OpenSSH Server on Windows is very cool, and very weird…
You need to open a PowerShell prompt as Administrator.
If you’re going to connect to Windows via OpenSSH, I think you’re really best off using PowerShell rather than cmd.exe, as PowerShell can do quite a bit more from the command line that’s impossible with cmd.exe.
```powershell
# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server

# Start the SSH server
Start-Service sshd
# or the even shorter and older...
net start sshd
```
32-bit versions of Windows shipped with a ported version of edit.exe from DOS that would work in a command prompt. The 64-bit editor that works in every version of Windows and is guaranteed to be installed is notepad.exe. Obviously that’s not going to get us very far via ssh, so we need a way to edit in the terminal.
The best solution is to install neovim using scoop. If you’re not into vim, nano (doesn’t use vi keys) would also work.
```powershell
# Allow PowerShell to run RemoteSigned code
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

# Install scoop
iwr -useb get.scoop.sh | iex

# Install git - required for scoop to operate
scoop install git

# Install neovim
scoop install neovim
# or `scoop install vim` if Lua is too fast for you
# or `scoop install nano` if hklj are too powerful...

# Install the VC++ runtime (recommended for neovim)
scoop install vcredist2015
```
Most regular *nix machines put the sshd configuration in /etc/ssh/sshd_config. For Windows, the /etc/ssh directory is C:\ProgramData\ssh. Inside of this directory you’ll see:
```
Directory: C:\ProgramData\ssh

logs/
ssh_host_dsa_key
ssh_host_dsa_key.pub
ssh_host_ecdsa_key
ssh_host_ecdsa_key.pub
ssh_host_ed25519_key
ssh_host_ed25519_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub
sshd.pid
sshd_config
administrators_authorized_keys
```
At the end of the Windows sshd_config you’ll see:
```
Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
```
If you’re in a multi-user corporate environment I would strongly recommend changing this to:
The point is that in a multi-admin environment, you’ll realistically want every admin to at least have their own home folder, and not effectively be sharing a login… Using Microsoft’s default, the username is set by the user set in the ssh user@server command.
If you use any path under ProgramData for your keys, you’ll need to use icacls to set exactly these permissions. Of course, update the file name accordingly.
```powershell
icacls.exe "C:\ProgramData\ssh\administrators_authorized_keys" /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"
```
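To confirm the icacls command left exactly those permissions on the file, here is an added check that is not part of the original post. Test-AuthorizedKeysAcl is a hypothetical helper name, the default path is the one used above, and it is meant to be run from the elevated PowerShell prompt.

```powershell
# Added example: Test-AuthorizedKeysAcl is a hypothetical helper name.
function Test-AuthorizedKeysAcl {
    param(
        [string]$Path = 'C:\ProgramData\ssh\administrators_authorized_keys'
    )

    # Well-known SIDs, so the check also works on non-English Windows.
    $allowed = @{
        'S-1-5-32-544' = 'Administrators'
        'S-1-5-18'     = 'SYSTEM'
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $acl      = Get-Acl -LiteralPath $Path
    $problems = @()
    $seenFull = @{}

    # /inheritance:r should have switched inheritance off.
    if (-not $acl.AreAccessRulesProtected) {
        $problems += 'Inheritance is still enabled'
    }

    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow') { continue }  # only grants matter here
        if (-not $allowed.ContainsKey($sid)) {
            $problems += "Unexpected grant to $sid ($($rule.FileSystemRights))"
        } elseif (($rule.FileSystemRights -band $full) -eq $full) {
            $seenFull[$sid] = $true
        }
    }

    # Both /grant entries from the icacls command must be present.
    foreach ($sid in $allowed.Keys) {
        if (-not $seenFull.ContainsKey($sid)) {
            $problems += "$($allowed[$sid]) ($sid) lacks Full control"
        }
    }

    [pscustomobject]@{ Path = $Path; Ok = ($problems.Count -eq 0); Problems = $problems }
}

Test-AuthorizedKeysAcl | Format-List
```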
In my case, I’m just running this as a virtual machine for development, so I just commented out the Match Group administrators / AuthorizedKeysFile block, which simplifies permissions and behaves more like you expect of ssh. In a real server environment, I would definitely go with: __PROGRAMDATA__/ssh/%u/authorized_keys
```
#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
```
Last, you need to add your ~/.ssh/some_key.pub public key to the authorized_keys file that you’ve chosen, and then restart sshd:
```powershell
net stop sshd
net start sshd
```
Now you should be able to log in via:
```
ssh myuser@windows-host -p 22 -i ~/.ssh/some_key
```
Once you’ve got SSH connected, I would recommend setting ssh to launch powershell as the default shell rather than cmd, so that you can edit the registry via SSH.
```powershell
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force

# Check that it's set with:
Get-Item -Path "HKLM:\SOFTWARE\OpenSSH"
```
You can list the current version of Windows that’s being used via cmd.exe’s ‘ver’ shell builtin.
```powershell
cmd.exe /c ver
# Windows "11" is: Microsoft Windows [Version 10.0.22000.318]
```
Windows 11 ships with WSLg allowing display of GUI apps, supporting both Wayland and X11 APIs…
```powershell
wsl --install -d Ubuntu
```