Windows 10 1809 and Windows Server 2019 include a built-in SSH server based on OpenSSH. In this post we’ll show how to install and configure an OpenSSH server on Windows 10 and connect to it remotely over the secure SSH protocol (just like in Linux 🙂). You can install an OpenSSH server on earlier Windows versions as well, but you must manually download and install the Win32 port of OpenSSH from GitHub (https://github.com/powershell/Win32-OpenSSH).
How to Install OpenSSH Server on Windows?
Let’s review how to install the OpenSSH Server feature on Windows 10 1903 (the procedure is the same in Windows Server 2019).
The OpenSSH package (like RSAT) is included in these (and newer) Windows versions as a Feature on Demand (FoD).
If you have direct Internet access, you can install OpenSSH using PowerShell:
Add-WindowsCapability -Online -Name OpenSSH.Server*
Or using DISM:
dism /Online /Add-Capability /CapabilityName:OpenSSH.Server~~~~0.0.1.0
You can also install OpenSSH on Windows 10 through the Settings panel (Apps -> Apps & Features -> Manage optional features -> Add a feature). Find OpenSSH Server in the list and click Install.

To make sure the OpenSSH server has been installed, run the command:
Get-WindowsCapability -Online | ? Name -like 'OpenSSH.Ser*'
The output should contain:
State : Installed

Configure SSH Server on Windows 10/Windows Server 2019
After you have installed the OpenSSH server in Windows, you must change the sshd service startup type to automatic and start the service using PowerShell:
Set-Service -Name sshd -StartupType 'Automatic'
Start-Service sshd
Using netstat, make sure that the SSH server is running and waiting for connections on TCP port 22:
netstat -na | find ":22"
Make sure that Windows Defender Firewall allows inbound connections to Windows through TCP port 22:
Get-NetFirewallRule -Name *OpenSSH-Server* | select Name, DisplayName, Description, Enabled
Name                  DisplayName               Description                                Enabled
----                  -----------               -----------                                -------
OpenSSH-Server-In-TCP OpenSSH SSH Server (sshd) Inbound rule for OpenSSH SSH Server (sshd) True

If the rule is disabled (Enabled=False) or missing, you can create a new inbound rule using the New-NetFirewallRule cmdlet:
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
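The rule above accepts connections to port 22 from any source address. The following added example (not part of the original post) creates or repairs the rule idempotently and limits it to one source network; the subnet value and the choice of the Domain and Private profiles are assumptions to adapt to your environment.

```powershell
# Added example, not from the original post.
# $MgmtSubnet is a constructed placeholder: replace it with the network
# your administrators actually connect from.
$RuleName   = 'OpenSSH-Server-In-TCP'   # rule name shown in the output above
$MgmtSubnet = '10.0.10.0/24'            # assumption: management network

$rule = Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue

if (-not $rule) {
    # Rule is missing: create it already scoped instead of open to any source.
    New-NetFirewallRule -Name $RuleName -DisplayName 'OpenSSH SSH Server (sshd)' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow `
        -LocalPort 22 -RemoteAddress $MgmtSubnet -Profile Domain,Private | Out-Null
}
else {
    # Rule exists: enable it if needed and narrow the allowed source addresses.
    Set-NetFirewallRule -Name $RuleName -Enabled True -RemoteAddress $MgmtSubnet
}

# Report the effective scope so the change can be reviewed.
Get-NetFirewallRule -Name $RuleName | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name          = $_.Name
        Enabled       = $_.Enabled
        Profile       = $_.Profile
        LocalPort     = $port.LocalPort
        RemoteAddress = $addr.RemoteAddress
    }
}
```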
By default, important OpenSSH components are located in these folders:
- OpenSSH Server executables:
C:\Windows\System32\OpenSSH\
- The sshd_config file (created after the first service startup):
C:\ProgramData\ssh
- OpenSSH log:
C:\windows\system32\OpenSSH\logs\sshd.log
- The authorized_keys file and keys:
%USERPROFILE%\.ssh\
After OpenSSH installation, a new local user (sshd) is created on the computer.
OpenSSH Server Configuration File (sshd_config)
You can change your OpenSSH server settings in the config file: %programdata%\ssh\sshd_config.
For example, to deny SSH connections for a specific domain user account (or all domain users), add these directives to the end of the file:
DenyUsers contoso.com\[email protected]
DenyUsers corp\*
To allow SSH connections for a specific domain group only:
AllowGroups contoso.com\sshadmins
Or you can allow access to a local group:
AllowGroups sshadmins
You can deny access to accounts with administrator privileges. In this case, if you need to perform any privileged actions in your SSH session, you will have to use runas.
DenyGroups Administrators
The following directives allow SSH access using RSA keys and passwords:
PubkeyAuthentication yes
PasswordAuthentication yes
You can change the port on which OpenSSH accepts connections with the Port directive of the sshd_config file.

After making any changes to the sshd_config file, you need to restart the sshd service:
Restart-Service sshd
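Before restarting the service, it helps to check what the directives discussed above actually resolve to. The following added example (not part of the original post) parses the global section of an sshd_config and reports the access-control settings this section covers; the config text is constructed, and the function names Get-SshdGlobalDirective and Test-SshdDirective are hypothetical.

```powershell
# Added example; the config text below is constructed for illustration.
$sample = @'
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
DenyUsers corp\*
AllowGroups contoso.com\sshadmins
AllowGroups sshadmins
Match Group administrators
    PasswordAuthentication no
'@ -split '\r?\n'

function Get-SshdGlobalDirective {          # hypothetical helper name
    param([string[]]$Lines)
    $cfg = @{}                              # hashtable keys are case-insensitive
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $key, $value = $line -split '\s+', 2
        if ($key -eq 'Match') { break }     # global section ends at the first Match
        if ($key -match '^(Allow|Deny)(Users|Groups)$') {
            # Allow*/Deny* patterns accumulate across repeated directives
            if (-not $cfg.ContainsKey($key)) { $cfg[$key] = @() }
            $cfg[$key] += $value -split '\s+'
        }
        elseif (-not $cfg.ContainsKey($key)) {
            $cfg[$key] = $value             # first occurrence of a keyword wins
        }
    }
    $cfg
}

function Test-SshdDirective {               # hypothetical helper name
    param([hashtable]$Cfg)
    # OpenSSH defaults PasswordAuthentication to yes when the keyword is absent
    $pw = if ($Cfg.ContainsKey('PasswordAuthentication')) { $Cfg['PasswordAuthentication'] } else { 'yes' }
    if ($pw -eq 'yes') { 'PasswordAuthentication is enabled: password logons are accepted' }
    if (-not $Cfg.ContainsKey('AllowGroups') -and -not $Cfg.ContainsKey('AllowUsers')) {
        'No AllowGroups/AllowUsers: any account that is not denied may log on'
    }
    if ($Cfg['DenyGroups'] -notcontains 'Administrators') {
        'Administrators are not denied: their SSH sessions run elevated'
    }
}

$cfg = Get-SshdGlobalDirective -Lines $sample
$cfg.GetEnumerator() | Sort-Object Name |
    Format-Table Name, @{ n = 'Value'; e = { $_.Value -join ' ' } }
Test-SshdDirective -Cfg $cfg
```

To audit a live server, pass the output of Get-Content for %programdata%\ssh\sshd_config instead of the sample text.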
How to Connect to Windows 10 via SSH?
Now you can try to connect to your Windows 10 computer using an SSH client.
At the first connection, a standard request to add the host to the list of known SSH hosts will appear.

Click Yes, and log on to Windows 10 with a Windows user account.

If the SSH connection is successful, the cmd.exe shell will start with a prompt string.
[email protected] C:\Users\admin>

You can run different commands, scripts or apps in the command prompt.

I prefer working in the PowerShell console. To start it, run this command:
powershell.exe

In order to change the default cmd.exe shell to PowerShell for OpenSSH, make changes to the registry using the following PowerShell command:
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force

Restart your SSH connection and make sure that PowerShell is now used as the default SSH shell (this is shown by the PS C:\Users\admin> prompt).

The PowerShell console has been started in your SSH session, and familiar features work in it: tab autocompletion, PSReadLine color highlighting, command history, etc. If the current user is a member of the local administrators group, all session commands are executed elevated even if UAC is enabled.