The OpenSSH SSHD service on Windows 10 and 11 is extremely useful, but a bit tricky to set up. Here are my notes on how to do it.
- Follow the instructions from [1] to "Install OpenSSH" via Windows Settings. Alternately, use PowerShell (use the full capability name, including the `~~~~0.0.1.0` version suffix):

```powershell
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
```

Installing `OpenSSH.Server` is often quite slow (it seems to hang for a minute or two). Be patient.
- I'm assuming you're in the Administrators group on your Windows system. If so, and you want to log in using your own id (rather than logging in as a user that's not part of the Administrators group), you need to do some special configuration. In any case, you definitely do not want to log in with your password, or leave password authentication enabled. We'll turn it off below.
- The OpenSSH server creates a number of files the first time you start it, in the directory `%programdata%\ssh` (typically `C:\ProgramData\ssh`). One of them is `sshd_config`, and we want to edit it. So start and stop the service using an Administrative PowerShell window, thereby creating the files and leaving them accessible to us:

```powershell
PS> dir $env:ProgramData\ssh
PS> # the dir is empty, so no output.
PS> Start-Service sshd
PS> Stop-Service sshd
PS> dir $env:ProgramData\ssh

    Directory: C:\ProgramData\ssh

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         6/24/2022   7:18 PM                logs
-a----         6/24/2022   7:18 PM              6 sshd.pid
-a----          6/4/2021   5:53 PM           2297 sshd_config
-a----         6/24/2022   7:18 PM           1405 ssh_host_dsa_key
-a----         6/24/2022   7:18 PM            620 ssh_host_dsa_key.pub
-a----         6/24/2022   7:18 PM            525 ssh_host_ecdsa_key
-a----         6/24/2022   7:18 PM            192 ssh_host_ecdsa_key.pub
-a----         6/24/2022   7:18 PM            419 ssh_host_ed25519_key
-a----         6/24/2022   7:18 PM            112 ssh_host_ed25519_key.pub
-a----         6/24/2022   7:18 PM           2622 ssh_host_rsa_key
-a----         6/24/2022   7:18 PM            584 ssh_host_rsa_key.pub
PS>
```
- Use an editor with administrative privileges to open the file `%programdata%\ssh\sshd_config`. You can use `notepad` for this, if you launch it from the elevated PowerShell prompt. Find the following lines:

```text
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
```

Insert an uncommented line to disable PasswordAuthentication:

```text
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication no
#PermitEmptyPasswords no
```
- Having made the above change, save the file. Then follow the instructions from [1] to "Start and configure OpenSSH Server".
- On Linux or macOS, you'd add your SSH public key under your home directory, in `.ssh/authorized_keys`. However, because you're a member of the Administrators group, you need to add your SSH key in a file named `%programdata%\ssh\administrators_authorized_keys`; both the location and the file name are unique to Windows. To add your public key, an administrator `cmd.exe` is best; PowerShell likes to create UTF-16 files, but `sshd` will only read ASCII (or perhaps UTF-8) files. So: use the Start menu to open a "Command Prompt (Admin)", and then enter the following commands:

```bat
cd C:\ProgramData\ssh
echo ....yourkey.... >> administrators_authorized_keys
cacls .\administrators_authorized_keys /e /r "NT AUTHORITY\Authenticated Users"
```

Don't put quotes around "....yourkey....", as `cmd` doesn't strip the quotes.

The last line (with `cacls`) is important. The file `administrators_authorized_keys` may otherwise be created with read access given to `Authenticated Users`. If read access is given, `sshd` will notice, and will refuse to use the file.

Note: if you use `Notepad` to create `administrators_authorized_keys`, be aware that it might put an encoding prefix (a byte-order mark) on the file. If you're not able to log in, enable logging per below and look for a line like this:

```text
10108 2023-08-21 12:04:01.373 debug2: __PROGRAMDATA__/ssh/administrators_authorized_keys:1: check options: 'ÿþs'
```

The `'ÿþs'` is your clue that there's an encoding prefix on the file. The easiest way to remove it is to use the `echo` command and simply recreate the file. Or you can try opening the file with `Notepad` and use `Save As` to recreate it with encoding `ANSI`. However, check the permissions after doing this, just to make sure.
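Both failure modes described above (a byte-order mark at the front of the file, and an ACL that still grants access to someone other than Administrators and SYSTEM) can be checked from PowerShell before you resort to debug logging. The function below is an added example, not part of the original notes or of Microsoft's OpenSSH tooling; `Test-AdminAuthorizedKeys` is my own name, and it assumes the default file location under `$env:ProgramData\ssh`. The `'ÿþ'` seen in the log line above is the byte pair FF FE, the UTF-16 LE mark; the UTF-8 mark is EF BB BF, so the check looks for either. The optional `-Repair` switch rewrites the file as plain ASCII and resets the ACL with `icacls` (elevated prompt needed).

```powershell
# Added example (not from the original notes): check administrators_authorized_keys
# for a byte-order mark, malformed key lines, and an over-permissive ACL.
# Assumes the default path under $env:ProgramData\ssh; the function name is my own.

function Test-AdminAuthorizedKeys {
    param(
        [string] $Path = (Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'),
        [switch] $Repair    # rewrite as plain ASCII and reset the ACL (needs an elevated prompt)
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Problems = @('file does not exist') }
    }

    # 1. Byte-order mark. 'ÿþ' in the debug log is FF FE (UTF-16 LE mark);
    #    EF BB BF is the UTF-8 mark. sshd wants neither.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        $problems.Add('file starts with FF FE (UTF-16 LE byte-order mark)')
    } elseif ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $problems.Add('file starts with EF BB BF (UTF-8 byte-order mark)')
    } elseif ($bytes -contains 0) {
        $problems.Add('file contains NUL bytes (probably UTF-16 without a mark)')
    }

    # 2. Every non-blank, non-comment line should carry an OpenSSH public key
    #    (options such as command="..." may precede the key type).
    $keyRegex = '(^|\s)(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)\s+[A-Za-z0-9+/=]+'
    $n = 0
    foreach ($line in [System.IO.File]::ReadAllLines($Path)) {   # ReadAllLines decodes via the BOM if present
        $n++
        if ($line.Trim() -eq '' -or $line.TrimStart().StartsWith('#')) { continue }
        if ($line -notmatch $keyRegex) { $problems.Add("line ${n}: not an OpenSSH public key line") }
    }

    # 3. ACL: sshd refuses the file if any other principal has an Allow entry,
    #    e.g. the Authenticated Users read access the notes remove with cacls.
    $allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    $acl = Get-Acl -LiteralPath $Path
    if ($allowed -notcontains $acl.Owner) { $problems.Add("owner is $($acl.Owner)") }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $allowed -notcontains $ace.IdentityReference.Value) {
            $problems.Add("ACL allows $($ace.FileSystemRights) to $($ace.IdentityReference.Value)")
        }
    }

    if ($Repair -and $problems.Count -gt 0) {
        # Decode whatever encoding is there and write back plain ASCII with no mark ...
        $text = [System.IO.File]::ReadAllLines($Path)
        [System.IO.File]::WriteAllLines($Path, $text, [System.Text.Encoding]::ASCII)
        # ... then drop inherited entries and grant only Administrators and SYSTEM.
        icacls.exe $Path /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null
        return Test-AdminAuthorizedKeys -Path $Path    # re-check after the repair
    }

    [pscustomobject]@{ Path = $Path; Ok = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Usage (elevated PowerShell):
Test-AdminAuthorizedKeys | Format-List
# Test-AdminAuthorizedKeys -Repair
```

Run it without `-Repair` first and read the `Problems` list; it tells you which of the two causes (encoding or ACL) you are looking at, which is otherwise only visible with `LogLevel DEBUG2` turned on.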
- Optional: if you want to log in with a POSIX-like shell:
  a. Make sure you have Git Bash installed.
  b. Change the remote login shell to Git Bash using the following PowerShell commands:

```powershell
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Program Files\Git\usr\bin\bash.exe" -PropertyType String -Force
Restart-Service sshd
```
- If you need to enable logging in order to debug connection problems, you must change two lines in your `sshd_config`, and restart the service. Change from:

```text
# Logging
#SyslogFacility AUTH
#LogLevel INFO
```

To:

```text
# Logging
SyslogFacility LOCAL0
LogLevel DEBUG2
```

Restart the daemon using PowerShell:

```powershell
Restart-Service sshd
```
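The two `sshd_config` edits in these notes, `PasswordAuthentication no` earlier and the `SyslogFacility`/`LogLevel` change for debugging (and putting them back afterwards), are the same operation: set a top-level directive, keeping the file ASCII so `sshd` still reads it. The functions below are an added example, not part of the original notes or of Microsoft's OpenSSH tooling; `Get-SshdDirective` and `Set-SshdDirective` are my own names. They assume the default config path under `$env:ProgramData\ssh`, an elevated PowerShell window, and that the directive belongs in the global section (any `Match` block at the end of the file is left untouched).

```powershell
# Added example (not from the original notes): idempotently read or set a
# top-level directive in sshd_config. Assumes the default Windows path and an
# elevated prompt. Function names are my own.

$SshdConfigPath = Join-Path $env:ProgramData 'ssh\sshd_config'

function Get-SshdDirective {
    # Return the first active (uncommented, outside any Match block) value of
    # a directive, which is the one sshd uses; $null if it is not set.
    param([Parameter(Mandatory)][string] $Name,
          [string] $Path = $SshdConfigPath)
    $pattern = "^\s*$([regex]::Escape($Name))\s+(.+?)\s*$"
    foreach ($line in (Get-Content -LiteralPath $Path -Encoding Ascii)) {
        if ($line -match '^\s*Match\b') { break }          # Match blocks end the global section
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null
}

function Set-SshdDirective {
    # Set a directive to $Value: replace the active line if one exists, otherwise
    # insert it right after its commented-out default (as the manual edit in the
    # notes does), or before the first Match block. Keeps a backup, writes ASCII.
    param([Parameter(Mandatory)][string] $Name,
          [Parameter(Mandatory)][string] $Value,
          [string] $Path = $SshdConfigPath)

    $active    = "^\s*$([regex]::Escape($Name))\s+"
    $commented = "^\s*#\s*$([regex]::Escape($Name))\s+"
    $newLine   = "$Name $Value"
    $out       = [System.Collections.Generic.List[string]]::new()
    $replaced  = $false
    $inMatch   = $false
    $insertAt  = -1

    foreach ($line in (Get-Content -LiteralPath $Path -Encoding Ascii)) {
        if (-not $inMatch -and $line -match '^\s*Match\b') {
            $inMatch = $true
            if ($insertAt -lt 0) { $insertAt = $out.Count }   # fall back to "before Match"
        }
        if (-not $inMatch -and $line -match $active) {
            if (-not $replaced) { $out.Add($newLine) }        # first value wins in sshd; keep one
            $replaced = $true
            continue
        }
        $out.Add($line)
        if (-not $inMatch -and -not $replaced -and $insertAt -lt 0 -and $line -match $commented) {
            $insertAt = $out.Count                             # right after the commented default
        }
    }
    if (-not $replaced) {
        if ($insertAt -lt 0) { $out.Add($newLine) } else { $out.Insert($insertAt, $newLine) }
    }

    Copy-Item -LiteralPath $Path -Destination ("{0}.{1}.bak" -f $Path, (Get-Date -Format 'yyyyMMddHHmmss'))
    Set-Content -LiteralPath $Path -Value $out -Encoding Ascii
    $now = Get-SshdDirective -Name $Name -Path $Path
    if ($now -ne $Value) { throw "$Name is '$now' after edit, expected '$Value'" }
    "$Name = $now"
}

# Usage (elevated PowerShell). Disable password logins:
Set-SshdDirective -Name PasswordAuthentication -Value no
# Turn debug logging on while troubleshooting ...
Set-SshdDirective -Name SyslogFacility -Value LOCAL0
Set-SshdDirective -Name LogLevel -Value DEBUG2
# ... and back to the shipped defaults when done:
# Set-SshdDirective -Name SyslogFacility -Value AUTH
# Set-SshdDirective -Name LogLevel -Value INFO
Restart-Service sshd
```

`Get-SshdDirective -Name PasswordAuthentication` is a quick way to confirm the edit took: it returns `no` only when an uncommented line says so, which is exactly what `sshd` will act on.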
- If you enable logs, be sure to disable logging when you're finished debugging. Then, for security, delete the logs using Admin PowerShell:

```powershell
Stop-Service sshd
del C:\ProgramData\ssh\logs\sshd.log
Start-Service sshd
```
- Be sure to set the ssh service to auto-start:

```powershell
Set-Service -Name sshd -StartupType 'Automatic'
```
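Once the steps above are done, a single check that the end state matches these notes is handy (service running and set to auto-start, an inbound firewall rule, a listener on the port, password authentication off, debug logging not left on, the admin keys file present). The function below is an added example, not part of the original notes or of Microsoft's OpenSSH tooling; `Test-SshdSetup` is my own name. It assumes the default `sshd_config` path and that the inbound firewall rule created during the install in [1] has "OpenSSH" in its display name.

```powershell
# Added example (not from the original notes): post-setup check for the
# Windows OpenSSH server. Function name is my own; assumes the default
# sshd_config path and an inbound firewall rule whose display name contains
# "OpenSSH".

function Test-SshdSetup {
    param(
        [int] $Port = 22,
        [string] $ConfigPath = (Join-Path $env:ProgramData 'ssh\sshd_config')
    )
    $svc  = Get-Service -Name sshd -ErrorAction SilentlyContinue
    $rule = Get-NetFirewallRule -DisplayName '*OpenSSH*' -Direction Inbound -ErrorAction SilentlyContinue |
                Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
    $listen = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    $config = if (Test-Path -LiteralPath $ConfigPath) { Get-Content -LiteralPath $ConfigPath } else { @() }

    # Only an uncommented directive counts; a leading '#' is just the shipped default.
    $pwOff   = [bool]($config -match '^\s*PasswordAuthentication\s+no\b')
    $debugOn = [bool]($config -match '^\s*LogLevel\s+DEBUG')
    $keysFile = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
    $shell = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell -ErrorAction SilentlyContinue).DefaultShell
    $shellText = if ($shell) { $shell } else { '(not set)' }

    [pscustomobject]@{
        ServiceRunning            = ($null -ne $svc -and $svc.Status -eq 'Running')
        ServiceAutoStart          = ($null -ne $svc -and $svc.StartType -eq 'Automatic')
        FirewallRuleAllowsInbound = ($null -ne $rule)
        ListeningOnPort           = ($null -ne $listen)
        PasswordAuthDisabled      = $pwOff
        DebugLoggingLeftOn        = $debugOn        # should be False once you are done debugging
        AdminKeysFileExists       = (Test-Path -LiteralPath $keysFile)
        DefaultShell              = $shellText
    }
}

Test-SshdSetup | Format-List
```

Every field except `DefaultShell` should read `True`, with `DebugLoggingLeftOn` the one exception that should read `False`; anything else points at the step above that was skipped.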
[1] "Get started with OpenSSH", https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse