Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
# This should return the following output:
Name  : OpenSSH.Client~~~~0.0.1.0
State : NotPresent

Name  : OpenSSH.Server~~~~0.0.1.0
State : NotPresent
Windows SSH Server
Native Feature of Windows
Microsoft has adopted OpenSSH as a Feature / Capability since Windows 10 / Windows Server 2019. The OpenSSH functionality is delivered as two independent features: client and server. The main benefit for the user is a complete implementation, covering the PowerShell module and the firewall rule. Another important benefit is that updates are delivered directly through the system update mechanism.
Installation / enabling the service
You can use the GUI to enable the feature, but there is no single place where all the steps are done. Enabling the Feature (Windows 10) or Capability (Windows Server 2019) is the first step, but the system service also has to be enabled and started. Optionally, the firewall rule should be checked.
The development of the capability started with Windows 7, so the development version can be downloaded and installed even on e.g. Windows Server 2016.
For Windows Server 2016 the firewall-related command is the same as for newer versions (PowerShell based).
In case you need to install it on an older version of Windows (which is already unsupported), the firewall-related commands are a little bit different.
PowerShell
The primary way to configure the system is PowerShell. Adopting OpenSSH as a native feature / capability also brought the management of the service into the PowerShell environment: a PowerShell module is provided. It offers the possibility to do all the necessary steps from one console at the same time.
To run the following commands, the PowerShell console has to be started with elevated permissions (as administrator).
1. OpenSSH - server
1.1. install capability / the application
The installation process consists of
- install the application / capability / feature
- check / enable / create firewall rule
- enable autostart of the service
- start application
1.1.1. Windows 10 / Windows Server 2019 and above (native capability)
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
1.1.2. Windows where it is not a native capability yet
There is a repository with the source code on GitHub. In case you don’t want to build it, you can download a binary form of the released versions from the release section on GitHub. To use the binary, download the OpenSSH-Win64.zip file.
Download externally
In case you want to download it outside the server (or you have it already downloaded), the file share feature may be useful. There is a default share for the whole C: drive, named C$. You can access the share as Administrator at \\<srv_ip>\C$\Program Files\. To access the server, you have to allow the service (the port) on the firewall.
Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True -Profile Any
Installation
It is recommended to place the content of the archive in C:\Program Files\OpenSSH by default. In case you simply extract it to C:\Program Files, the extracted folder will be named OpenSSH-Win64. This folder name can be kept. The permissions should be set (by default) to Write for the SYSTEM and Administrators groups and to Read & Execute for Authenticated Users.
Once the files are ready you can run the installation process:
powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1
The service is now ready.
1.2. Common setting
To reach the service, the SSH port has to be opened on the firewall. Check for an existing rule first and create one only if none is present:
Get-NetFirewallRule -Name *ssh*
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
Then set both services to start automatically:
Set-Service -Name sshd -StartupType Automatic
Set-Service -Name ssh-agent -StartupType Automatic
The installation does not create the SSH server host keys, which have to be unique per installation. During start-up their existence is checked and, if they are missing, they are generated automatically. To finish the installation, the services have to be started; the first start may take a little longer than the following ones.
Start-Service sshd
Start-Service ssh-agent
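The whole procedure from section 1.1 and 1.2 (capability, firewall rule, autostart, first start) as one idempotent script with a check after each step. This is an added example, not code from the original page; it assumes Windows 10 / Windows Server 2019 or newer, where the capability itself creates the firewall rule named OpenSSH-Server-In-TCP, so a separate rule is only created when that one is missing.

```powershell
#Requires -RunAsAdministrator
# Added example: install the native OpenSSH Server capability step by step,
# skipping steps that are already done, and report the resulting state.
$ErrorActionPreference = 'Stop'
$capName  = 'OpenSSH.Server~~~~0.0.1.0'
$ruleName = 'OpenSSH-Server-In-TCP'   # rule created by the capability (assumption: 1809+/2019+)

# 1. capability: add only if not installed yet
$cap = Get-WindowsCapability -Online -Name $capName
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $capName | Out-Null
}

# 2. firewall rule: reuse the capability's rule, create one only if it is missing,
#    and make sure it is enabled
$rule = Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $rule = New-NetFirewallRule -Name $ruleName -DisplayName 'OpenSSH Server (sshd)' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
}
if ($rule.Enabled -ne 'True') { Enable-NetFirewallRule -Name $ruleName }

# 3. autostart and (first) start of both services; host keys are generated here
foreach ($svc in 'sshd', 'ssh-agent') {
    Set-Service -Name $svc -StartupType Automatic
    if ((Get-Service -Name $svc).Status -ne 'Running') { Start-Service -Name $svc }
}

# 4. verify: host keys exist in %ProgramData%\ssh and sshd listens on TCP 22
$hostKeys  = Get-ChildItem "$env:ProgramData\ssh\ssh_host_*_key" -ErrorAction SilentlyContinue
$listening = Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue
[pscustomobject]@{
    Capability   = (Get-WindowsCapability -Online -Name $capName).State
    FirewallRule = (Get-NetFirewallRule -Name $ruleName).Enabled
    Sshd         = (Get-Service -Name sshd).Status
    HostKeys     = @($hostKeys).Count
    Listening    = [bool]$listening
}
```

Running the script a second time changes nothing and only prints the state table, which makes it usable as a post-install check.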
The default shell is cmd.exe but it is possible to change it to the PowerShell.
# Set PowerShell as default shell after the login
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
Once the service is installed and started, all other settings can be done over an SSH connection (this may be useful for better clipboard handling). Until PowerShell is set as the default shell, cmd (Command Prompt) is used as the default. In that case the first command should be C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe to enter the PowerShell environment.
Based on the default shell setting, midPoint’s SSH connector has to be configured accordingly to handle variables. With PowerShell as the default shell, the argumentStyle should be set to variables-powershell. For more information see the documentation of the SSH connector on GitHub.
1.3. Config file location
The global system configuration (on *nix systems usually located in /etc/ssh) can be found in %programdata%\ssh\ (c:\ProgramData\ssh\). The configuration file is located there, together with the host keys (used for the secure communication on the server side):
- sshd_config
- *_key
For our purpose we don’t need to cover all the options available in OpenSSH. As the build has been customized for integration into the Windows system, some options can’t be used in sshd_config the same way as on a Linux system. For more details, see the Microsoft Docs page.
1.4. User keys (key authentication)
The default location is the .ssh folder in the user’s home directory ( %HOME%\.ssh\authorized_keys ).
administrator access (SSH Keys)
In case the user is a member of the Administrators group, the key has to be placed in a common location instead of the user’s home directory. In this case the location is %programdata%\ssh\administrators_authorized_keys. To add content to the file you can use the following command: Add-Content -Path C:\ProgramData\ssh\administrators_authorized_keys. Without the -Value parameter you will be prompted for the content; an empty line ends the input. In case the file does not exist, it will be created.
To set the proper permission for the file you can use following PowerShell script.
#get the ACL object for the file
$acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys
#set the proper permissions
$acl.SetAccessRuleProtection($true, $false)
$administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule("Administrators","FullControl","Allow")
$systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
$acl.SetAccessRule($administratorsRule)
$acl.SetAccessRule($systemRule)
#process the setting
$acl | Set-Acl
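The two steps above (adding an administrator key and locking down the file) combined into reusable functions, with a final check that no principal other than SYSTEM and Administrators is left in the ACL. This is an added example, not code from the original page; the function names and the sample key are constructed, and the key line must be replaced with the real public key.

```powershell
#Requires -RunAsAdministrator
# Added example: append a public key to administrators_authorized_keys without
# duplicating it, apply the SYSTEM/Administrators-only ACL and verify it.
# sshd's StrictModes check rejects an authorized keys file with a looser ACL.
$ErrorActionPreference = 'Stop'
$keysFile = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'

function Add-AdminAuthorizedKey {
    param([Parameter(Mandatory)][string]$PublicKey)
    # accept one authorized_keys line only: key type, base64 blob, optional comment
    if ($PublicKey -notmatch '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=* ?.*$') {
        throw 'Not a valid OpenSSH public key line'
    }
    $line = $PublicKey.Trim()
    $existing = if (Test-Path $keysFile) { Get-Content $keysFile } else { @() }
    if ($existing -contains $line) { return 'already present' }
    Add-Content -Path $keysFile -Value $line   # creates the file if needed
    return 'added'
}

function Set-AdminKeysAcl {
    $acl = Get-Acl $keysFile
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
    foreach ($id in 'Administrators', 'SYSTEM') {
        $acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
    }
    $acl | Set-Acl
}

function Test-AdminKeysAcl {
    # returns $true only if every ACE belongs to SYSTEM or Administrators
    $allowed = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
    $extra = (Get-Acl $keysFile).Access | Where-Object { $_.IdentityReference.Value -notin $allowed }
    foreach ($ace in $extra) { Write-Warning "unexpected ACE: $($ace.IdentityReference) $($ace.FileSystemRights)" }
    return (-not $extra)
}

# constructed sample key (not a real key); replace it with the user's public key
Add-AdminAuthorizedKey -PublicKey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExample user@host'
Set-AdminKeysAcl
Test-AdminKeysAcl
```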
1.5. Uninstall
The uninstallation process consists of
- stop application
- remove the service or at least disable autostart
- disable / remove firewall rule
- (optionally) remove the application / capability / feature
1.5.1. Native Capability (Win 10 / Win Server 2019 and above)
Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
The firewall rule should be removed together with the capability; verify it with the following command.
Get-NetFirewallRule -Name *ssh*
1.5.2. Manual installation
# In case you installed into OpenSSH-Win64, use that path instead
Set-Location -Path "C:\Program Files\OpenSSH"
powershell.exe -ExecutionPolicy Bypass -File uninstall-sshd.ps1
Remove-NetFirewallRule -Name sshd
2. OpenSSH - client
# install the client capability
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
# remove the client capability
Remove-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0