Windows 10

Connecting Windows via SSH Using Built-in OpenSSH Server

By December 30, 2020January 21st, 2021No Comments

Windows 10 1809 and Windows Server 2019 have got a built-in SSH server based on OpenSSH. In this post we’ll show how to install and configure an OpenSSH server on Windows 10 and connect to it remotely over protected SSH protocol (just like in Linux 🙂 ). You can install an OpenSSH server in previous Windows versions as well, but you must manually download and install OpenSSH for win32 port from GitHub (https://github.com/powershell/Win32-OpenSSH).

How to Install OpenSSH Server on Windows?

Let’s review how to install OpenSSH Server feature on Windows 10 1903 (in Windows Server 2019 the procedure is the same).

The OpenSSH package (like RSAT) is added to these (and newer) Windows versions as the Feature on Demand (FoD).

If you have a direct Internet access, you can install OpenSSH using PowerShell:

Add-WindowsCapability -Online -Name OpenSSH.Server*

Or using DISM:

dism /Online /Add-Capability /CapabilityName:OpenSSH.Server~~~~0.0.1.0

You can also install OpenSSH on Windows 10 through the Settings panel (Apps -> Apps&Features -> Manage optional features -> Add a feature). Find Open SSH Server in the list and click Install.

install openssh server feature on windows 10

To make sure the OpenSSH server has been installed, run the command:
Get-WindowsCapability -Online | ? Name -like 'OpenSSH.Ser*'

State : Installed
check openssh server feature installed on windows Get-WindowsCapability

Configure SSH Server on Windows 10/Windows Server 2019

After you have installed OpenSSH server in Windows, you must change sshd service startup type to automatic and start the service using PowerShell:
Set-Service -Name sshd -StartupType 'Automatic'
Start-Service sshd

start sshd service on windows 10
Using netstat, make sure that the SSH server is running and waiting for the connections on TCP port 22:
netstat -na| find ":22"
check ssh tcp port 22 listening on windows 10
Make sure that Windows Defender Firewall allows inbound connections to Windows through TCP port 22:
Get-NetFirewallRule -Name *OpenSSH-Server* |select Name, DisplayName, Description, Enabled

Name DisplayName Description Enabled
---- ----------- ----------- -------
OpenSSH-Server-In-TCP OpenSSH SSH Server (sshd) Inbound rule for OpenSSH SSH Server (sshd) True
open inbound ssh port in windows defender firewall

If the rule is disabled (Enabled=False) or missing, you can create a new inbound rule using the New-NetFirewallRule cmdlet:

New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

By default, important OpenSSH components are located in these folders:

  • OpenSSH Server executables: C:\Windows\System32\OpenSSH\
  • The sshd_config file (created after the first service startup): C:\ProgramData\ssh
  • OpenSSH log: C:\windows\system32\OpenSSH\logs\sshd.log
  • The authorized_keys file and keys: %USERPROFILE%\.ssh\

After OpenSSH installation, a new local user (sshd) is created on the computer.

OpenSSH Server Configuration File (sshd_config)

You can change your OpenSSH server settings in the config file: %programdata%\ssh\sshd_config.

For example, to deny SSH connection for the specific domain user account (or all domain users), add these directives to the end of the file:

DenyUsers contoso.com\[email protected]
DenyUsers corp\*

To allow SSH connection to the specific domain group only:

AllowGroups contoso.com\sshadmins

Or you can allow access to a local group:

AllowGroups sshadmins

You can deny access to the accounts with the administrator privileges. In this case, if you need to perform any privileged actions in your SSH session, you will have to use runas.

DenyGroups Administrators

The following directives allow SSH access using RSA keys and passwords:

PubkeyAuthentication yes
PasswordAuthentication yes

You can change the port OpenSSH receives connections to in the Port directive of the sshd_config file.

%programdata%\ssh\sshd_config file in windows

After making any changes to sshd_config file, you need to restart the sshd service:

restart-service sshd

How to Connect to Windows 10 via SSH?

Now you can try to connect to your Windows 10 through the SSH client.

At the first connection, a standard request to add the host to the list of known SSH hosts will appear.

putty accept rsa key for a ssh server

Click Yes, and logon to your Windows 10 under Windows user.

login windows 10 via ssh like in linux

If the SSH connection is successful, the cmd.exe shell will start with a prompt string.

[email protected]c C:\Users\admin>
cmd.exe shell in windows ssh session

You can run different commands, scripts or apps in the command prompt.

run command in windows 10 via ssh

I prefer working in the PowerShell console. To start it, run this command:

powershell.exe

run powershell in windows ssh

In order to change the default cmd.exe shell to PowerShell for OpenSSH, make changes to the registry using the following PowerShell command:

New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String –Force

New-ItemProperty replacing ssh shell from cmd.exe to powershell.exe

Restart your SSH connection and make sure that PowerShell is now used as a default SSH shell (this is shown by PS C:\Users\admin>).

powershell console in windows 10 ssh session

The PowerShell console has been started in your SSH session, and familiar features work in it: tab autocompletion, PSReadLine color highlighting, command history, etc. If the current user is a member of the local administrators group, all session commands are executed elevated even if UAC is enabled.

Leave a Reply