4 do this?)
  11. Go to the Windows Firewall settings (just type “firewall” into the start menu search – look under “settings”)
  12. Go to “advanced settings”
  13. Go to “Inbound rules”
  14. Add a new rule
  15. Select “Port”
  16. Select “TCP” and enter “22” as the specific local port
  17. Select “Allow the connection”
  18. Select when to apply the rule (default all cases)
  19. Give it a name, like “SSH”
  20. Reboot

If you later change your password, you will have to start services.msc, find the Cygwin ssh service and change your credentials on it as well.
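
A post-setup check for the steps above, as an added example that is not part of the original post: it reads the effective UsePrivilegeSeparation value from sshd_config and lists private host keys whose permissions are too open, which keeps sshd from starting. The function names are invented for this example, and it assumes the GNU stat and awk that ship with Cygwin.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are invented here.
# On a real Cygwin install: audit_sshd /etc/sshd_config /etc

# Print the effective global value of a keyword. sshd uses the first
# occurrence, keywords are case-insensitive, and "Key=value" is accepted.
effective_value() {
    awk -v key="$2" '
        { gsub(/\r/, ""); sub(/^[ \t]+/, "") }   # CRLF from Windows editors
        /^(#|$)/ { next }                        # comments and blank lines
        { split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }        # global section ends here
        tolower(f[1]) == tolower(key) { print tolower(f[2]); exit }
    ' "$1"
}

# Print "<file> <mode>" for each private key with any group/other bit set.
open_host_keys() {
    for f in "$1"/*_key; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        [ $(( 0$mode & 077 )) -eq 0 ] || echo "$f $mode"
    done
}

# Return 0 only if step 10 took effect and no host key is too open.
audit_sshd() {
    rc=0
    ups=$(effective_value "$1" UsePrivilegeSeparation)
    echo "UsePrivilegeSeparation: ${ups:-<not set>}"
    [ "$ups" = no ] || { echo "step 10 edit is not in effect"; rc=1; }
    bad=$(open_host_keys "$2")
    [ -z "$bad" ] || { echo "host keys too open, chmod 600:"; echo "$bad"; rc=1; }
    return $rc
}

# Constructed sample input so the example runs offline.
demo() {
    d=$(mktemp -d)
    printf '#UsePrivilegeSeparation sandbox\r\nuseprivilegeseparation=no\r\n' > "$d/sshd_config"
    : > "$d/ssh_host_rsa_key"; chmod 644 "$d/ssh_host_rsa_key"
    audit_sshd "$d/sshd_config" "$d"; st=$?
    rm -rf "$d"
    return $st
}
demo || echo "audit flagged the constructed sample, as intended"
```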

6 Comments

  • Bobrob says:

    On my Win8 non-pro, I had to follow your guide to disable UAC first (thanks for that), and then the service didn’t start so I checked /var/log/sshd.log in cygwin and it said the key file permissions were too open. chmod 600 /etc/*_key fixed that and the service started.

    • Giovani says:

      I had the same problem, and the chmod trick you described solved it. Thank you bob 😉

  • max says:

    dude, thank you so much…I’ve been trying to get Cygwin on Windows 8.1 to work for like 3 hours…THANK YOU. I only had to do steps 1-8, but it seems to be working now…finally.

  • Yepeng says:

    I followed the instructions. I used ssh-keygen to generate a key without a password, and copied the public key to authorized_keys. Running “ssh 127.0.0.1” returns “connection closed by 127.0.0.1”. That means the installation is not successful.

    • bolt says:

      Try verifying that the service is actually listening on that address. Use netstat to see your listening ports, and verify in the services.msc tool that the service is OK.

  • Superstar says:

    On newer versions of Cygwin, privilege separation cannot be disabled. It should be left as “sandbox” now.
