Recently I had to replace an older Windows server. Over the years this server had acquired multiple additional roles. One of those was being the backup target for our Cisco ISE servers. While I could have just installed FileZilla and continued to use FTP, I decided to get OpenSSH installed and use SFTP instead.
Installing OpenSSH
My first step was to get OpenSSH installed. Although there are installers for Windows including Cygwin, there is a new option. With the latest releases of Windows Server 2019 and Windows 10, OpenSSH can be installed as a Windows feature. I find PowerShell to be the easiest way to add features as shown below:
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
Configuring OpenSSH
This will install both the OpenSSH client and server. If you want to use keys for authentication, there are more steps. Those instructions can be found here. My next step was to set up the services to run automatically on boot and to start them using PowerShell.
Set-Service -Name ssh-agent -StartupType ‘Automatic’
Set-Service -Name sshd -StartupType ‘Automatic’
Start-Service ssh-agent
Start-Service sshd
At this point, you should be able to log in via SSH to the server with your Windows username and password. For my needs, I set up a local user on this server for ISE so that I didn’t have to give ISE an AD account. Also, I wanted the root directory when that user logs in to be C:\Users\ISEUser\Documents\ instead of C:\. To do this I had to edit the sshd_config file. It is located in C:\ProgramData\ssh\sshd_config. In this file, I added a stanza as shown below. The ChrootDirectory statement tells OpenSSH to treat C:\Users\ISEUser\Documents as \ in terms of SSH (and SFTP).
Match User ISEUser
ChrootDirectory C:\Users\ISEUser\Documents
Configuring Cisco ISE
Configuring a repository for SFTP is almost identical to the setup for FTP.
After you’re done configuring the repository, you will get an alert from ISE… please read it.
Did you read it? If not, please go back and read it. Ok, now we can continue. One thing that this message doesn’t say is that you have to do this command on the host that the backups are run on at the least or since repositories can be used on all hosts, run on all of the hosts. That’s what got me. I did see the message and put it on the node I was using for administration. Unfortunately, backups ran off a different node so I spent 4 hours troubleshooting my Windows OpenSSH service. Thankfully you can learn from my misery.
Ben’s Thoughts
Windows is finally catching up with native tools that Linux has had for years. In an environment where it is easier to acquire a Windows Server tools like this will definitely come in handy. This also taught me to pay more attention to the details of the random warning messages that I’ve gotten numb to over the years. Sometimes they have something useful to say.