Frequently Asked Questions about Using WinSSHD

If you have a problem using WinSSHD - and even if you don't - you should first become comfortable with the WinSSHD log files. WinSSHD writes warnings and errors into the Application section of the Windows Event Log, but it also writes more detailed information to textual log files. These are located by default in the 'Logs' subdirectory of the WinSSHD installation directory.

Whenever you have a problem, the WinSSHD log files are the first place you should look.

Getting It Up and Running

Q10. After I install WinSSHD, what do I need to configure before I can start using it?

For a basic open setup, just start the WinSSHD service and it will work. Use one of your existing Windows account names and passwords to log on. For a basic usage case, where you want to use WinSSHD for remote administration, the default WinSSHD settings do not need to be changed. However, after you have established a successful connection, consider locking down your settings to prevent SSH access to Windows accounts and features that you do not want to be accessible over SSH.

Q11. How do I log in to a Windows domain account?

Specify the username in the standard domain, backslash, account format - for example, 'company\john' - or with a fully qualified name, for example 'john@company.com'. Alternatively, add the domain name to the Domain Order setting.

Q11B. How do I log in to a Windows domain account without having to specify a fully qualified username?

The 'Domain order' setting in WinSSHD Settings is provided for this purpose. Configure an entry specifying the domain name where you would like WinSSHD to start looking up unqualified usernames. You can configure multiple such domain names.

Q12. What client software can I use to connect to WinSSHD?

You can use any client program that supports SSH, as long as it implements SSH version 2 - the newer and secure version of the protocol. There are multiple types of SSH clients, including terminal session clients, file transfer clients, port forwarding clients, command execution clients, and they come in all sorts of combinations. If your client machine runs Windows, you can use our Tunnelier client for most purposes. Tunnelier offers an excellent terminal console, graphical file transfer, dynamic and manual port forwarding, as well as scriptable command-line clients and an FTP-to-SFTP bridge. Also available for Windows is PuTTY, which includes SSH file transfer programs 'pscp' and 'psftp'. On Unix platforms, the OpenSSH package is freely available and provides the 'ssh' program for terminal sessions and port forwarding, as well as 'scp' and 'sftp' for file transfers.

Q13. My WinSSHD log shows an error like 'Failed to bind listening socket', and I cannot connect to WinSSHD.

Such an error indicates that another application is already listening on the port you have configured for WinSSHD. The default port is 22, and this port is used by default by all SSH servers. It is likely that you already have another SSH server running on your machine, and that it is occupying port 22. You either need to shut down the other SSH server, or configure WinSSHD to listen on a different port.

Q14. I can only log in with an administrator account - attempting to log in with a regular account fails.

The two most common causes are:

  • You are trying to log in with an account configured in WinSSHD to use the 'interactive' logon type, but this account does not have the Windows permission to log on locally. On domain controllers, this permission is not granted to regular users by default and must be enabled in the Domain Controller Security Policy.
  • You have successfully logged in with an account configured in WinSSHD to use the 'network' logon type, or you logged in using GSSAPI (Kerberos or NTLM) authentication, but starting the terminal shell failed with an Access Denied error. This is because default filesystem permissions on Windows 2003 servers grant access to cmd.exe and other command line tools only to 'interactive' users. Switch this user or group in WinSSHD to use the 'interactive' logon type, or modify filesystem permissions for cmd.exe and other command-line tools to allow execution by users logged in with the 'network' logon type.

For more information, please read the Network vs. interactive logon section in the WinSSHD Users' Guide.

Q15. I'm trying to get some SSH client to work with WinSSHD. However, the session gets terminated immediately after connecting, and the WinSSHD event log tells me: 'Unable to create child process: Access is denied.' What is going on?

In order to provide SFTP, SCP, terminal shell, or exec request functionality, WinSSHD must have permission from Windows to execute a child process in the name of the user. You have probably configured your machine in such a way that, when the user logs in and WinSSHD starts impersonating that user, WinSSHD loses permission to execute the necessary child processes. In order to use WinSSHD, you must configure your machine so that the remote user will be able to run executables in the WinSSHD installation directory; plus, of course, whatever programs you want the user to be able to execute, such as the terminal shell - 'cmd.exe'. Read and execute access is also required to the dynamic-link libraries that programs use - in particular, system libraries which reside in the \Windows and \Windows\System32 directories.

File Transfer Issues

Q20. How do I get WinSCP to work with WinSSHD?

The latest WinSCP versions work fine in SFTP mode. Older WinSCP versions that only support SCP can also be made to work if you install the Cygwin bash shell and Cygwin's SCP, configure the bash shell to be used in WinSSHD, and move WinSSHD's scp.exe out of the way. However, it is much easier to simply use the latest version of WinSCP and toggle the setting to make it talk SFTP.

Q22. What is the difference between SCP and SFTP?

SCP and SFTP are two different file transfer protocols. SFTP is well-documented and standardized, while SCP is an ad-hoc adaptation of the Unix utility 'rcp'. SFTP is launched by the client opening a session channel and requesting the 'sftp' subsystem. SCP is launched by the client instructing the server to execute SCP via an SSH exec request.

In WinSSHD 4, the SCP subsystem was not supported as well as SFTP. Since WinSSHD 5, support for the two subsystems is integrated, and the same virtual filesystem can be accessed equally through SFTP and SCP.
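The two launch mechanisms from Q22 can be compared at the message level. The following is an added example, not WinSSHD code: it builds and classifies the SSH channel request payloads laid out in RFC 4254. The 'scp -t /upload' command string is a constructed sample of what an SCP client typically sends.

```python
import struct

SSH_MSG_CHANNEL_REQUEST = 98  # message number from RFC 4254


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def channel_request(channel: int, req_type: str, argument: str) -> bytes:
    """Build a 'subsystem' or 'exec' channel request with want_reply set."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", channel)
            + ssh_string(req_type.encode()) + b"\x01"
            + ssh_string(argument.encode()))


def read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end


def transfer_protocol(payload: bytes) -> str:
    """Classify a channel request as 'sftp', 'scp' or 'other'."""
    if len(payload) < 5 or payload[0] != SSH_MSG_CHANNEL_REQUEST:
        raise ValueError("not a channel request")
    req_type, off = read_string(payload, 5)   # bytes 1..4 are the channel number
    off += 1                                  # skip the want_reply boolean
    if req_type not in (b"subsystem", b"exec"):
        return "other"                        # e.g. 'shell' or 'pty-req'
    arg, _ = read_string(payload, off)
    if req_type == b"subsystem":
        return "sftp" if arg == b"sftp" else "other"
    words = arg.decode("utf-8", "replace").split()
    return "scp" if words and words[0] == "scp" else "other"


# Constructed sample requests: SFTP names a subsystem, SCP is a command line.
SFTP_REQUEST = channel_request(0, "subsystem", "sftp")
SCP_REQUEST = channel_request(0, "exec", "scp -t /upload")
```
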

Public Key Authentication

Q30. Someone wants to use public key authentication to log into the WinSSHD server that I am administering. They have already sent me their public key file. How do I tell WinSSHD to use the public key file when that user logs in?

Open WinSSHD Settings and go to Access Control > Windows accounts (or Virtual accounts if this is a virtual user). If an entry for this user is not already present, you need to add one. For Windows accounts, the name of the entry must match the Windows username that will be used when logging in. Now, click Edit to open the account entry in a new window, and click the 'Public keys' link. A key management window will open which you can use to import the public key.

If you are using one of the later WinSSHD 3.xx versions, the name of the link is '0 Keys' or 'n Keys'.

If using WinSSHD 4 or newer, please also read this page in the WinSSHD Users' Guide for important information about how WinSSHD account and group settings work.

Q31. I am unable to import a user's public key within the WinSSHD user key management window. I keep getting a dialog box telling me that the public key could not be imported. What could be the problem?

It is most likely that the public key you are trying to import is not in the right format. It might be an SSH1 public key file instead of an SSH2 key, or it might be something entirely alien. The formats supported by WinSSHD are the standard SSH2 public key format, and the OpenSSH SSH2 public key format. The OpenSSH SSH1 public key format is different and incompatible with SSH2.
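A key file can be checked before attempting the import described in Q31. This added example is not part of WinSSHD: it tells apart the standard SSH2 format (RFC 4716), the OpenSSH SSH2 one-line format and the OpenSSH SSH1 format. The sample keys are constructed and are not real key material.

```python
import base64
import binascii
import struct


def blob_algorithm(b64_text):
    """Return the algorithm name at the start of an SSH2 key blob, or None."""
    try:
        blob = base64.b64decode(b64_text, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or n > 64 or len(blob) < 4 + n:
        return None
    return blob[4:4 + n].decode("ascii", "replace")


def classify_public_key(text):
    """Return 'ssh2-standard', 'ssh2-openssh', 'ssh1' or 'unknown'."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return "unknown"
    if lines[0] == "---- BEGIN SSH2 PUBLIC KEY ----":
        if lines[-1] != "---- END SSH2 PUBLIC KEY ----":
            return "unknown"
        body, in_header = [], False
        for ln in lines[1:-1]:
            if in_header or ":" in ln:         # header, or its continuation
                in_header = ln.endswith("\\")  # backslash continues a header
                continue
            body.append(ln)
        return "ssh2-standard" if blob_algorithm("".join(body)) else "unknown"
    fields = lines[0].split()
    if len(lines) == 1 and len(fields) >= 2:
        # OpenSSH SSH2: "<algorithm> <base64 blob> [comment]"
        if blob_algorithm(fields[1]) == fields[0]:
            return "ssh2-openssh"
        # OpenSSH SSH1: "<bits> <exponent> <modulus> [comment]"
        if len(fields) >= 3 and all(f.isdigit() for f in fields[:3]):
            return "ssh1"
    return "unknown"


# Constructed samples: the blob has a valid "ssh-rsa" prefix, then filler.
SAMPLE_BLOB = base64.b64encode(
    struct.pack(">I", 7) + b"ssh-rsa" + bytes(range(32))).decode()
OPENSSH_KEY = "ssh-rsa " + SAMPLE_BLOB + " john@example"
STANDARD_KEY = ("---- BEGIN SSH2 PUBLIC KEY ----\nComment: \"constructed\"\n"
                + SAMPLE_BLOB + "\n---- END SSH2 PUBLIC KEY ----\n")
SSH1_KEY = "1024 35 1234567890123456789 john@example"
```

A result of 'ssh1' or 'unknown' corresponds to the import failure described above.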

Q32. I set up my account for public key authentication, but the next time I tried to log in, I still got asked for a password. Why?

When you enable public key authentication for an account and configure a public key, WinSSHD needs to cache the password so that later you can log in with just the public key. There are two ways for WinSSHD to get the password: either you enter it yourself, in WinSSHD Control Panel > Manage password cache or using the wcfg utility; or WinSSHD gets it from the SSH client. If there's no password in the cache on your first login attempt after you set up public key authentication, WinSSHD will ask you for a password - even if your client already authenticated successfully using a public key. If you supply a valid password, WinSSHD will cache it, and you will not be asked to enter it again until it changes.

Q33. How do I set up public key authentication with Tunnelier?

Generate a keypair in Tunnelier's User Keypair Manager. Use the Export button to export the public key in standard SSH2 format. Transfer the resulting file onto the WinSSHD machine. Follow the instructions in Q30 (above) to import the public key into WinSSHD. In Tunnelier, configure the Login : Authentication : Initial Method setting so that Tunnelier will use your generated user keypair for authentication. You can also save your Tunnelier settings into a profile for convenience. You will now be able to connect with public key authentication.

Account Settings

Q40. How do WinSSHD account settings work?

Please read this page in the WinSSHD Users' Guide for this important explanation.

Q43. How can I limit a user so that they cannot access files outside of a certain directory?

The answer depends on what sort of access you have in mind. For shell access and remote execution, jailing a user is possible only through Windows file system permissions. On the other hand, if you are permitting the user only file transfer access (using SFTP and SCP), you can configure a limited-access virtual filesystem for the user by editing settings for their account or group in WinSSHD Settings. If editing account settings, disable 'Use default SFS map', then open SFS virtual filesystem mount points, and set the 'Real root path' setting for the default mount point ('/') to the directory you want them to access.

Usage

Q51. How can a user change their password remotely?

WinSSHD supports changing a Windows account password during SSH user authentication by using a client that supports this feature, such as Tunnelier.

Additionally, WinSSHD comes with a 'bvPwd' utility which allows any user to change their password if they know what it currently is. The utility can be found in the WinSSHD installation directory; run it with 'bvPwd -h' for help. Additionally, administrators can use the 'net user' command intrinsic to Windows to change any user's password - type 'net help user' in a Command Prompt for help.

Passwords for WinSSHD virtual accounts cannot be changed by the virtual user themselves, but can be changed by an administrator in WinSSHD Settings or using wcfg.

Contacting Support

Q. I read the entire FAQ, but it didn't help me solve my problem. What do I do?

Visit our discussion groups. Use the search function to see if your issue has been raised in the past. If not, feel free to post a support query in the appropriate forum, in which you describe your problem in as detailed a manner as possible. The more information you supply, the greater the chance of a swift and effective resolution.