SSH (Secure Shell) is a cryptographic network protocol.

SSH protocol architecture:
Two computers communicate over Secure Shell: one of them is the client and the other is the server. SSH provides a cryptographic shield for this communication.

client -> presents query
server -> responds to query
Use PowerShell 7.3 or later, running as an Administrator.
Get-WindowsCapability -Online -Name OpenSSH*
OR
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
OR
Add-WindowsCapability -Online -Name OpenSSH.Client*
Here OpenSSH.Client~~~~0.0.1.0 is the Name of the SSH client package reported when the command Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*' was invoked.
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
OR
Add-WindowsCapability -Online -Name OpenSSH.Server*
Here OpenSSH.Server~~~~0.0.1.0 is the Name of the SSH server package reported when the command Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*' was invoked.
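The two install steps above, as an added example that is not part of the original page: it installs whichever OpenSSH capabilities are still missing (instead of hard-coding the version suffix), reports whether a restart is needed, and verifies the final state. It assumes an elevated PowerShell session.

```powershell
# Added example (not from the original page): install the OpenSSH client and server
# capabilities only when they are missing, then verify the resulting state.
# Requires an elevated PowerShell session, as described above.

$caps = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

foreach ($cap in $caps) {
    if ($cap.State -eq 'Installed') {
        Write-Output "$($cap.Name) is already installed"
        continue
    }
    Write-Output "Installing $($cap.Name) (current state: $($cap.State))"
    # Add-WindowsCapability returns an object whose RestartNeeded property says
    # whether a reboot is required before the feature is usable.
    $result = Add-WindowsCapability -Online -Name $cap.Name
    if ($result.RestartNeeded) {
        Write-Warning "$($cap.Name) installed; a restart is required"
    }
}

# Verify: both capabilities should now report State = Installed.
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*' |
    Select-Object Name, State
```

The loop installs both the client and the server; on a machine that should only be an SSH client, filter `$caps` to `OpenSSH.Client*` so that sshd is never installed there.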
Open an elevated PowerShell prompt (right click, Run as an administrator), then run the following commands accordingly:
Get-Service -Name ssh*
The ssh-agent is a helper program that keeps track of users' identity keys and their passphrases.
Start-Service sshd
Start-Service ssh-agent
OR
Start-Service ssh*
The ssh-agent service is disabled by default, so it must be enabled before it can be started.
Users can use the Windows GUI: search for "Services" in the Start menu, open it with admin privileges, look for "OpenSSH Authentication Agent", right-click, choose 'Properties' and change the startup type from 'Disabled' to 'Automatic'.
Using PowerShell one can:
- change the startup type to Automatic: Set-Service -Name ssh-agent -StartupType 'Automatic'
- start the service: Start-Service -Name ssh-agent
Because sshd by default may be set to StartupType 'Manual', we use the same command as above (Set-Service -Name ssh-agent -StartupType 'Automatic') for the sshd service:
Set-Service -Name sshd -StartupType 'Automatic'
This command applies the following StartupType condition (Automatic):
If the sshd/ssh-agent service is stopped and the device restarts, after the reboot the sshd/ssh-agent service will remain stopped. Similarly, if the sshd/ssh-agent service is running and the device restarts, after the reboot the sshd/ssh-agent service will be running automatically.
The default StartupType condition is (Manual):
If the sshd service is stopped and the device restarts, after the reboot the sshd service will remain stopped. And if the sshd service is running and the device restarts, after the reboot the sshd service will remain stopped unless started again.
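The service steps above combined into one script, as an added example that is not part of the original page: it sets both services to Automatic, starts them if they are not already running, and then checks that sshd actually owns a listening socket on port 22, which is the check a practitioner wants before touching the firewall. It assumes an elevated PowerShell session and that the OpenSSH Server capability is installed.

```powershell
# Added example (not from the original page): make sshd and ssh-agent start
# automatically, start them now, and verify that sshd is listening on TCP 22.
# Assumes an elevated PowerShell session with OpenSSH Server installed.

foreach ($svc in 'sshd', 'ssh-agent') {
    # A service whose StartType is Disabled cannot be started; setting the
    # startup type to Automatic also clears that state.
    Set-Service -Name $svc -StartupType 'Automatic'
    if ((Get-Service -Name $svc).Status -ne 'Running') {
        Start-Service -Name $svc
    }
}

# Show the resulting state of both services.
Get-Service -Name 'sshd', 'ssh-agent' | Select-Object Name, Status, StartType

# sshd should now own a listening socket on port 22 (the default sshd_config port).
$listener = Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $pid22 = ($listener | Select-Object -First 1).OwningProcess
    Write-Output "sshd is listening on port 22 (PID $pid22)"
} else {
    Write-Warning "Nothing is listening on port 22; check the sshd service and its event log"
}
```

If the port check fails while the service reports Running, the usual cause is a non-default `Port` in %programdata%\ssh\sshd_config; adjust the `-LocalPort` value (and the firewall rule below) to match.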
Confirm the firewall rule is configured. It should be created automatically by setup. Run the following to verify (the original one-line form was missing the statement separator between Write-Output and New-NetFirewallRule, so it is split across lines here):
if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {
    Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
} else {
    Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists."
}
The default shell for OpenSSH in Windows is the command prompt.
Configuring the default SSH shell is done in the Windows registry by adding the full path to the shell executable to HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH in the string value DefaultShell.
With the command below, the default shell for OpenSSH is set to PowerShell 7, which is located at C:\Program Files\PowerShell\7\pwsh.exe:
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Program Files\PowerShell\7\pwsh.exe" -PropertyType String -Force
Note:
OpenSSH Server (sshd) reads configuration data from %programdata%\ssh\sshd_config by default; a different configuration file may be specified by launching sshd.exe with the -f parameter. If the file is absent, sshd generates one with the default configuration when the service is started.
OpenSSH Client (ssh) reads configuration data from a configuration file in the following order:
1. By launching ssh.exe with the -F parameter, specifying a path to a configuration file and an entry name from that file.
2. The user's configuration file at %userprofile%\.ssh\config
3. The system-wide configuration file at %programdata%\ssh\ssh_config
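An added example (not from the original page) of the per-user client configuration file described in item 2: it writes a Host entry for the key that the ssh-keygen command later in this guide produces, and then shows how to confirm which options ssh will actually apply. The alias 'winserver', the address 192.0.2.10 and the account 'alice' are constructed placeholders.

```powershell
# Added example (not from the original page): create a per-user ssh client config
# entry so the key generated with ssh-keygen later in this guide is used for one host.
# 'winserver', 192.0.2.10 and 'alice' are constructed placeholders.

$sshDir = Join-Path $env:USERPROFILE '.ssh'
$configPath = Join-Path $sshDir 'config'
New-Item -ItemType Directory -Path $sshDir -Force | Out-Null

# IdentitiesOnly stops ssh from offering every key held by ssh-agent to this host,
# so only the named key is ever presented.
$entry = @"

Host winserver
    HostName 192.0.2.10
    User alice
    IdentityFile ~/.ssh/client_key
    IdentitiesOnly yes
"@

# Append only if an entry for this alias is not already present.
if (-not (Test-Path $configPath) -or
    -not (Select-String -Path $configPath -Pattern '^\s*Host\s+winserver\s*$' -Quiet)) {
    Add-Content -Path $configPath -Value $entry
}

# ssh -G prints the effective options for the alias, which confirms that the
# user config file (consulted after any -F file) is being applied.
ssh -G winserver
```

To test an alternative configuration without touching the user file, point ssh at it explicitly with `ssh -F <path-to-config> winserver`, which corresponds to item 1 in the lookup order above.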
ssh-keygen -o -a 100 -t ed25519 -f $env:USERPROFILE\.ssh\client_key -C "clientUsername@clientHostname"
ssh-keygen will create two key files: a public key (with the .pub extension) and a private key.
| Option | Meaning |
|---|---|
| -o | Causes ssh-keygen to save private keys using the new OpenSSH format rather than the more compatible PEM format. The new format has increased resistance to brute-force password cracking but is not supported by versions of OpenSSH prior to 6.5. Ed25519 keys always use the new private key format. (IBM.com/docs) |
| -a <KDF rounds> | Specifies the number of KDF (key derivation function) rounds used. Higher numbers result in slower passphrase verification and increased resistance to brute-force password cracking (should the keys be stolen). In this case -a 100 rounds is used. |
| -t <type> | Specifies the type of the key to create. The possible values are "dsa", "ecdsa", "ed25519", or "rsa". Here we use -t ed25519. |
| -f <path/filename> | Specifies the name and location of the generated key file. If you want it to be discovered automatically by the SSH agent, it must be stored in the default ~/.ssh/ directory (Windows: $env:USERPROFILE\.ssh\). |
| -C "<comment>" | An option to specify a comment. It is purely informational and can be anything, but it is usually filled with <login>@<hostname> of whoever generated the key. The comment is truncated after 1023 characters. |
ssh-copy-id -i ~/.ssh/id_key.pub user@server
Because ssh-copy-id does not work on Windows, we use scp in the following way:
scp file2copy user@ip:"path"
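The scp step above only moves the file; the key still has to be appended to the right authorized_keys file on the server before it is usable. The following is an added example, not code from the original page, that does the whole job from the client: it copies the public key with scp, appends it on the server to either the user's authorized_keys or, for members of the Administrators group, to %ProgramData%\ssh\administrators_authorized_keys (which Windows OpenSSH's default sshd_config uses for that group and which sshd ignores unless only Administrators and SYSTEM can access it), and finally checks that key-based login works without falling back to a password. The account 'alice' and host 'winserver' are constructed placeholders; the key path matches the ssh-keygen command earlier in this guide.

```powershell
# Added example (not from the original page): push the public key generated above to a
# Windows OpenSSH server without ssh-copy-id. 'alice@winserver' is a constructed
# placeholder; the key path matches the ssh-keygen command earlier in this guide.

$pubKeyPath = "$env:USERPROFILE\.ssh\client_key.pub"
$target = 'alice@winserver'

# 1. Copy the public key to the user's home directory on the server with scp.
#    A relative remote path resolves to the account's profile directory.
scp $pubKeyPath "${target}:client_key.pub"

# 2. On the server, append the key to the correct authorized_keys file.
#    Members of the Administrators group (SID S-1-5-32-544) are routed by the
#    default sshd_config to administrators_authorized_keys, and sshd refuses that
#    file unless its ACL is restricted to Administrators and SYSTEM.
$remoteScript = @'
$isAdmin = [Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value -contains 'S-1-5-32-544'
if ($isAdmin) {
    $auth = "$env:ProgramData\ssh\administrators_authorized_keys"
} else {
    New-Item -ItemType Directory -Path "$env:USERPROFILE\.ssh" -Force | Out-Null
    $auth = "$env:USERPROFILE\.ssh\authorized_keys"
}
$key = (Get-Content "$env:USERPROFILE\client_key.pub").Trim()
# Append only if this exact key line is not already present.
if (-not (Test-Path $auth) -or -not (Select-String -Path $auth -SimpleMatch -Pattern $key -Quiet)) {
    Add-Content -Path $auth -Value $key
}
if ($isAdmin) {
    icacls.exe $auth /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null
}
Remove-Item "$env:USERPROFILE\client_key.pub"
'@

# Base64-encode the script so its quoting survives whichever remote default shell
# (cmd.exe or pwsh) receives the command line; Windows PowerShell is present on
# every Windows server, so 'powershell' is used as the interpreter.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($remoteScript))
ssh $target "powershell -NoProfile -EncodedCommand $encoded"

# 3. Verify that key-based login works; PasswordAuthentication=no makes the test
#    fail loudly instead of silently succeeding through a password prompt.
ssh -o PasswordAuthentication=no -i "$env:USERPROFILE\.ssh\client_key" $target 'whoami'
```

The first two ssh/scp connections still authenticate with the account's password (the key is not yet installed); only the final command proves the key path works. If that last step fails with "Permission denied (publickey)", the usual causes are a wrong authorized_keys file for the account's group membership or a too-permissive ACL on administrators_authorized_keys.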