win10-ssh
Setup SSH Client and Server on Windows 10
Originally posted 2020-09-07
Intro
Windows now has a built-in ssh client and a server, adapted from OpenSSH. They are available starting in Server 2019 and the corresponding Windows 10 1809. Older Windows 10 versions had beta versions available, and you also have been able to install OpenSSH separately for a while.
Read first
Many of these commands require administrator access. Commands that change settings are assumed to be run in an administrator PowerShell.
I assume that you are coming into this with at least a little experience with OpenSSH on other platforms; if you do not, I would recommend doing some background reading first.
Enable the features
You can check whether the server and client are installed by running this:
Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
If they are not installed, you can add the features by running these commands:
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
These can also be managed via GUI by going to Settings→Apps & Features→Optional Features.
Use the client
Once you have the SSH client feature enabled, it is ready to use. It can be run with the standard ssh command, both in PowerShell and CMD.
The directory for private keys and related files is the same as on other platforms, i.e. .ssh under your user directory. You can get to it via %userprofile%\.ssh (explorer.exe, cmd) or $env:USERPROFILE\.ssh (PowerShell). The files are in the same format as on other platforms, so you can just copy and paste your private key into id_rsa or whatever. known_hosts is also here.
Setup the server
Setting up the SSH server is a bit more complex.
First, you need to open up the firewall so people can connect.
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
Next, you need to start the service and set it to start at boot up.
Set-Service -Name sshd -StartupType Automatic -Status Running
You should now be able to SSH into the machine with a password.
Public key authentication is much more secure than passwords. I would strongly suggest setting it up and disabling password authentication if you intend to keep the server running.
Setup pubkey authentication
The authorized keys file lives in the `.ssh` directory: `$env:USERPROFILE\.ssh\authorized_keys`. Add public keys, one key per line, to this file so you can log in with the associated private key from another machine.
One thing to note is that by default, all administrators share a single authorized keys file for public keys. It is located here: `$env:ProgramData\ssh\administrators_authorized_keys`. This can be changed by editing `$env:ProgramData\ssh\sshd_config` and commenting out or removing the following two lines at the bottom of the file:
Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
To append a public key to your own user's authorized_keys file from PowerShell (replace the placeholder with your actual public key):
$authorizedKeyFilePath = "$env:USERPROFILE\.ssh\authorized_keys"
$authorizedKeyFileData = 'ssh-rsa bla bla bla add your public key here'
$authorizedKeyFileData | Add-Content $authorizedKeyFilePath
To append a public key to the shared administrators file, then restrict its permissions (sshd refuses to use the file if other users can write to it, so the ACL is reset to match the host key):
$authorizedKeyFilePath = "$env:ProgramData\ssh\administrators_authorized_keys"
$authorizedKeyFileData = 'ssh-rsa bla bla bla add your public key here'
$authorizedKeyFileData | Add-Content $authorizedKeyFilePath
icacls.exe $authorizedKeyFilePath /remove "NT AUTHORITY\Authenticated Users"
icacls.exe $authorizedKeyFilePath /inheritance:r
Get-Acl "$env:ProgramData\ssh\ssh_host_dsa_key" | Set-Acl $authorizedKeyFilePath
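Once a key-based login works, the post recommends disabling password authentication but does not show how. The following is an added example, not code from the original post; it assumes the default Win32-OpenSSH layout under $env:ProgramData\ssh and $env:SystemRoot\System32\OpenSSH, and must be run from an administrator PowerShell.

```powershell
# Added example: turn off password logins in sshd_config, validate, restart.
# Assumes default paths for the Windows OpenSSH feature (not from the post).
$sshdConfig = "$env:ProgramData\ssh\sshd_config"
$sshdExe    = "$env:SystemRoot\System32\OpenSSH\sshd.exe"

# Keep a dated backup so a bad edit can be rolled back.
Copy-Item $sshdConfig "$sshdConfig.bak-$(Get-Date -Format yyyyMMdd-HHmmss)"

$lines = @(Get-Content $sshdConfig)

# Directives placed after a "Match" block apply only to that block, so the
# global settings have to be inserted before the first Match line.
$firstMatch = $lines | Select-String -Pattern '^\s*Match\b' | Select-Object -First 1
$matchIndex = if ($firstMatch) { $firstMatch.LineNumber } else { $lines.Count + 1 }

$global = if ($matchIndex -gt 1) { @($lines[0..($matchIndex - 2)]) } else { @() }
$rest   = if ($matchIndex -le $lines.Count) { @($lines[($matchIndex - 1)..($lines.Count - 1)]) } else { @() }

$wanted = [ordered]@{
    'PubkeyAuthentication'   = 'yes'
    'PasswordAuthentication' = 'no'
}

foreach ($key in $wanted.Keys) {
    # Drop any existing (possibly commented-out) copy of the directive from the
    # global section, then append one explicit value.
    $global = @($global | Where-Object { $_ -notmatch "^\s*#?\s*$key\b" })
    $global += "$key $($wanted[$key])"
}

# ASCII avoids writing a BOM, which sshd does not expect at the top of the file.
Set-Content -Path $sshdConfig -Value ($global + $rest) -Encoding ascii

# sshd -t checks the config and exits non-zero on errors; do not restart on failure.
& $sshdExe -t
if ($LASTEXITCODE -ne 0) { throw "sshd_config failed validation; restore the .bak copy" }

Restart-Service sshd

# sshd -T prints the effective parsed configuration; confirm both settings took.
& $sshdExe -T | Select-String -Pattern 'passwordauthentication|pubkeyauthentication'
```

Keep the existing SSH session open while testing a fresh key-based login from another machine, so a mistake does not lock you out.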
SFTP
The SFTP client appears to work out of the box, like the ssh client.
The SFTP server is started as part of the sshd service, so it should also just work once you have the ssh server set up.
Other
There are also other tools available; I have not played around with them too much yet.