SSHing into a Windows Server on Amazon’s EC2


What looked at first like a simple task turned out to cost me hours of trial and error.

Some of the problems I’ve encountered:

  • Cygwin’s SSHd, OpenSSH and CopSSH all work great on Windows EC2 instances, until you try to bundle an instance. After you launch a bundled instance, the SSHd service won’t run because of permissions problems, and throws weird error messages in the different logs.
  • It turned out that Sysprep was responsible for this – mangling the permissions of the SSHd users.
  • Turning Sysprep off as suggested in some places sounds like a recipe for problems down the road.
  • I couldn’t find the source code of an SSHd implemented in Java, or of FreeSSHd. It wouldn’t be smart to use closed-source applications for this, security-wise…
  • I couldn’t find any other SSHd client, or a full solution for this specific problem.

I Googled everywhere until I assembled the solution, which consists of:

  • Installing Cygwin’s SSHd (thank you LifeHacker).
  • AutoExNT service is used to run a batch file right after the machine’s launch (Thank you Microsoft).
  • Update_Cygwin solved the permissions problem (Thank you VCL).

So, the steps to SSH into a Windows machine on Amazon EC2 are these:

  • Install Cygwin, make sure you include the OpenSSH package.
  • chmod +r /etc/passwd
  • chmod +r /etc/group
  • chmod 755 /var
  • ssh-host-config
  • Choose root as the name of the privileged account.
  • Copy your public key into the authorized_keys file of the account you’d like to log-in with.
  • Install the AutoExNT service.
  • Run the update_cygwin script right after each instance launch.
  • Don’t forget to open the SSH port on the security group of the instance.
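
A post-setup check for the file modes these steps depend on, written as an added example (not part of the original post or of Cygwin). It verifies the chmod results and also that the login account's home, .ssh directory and authorized_keys are not group- or world-writable, which sshd's StrictModes option checks before accepting a key. The function names, the root-prefix argument and the ~/.ssh/authorized_keys location are assumptions.

```shell
#!/bin/sh
# Added example: audit the modes set by the chmod steps, plus the
# authorized_keys path that sshd's StrictModes inspects.
# Usage on the instance (Cygwin shell):  audit_sshd_modes "" "$HOME"
# The first argument is a hypothetical root prefix so the check can also
# be pointed at a test tree; "" means the live /etc and /var.

# Octal permission bits of a path (GNU stat, as in Cygwin's coreutils).
mode_of() { stat -c '%a' "$1" 2>/dev/null; }

# True if "others" have the read bit (result of chmod +r).
world_readable() {
    m=$(mode_of "$1") || return 1
    [ -n "$m" ] && [ $(( 0$m & 04 )) -ne 0 ]
}

# True if neither group nor others have the write bit.
not_group_world_writable() {
    m=$(mode_of "$1") || return 1
    [ -n "$m" ] && [ $(( 0$m & 022 )) -eq 0 ]
}

# Returns 0 when every check passes, 1 otherwise; prints one line per failure.
audit_sshd_modes() {
    root=$1; home=$2; rc=0
    for f in "$root/etc/passwd" "$root/etc/group"; do
        world_readable "$f" || { echo "FAIL: $f is not world-readable"; rc=1; }
    done
    [ "$(mode_of "$root/var")" = "755" ] ||
        { echo "FAIL: $root/var is not mode 755"; rc=1; }
    # Assumed default key location: <home>/.ssh/authorized_keys
    for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        not_group_world_writable "$f" ||
            { echo "FAIL: $f is missing or writable by group/others"; rc=1; }
    done
    return $rc
}
```

Running it from the startup batch file after update_cygwin gives an early signal when a freshly launched instance has come up with changed permissions.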

I still don’t understand:

  1. How come Windows doesn’t come pre-configured with an SSHd service? What do people use in order to administer Windows Server machines? Insecure Telnet? Do they all use Remote Desktop for this?? Very weird…
  2. How come there’s no solution for this already on Amazon EC2 forums? Saw lots of people run into this problem, and it seems like pretty basic stuff. I guess that Windows Server administration still isn’t that popular…

Thanks to everybody on the forum who saved me valuable time getting this problem behind me…

Now for the real work 🙂

15 thoughts on “SSHing into a Windows Server on Amazon’s EC2”

  1. I spent some time yesterday SSHing my niece.
    She’s eight months old and gets cranky if she doesn’t get her nap time.

    Does the Green Party Meymad know you’ve associated their logo with your occult geekish texts?

    Cheers,
    Mike

  2. Looks like The Resource Kit is not supported on 64bit platforms. Any alternatives to AutoExNT ?

  3. Thanks for this writeup. Big help.

    I can’t believe it requires so many manual steps (click, turn off IE warning, click again, turn off another IE warning, repeat ad nauseam) to be able to make an AMI whose sshd works!

  4. Update: we decided to abandon SSHding into machines, we had too many problems with cygwin – probably it’s still not ready for production in virtualized machines.
    Update 2: Instead of autoexnt we now use group policy to auto start applications on machine loading.
    Update 3: Bundling might not be that problematic anymore, with EBS machines.

  5. That update_cygwin script does a lot of stuff, making me suspect it is brittle. We went the AutoExNT route suggested above but found a much simpler implementation: we use AutoExNT to run ssh-host-config at startup if the service isn’t already running. AutoExNT’s batch file checks the instance’s user-data and, if desired, runs this bash script:

    # If cygrunsrv cannot query an sshd service, configure one and start it
    if ! cygrunsrv -Q sshd; then
        ssh-host-config -y -c ntsec -w
        net start sshd
    fi

    As a matter of hygiene we don’t run this script on our AMI source instances – in other words, our AMI source image lineage never has sshd turned on. Instead, the above script is only run on production instances that are launched from our rebundled AMIs but which are not themselves destined to be rebundled.

    To circle back, that’s where checking user-data comes in – to decide whether or not to run ssh-host-config. However, I do believe the above solution works even if you’re working off an AMI that itself had run ssh-host-config previously, but we don’t do it as a matter of course. YMMV.

  6. You forgot to mention that you have to enable port 22 on the windows instance firewall advanced settings. THAT took me 2 hours to figure out. –Noob

  7. During the process, it gives me “The RPC server is unavailable” message.
    I opened port 22, started RPC service on this remote machine. Do I need to restart the machine? Is it even a good idea to restart it?

  8. Seems like while configuring Cygwin on windows EC2 remote instance for SSHing, I am giving wrong domain name in the command mkpasswd -l [-d] > /etc/passwd

    I set root as my username and used that as the value for [-d]. I guess it’s wrong. Could anybody give me an example of [-d] here?

  9. You can simply add a free tier linux machine on the same subnet.
    And through that, you can have access to your entire subnet by using ssh port forwarding feature.
