Windows SSH Server

Last modified 23 Nov 2021 09:20 +01:00

Native Feature of Windows

Microsoft has adopted OpenSSH as a native Feature / Capability since Windows 10 / Windows Server 2019. The OpenSSH functionality is delivered as two independent features: client and server. The main benefit for the user is a complete implementation that also covers the PowerShell module and the firewall rule. Another important benefit is that updates are delivered directly through the system update mechanism.

Installation / enabling the service

You can use the GUI to enable the feature, but there is no single place where everything is done. Enabling the Feature (Windows 10) or Capability (Windows Server 2019) is only the first step; the system service also has to be enabled and started. Optionally, the firewall rule should be checked.

Development of the capability started with Windows 7, so the development version can be downloaded and installed even on e.g. Windows Server 2016. For Windows Server 2016 the firewall-related command is the same as for newer versions (PowerShell based). If you need to install it on an older version of Windows (which is already unsupported), the firewall-related commands are slightly different.
The reference can be found directly on the PowerShell/Win32-OpenSSH project site or in an older version of this site.

PowerShell

The primary way to configure the system is PowerShell. Adopting OpenSSH as a native feature / capability also brought the management of the service into the PowerShell environment: a PowerShell module was created. It makes it possible to do everything necessary from one console at the same time.

To run the following commands, the PowerShell console must be started with elevated permissions (as administrator).

Check the version
Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'

# This should return the following output:

Name  : OpenSSH.Client~~~~0.0.1.0
State : NotPresent
Name  : OpenSSH.Server~~~~0.0.1.0
State : NotPresent

1. OpenSSH - server

1.1. install capability / the application

The installation process consists of

  • install the application / capability / feature

  • check / enable / create firewall rule

  • enable autostart of the service

  • start application

1.1.1. Windows 10 / Windows Server 2019 and above (native capability)

Install OpenSSH - server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

1.1.2. Windows where it is not a native capability yet

There is a repository with the source code on GitHub. If you don't want to build it yourself, you can download a binary form of the released versions from the release section on GitHub. To use the binary, download the OpenSSH-Win64.zip file.

Download externally

If you want to download it outside of the server (or you have it already downloaded), the file share feature may be useful. There is a "default" share for the whole C: drive, named C$. You can access the share as Administrator at \\<srv_ip>\C$\Program Files\. To reach the server you have to allow the service (the port) on the firewall.

Enable file share port on firewall
Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True -Profile Any

Installation

The content of the archive is recommended to be placed in C:\Program Files\OpenSSH by default. If you simply extract it into C:\Program Files, the extracted folder will be named OpenSSH-Win64; this folder name can be kept. The permissions should be set (by default) to Write for SYSTEM and the Administrators group and to Read & Execute for Authenticated Users.

Once the files are ready you can run the installation process:

Install the services
# run from the folder where the archive was extracted (e.g. C:\Program Files\OpenSSH)
powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1

The service is now ready.

1.2. Common settings

To access the server we need to open the port on the firewall.

Check the firewall rule installed by the "native capability way"
Get-NetFirewallRule -Name *ssh*

Enable the SSH port (TCP/22) on the firewall
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

Enable the service for autostart (to stay up after a restart)
Set-Service -Name sshd -StartupType Automatic
Set-Service -Name ssh-agent -StartupType Automatic

The installation does not install the SSH server host keys, which have to be unique per installation. During the start of the service they are checked for existence and, if missing, generated automatically. To finish the installation we need to start the service; the first start may take a little longer than subsequent ones.

Start the service
Start-Service sshd
Start-Service ssh-agent
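The four installation steps listed in 1.1 (capability, firewall rule, autostart, start) collected into one idempotent script, with a verification at the end that goes beyond the page's own steps. This is an added example, not code from the original page; it assumes the native capability on Windows 10 / Windows Server 2019 and above and uses the firewall rule name OpenSSH-Server-In-TCP that the capability creates.

```powershell
# Added example (not from the original page): sections 1.1 / 1.2 as one
# idempotent script for the native capability. Run from an elevated PowerShell.
$ErrorActionPreference = 'Stop'

# 1. install the capability only if it is not present yet
$cap = Get-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0'
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $cap.Name | Out-Null
}

# 2. firewall: the capability normally creates this rule; create it only if missing.
#    Adding -RemoteAddress to New-NetFirewallRule would narrow who can reach TCP/22.
$rule = Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 | Out-Null
}

# 3. autostart and 4. start (skip Start-Service when already running)
foreach ($svc in 'sshd', 'ssh-agent') {
    Set-Service -Name $svc -StartupType Automatic
    if ((Get-Service -Name $svc).Status -ne 'Running') {
        Start-Service -Name $svc
    }
}

# 5. verify: service state, host keys generated on first start, port listening
$status = [pscustomobject]@{
    Service  = (Get-Service -Name sshd).Status
    HostKeys = @(Get-ChildItem "$env:ProgramData\ssh\ssh_host_*_key" -ErrorAction SilentlyContinue).Count
    Listen22 = [bool](Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue)
}
$status
```

A HostKeys count of 0 or Listen22 of False after the script means the first start did not complete; check the sshd service log before connecting.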

The default shell is cmd.exe, but it is possible to change it to PowerShell.

OpenSSH - PowerShell as default shell
# Set PowerShell as default shell after the login
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force

Once the service is installed and started, all other settings can be done over an SSH connection (useful for better clipboard utilization). Before PowerShell is set as the default shell, cmd (Command Line) is used as the default. In that case the first command should be C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe to enter the PowerShell environment.
Based on the default shell setting, midPoint's SSH connector should be configured accordingly to handle variables. With PowerShell as the default shell, argumentStyle should be set to variables-powershell. For more information see the documentation of the SSH connector on GitHub.

1.3. Config file location

The global system configuration (on *nix systems usually located in /etc/ssh) can be found in %programdata%\ssh\ (C:\ProgramData\ssh\). This is where the configuration file and also the host keys (used for secure communication on the server side) are located:

  • sshd_config

  • *_key

For our purpose we don't need to cover all the options available for OpenSSH. As the build has been customized for integration into the Windows system, there are some options which can't be used in sshd_config the same way as on Linux. For more details see the Microsoft Docs page.

1.4. User keys (key authentication)

The default location is the .ssh folder in the user's home directory (%HOME%\.ssh\authorized_keys).

administrator access (SSH Keys)

If the user is a member of the Administrators group, the key must be placed in a common location instead of the user's home directory. In this case the location is %programdata%\ssh\administrators_authorized_keys. To add content to the file you can use the following command:

Add-Content -Path C:\ProgramData\ssh\administrators_authorized_keys

Without the -Value parameter you will be prompted for the content; an empty line ends the input. If the file does not exist, it will be created.

To set the proper permissions on the file, you can use the following PowerShell script.

Permission for authorized_keys
#get the ACL object for the file
$acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys

#disable inheritance ($true) and drop already inherited rules ($false), so only the explicit entries below remain
$acl.SetAccessRuleProtection($true, $false)
$administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule("Administrators","FullControl","Allow")
$systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
$acl.SetAccessRule($administratorsRule)
$acl.SetAccessRule($systemRule)

#process the setting
$acl | Set-Acl
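A check to run after the script above, as an added example that is not part of the original page: it reads the ACL of administrators_authorized_keys back and reports anything other than the two explicit entries the script sets, since sshd refuses the file when other accounts can write to it. The function name and its output object are assumptions of this example.

```powershell
# Added example (not from the original page): verify that
# administrators_authorized_keys carries only the ACL the script above sets.
function Test-AdminAuthorizedKeysAcl {
    param(
        [string]$Path = 'C:\ProgramData\ssh\administrators_authorized_keys'
    )
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Problems = @('file does not exist') }
    }
    $acl = Get-Acl -Path $Path
    $problems = @()

    # inheritance must be disabled, otherwise entries from C:\ProgramData leak in
    if (-not $acl.AreAccessRulesProtected) {
        $problems += 'inheritance is enabled'
    }

    # only these two identities are expected in the DACL (as set by the script above)
    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($allowed -notcontains $who) {
            $problems += "unexpected entry for $who ($($ace.FileSystemRights), $($ace.AccessControlType))"
        }
        if ($ace.IsInherited) {
            $problems += "inherited entry for $who"
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

$result = Test-AdminAuthorizedKeysAcl
if ($result.Ok) {
    Write-Output "ACL on $($result.Path) is as expected"
} else {
    Write-Output "ACL problems on $($result.Path):"
    $result.Problems | ForEach-Object { Write-Output "  - $_" }
}
```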

1.5. Uninstall

The uninstallation process consists of

  • stop application

  • remove the service or at least disable autostart

  • disable / remove firewall rule

  • (optionally) remove the application / capability / feature

1.5.1. Native Capability (Win 10 / Win Server 2019 and above)

Remove OpenSSH - server
Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

The firewall rule should be handled by the capability removal.

To check the state of firewall rule
Get-NetFirewallRule -Name *ssh*

1.5.2. Manual installation

Uninstall OpenSSH
# if you extracted to OpenSSH-Win64, use that path instead
Set-Location -Path "C:\Program Files\OpenSSH"
powershell.exe -ExecutionPolicy Bypass -File uninstall-sshd.ps1

Remove the firewall rule
Remove-NetFirewallRule -Name sshd

2. OpenSSH - client

Install OpenSSH - client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

Remove OpenSSH - client
Remove-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

See Also