How to Tunnel Remote Desktop using SSH (Cygwin) for

Windows XP (SP2)

The ssh server is an emulation of the UNIX environment and OpenSSH for Windows, by
Redhat, called cygwin

This manual covers:

Installation of Cygwin and SSH ............................................................................................1
Configuration of Variables ....................................................................................................3
Start and Stop sshd Services ..................................................................................................4
Setup passwd and group Files................................................................................................5
Open TCP port 22 ..................................................................................................................5
Test sshd Service ...................................................................................................................7
How to Update SSL / sshd.....................................................................................................8
Using PuTTY to Start a Remote Desktop Connection ..........................................................9

Installation of Cygwin and SSH

1. Login Windows XP as Administrator or as a user with Administrator privilege;
2. Make sure the current admin/user has a Windows password set. If not, go to Control
Panel; click User Accounts to create a password.
3. Just to be on the safe side, after you created a password, logoff and then log in again.
4. Create a folder c:\cygwin
5. Download cygwin's setup.exe from http://www.cygwin.com/ and save setup.exe in
c:\cygwin
Note: Cygwin's setup.exe can be used to add or delete or reinstall cygwin packages
after initial installation.
6. Double click c:\cygwin\setup.exe to start the installation
7. If you are asked to select "Just Me" or "All Users", choose "All Users"
8. When it asks for "Local Package Directory", type c:\cygwin

Cygwin_WindowsXP 1 / 10
 9. Choose a download site that is "close" to you. (e.g. “cse.yzu.edu.tw”). When a
selection screen comes up (you can resize the windows to see better), click the little

View button for "Full" view .

a. Find the package "openssh", click on the word "skip" so that an appears in
Column B, see picture below.

b. (Optional) find the package tcp_wrappers1, click on the word "skip" so that

an appears in Column B.

Notes: If you add "tcp_wrapper", you will most likely get "ssh-exchange-
identification: Connection closed by remote host" error.
If you get this error, then edit the file /etc/hosts.allow and add these two lines
before the PARANOID line. (After you finish the installation.)
ALL: 127.0.0.1/32 : allow
ALL: [::1]/128: allow.

10. Click Next to start installing cygwin and ssh.

(Size of the basic cygwin system is more than 50 Meg, this may take a while. If you
encounter problem during the installation, repeat the above steps or select another
download site.)

1
tcp_wrappers provide host-based access control and add an additional layer of protection by
defining which hosts are allowed or not allowed to connect to your PC. You can edit
"/etc/hosts.allow" or “/etc/hosts.deny”.

Cygwin_WindowsXP 2 / 10
Configuration of Variables
1. Right click My Computer, and then select Properties > Advanced tab >
Environment Variables;
Click New button to add a new entry to System variables:
variable name is CYGWIN
variable value is ntsec tty

Note: ntsec is to get a more UNIX-like permission structure based upon the security
features of Windows NT, http://erdelynet.com/archive/ssh-l/2004-06/2571.html for more
information.

2. Right click My Computer > Properties > Advanced > Environment Variables
Select the Path variable and click the Edit button, and then append ;c:\cygwin\bin to
the end of the existing variable string.
3. Open a cygwin window by double clicking the icon; a black screen pops open.
Set permission to these files and folder, at the prompt sign, type
chmod +r /etc/passwd
chmod +r /etc/group
chmod 755 /var

4. To generate the DSA security keys, at the prompt sign, type ssh-host-config -y
(It may take several minutes to generate the dsa security keys on a slower-end
computer.)

Cygwin_WindowsXP 3 / 10
 5. If the script asks you about "privilege separation", answer yes
If the script asks about "create a local user sshd on this machine", answer yes
If the script asks you about "install sshd as a service", answer yes
6. When the script stops and asks you for "environment variable CYGWIN=" answer
“ntsec tty”

Start and Stop sshd Services

1. To start the sshd service, at the prompt sign type
> net start sshd or
> cygrunsrv -start sshd

Note: If the service fails to start, try to change the owner:

> chown system /etc/ssh*
> chown system /var/empty or

Cygwin_WindowsXP 4 / 10
 > chown sshd_server /var/empty; and start the sshd service again:
> net start sshd
If you get "ssh-exchange-identification: Connection closed by remote host" error.
Edit the file /etc/hosts.allow and add these two lines before the line of PARANOID.
ALL: 127.0.0.1/32 : allow
ALL: [::1]/128: allow

2. To stop the sshd service, type > net stop sshd or cygrunsrv –stop sshd.

Setup passwd and group Files

1. It is important to match Windows user information with cygwin, otherwise you
cannot login. To check if you need to manually edit the /etc/group and passwd files:
a. Double click cygwin icon to open a window,
> cat /etc/group
> cat /etc/passwd
b. From the passwd file: look for your current Windows login name. Then look
for the GID (group ID) at the fourth field [fields are separated by colons] and
compare the group ID with that in the /etc/group file (at the third field.) It
should be the same in both files. If not, edit /etc/group so that it agrees.
2. If you logon your Windows XP to a domain, and your local account name is the same
as the domain name, then you would need to use administrator’s privilege to rename
the local account from name to name.local.
3. Then rebuild the passwd and group files with these two commands:
mkpasswd -cl > /etc/passwd
mkgroup -local > /etc/group
4. Then repeat step 1.a and 1.b.

Open TCP port 22

1. Open Windows Firewall to allow TCP port 22 through (for SSH connection). Your
Windows XP must be patched with SP2.
2. Click Start > Settings > Control Panel > Windows Firewall
3. Click Exceptions tab, click Add Port
Name: ssh
Port number: 22
and check the "TCP" checkbox

Cygwin_WindowsXP 5 / 10
 4. Click OK.

Cygwin_WindowsXP 6 / 10
Test sshd Service
1. To test sshd whether it is working, double click Cygwin to pop up a command
window.
2. At the command point, type
> whoami
> ssh localhost or
> ssh -v localhost

or
> ssh $USERNAME@127.0.0.1

3. If ssh complains "The authenticity of host xx.xx.xx.xx can't be established .... Are you
sure you want to continue connecting (yes/no)?" Answer yes
4. If you get an error message like "ssh-exchange-identification: Connection closed by
remote host", it is probably caused by McAfee 8.0i. Error is also related to
/etc/hosts.allow file.
5. If you get an error message like "entry point _getreent", or "QuerryService Status:
Win32 error 1062", it is probably caused by the existance of an older version of
"cygwin1.dll" located in the search path. Do a full serarch of "cygwin1.dll" and
remove the old version, except the current version at c:\cygwin\bin
6. If you get a prompt without error messages, type
> cd /cygdrive/c
> ls
7. if you see a directory listing, success! Type exit to end the cygwin ssh session.

Cygwin_WindowsXP 7 / 10
How to Update SSL / sshd
1. Check whether your ssl and sshd are up-to-date or not, go to
http://cygwin.com/packages/openssl/ and click on the latest packet link:
(Sample)
Wed Mar 25 17:38:35 2009 41 etc/profile.d/openssl.sh
Wed Mar 25 17:38:35 2009 109 etc/profile.d/openssl.csh
Wed Mar 25 17:38:36 2009 237568 usr/bin/cygssl-0.9.8.dll
Wed Mar 25 17:38:35 2009 361472 usr/bin/openssl.exe

http://cygwin.com/packages/openssh/ and click on the latest packet link:

(Sample)
Thu Nov 20 18:18:27 2008 310272 usr/sbin/sshd.exe
Thu Nov 20 18:18:28 2008 150016 usr/sbin/ssh-keysign.exe
Thu Nov 20 18:18:28 2008 41472 usr/sbin/sftp-server.exe

2. Compare to the ssl which is installed in your PC. Double click cygwin icon to
open a window, and change to the directory /etc/profile.d.

From this figure, the ssl dated to Jan 8, 2009 is older than the current one listed at
http://cygwin.com/packages/openssl/.
3. Then run the setup.exe again to patch ssl (refer to the section of “Installation of
Cygwin and SSH” starting from step 5).
4. Similarly, compare to the sshd which is installed in your PC. Change to the directory
/usr/sbin and type ls –l to list the files.

Cygwin_WindowsXP 8 / 10
 From this figure, the sshd.exe dated to Nov 21, 2008 is up-to-date.

Reference: http://pigtail.net/LRP/printsrv/cygwin-sshd.html; for more information about

Cygwin, go to http://cygwin.com/faq/.

Using PuTTY to Start a Remote Desktop Connection

Refer to “How to Tunnel Remote Desktop through SSH on a Windows Computer (Using
PuTTY); or

1. To open an Command Windows, click Start -> Run, and then input “cmd”

2. At the command prompt (where the PuTTY program is located), e.g.

C:\Program Files> putty –L 9001: office-pc:3389 office-pc
(Where office-pc is the hostname of your office PC)

3. Login to you office-pc when prompted. You can minimize the active PuTTY session and
keep the program running.

4. Go back to the Command Windows,

C:\Program Files> mstsc /v:localhost:9001 or

Cygwin_WindowsXP 9 / 10
 Start your Remote Desktop program as usual,

1. Login your office-pc on the remote desktop. After you successfully login, you will see your
Remote Desktop Window similar as the one below.

2. After you have finished using Remote Desktop, exit from the program as normal and then
close the PuTTY program.

Cygwin_WindowsXP 10 / 10