SSHing into a Windows Server on Amazon’s EC2
What looked at first like a simple task – turned out to cost me hours of trial and error.
Some of the problems I’ve encountered:
- Cygwin’s SSHd, OpenSSH and CopSSH all work great on Windows EC2 instances. Until you try to bundle an instance. After you launch a bundled instance – the SSHd service wouldn’t run, because of permissions problems – and throws weird error messages in the different logs.
- It turned out that Sysprep was responsible for this – mangling the permissions of the SSHd users.
- Turning Sysprep off as suggested in some places sounds like a recipe for problems down the road.
- Couldn’t find the source code of an SSHd implemented in Java, and FreeSSHd. Wouldn’t be smart to use closed-source applications for this, security wise…
- Couldn’t find any other SSHd client, or a full solution for this specific problem.
I Googled everywhere, until I assembled the solution which consists of:
- Installing Cygwin’s SSHd (thank you LifeHacker).
- AutoExNT service is used to run a batch file right after the machine’s launch (Thank you Microsoft).
- Update_Cygwin solved the permissions problem (Thank you VCL).
So, the steps to SSH into a Windows machine on Amazon EC2 are these:
- Install Cygwin, make sure you include the OpenSSH package.
- chmod +r /etc/passwd
- chmod +r /etc/group
- chmod 755 /var
- ssh-host-config
- Choose root as the name of the privileged account.
- Copy your public key into the authorized_keys file of the account you’d like to log-in with.
- Install the AutoExNT service.
- Run the update_cygwin script right after each instance launch.
- Don’t forget to open the SSH port on the security group of the instance.
I still don’t understand:
- How come Windows doesn’t come pre-configured with an SSHd service. What do people use in order to administer Windows Server machines? Unsecure Telnet? Do they all use Remote Desktop for this?? Very weird…
- How come there’s no solution for this already on Amazon EC2 forums? Saw lots of people run into this problem, and it seems like pretty basic stuff. I guess that Windows Server administration still isn’t that popular…
Thanks for everybody on the forum that saved me valuable time getting this problem behind me…
Now for the real work 
May 31st, 2009 at 1:11 am
I spent some time yesterday SSHing my niece.
She’s eight months old and gets cranky if she doesn’t get her nap time.
Does the Green Party Meymad know you’ve associated their logo with your occult geekish texts?
Cheers,
Mike
June 12th, 2009 at 3:06 am
June 18th, 2009 at 9:27 pm
Looks like The Resource Kit is not supported on 64bit platforms. Any alternatives to AutoExNT ?
July 8th, 2009 at 1:54 pm
Have you looked at PuTTY and WinSCP?
July 9th, 2009 at 11:30 pm
I use both of them as clients, what was challenging is to install an SSH server that could accept their connections on the EC2 machines…
September 10th, 2009 at 1:07 am
Thanks for this writeup. Big help.
I can’t believe it requires so many manual steps (click, turn off IE warning, click again, turn off another IE warning, repeat ad nauseum) to be able to make an AMI that whose sshd works!
January 26th, 2010 at 4:16 am
Update: we decided to abandon SSHding into machines, we had too many problems with cygwin – probably it’s still not ready for production in virtualized machines.
Update 2: Instead of autoexnt we now use group policy to auto start applications on machine loading.
Update 3: Bundling might not be that problematic anymore, with EBS machines.