OpenSSH Server on Windows is very cool, and very weird...
You need to open a PowerShell prompt as Administrator.
If you're going to connect to Windows via OpenSSH, I think you're really best off using PowerShell rather than cmd.exe, as PowerShell can do quite a bit more from the command line that's impossible with cmd.exe.
# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server
# Start the SSH server
Start-Service sshd
# or the even shorter and older...
net start sshd
32-bit versions of Windows shipped with a ported version of edit.exe from DOS that would work in a command prompt. The 64-bit editor that works in every version of Windows and is guaranteed to be installed is notepad.exe. Obviously that's not going to get us very far via ssh, so we need a way to edit in the terminal.
The best solution is to install neovim via scoop. If you're not into neovim, regular vim or nano (doesn't use vi keys) would also work.
# Allow PowerShell to run RemoteSigned code
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
# Install scoop
iwr -useb get.scoop.sh | iex
# Install git - required for scoop to operate
scoop install git
# Install neovim
scoop install neovim
# or `scoop install vim` if Lua is too fast for you
# or `scoop install nano` if hjkl are too powerful...
# Install the VC++ runtime (recommended for neovim)
scoop install vcredist2015
Most regular *nix machines put the sshd configuration in /etc/ssh/sshd_config. For Windows, the /etc/ssh directory is: C:\ProgramData\ssh. Inside of this directory you'll see:
Directory: C:\ProgramData\ssh
logs/
ssh_host_dsa_key
ssh_host_dsa_key.pub
ssh_host_ecdsa_key
ssh_host_ecdsa_key.pub
ssh_host_ed25519_key
ssh_host_ed25519_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub
sshd.pid
sshd_config
administrators_authorized_keys
At the end of the Windows sshd_config you'll see:
Match Group administrators
AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
If you're in a multi-user corporate environment I would strongly recommend changing this to:
AuthorizedKeysFile __PROGRAMDATA__/ssh/%u/authorized_keys
The point is that in a multi-admin environment, you'll realistically want every admin to at least have their own home folder, and not effectively be sharing a login... Using Microsoft's default, the username is set by the user given in the ssh user@server command.
If you use any path under ProgramData for your keys, you'll need to use icacls to set exactly these permissions. Of course, update the file name accordingly.
icacls.exe "C:\ProgramData\ssh\administrators_authorized_keys" /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"
In my case, I'm just running this as a virtual machine for development, so I just commented out the Match Group administrators AuthorizedKeysFile block, which simplifies permissions and behaves more like you'd expect of ssh. In a real server environment, I would definitely go with: __PROGRAMDATA__/ssh/%u/authorized_keys
#Match Group administrators
# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
Last, you need to add your ~/.ssh/some_key.pub public key to the authorized_keys file that you've chosen, and then restart sshd.
net stop sshd
net start sshd
Now you should be able to log in via:
ssh myuser@windows-host -p 22 -i ~/.ssh/some_key
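The per-user key setup described above, collected into one script that also checks the resulting ACL before restarting sshd. This is an added example, not the post author's code; the `-User` and `-PublicKeyPath` parameters are hypothetical names, and it assumes sshd_config already uses the `__PROGRAMDATA__/ssh/%u/authorized_keys` line.

```powershell
# Added example, not the post author's code. Run from an elevated PowerShell prompt.
# Assumptions: -User is a local account name; -PublicKeyPath is a copy of some_key.pub.
param(
    [Parameter(Mandatory)] [ValidatePattern('^[\w.\-]+$')] [string] $User,
    [Parameter(Mandatory)] [string] $PublicKeyPath
)
$ErrorActionPreference = 'Stop'

$keyDir  = Join-Path $env:ProgramData "ssh\$User"
$keyFile = Join-Path $keyDir 'authorized_keys'

# Create the per-user directory; append the key only if it is not already listed.
# ASCII is forced so the file is never written as UTF-16, which would match no key.
New-Item -ItemType Directory -Path $keyDir -Force | Out-Null
$pubKey = (Get-Content -Path $PublicKeyPath -Raw).Trim()
if (-not (Test-Path $keyFile) -or
    -not (Select-String -Path $keyFile -SimpleMatch $pubKey -Quiet)) {
    Add-Content -Path $keyFile -Value $pubKey -Encoding ascii
}

# Same permissions as the icacls command in the post: no inheritance,
# full control for Administrators and SYSTEM only.
icacls.exe $keyFile /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed for $keyFile" }

# Verify by SID (locale-independent) that no other principal is left on the ACL.
$allowedSids = 'S-1-5-32-544', 'S-1-5-18'   # BUILTIN\Administrators, NT AUTHORITY\SYSTEM
$extra = (Get-Acl -Path $keyFile).Access | Where-Object {
    $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    $sid.Value -notin $allowedSids
}
if ($extra) {
    throw "Unexpected ACL entries on ${keyFile}: $($extra.IdentityReference -join ', ')"
}

# Warn if sshd_config is not using the per-user AuthorizedKeysFile line from the post.
$config  = Join-Path $env:ProgramData 'ssh\sshd_config'
$pattern = '^\s*AuthorizedKeysFile\s+__PROGRAMDATA__/ssh/%u/authorized_keys'
if (-not (Select-String -Path $config -Pattern $pattern -Quiet)) {
    Write-Warning "sshd_config has no active per-user AuthorizedKeysFile line"
}

Restart-Service sshd
```

The ACL check matters because `/grant` only adds entries: explicit permissions that were already on the file survive `/inheritance:r` and would otherwise go unnoticed.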
Once you've got SSH connected, I would recommend setting ssh to launch powershell as the default shell rather than cmd, so that you can edit the registry via SSH.
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
# Check that it's set with:
Get-Item -Path "HKLM:\SOFTWARE\OpenSSH"
You can list the current version of Windows that's being used via cmd.exe's 'ver' shell builtin.
cmd.exe /c ver
# Windows "11" is:
Microsoft Windows [Version 10.0.22000.318]
Windows 11 ships with WSLg, allowing display of GUI apps, supporting both Wayland and X11 APIs...
wsl --install -d Ubuntu