WARNING: This approach does not enable impersonation, so only a single user account can connect through ssh: the same user that runs the Windows service. At the time of writing, multi-user support for sshd under Windows seems to be achievable only with Cygwin or MSYS2. E.g. https://ghc.haskell.org/trac/ghc/wiki/Building/Windows/SSHD
- Latest Git for Windows. I tried it with v2.6.0. (Note: with v2.5.3 sshd tried to load authorized keys from /c/.ssh instead of ~/.ssh).
A user named `sshd` is required by the SSH daemon (its privilege separation user) and MUST have exactly that name:

```bat
:: on Windows command
net user sshd /ADD /ACTIVE:NO
net localgroup Users sshd /DELETE
```
The SSH daemon also needs host keys to secure the connection:

```sh
#!/bin/sh
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
# DSA host keys are disabled by default since OpenSSH 7.0; generating one is harmless
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -N '' -t ed25519
```
Directories and files the SSH daemon expects to exist:

```sh
#!/bin/sh
mkdir -p /var/empty   # chroot directory for privilege separation
mkdir -p /var/log
touch /var/log/lastlog # to prevent a nasty message on the ssh client
```
I used nssm to wrap sshd.exe into a Windows service:

```bat
:: on Windows command
nssm install sshd "C:\Program Files\Git\usr\bin\sshd.exe" -DE \"%APPDATA%\sshd.log\"
nssm set sshd Description "SSH Daemon"
nssm set sshd AppPriority ABOVE_NORMAL_PRIORITY_CLASS
nssm edit sshd
:: Go to the "Log on" tab and change to "This account" using your Windows credentials
nssm start sshd
```
Hint: Be sure to `ssh-copy-id` your public key to the sshd machine first, because password authentication is disabled in the next step and only key-based logins will remain.
To deactivate password authentication, edit `C:\Program Files\Git\etc\ssh\sshd_config`:

```diff
- #PasswordAuthentication yes
+ PasswordAuthentication no
```
If there is any issue while trying to connect, enable debugging for sshd by editing `C:\Program Files\Git\etc\ssh\sshd_config`:

```diff
- #LogLevel INFO
+ LogLevel DEBUG
```

Restart the sshd service and check `"%APPDATA%\sshd.log"`.

Also run the ssh client with the `-v` switch to show debug info.
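The two sshd_config edits above (PasswordAuthentication off, LogLevel DEBUG) applied idempotently and then read back the way sshd resolves them, as an added shell example that is not part of the original gist. It assumes a POSIX sh with grep, sed -E and awk (all shipped with Git for Windows) and works on a constructed sample config in a temp file rather than the real one.

```sh
#!/bin/sh
# Added example, not from the original gist: apply the two sshd_config edits the
# page describes idempotently and read back the value sshd will actually use.
# Assumes POSIX sh with grep, sed -E and awk (all shipped with Git for Windows).
# Paths here are constructed temp files; the real one is /etc/ssh/sshd_config in Git Bash.

# set_sshd_option FILE KEY VALUE
# Rewrites every "KEY ..." or commented "#KEY ..." line to "KEY VALUE", or appends
# the directive if neither exists. sshd honours the FIRST occurrence of a directive,
# so a naive append would silently lose to an earlier uncommented line.
# Caveat: directives inside a "Match" block are rewritten as well.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file"; then
        # sed -i differs between GNU and BSD sed, so go through a temp file
        sed -E "s/^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?\$/${key} ${value}/" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: prints the effective value, i.e. the first uncommented
# occurrence, which is how sshd resolves duplicates. Prints nothing if unset.
get_sshd_option() {
    grep -E "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

# make_sample_config FILE: constructed stand-in for the stock Git for Windows file
make_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#LogLevel INFO
#PasswordAuthentication yes
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
}

# Key-only logins plus verbose logging, exactly the two edits the page shows.
harden_sshd_config() {
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" LogLevel DEBUG
}
# Stand-alone demo on a temporary copy (run with --demo); restart sshd after editing the real file.
if [ "${1:-}" = "--demo" ]; then
    cfg=$(mktemp); make_sample_config "$cfg"; harden_sshd_config "$cfg"
    echo "PasswordAuthentication=$(get_sshd_option "$cfg" PasswordAuthentication)"
    echo "LogLevel=$(get_sshd_option "$cfg" LogLevel)"; rm -f "$cfg"
fi
```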
Thank you!
The instructions are pretty comprehensive; however, I kept getting "Privilege separation user does not exist" errors in the log. I managed to solve that by following this answer: https://stackoverflow.com/a/24242464
Adding the following line to `/etc/passwd` got it to work for me: