Question:
How to Configure OpenSSH on Windows 2008 for use with eHealth 6.3.x
Step-by-step description of how to implement secure FTP (SFTP over OpenSSH) on a Windows 2008 server
Answer:
To configure your central and remote polling sites to communicate using secure FTP, follow this process:
- Install OpenSSH (which provides the sftp client and the sshd server) on both the central site and the remote poller sites.
- Configure OpenSSH on central site and remote poller sites.
- Generate Authentication keys on the central site.
- Copy the authentication keys to the remote poller sites.
- Test the secure FTP connection.
Install OpenSSH on Windows 2008
Download the Cygwin setup.exe from http://cygwin.org. Start setup.exe; it presents a list of packages that can be selected for installation.
- Search for OpenSSH.
- Select the latest revision. The packages it depends on are shown and selected automatically.
- Start the installation. Setup downloads all necessary packages and installs them.
- Finish the process.
To configure OpenSSH on Windows 2008
- Ensure that the directory name in which you installed OpenSSH does not contain any spaces.
- Open a command prompt window and enter the command, sftp, to confirm that the command exists and that the PATH environment variable is configured correctly. If it is not, add the C:\cygwin\bin directory to the PATH environment variable.
- Navigate to the OpenSSH bin directory, for example: C:\cygwin\bin.
- Enter the following commands. Run them from the Cygwin bash prompt (Cygwin.bat), which understands the /etc/... paths; if you run them from cmd.exe instead, write the targets as C:\cygwin\etc\group and C:\cygwin\etc\passwd.
mkgroup -l > /etc/group
mkpasswd -l > /etc/passwd
If you would like to use a domain user account instead, enter the
following:
mkgroup -d > /etc/group
mkpasswd -d > /etc/passwd
After executing the commands, change the line for the ehealth user in the /etc/passwd file from its default home path (/home/ehealth) to the correct home path (/cygdrive/c/Users/ehealth). Alternatively, generate the file with that prefix directly: mkpasswd -l -p /cygdrive/c/Users > /etc/passwd. The home path matters because sshd looks for the authorized_keys file under it.
Sample:
ehealth:unused:1000:513:ehealth,U-W2008X\ehealth,S-1-5-21-116329628-4136230505-2145968379-1000:/cygdrive/c/Users/ehealth:/bin/bash
- Configure the OpenSSH host (remote site) using the following steps:
Navigate to the directory, C:\cygwin, and run the batch file, Cygwin.bat, as a user with Administrator privileges.
Run ssh-host-config and supply the following responses:
Query: Should privilege separation be used? (yes/no) yes
Query: new local account 'sshd'? (yes/no) yes
Query: Do you want to install sshd as a service?
Query: (Say "no" if it is already installed as a service) (yes/no) yes
Query: Enter the value of CYGWIN for the daemon: [] CYGWIN
Query: Do you want to use a different name? (yes/no) no
Query: Create new privileged user account 'cyg_server'? (yes/no) yes
Query: Please enter the password: {specify a strong password; cyg_server is a privileged service account}
Query: Reenter: {repeat the password}
- Reboot the system after running ssh-host-config. This is a required action.
- Create the required .ssh directory using the following information:
From the Windows command prompt: mkdir %HOME%\.ssh
From the Cygwin command prompt: mkdir ~/.ssh
- Start the server using the following command:
net start sshd
Additional Configuration for OpenSSH
Complete this procedure to provide additional, required configuration information:
- Create a soft link named NH_HOME by running the following command from the Cygwin command prompt:
ln -s /cygdrive/c/eHealth/ /NH_HOME
In this command, C:\eHealth is the CA eHealth home directory; adjust the path if eHealth is installed elsewhere.
- Restart the sshd service
- net stop sshd
- wait some seconds
- net start sshd
Note: If you receive an error, remove the file, C:\Cygwin\var\log\sshd.log, and restart the service.
Generate Authentication Keys for OpenSSH
Use this procedure to generate authentication keys for OpenSSH on Windows systems so that password authentication is no longer needed between the sites.
To generate authentication keys
- Generate the key pair by entering the following command from the Windows command prompt on the console, logged in as the CA eHealth user:
ssh-keygen -t dsa
Note: Accept the default key location, /cygdrive/c/Users/%NH_USER%/.ssh/id_dsa, and do not provide a passphrase. CA eHealth polling runs unattended, so the private key must be usable without one; protect it with file permissions instead. OpenSSH 7.0 and later disable ssh-dss keys by default, so on current versions generate an RSA or Ed25519 key instead (ssh-keygen -t rsa -b 4096, or ssh-keygen -t ed25519); the file names below then become id_rsa/id_rsa.pub or id_ed25519/id_ed25519.pub.
The private key, id_dsa, and the public key, id_dsa.pub, appear at the default key location.
- Copy the public key, id_dsa.pub, to all remote poller systems in this collection set, placing it in the directory C:\Users\%NH_USER%\.ssh. Key authentication is not configured yet, so this sftp session prompts for the NH_USER password once:
sftp NH_USER@REMOTE_SITE
sftp>cd .ssh
sftp>lcd .ssh
sftp>put id_dsa.pub
sftp>exit
NH_USER Indicates your CA eHealth user.
REMOTE_SITE Specifies the name of the remote poller.
Update Authentication File on a Windows 2008 Remote Site
After you copy the public keys to the .ssh subdirectory on each remote site in the collection set, you must update the authentication file on each remote site.
To update authentication file on each remote site
- Log into the remote site as $NH_USER and navigate to the .ssh subdirectory on the remote site.
- List the files in the .ssh subdirectory by entering the command, dir.
The system displays a file with a .pub extension. This is your public key.
- Add the public key to the authorized_keys file. If the file does not exist yet, enter:
copy /b id_dsa.pub authorized_keys
If authorized_keys already exists (for example, it already holds the key of another central site), append instead of overwriting it:
type id_dsa.pub >> authorized_keys
Then, from the Cygwin command prompt, make sure the permissions are what sshd expects (with StrictModes it ignores keys in a group- or world-writable directory): chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys.
- Restart the sshd Windows service.
- net stop sshd
- wait some seconds
- net start sshd
- Repeat this procedure for each Windows remote system.
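The following script is an added example and is not part of the CA knowledge base article or of CA eHealth. It does, from the Cygwin bash prompt on a remote poller (any POSIX shell works), what the procedure above does by hand: it appends a central-site public key to authorized_keys only if that key is not already listed (the plain copy /b overwrites the file and silently drops keys installed by another central site), sets the permissions sshd requires, flags ssh-dss keys that current OpenSSH releases reject, and wraps the final connection test in a form that cannot stall on a password prompt. The sample key lines are constructed with truncated, non-functional key blobs; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example; not from the CA KB article or CA eHealth. Run from the
# Cygwin bash prompt on a remote poller (works in any POSIX sh).

# install_authorized_key PUBKEY_FILE [SSH_DIR]
# Appends the key in PUBKEY_FILE to SSH_DIR/authorized_keys unless the same
# key (type + base64 blob; the trailing comment is ignored) is already there.
# Returns 0 when appended, 2 when the key was already present. Entries that
# carry options such as from="..." are not recognised as duplicates.
install_authorized_key() {
    pub="$1"
    sshdir="${2:-$HOME/.ssh}"
    auth="$sshdir/authorized_keys"
    keydata=$(awk 'NR == 1 {print $1, $2}' "$pub")
    mkdir -p "$sshdir"
    touch "$auth"
    chmod 700 "$sshdir"   # StrictModes: sshd ignores keys in a writable dir
    chmod 600 "$auth"
    if awk -v k="$keydata" '($1 " " $2) == k {found = 1} END {exit (found ? 0 : 1)}' "$auth"; then
        return 2
    fi
    printf '%s\n' "$(cat "$pub")" >> "$auth"   # always ends the entry with a newline
    return 0
}

# weak_keys AUTH_FILE
# Prints every ssh-dss entry. Returns 0 if any were found, 1 otherwise.
weak_keys() {
    awk '$1 == "ssh-dss" {print; n++} END {exit (n > 0 ? 0 : 1)}' "$1"
}

# sftp_noninteractive_check USER HOST
# The article's final test without a terminal: BatchMode makes sftp fail
# instead of prompting, so a missing key shows up as a non-zero exit code.
# Needs a reachable poller, which is why the demo below does not call it.
sftp_noninteractive_check() {
    printf 'pwd\nquit\n' | sftp -o BatchMode=yes -o PasswordAuthentication=no -b - "$1@$2" >/dev/null 2>&1
}

demo() {
    tmp=$(mktemp -d)
    # Constructed sample keys; the blobs are truncated and not real credentials.
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7demo central@site\n' > "$tmp/id_rsa.pub"
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAOdemo old-central@site\n' > "$tmp/id_dsa.pub"
    rc=0; install_authorized_key "$tmp/id_rsa.pub" "$tmp/ssh" || rc=$?
    echo "first install: rc=$rc"            # rc=0
    rc=0; install_authorized_key "$tmp/id_rsa.pub" "$tmp/ssh" || rc=$?
    echo "second install: rc=$rc"           # rc=2, key not duplicated
    rc=0; install_authorized_key "$tmp/id_dsa.pub" "$tmp/ssh" || rc=$?
    echo "entries: $(wc -l < "$tmp/ssh/authorized_keys" | tr -d ' ')"   # 2
    weak_keys "$tmp/ssh/authorized_keys" && echo "WARNING: ssh-dss key present; regenerate as rsa or ed25519"
    rm -rf "$tmp"
}

demo
```

To use it on a real poller, copy the central site's public key into the home directory and run `install_authorized_key ~/id_dsa.pub`; `weak_keys ~/.ssh/authorized_keys` tells you whether any central site still uses a DSA key before you upgrade OpenSSH, and `sftp_noninteractive_check NH_USER central.example` (hostname assumed) returns non-zero if the connection would prompt for a password.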
Test the Secure FTP Connection
Test the secure FTP connection between the central site and the remote polling sites to verify that the sites do not prompt for a user name or password.
To test the secure FTP connection for OpenSSH
- Access a command prompt on the central site.
- Enter the following command:
sftp NH_USER@Hostname
NH_USER Specifies your CA eHealth user name (the same user that generated the keys).
Hostname Specifies the name of the remote polling site system.
The central site should connect to the remote polling site without requiring you to enter a user name or password. If you are prompted for a user name or password, key authentication is not set up correctly. Run the same command with sftp -v to see which keys the client offers and why the server rejects them, and verify that you have correctly completed the steps for Configure OpenSSH on Windows and Update Authentication File on a Windows Remote Site (in particular the home path in /etc/passwd and the permissions on .ssh and authorized_keys).
Note: Do not attempt to run the nhRemotePollerSetup command until you have verified that you have set up secure FTP correctly for each remote polling site.
Once key authentication works for every site, you can stop sshd from accepting passwords at all by setting PasswordAuthentication no in /etc/sshd_config on each remote site and restarting the sshd service; do this only after the key-based test has passed, or you will lock yourself out.
Repeat the sftp test for each remote polling site associated with this central site.