How to Install Cygwin SSH Client and Server using version 2.774

— ny_wk

Installing a Cygwin SSH client and server on Windows gives you a Linux-style OpenSSH stack for batch scripting, secure shell access, and SFTP file transfers on a Windows host. This guide walks through a clean install of Cygwin, configuring the sshd service with ssh-host-config, granting user access, setting up key-based authentication, and fixing the most common startup failures.

Important version note: the original procedure this is based on referenced Cygwin setup 2.774 and OpenSSH 6.0p1-1. Those are long out of date and contain known security vulnerabilities. There is no Cygwin installer numbered 2.774 today — the current installer is named setup-x86_64.exe and reports a version like 2.9xx, while OpenSSH ships at 9.x. Always download the current installer from the official cygwin.com site and select the latest OpenSSH. The steps below are written against modern Cygwin; where the legacy workflow differed, that is called out.

Why use Cygwin SSH on Windows

Cygwin is a POSIX-compatible environment for Windows. It is a collection of GNU and open-source tools — bash, OpenSSH, coreutils, vim and more — recompiled to run natively on Windows through the cygwin1.dll compatibility layer. For administrators it solves three recurring problems:

  • Shell scripting: run real bash scripts, cron-style jobs and pipelines on a Windows server.
  • Inbound SSH/SFTP: expose an OpenSSH server so remote Linux/Unix hosts can push or pull files securely.
  • Key-based automation: use passwordless SSH key exchange for unattended scp/sftp batch jobs.

If you only need an SSH/SFTP server and do not need the wider Cygwin toolset, also consider the Windows built-in OpenSSH feature (Settings → Optional Features → OpenSSH Server) on Windows 10/11 and Windows Server 2019+. It is Microsoft-supported and requires no third-party DLL. Cygwin remains the better choice when you genuinely need a Linux-like shell and userland alongside the server.

Before you begin: prerequisites

  • Administrator rights. Log on with an account that has local administrator privileges. Cygwin ties file ownership to the installing account, so a local account (not a domain account that might later be deleted) is the safest choice for the install.
  • Disk and path. Pick a root install directory you control, for example D:\cygwin. Avoid C:\Program Files — spaces and tightened ACLs complicate POSIX permissions.
  • Network. If the host has internet access, install directly from a mirror. For locked-down servers, download packages once to a local folder and install offline.
  • Firewall. Remote SSH/SFTP needs inbound TCP 22 to be allowed, so plan the firewall rule before you start.

Step 1: Install Cygwin and the OpenSSH package

The Cygwin installer is also its package manager and updater — you run the same setup-x86_64.exe every time you add or upgrade packages.

  1. Download setup-x86_64.exe from cygwin.com/install.html and run it as administrator. Click Next on the welcome screen.
  2. Choose a download source. Select Install from Internet for an online host, or Install from Local Directory if you pre-downloaded the packages. Click Next.
  3. Set the Root Directory to D:\cygwin and leave Install For on All Users. Click Next.
  4. Accept the default Local Package Directory (where downloaded .tar packages are cached) and click Next. If prompted to choose a connection type, accept the default and continue.
  5. When installing from the internet, pick a nearby mirror from the list and click Next.
  6. In the package selector, switch the top View to Full and search for openssh. Click the word Skip next to openssh so it changes to the latest version number — this marks it for installation.
  7. Leave Select required packages (RECOMMENDED) checked so dependencies such as libcrypt and the OpenSSL libraries are pulled in automatically. Click Next and confirm the package list.
  8. Let the install finish, tick Add icon to Start Menu / Desktop, then click Finish.

You do not need to manually hunt for separate libwrap0 packages as the legacy guide did; modern OpenSSH no longer depends on TCP wrappers, and the dependency resolver handles the rest. Open the Cygwin Terminal from the desktop to confirm a bash prompt appears.

Step 2: Configure the sshd service with ssh-host-config

This is the core of installing a Cygwin SSH server. The ssh-host-config script generates host keys, creates the configuration, and registers sshd as a Windows service.

  1. Open the Cygwin Terminal as administrator (right-click → Run as administrator). Privilege separation requires it.
  2. Run the host configuration script:
    ssh-host-config -y
    The -y flag answers "yes" to the standard prompts and accepts sensible defaults.
  3. When asked for the value of CYGWIN for the daemon, the safe modern answer is to leave it blank (press Enter) or use ntsec. Note: tty is obsolete and ntsec is now the default behavior, so an empty value is usually correct.
  4. When prompted to create a privileged service account, accept it. On modern Cygwin you are asked whether to use a new account name — the conventional name is cyg_server. Choose a strong password that satisfies your Windows password policy.

Critical: the legacy guide hard-coded a weak example password. Never reuse a published password. If your domain or local policy enforces complexity and the password you supply does not meet it, Windows silently rejects it, the cyg_server account is created without a valid logon password, and sshd fails to start with a vague "logon failure." See the troubleshooting section to recover from exactly this case.

Start the service once configuration completes:

    net start sshd

The installer sets the CYGWIN sshd service to start automatically after reboot, so you do not need to start it manually again.

Step 3: Set environment variables and file permissions

Two adjustments keep scripts and authentication working smoothly on Windows.

  • PATH: add Cygwin's binaries so you can call ssh, scp and sftp from cmd and PowerShell. Append ;D:\cygwin\bin to the system Path variable (System Properties → Advanced → Environment Variables).
  • Line endings: the old SHELLOPTS=igncr trick told bash to ignore carriage returns in CRLF scripts. On current Cygwin the cleaner fix is to save scripts with Unix (LF) line endings or run dos2unix script.sh. If you maintain legacy CRLF scripts, you may still set a system variable SHELLOPTS with value igncr, but treat it as a workaround, not a best practice.

Grant the local Administrators group full control of the two account-mapping files so they can be edited and so the service can read them:

  • D:\cygwin\etc\passwd
  • D:\cygwin\etc\group

Modern Cygwin can resolve Windows accounts on the fly without these files, but generating them explicitly remains the most predictable way to control which users may authenticate.

Step 4: Enable local and domain user access

Cygwin authenticates against Windows accounts, but those accounts must be visible in /etc/passwd and /etc/group. Generate the entries with mkpasswd and mkgroup.

For a domain user, log on with a domain account that has local admin rights, open the Cygwin Terminal, and run:

    mkgroup -d -g 'Domain Users' >> /etc/group
    mkpasswd -d -u bgates01 >> /etc/passwd

Use the fully qualified domain name after -d if your environment requires it (for example -d office.example.net). The legacy guide's -p /home flag is deprecated; modern mkpasswd assigns the home directory automatically.

A few rules that trip people up:

  • Usernames are case-sensitive in Cygwin. Enter the account exactly as it appears in Active Directory, or authentication fails.
  • Avoid duplicate account names from different domains (for example office\bgates and sysdev\bgates). Cygwin's sshd cannot disambiguate them, and only the first entry written to /etc/passwd will be able to log in.

Verify the login from the same host or a remote workstation:

    ssh bgates01@localhost

At the Are you sure you want to continue connecting? prompt, type yes, then enter the Windows password. A bash prompt confirms success.

Step 5: Set up SSH key-based authentication

For unattended batch and SFTP jobs, key authentication removes the need to store passwords. Generate the key pair on the host that initiates the connection.

  1. Generate a modern key. The original guide used rsa -b 2048; today an Ed25519 key is preferred for security and speed:
    ssh-keygen -t ed25519 -C "batch@host"
    If a remote system only supports RSA, use ssh-keygen -t rsa -b 4096 instead. Press Enter to accept the default path; leave the passphrase empty only for fully automated jobs, and protect the private key with strict file permissions instead.
  2. Confirm the pair exists:
    ls ~/.ssh
    You should see id_ed25519 (private) and id_ed25519.pub (public).
  3. Copy the public key to the destination host. The simplest, least error-prone method is:
    ssh-copy-id user@destination
    If ssh-copy-id is unavailable, copy it manually with scp and append it:
    scp ~/.ssh/id_ed25519.pub user@destination:~/
    ssh user@destination
    mkdir -p ~/.ssh && cat ~/id_ed25519.pub >> ~/.ssh/authorized_keys
    rm ~/id_ed25519.pub
  4. Fix permissions on the destination — OpenSSH refuses to use key files whose permissions are too open:
    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys
    Note the correction from the source, which set 0600 on the .ssh directory. A directory needs the execute bit (mode 700); only the authorized_keys file should be 600.

Verification: confirm the SSH and SFTP connection works

Test end to end before declaring the install complete. The verbose flags surface exactly where a handshake fails.

  1. Confirm the service is listening:
    Run net start | findstr /i sshd (on Windows) or cygrunsrv -Q sshd in the Cygwin shell.
  2. Test an interactive SSH session with full debug output:
    ssh -vv user@destination
  3. Test SFTP the same way:
    sftp -vv user@destination
  4. Check the installed versions:
    1. uname -a for the Cygwin/Windows build.
    2. ssh -V for the exact OpenSSH version.

If key auth still prompts for a password, run ssh -vv and look for lines mentioning authorized_keys permissions or Authentications that can continue — they pinpoint the cause.

Common pitfalls and troubleshooting

sshd will not start ("logon failure")

This is the single most common failure, almost always caused by the cyg_server password not meeting policy, or by stale cached credentials after a reinstall. Fix it cleanly:

  1. Open Computer Management (compmgmt.msc) → Local Users and Groups → Users, locate cyg_server, and reset its password to a policy-compliant value.
  2. Open Services (services.msc), double-click the CYGWIN sshd service, go to the Log On tab, and enter the new password.
  3. Start the service from the Services console, or run net start sshd.

To rotate the cyg_server password later, stop the service first (net stop sshd), change the password in both the user account and the service Log On tab, then restart it — the two must always match.

Permission-denied or refused keys

OpenSSH ignores authorized_keys if the file or its directory is world-writable. Re-apply chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys, and make sure the home directory itself is not group/other writable.
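
The permission rules from Step 5 and this section can be checked in one pass. The following is an added example, not part of the original guide: a shell function that flags a home directory, .ssh directory or authorized_keys file with bits beyond 755/700/600, and a directory missing its owner execute bit. The name audit_ssh_perms is hypothetical, and GNU stat (Cygwin's coreutils) is assumed.

```shell
#!/usr/bin/env bash
# Added example: audit the permissions that decide whether authorized_keys is used.
# audit_ssh_perms is a hypothetical helper name; requires GNU stat (coreutils).
# Usage: audit_ssh_perms "$HOME"

audit_ssh_perms() {
    local home="$1" rc=0 pair path want mode
    # path:maximum-mode pairs. The home directory only has to be free of
    # group/other write bits (755 at most); .ssh and authorized_keys use
    # the 700/600 values from this guide.
    for pair in "${home}:755" "${home}/.ssh:700" "${home}/.ssh/authorized_keys:600"; do
        path="${pair%:*}"; want="${pair##*:}"
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        mode="$(stat -c '%a' "$path")"
        # The legacy mistake: 600 on a directory removes the execute (search) bit.
        if [ -d "$path" ] && [ $(( 0$mode & 0100 )) -eq 0 ]; then
            echo "NO-EXEC $path is $mode, a directory needs the owner execute bit"
            rc=1; continue
        fi
        # Any permission bit set beyond the allowed maximum is a finding.
        if [ $(( 0$mode & ~0$want & 0777 )) -ne 0 ]; then
            echo "TOO-OPEN $path is $mode, expected at most $want"; rc=1
        else
            echo "OK $path ($mode)"
        fi
    done
    return "$rc"
}
```

The function returns non-zero when any finding is reported, so it can gate a batch job before the first scp/sftp attempt.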

SFTP closes immediately with "Connection closed" / exit 128

On some storage-driver or profile-restricted hosts, an SFTP session opens then drops with a debug line like Exit status 128. Two reliable workarounds: grant the connecting account local read access to the affected program directories, or, where policy allows, grant the service account the necessary permissions on the host. Always reproduce with sftp -vv to capture the failing step.

"Cannot create /tmp" after adding a domain user

A freshly registered domain user may fail to launch a shell with a /tmp error. The dependable fix is to remove and recreate the user's Windows profile, then re-run mkpasswd for that account.

Wrong line endings break scripts

If a script throws $'\r': command not found, it has Windows CRLF endings. Convert it with dos2unix yourscript.sh rather than relying on the igncr shell option.

Uninstalling Cygwin and removing the sshd service

Remove the service before deleting files, or Windows will leave an orphaned service registration.

  1. Stop the service from a normal command prompt: net stop sshd. If it reports the service does not exist, sshd was never registered — skip to deleting files.
  2. Open a Cygwin Terminal and remove the service definition: cygrunsrv -R sshd.
  3. In Computer Management, delete the cyg_server (and any sshd) account.
  4. Take ownership of D:\cygwin with the Administrators group (Properties → Security → Advanced → Owner, replace on subcontainers), then back up and delete the folder and its shortcuts.
  5. Remove the SHELLOPTS system environment variable and the ;D:\cygwin\bin entry you added to Path. Skip this if you plan to reinstall.

Security hardening recommendations

Because the source targeted EOL software, treat hardening as mandatory on any internet-facing host:

  • Run the current OpenSSH — versions before 9.x carry serious CVEs.
  • Disable password authentication once keys work: set PasswordAuthentication no in /etc/sshd_config and restart sshd.
  • Prefer Ed25519 keys and drop legacy ciphers.
  • Restrict inbound TCP 22 by source IP at the Windows Firewall.
  • Keep Cygwin patched by re-running the installer regularly.
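
When setting PasswordAuthentication no, note that sshd uses the first value it reads for each keyword, so a line appended below an existing PasswordAuthentication yes has no effect. The following added example (not from the original guide) reports the value that applies in the global section of a config file; the function names are hypothetical, the sample config is constructed, and Match blocks and Include files are not evaluated.

```shell
#!/usr/bin/env bash
# Added example: report the value sshd would use for a global keyword.
# sshd keeps the FIRST value it reads for each keyword, and keywords are
# case-insensitive, so a later "PasswordAuthentication no" does not override
# an earlier "yes". Match blocks and Include files are not evaluated here.

# effective_setting FILE KEYWORD DEFAULT  (hypothetical helper name)
effective_setting() {
    awk -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want); val = dflt }
        { sub(/\r$/, "") }                  # tolerate CRLF-saved config files
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        tolower($1) == "match" { exit }     # global section ends at first Match
        tolower($1) == want { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# password_auth_disabled FILE: succeeds only if the effective global value is "no".
password_auth_disabled() {
    [ "$(effective_setting "$1" PasswordAuthentication yes)" = "no" ]
}

# Constructed sample: the "no" was appended after an existing "yes".
demo_shadowed_config() {
    local f; f="$(mktemp)"
    printf '%s\n' 'Port 22' 'PasswordAuthentication yes' \
        '# hardening appended later:' 'PasswordAuthentication no' > "$f"
    effective_setting "$f" PasswordAuthentication yes   # prints: yes
    rm -f "$f"
}
```

On a live host, sshd -T prints the fully resolved configuration and is the authoritative check; run password_auth_disabled /etc/sshd_config as a quick pre-restart test.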

Key Takeaways

  • Use a current installer: there is no Cygwin 2.774 today — download setup-x86_64.exe from cygwin.com and install the latest OpenSSH (9.x), not the EOL 6.0p1.
  • ssh-host-config -y does the heavy lifting: it creates host keys, the cyg_server account, and the auto-starting Windows sshd service.
  • Most startup failures are password-policy related: reset cyg_server in Computer Management and update the matching password on the service's Log On tab.
  • Key auth needs correct permissions: chmod 700 ~/.ssh and chmod 600 authorized_keys — a directory must be executable, not 600.
  • Consider Windows built-in OpenSSH when you need only SSH/SFTP; choose Cygwin when you also need a full Linux-style shell environment.

Frequently Asked Questions

How do I check my Cygwin and OpenSSH version?

Run uname -a in the Cygwin Terminal for the Cygwin/Windows build, and ssh -V for the exact OpenSSH version. To audit installed packages, re-run the Cygwin installer and review the package list, or use cygcheck -c openssh.

Why does the Cygwin sshd service fail to start with a logon error?

The cyg_server service account password almost certainly violates your Windows password policy, or it was cached from a previous install. Reset the password in compmgmt.msc, set the identical password on the CYGWIN sshd service's Log On tab in services.msc, then start the service.

Should I use Cygwin SSH or the built-in Windows OpenSSH?

If you only need an SSH/SFTP server or client, the Microsoft-supported built-in OpenSSH (an optional feature on Windows 10/11 and Server 2019+) is simpler and needs no third-party runtime. Choose Cygwin when you also rely on bash, coreutils, and other Linux tools for scripting on the same host.

How do I set up passwordless SSH for batch jobs?

Generate a key pair on the initiating host with ssh-keygen -t ed25519, copy the public key to the destination using ssh-copy-id user@host, then set chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys on the destination. Test with ssh -vv user@host.
