I did this on Windows 7 SP1 x64, and it has the following assumptions:
- your machine is joined to the domain
- your firewall is properly set up to allow in SSH traffic (TCP port 22)
- I'm not sure if it matters, but any time I used an elevated command prompt, I specified a domain account I added to the local Administrators group (not domain admin), and not a local admin account.
- Install CopSSH 4.1.0
- Open the CopSSH control panel, and add a local user. Set the preferences for what you'd like the domain users to have.
- Exit the Control Panel. From this point, do not EVER open the control panel again, otherwise it'll wipe out anything you do manually. To make sure I don't run it by accident, I zipped it up (in case I needed it later) then deleted the exe.
- Start an elevated command prompt
- cd to the bin directory in the CopSSH program files folder
- Activate your Active Directory user:
    copsshadm.exe --command activateuser --user "DOMAIN\username"
- In the etc directory, edit the file sshd_config with Notepad++, or some other editor that's friendly with UNIX formatted files
- You'll see an entry that starts with Match User. This was created for the local user you activated in step 2. Copy that entire section (the Match User line through the MaxSessions line), and paste it directly below it.
- change the local username to be the domain username you activated in step 4 (just put the username, do not put the domain).
- Save the file
- Go to the Windows Services MMC Console, and restart the OpenSSH SSHD service
- You should now be able to SSH into your Windows machine
- If you want to allow public key authentication:
    - in the sshd_config file, set PubkeyAuthentication to yes
    - make sure your public key file is in OpenSSH format (not PuTTY formatted) and is named authorized_keys
    - copy this file to the .ssh directory for the home folder for your Active Directory user in the CopSSH program files directory
Here's why I had to do this:
- When I used the CopSSH control panel to try to activate a domain user, the Domain field never showed the Active Directory domain (only the local machine).
- When I manually modified the copsshcp.config file and added the domain user, the user would properly show up in the Control Panel, but still not allow logins.
- Also after you manually add a domain user, any time you try to open the Control Panel, it appears to try to rebuild the group and passwd files by querying Active Directory. Our AD has 100,000+ users and several thousand groups. Having this app query for all users and groups (to rebuild these files) every time you open it or make a change is probably why it's not working right for me.
- To fix this issue, I'm guessing that the devs will need to update the app to only query for specific usernames or groups, and not pull all user and group info from Active Directory as it currently does (or maybe leave this as default, but have a large domain option).
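As an added example (not from the original post and not part of CopSSH's own tooling), the script below performs the sshd_config edit described in the steps above in a repeatable way: it finds the "Match User" block that the control panel wrote for the local user, copies it directly below with the bare domain username (rejecting a DOMAIN\ prefix), turns on PubkeyAuthentication in the global section only, and checks that a public key file is in OpenSSH format rather than PuTTY's "---- BEGIN SSH2 PUBLIC KEY ----" export. The sample config, the local user name (localsshuser), the domain user (jdoe) and the directives inside the sample Match block are constructed placeholders; the script relies only on the two things the post names, the Match User line and the closing MaxSessions line. Restarting the SSHD service is still done by hand as in the steps.

```python
import re

# Constructed sample sshd_config in the shape the post describes: a global section,
# then one "Match User" block written for the local user, ending at MaxSessions.
# The user name and directive values are placeholders, not copied from a real install.
SAMPLE_SSHD_CONFIG = """\
Port 22
PubkeyAuthentication no
PasswordAuthentication yes

Match User localsshuser
    AllowTcpForwarding yes
    PasswordAuthentication yes
    MaxSessions 10
"""

# Key types that begin an OpenSSH-format authorized_keys line. PuTTY's default export
# ("---- BEGIN SSH2 PUBLIC KEY ----", RFC 4716) is not accepted in authorized_keys.
OPENSSH_KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def find_match_block(config_text, username):
    """Return (start, end) line indexes of 'Match User <username>' through its
    MaxSessions line (inclusive), or None if no such block exists."""
    lines = config_text.splitlines()
    start = None
    for i, line in enumerate(lines):
        if start is None:
            if re.match(rf"^\s*Match\s+User\s+{re.escape(username)}\s*$", line):
                start = i
        elif re.match(r"^\s*MaxSessions\b", line):
            return start, i
    return None


def add_domain_user_block(config_text, local_user, domain_user):
    """Copy the local user's Match block and paste it directly below with the
    domain user's bare name (no DOMAIN\\ prefix), as the post's manual step does."""
    if "\\" in domain_user or "@" in domain_user:
        raise ValueError("use the bare username, not DOMAIN\\username or user@domain")
    span = find_match_block(config_text, local_user)
    if span is None:
        raise ValueError(f"no 'Match User {local_user}' block found")
    start, end = span
    lines = config_text.splitlines()
    block = lines[start:end + 1]
    header = re.sub(rf"(Match\s+User\s+){re.escape(local_user)}",
                    lambda m: m.group(1) + domain_user, block[0])
    new_block = [header] + block[1:]
    out = lines[:end + 1] + [""] + new_block + lines[end + 1:]
    return "\n".join(out) + "\n"


def set_global_directive(config_text, key, value):
    """Set a directive in the global section only (before the first Match line),
    so a value inside a Match block is never edited by mistake. A commented-out
    '#Key' line is uncommented and rewritten; otherwise the line is inserted
    just above the first Match block (or appended if there is none)."""
    lines = config_text.splitlines()
    pattern = re.compile(rf"^\s*#?\s*{re.escape(key)}\b", re.IGNORECASE)
    first_match = len(lines)
    for i, line in enumerate(lines):
        if re.match(r"^\s*Match\b", line):
            first_match = i
            break
        if pattern.match(line):
            lines[i] = f"{key} {value}"
            return "\n".join(lines) + "\n"
    lines.insert(first_match, f"{key} {value}")
    return "\n".join(lines) + "\n"


def is_openssh_pubkey(text):
    """True if the first non-blank line looks like an OpenSSH public key line
    ('<type> <base64> [comment]'); False for PuTTY/RFC 4716 '---- BEGIN ...' files."""
    for line in text.splitlines():
        if line.strip():
            parts = line.split()
            return len(parts) >= 2 and parts[0] in OPENSSH_KEY_TYPES
    return False


if __name__ == "__main__":
    cfg = add_domain_user_block(SAMPLE_SSHD_CONFIG, "localsshuser", "jdoe")
    cfg = set_global_directive(cfg, "PubkeyAuthentication", "yes")
    print(cfg)
```

Editing only the global section matters because the pasted Match block may itself carry a PasswordAuthentication or similar directive for that one user; a naive search-and-replace across the whole file would change the per-user block instead of the setting that applies to everyone.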