[Win10] Offline installation of FoD like OpenSSH Server without VLSC ISO

Windows 10 comes with a lot of additional components that are not part of the "local" installation media, for example the OpenSSH Server. These components are called "Features on Demand" (FoD) and need either an active internet connection to download and install, or a specialized FoD ISO that can only be downloaded from the Microsoft Volume Licensing Service Center (VLSC). If you need to install such a component on a Windows 10 Professional (or similar) machine offline and don't have a volume licensing subscription, you cannot get the needed offline files that way.

However, there is another option: use a second computer with the same major release (e.g. Windows 10 1909 / 2004 / 20H2 aka 2009), ideally with the latest patches installed, to download the files from the internet and then use them for the offline installation.

Example: we want to get the OpenSSH Server package for Windows 10 20H2 / 2009 and install it offline afterwards.

  1. Get a Windows 10 20H2 computer connected to the internet, patched to the latest version
  2. Download Everything ( https://www.voidtools.com/ - the portable version will do ) - this is a tool that indexes the Windows filesystem and shows changes to it in real time
  3. Start it; if it asks for administrative rights, say yes
  4. Enter "C:\Windows\" in the search box, so that only changes below the Windows directory are shown and you don't drown in information

5. Open an administrative PowerShell. You can now search for the latest version of the FoD package you want to install, e.g.:
Get-WindowsCapability -Online |? Name -like 'OpenSSH.Server*'

This will get us info like:

Name  : OpenSSH.Server~~~~0.0.1.0
State : NotPresent
6. Now this is where it gets tricky. You need to start the download of the package, track it traversing the filesystem with Everything and copy it before Windows deletes it again after installation. You might need to repeat the process several times, but here is the full write-up:

6a. Enter
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
which will start the download & installation

6b. Watch the Everything window. At some point a cab file with OpenSSH in its name will pop up in the C:\Windows\SoftwareDistribution\Download folder. Select that file and press CTRL+C to copy it.

6c. Move the focus to your Desktop or another folder. At some point the path of the selected file will change to C:\Windows\CbsTemp, because the download has finished and the installation starts. Your selection and copy are still valid and now target this new file, so hit CTRL+V quickly to paste it to your desktop, because it will disappear within seconds.

6d. If everything went OK, you will have a cab file of a few MB (in the case of OpenSSH-Server-Package~31bf3856ad364e35~amd64~~.cab it's just ~1.22 MB), and that's what we need. If you were too slow, you can try again by uninstalling the OpenSSH Server via PowerShell using
Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
then start again at 6a and repeat until it works.

6e. One word of caution: the filename stays the same for all Windows 10 release versions, so put the file into a folder named after the version so that you don't mix up different versions. Also don't rename the cab file, otherwise it cannot be used for installation anymore. It is also worth noting the file's SHA256 hash (Get-FileHash) at this point, so you can verify the copy after it travelled to the isolated system on removable media.

  7. Move the file to your target / isolated system (and compare its hash there).
  8. Open a PowerShell with admin rights in the folder containing e.g. OpenSSH-Server-Package~31bf3856ad364e35~amd64~~.cab, then execute the installation command:
    Add-WindowsCapability -Online -Name "OpenSSH.Server~~~~0.0.1.0" -Source "." -LimitAccess

That installs it; the Get-WindowsCapability query from step 5 should now report State : Installed. A few follow-up steps:

# Set the services to autostart
Set-Service sshd -StartupType Automatic
Set-Service ssh-agent -StartupType Automatic
# Check whether the firewall rule is active
Get-NetFirewallRule -Name *ssh*
# There should be a firewall rule named "OpenSSH-Server-In-TCP", which should be enabled
# If the rule does not exist, create one (add -RemoteAddress if only certain hosts should reach port 22)
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
# Configuration of the OpenSSH server
# You can set PowerShell as the default shell (this applies to every user logging in via SSH)
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
# Start the services
Start-Service sshd
Start-Service ssh-agent

SSH config for beginners

The SSH client config is a powerful tool to get "more" out of your normal SSH connection.

Just create a file called "config" in your .ssh folder; it is read on every new SSH session. It must be owned by you and not writable by anyone else (chmod 600 ~/.ssh/config), otherwise ssh refuses to use it ("Bad owner or permissions").

Let's start with a simple example of what a connection configuration could look like:

Host myHost
  Hostname 1.2.3.4 
  IdentityFile ~/.ssh/myHostKey
  User myUser

With this, "ssh myHost" will connect to the host 1.2.3.4 as user myUser using the key file myHostKey. This way you can use multiple keys and users on the same host without too much trouble 🙂

Another example with a different SSH port:

Host myHost2
  Hostname myhost.com
  Port 3001
  User anotheruser
  IdentityFile ~/.ssh/anotherKey

You can also just give an existing hostname another key file:

Host github.com
  IdentityFile ~/.ssh/github

Forward a port of the remote host to your local machine (here the remote host's 127.0.0.1:443 becomes port 443 on your machine; binding a local port below 1024 needs root, so pick e.g. 8443 as the first number otherwise):

Host myHost_tunnel
  Hostname myhost.com
  IdentityFile ~/.ssh/myHostKey
  User myUser
  LocalForward 443 127.0.0.1:443

Or even use your remote host as a SOCKS proxy (bound to your local port 8888; browsers take it as a "SOCKS 5" proxy, it is not an HTTP proxy):

Host myHost_proxy
  Hostname myhost.com
  IdentityFile ~/.ssh/myHostKey
  User myUser
  DynamicForward 127.0.0.1:8888

And the ssh config is able to do a lot more, but ... you'll find that in the manpage, ssh_config(5) 🙂
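To see how ssh combines such blocks, here is an added example (not from the original post) that emulates the lookup rule from ssh_config(5): the first value found for a keyword wins, so a "Host *" block with defaults must come last. It only handles Host blocks with glob patterns (no Match blocks, no negated patterns). The sample config is constructed from the entries above plus a "Host *" block with IdentitiesOnly yes, which stops ssh from offering every key in your agent to every server; the fallback user name is invented for the demo.

```shell
#!/usr/bin/env bash
# Added example: a small emulation of how ssh picks options from ~/.ssh/config.
# Rule from ssh_config(5): for each keyword the FIRST obtained value wins, so
# host-specific "Host" blocks must come before any "Host *" defaults.
# Only "Host" blocks with glob patterns are handled (no Match, no "!" negation).

# Constructed sample config: the page's entries plus a "Host *" default block.
SAMPLE_CONFIG='Host myHost
  Hostname 1.2.3.4
  IdentityFile ~/.ssh/myHostKey
  User myUser

Host myHost2
  Hostname myhost.com
  Port 3001
  User anotheruser
  IdentityFile ~/.ssh/anotherKey

Host github.com
  IdentityFile ~/.ssh/github

# Defaults for everything else; deliberately LAST
Host *
  User fallbackuser
  Port 22
  IdentitiesOnly yes
'

# Same entries, but with the defaults on top: the common mistake.
WRONG_ORDER_CONFIG='Host *
  User fallbackuser
  Port 22

Host myHost2
  Hostname myhost.com
  Port 3001
  User anotheruser
'

# resolve_option <host-as-typed> <keyword> [config-text]
# Prints the value ssh would use for <keyword>, or returns 1 if none is set.
resolve_option() {
  local target="$1" key="$2" config="${3:-$SAMPLE_CONFIG}"
  local line keyword value pattern in_block=0
  local -a patterns
  while IFS= read -r line; do
    line="${line#"${line%%[![:space:]]*}"}"          # strip leading whitespace
    [ -z "$line" ] && continue
    case "$line" in '#'*) continue ;; esac            # comment line
    keyword="${line%%[[:space:]]*}"
    value="${line#"$keyword"}"
    value="${value#"${value%%[![:space:]]*}"}"
    if [ "${keyword,,}" = host ]; then
      # A "Host" line starts a new block; it applies if any of its patterns
      # matches the name typed on the command line (case-insensitively).
      in_block=0
      read -ra patterns <<< "$value"
      for pattern in "${patterns[@]}"; do
        case "${target,,}" in ${pattern,,}) in_block=1 ;; esac
      done
      continue
    fi
    if [ "$in_block" = 1 ] && [ "${keyword,,}" = "${key,,}" ]; then
      printf '%s\n' "$value"                          # first hit wins
      return 0
    fi
  done <<< "$config"
  return 1
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  for h in myHost myHost2 github.com; do
    printf '%-10s user=%-12s port=%-5s key=%s\n' "$h" \
      "$(resolve_option "$h" User)" "$(resolve_option "$h" Port)" \
      "$(resolve_option "$h" IdentityFile || echo '(default)')"
  done
  echo "myHost2 port with 'Host *' on top: $(resolve_option myHost2 Port "$WRONG_ORDER_CONFIG")"
fi
```

Real ssh shows the same thing for a real config with `ssh -G myHost2`, which prints the effective options without connecting; the emulation exists only to make the ordering rule visible without a server.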

[Ubuntu] Use Molly-Guard to stop shooting your own leg

If you're working on dozens of Linux servers (or even more than 100, as in my case), you end up doing administration via SSH - which is the way to go. And chances are that you'll have dozens of SSH connections open in dozens of tabs, you did some updates on some of those servers and want to restart one of them with a quick sudo reboot now...
I won't lie: it happened more than once that I accidentally rebooted the wrong server - at least that was the case more than a year ago.
For the last year, since I have been using Molly-Guard, that did not happen once. Why? Because Molly-Guard stops the reboot command (and shutdown, halt and poweroff) if it detects that you're issuing it from an SSH session - and asks for the server name. If you enter it correctly, it will reboot. If you're in a frenzy, doing your "sudo reboot now" and enter serverB while you're on serverA - yep, Molly-Guard will stop you from shooting yourself in the leg. Neat, ain't it?

Oh - and the best part? Ease of use: sudo apt-get install molly-guard
That's it, you're set, bye.

Nope. Really. No configuration needed. Just install that baby and be safe :)!

SSH Socks Proxy

A very easy and handy thing is to use an SSH server as a SOCKS proxy:
ssh -D 8080 username@my_ssh_server

Or use PuTTY:
Enter the IP address and port of your SSH server, then go to Connection -> SSH -> Tunnels.
In Source port enter the port on which the proxy should be available, e.g. 8080.
Then choose "Dynamic".
Leave Destination empty and the IP configuration on "Auto".

After connecting to your SSH server, you can configure e.g. Firefox to use your SOCKS 5 proxy on IP 127.0.0.1 and port 8080. Note that by default Firefox still resolves hostnames locally; set network.proxy.socks_remote_dns to true in about:config so that DNS goes through the tunnel as well.

[ESXi 3.5] ESXi 3.5 Update 5 Install CD with oem.tgz + ssh,ftp,rsync and wget (made easy)!

Hello,

It has been a while since I really did something new with VMware, but as I needed to install some new servers, I was also looking for better ways of integrating oem.tgz and other features. For that I stumbled upon a very cool and useful Linux build script for ESXi, made by the user Varazir. After this how-to you're going to hold an ISO installer with SSH, FTP, RSYNC, WGET and the Community Unified Driver Pack 1.1.0 oem.tgz in your hands. Or a USB stick with the same features - as live boot or installer. Your choice.

Download:
VMware-VMvisor-InstallerCD-3.5.0_Update_5-207095.i386.iso: Vmware.com / ESXi 3.5 Download Section
Mkesxiiso.sh: http://varazir.mine.nu/esxi/
CommunityUnifiedDriverPack_v1.1.0_U3-123629.oem.gz: http://www.vm-help.com/esx/esx3i/Custom_oem.tgz/CommunityUnifiedDriverPack_v1.1.0_U3-123629.oem.gz

What you also need:
An English-language (!) and recent Ubuntu version with mkisofs installed.
You can use VMware Player for that ;-).

How To:
Copy all the files into the /tmp folder of the Ubuntu installation.
Rename CommunityUnifiedDriverPack_v1.1.0_U3-123629.oem.gz to oem.tgz.
Make the latest Mkesxiiso.sh executable with chmod +x (in my case: chmod +x mkesxiaio_3.9.1.sh).
Run sudo ./mkesxiaio_3.9.1.sh
The script will now walk you through the build of the ESXi system.

Thanks to Varazir and www.vm-help.com it's finally very easy to build a custom system!

Addition: add a user to an installed ESXi:
If you have an installed ESXi 3.5 and want a second user for ssh and ftp instead of "root only", do this:
Delete the additional VMware user you created earlier with userdel, then create it anew with: useradd Username -M -d /
With that command you create the new user and set its home folder to "/" (root).
The reason a normal user can't log in via ssh is that VMware erases the home folder on every boot.
You should also set the user's password after creation with passwd Username...

SSH Tunneling

One of the most important things when working in "dangerous" network environments is protection.

And by that I don't mean the usual (and important!) anti-virus, anti-malware and firewall software, but traffic tunneling, meaning VPN or SSH.

SSH is the secure equivalent of the good old (plaintext) Telnet. And it's also more powerful: its use is not limited to remote control, it can also provide an encrypted data tunnel that carries all your traffic to your remote location (e.g. a MySQL database, web or mail server, or the web itself). That leaves little to no chance for Wireshark users, cable tappers or people sitting on a SPAN port. Keep in mind that the traffic leaves the tunnel in the clear at the SSH server: the protection covers the network between you and that server, not what lies beyond it.

So lets go:

1. Setting up the SSH server
Setting up an SSH server is as simple as:
apt-get install openssh-server
if you're running Debian or Ubuntu.

Optionally you can configure that the "root" account cannot log in via SSH and that
password authentication is not allowed. We will go for a key-based setup here,
but I would recommend not disabling password authentication until you have verified
that the key login works, especially if you can't easily get physical access to the
machine. (Unlike certificates, plain SSH keys do not expire; a key stays valid until
you remove it from authorized_keys.)

2. Configuring the SSH server
vi /etc/ssh/sshd_config

- change the port to 18000
Port 18000
// The author considers this a must. It keeps automated scanners out of your logs,
// but it is obscurity, not a security control; key-only authentication is what
// actually protects you.

- deactivate root access
PermitRootLogin no
// Optional. With "no" the root account cannot log in via SSH at all.
// Only set that if you know what you're doing!

- deactivate password login
PasswordAuthentication no
// Optional as well; set it at the end, once key authentication works -
// but beware, you won't be able to log in with a password then!
// ( And that will hurt if you lose your key... )

After each change run sshd -t, which checks the file for errors, and keep your current
session open while you test a new login from a second window before you trust the change.

3. Configure the router (NAT and firewall) to allow access to your SSH server.
Use dynamic DNS (e.g. DynDNS.org) to get a dynamic DNS address.
( That means an address like myserver.dyndns.org will always point to the
dynamically changing IP address of your router. Most routers have a DynDNS
client built in, so they update the DynDNS account on every IP change -
look it up in the handbook / config menu. )

4. Setting up an SSH user with restricted shell access
sudo apt-get install rssh
// Installs the restricted shell (rssh is no longer maintained; a "Match User"
// block in sshd_config with ForceCommand and PermitTTY no gives the same
// result without extra software)
sudo useradd tunnel -m -s /usr/bin/rssh
// Creates a user named tunnel with the restricted shell
sudo passwd tunnel
// Enter the password you want for the user

5. Setting up the Squid HTTP proxy
sudo apt-get install squid
// Squid's default config only accepts clients from localhost, which is exactly
// where the SSH tunnel delivers them, so nothing needs to change for this setup.

6. Creating the connection using PuTTY and setting up the clients
Download the PuTTY installer from
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
and install it. Then open PuTTY:

Session -> Host Name and Port: enter your DynDNS address and the port you chose for SSH
Connection -> Enable TCP keepalives
Connection -> SSH -> Don't start a shell or command at all
Connection -> SSH -> Enable compression
Connection -> SSH -> Tunnels: Source port, you can choose e.g. 20000
// Source port is the port on your "client PC" where the tunnel ends
Connection -> SSH -> Tunnels: Destination localhost:3128
// Destination is the target as seen from the SSH server: here localhost:3128,
// the Squid proxy. But it could also be IPofyourRouter:23 to reach the Telnet
// of your router on port 20000 of your client PC, or IPorNameOfYourHomePC:3389
// for Windows Remote Desktop - or anything else. You would then connect with
// the Remote Desktop client to "localhost:20000" to access your PC at home.
// (That is also why the tunnel user should be restricted with PermitOpen:
// otherwise it can reach anything the server can reach.)
Session -> press Save to save the session
Session -> press Open and enter your login, e.g. tunnel, and the password

You won't see anything, as the session just stays open and "nothing happens".

Go to your Internet Explorer / Firefox and enter localhost, port 20000 as the proxy.

Internet Explorer:
Tools, Internet Options, LAN Settings, "Use a proxy server for your LAN"
Enter localhost, port 20000

Firefox:
Tools, Options, Advanced, Network, Settings
Manual proxy configuration, HTTP Proxy: localhost, Port 20000
"Use this proxy server for all protocols"

And now you'll be able to surf the web from everywhere through your
encrypted tunnel!

WARNING: ONLY the traffic is secured. With the HTTP proxy setup above the browser
hands the complete URL to Squid, so name resolution happens on the server. If you
use a SOCKS proxy instead (ssh -D, or a "Dynamic" tunnel in PuTTY), your DNS
lookups STILL go to your local DNS server by default. The local DNS admin can then
see that you were visiting e.g. Google or Facebook, but not what you transmitted
there. To push DNS through the SOCKS tunnel as well, do this:

Internet Explorer:
no setting for this, it isn't working

Firefox:
// Enter in the URL bar:
about:config
// Look for this string and set it to "true"
network.proxy.socks_remote_dns

Only one thing left to do:
Set up key-based authentication.
Key-based authentication has two main advantages:
a) scripts can identify themselves with the key and use ssh without an interactive password
b) it is more secure: a key cannot be guessed or brute-forced like a password, and once
it works you can switch password authentication off entirely. (The check that you are
talking to the right server and not to someone intercepting the connection is done by
the server's host key; it happens with every login method, so compare the fingerprint
on the first connect.) It's the way to go.

Creating keys:
su
# Enter the password for root access
ssh-keygen -t rsa -b 2048
# Just press "enter" through everything; the key pair lands in /root/.ssh/id_rsa and id_rsa.pub
# Better practice: generate the pair on your client (PuTTYgen) and copy only the
# public part to the server, so the private key never leaves your machine.

Installing keys:
mkdir -p /home/tunnel/.ssh
chmod 700 /home/tunnel/.ssh
# append (>>), never overwrite (>): an existing authorized_keys may hold other keys
cat ~/.ssh/id_rsa.pub >> /home/tunnel/.ssh/authorized_keys
chmod 600 /home/tunnel/.ssh/authorized_keys
# sshd refuses keys in a directory the user does not own
chown -R tunnel /home/tunnel/.ssh
exit

Download the key id_rsa from /root/.ssh/ via WinSCP to your PC (and delete it from the server afterwards; the private key has no business staying there).
Start PuTTYgen, which came with the PuTTY installer.
Load id_rsa in PuTTYgen and press "Save private key" (this converts it to PuTTY's .ppk format).

Using key-based authentication with PuTTY:
Open PuTTY and load your saved session
Connection -> SSH -> Auth
Use "Private key file for authentication" to point to the private key you just
saved (whether it is passphrase-protected or not doesn't matter at this point).
Go back to Session and save again. Press Open.
You'll be asked to enter your username and passphrase (if you set one).
If you want to really automate that, you can even specify your username in
PuTTY under Connection -> Data, "Auto-login username".