OpenSSH Server for Windows

Guestbook

Want to run OpenSSH Server on Windows e.g. Windows 10. From Windows 10, it natively supports OpenSSH.

NOTE: The beta and nightly build of OpenSSH Server for Windows have a lot of runtime issues.

Check OpenSSH installation:

1
2
3
4
5
6
7
PS C:\ProgramData\ssh> Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

Name  : OpenSSH.Client~~~~0.0.1.0
State : Installed

Name  : OpenSSH.Server~~~~0.0.1.0
State : NotPresent

Install the missing OpenSSH Server:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
PS C:\ProgramData\ssh> Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
>>

Path          :
Online        : True
RestartNeeded : False


PS C:\ProgramData\ssh> Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

Name  : OpenSSH.Client~~~~0.0.1.0
State : Installed

Name  : OpenSSH.Server~~~~0.0.1.0
State : Installed

Check OpenSSH for Windows version, check Windows Operating System version:

1
2
3
4
5
PS C:\ProgramData\ssh> ((Get-Item (Get-Command sshd).Source).VersionInfo.FileVersion)
8.1.0.1

PS C:\ProgramData\ssh> ((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows nt\CurrentVersion\" -Name ProductName).ProductName)
Windows 10 Enterprise

Check Windows Domain information:

1
2
3
4
5
6
7
8
9
10
11
12
PS C:\ProgramData\ssh> dsregcmd /status

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
               Device Name : WINDOWS.corp.paradise.local
...

Check OpenSSH Server for Windows run as a service:

OpenSSH SSH Server service

Make sure OpenSSH SSH Server firewall inbound rule allows ALL profiles:

OpenSSH SSH Server firewall inbound rule

The default C:\ProgramData\ssh\sshd_config file doesn’t work for Windows Domain users authentication, and does’t support .ssh\authorized_keys public key authentication. Error lookup_principal_name: User principal name lokup failed for user ‘corp\darling’ in OpenSSH Server C:\ProgramData\ssh\logs\ssd log file. A work around solution is to comment out lines:

1
2
#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

A complete sshd_config example file:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
SyslogFacility LOCAL0
LogLevel DEBUG3

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# GSSAPI options
#GSSAPIAuthentication no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	sftp-server.exe

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Now run ssh client and log on SSH Server:

1
2
3
4
5
$ sshpass -f ~/.ssh/windows.passwd ssh -l darling windows.local
Microsoft Windows [Version 10.0.19044.2965]
(c) Microsoft Corporation. All rights reserved.

corp\darling@WINDOWS C:\Users\darling>

References

Setup Socks/Socks5 proxy and git repo via proxy

Guestbook

Host windows.local has VPN connection which is granted with git repository.

  • Setup Socks/Socks5 proxy
1
2
3
$ ssh-copy-id -i id_rsa.pub darling@windows.local

$ ssh -D 3128 -q -C -N -f darling@windows.local
  • -q: quiet mode, don’t output anything locally
  • -C: compress data in the tunnel, save bandwidth
  • -N: do not execute remote commands, useful for just forwarding ports
  • -f: keep it running in the background

If PasswordAuthentication is enforced, and pubilc key authentication in SSH Server is not supported, try:

1
$ sshpass -f ~/.ssh/windows.passwd ssh -D 3128 -q -C -N -f darling@windows.local
  • Configure git with Sock/Socks5 proxy
1
2
3
4
5
6
7
8
9
$ git config http.proxy 'socks5://localhost:3128'

$ cat .git/config
[user]
	name = Terrence Miao
	email = terrence.miao@paradise.net
	signingkey = EBCEB936
[http]
	proxy = socks5://localhost:3128

Then can access git repository via proxy both on command line and in UI client.

Setup ssh ProxyCommand/proxyJump on multiple jump hosts

Guestbook

NOTE: Some SSH Server doesn’t allow public key authentication. Then sshpass is a friend here for you.

Install sshpass in MacOS:

1
$ brew install esolitos/ipa/sshpass

Test sshpass:

1
$ ssh -oProxyCommand="sshpass -f ~/.ssh/windows.passwd ssh -W %h:%p jumphost" -l darling jumphost-npe.paradise.net

Setup .ssh/config file:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
## Keeping SSH Sessions Alive
Host *
 ServerAliveInterval 15

Host jumphost.mac
    Hostname mac.local
    IdentityFile ~/.ssh/id_rsa
    User darling

Host jumphost.windows
    Hostname windows.local
    IdentityFile ~/.ssh/id_rsa
    User darling

Host jumphost-npe
    Hostname jumphost-npe.paradise.net
    User darling
    IdentityFile ~/.ssh/id_rsa
    ProxyCommand sshpass -f ~/.ssh/windows.passwd ssh -W %h:%p jumphost.windows
    IdentitiesOnly yes
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
    ServerAliveInterval 60
    ServerAliveCountMax 5

## DEVELOPMENT hosts in AWS
Host ip-10-212-*.ap-southeast-2.compute.internal
    ProxyCommand ssh -W %h:%p jumphost-npe
    IdentityFile ~/.ssh/dev-stack.pem

## PTEST hosts in AWS
Host ip-10-213-*.ap-southeast-2.compute.internal
    ProxyCommand ssh -W %h:%p jumphost-npe
    IdentityFile ~/.ssh/test-stack.pem

## STEST hosts in AWS
Host ip-10-214-*.ap-southeast-2.compute.internal
    ProxyCommand ssh -W %h:%p jumphost-npe
    IdentityFile ~/.ssh/test-stack.pem

Host jumphost-prod
    HostName jumphost-prod.paradise.net
    User darling
    IdentityFile ~/.ssh/id_rsa.prod
    ProxyCommand sshpass -f ~/.ssh/windows.passwd ssh -W %h:%p jumphost.windows
    IdentitiesOnly yes
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
    ServerAliveInterval 60
    ServerAliveCountMax 5

## PROD hosts in AWS
Host ip-10-208-*.ap-southeast-2.compute.internal
    ProxyCommand ssh -W %h:%p jumphost-prod
    IdentityFile ~/.ssh/prod-ddc-stack.pem

## SSH over Session Manager
host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

Micro Frontends

Guestbook

Micro Frontends

Righ model, right tools - the new way of building and collaborating on frontend apps is the core element of Micro Frontends.

Geekbench head to head - Mac vs iPad vs Android

Guestbook

Geekbench head to head - Mac vs iPad vs Android:

  • 10 years old Mac mini Late 2012 (2.6GHz quad-core Intel Core i7 Turbo Boost up to 3.6GHz)
  • 4 years old MacBook Pro 15-inch Mid 2018 (2.6GHz 6-core Intel Core i7, Turbo Boost up to 4.3GHz)
  • 4 years old iPad Pro 11” 2018 3rd gen (A12X Bionic 7 nm, 4-core Vortex at 2.5GHz , 4-core Tempest at 1.6GHz)
  • 1 year old MacBook Pro 16-inch 2021 (Apple Silicon M1 Pro, 10-core CPU at 3.2GHz)
  • 没满岁的 Android (Snapdragon 8 Gen1, 1 core Cortex-X2 at 3GHz, 3-core Cortex-A710 at 2.5GHz, and 4-core Cortex-A510 at 1.8GHz)

Geekbench head to head - Mac vs iPad vs Android

Conclusion:

  1. Intel 已经是江河日下,被时代淘汰
  2. Apple Processors 实在太强。 四年前的处理器还可吊打当前最新的 Snapdragon Processors
  3. 同是 2018 年产品,iPad Pro 把 Intel CPU based 的 MacBook Pro 按在地上碾压

ARM vs x86 谁是未来,一目了然。

NOTE

The Apple M1 chip is built for Macs, and the A15 for phones. They use completely different architectures. The A15 prioritizes battery over performance. The M1 has more firepower for graphics.

How to use Web Inspector and debug Safari on iPhone/iPad

Guestbook

Prerequisites:

  • iPhone / iPad / iPod and the Macbook on the same version of Safari
  • a genuine Apple lightning or USB cable

Step by step:

  • On iPad, iPhone or iPod touch, go to menu Settings > Safari > Advanced and toggle on Web Inspector. Enable JavaScript if it isn’t already on
  • On Macbook, launch Safari and go to menu Preferences > Advanced then toggle on “Show Develop menu in menu bar”
  • Connect iOS device to Macbook with the lightning or USB cable
  • Now on iOS device, open Safari and go to the website you want to debug
  • On Macbook, open Safari and go to “Develop” menu. You now see your iOS device that has connected with Macbook (if no page opened on iOS device, you see a message saying “No Inspectable Applications”)

![Safari Develop menu](/img/Safari Develop.png “Safari Develop menu”)

  • Click on the website in Safari Develop > iOS device menu, Web Inspector window opened, then you can debug as you used to debug in Safari

![Web Inspector](/img/Web Inspector.png “Web Inspector”)

Powerful Zsh

Guestbook

Powerful Zsh

First you have Zsh, next install Oh My Zsh https://ohmyz.sh/

1
sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"

Add Powerlevel10k https://github.com/romkatv/powerlevel10k and configure it

1
git clone --depth=1 https://github.com/romkatv/powerlevel10k.git ${ZSH_CUSTOM:-$HOME/.oh-my-zsh/custom}/themes/powerlevel10k

Set ZSH_THEME to powerlevel10k in .zshrc

1
ZSH_THEME="powerlevel10k/powerlevel10k"

Then run Powerlevel10k configure:

1
p10k configure

Add zsh-autosuggestions https://github.com/zsh-users/zsh-autosuggestions

1
git clone https://github.com/zsh-users/zsh-autosuggestions ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-autosuggestions

Add zsh-syntax-highlighting https://github.com/zsh-users/zsh-syntax-highlighting

1
git clone https://github.com/zsh-users/zsh-syntax-highlighting.git ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-syntax-highlighting

and enable them in .zshrc:

1
2
3
4
5
6
...
plugins=(
  zsh-autosuggestions
  zsh-syntax-highlighting
)
...

Install Fig (deprecated) https://fig.io/, an IDE-style autocomplete but for terminal, and configure in .zshrc

1
2
3
4
5
6
7
...
# Fig pre block. Keep at the top of this file.
[[ -f "$HOME/.fig/shell/zshrc.pre.zsh" ]] && . "$HOME/.fig/shell/zshrc.pre.zsh"
...
# Fig post block. Keep at the bottom of this file.
[[ -f "$HOME/.fig/shell/zshrc.post.zsh" ]] && . "$HOME/.fig/shell/zshrc.post.zsh"
...

References