How to Set Up OpenSSH on a Windows Server [Complete Guide]



Setting up OpenSSH is a requirement if you want to use the server remotely. This tutorial will walk you through setting it up on Windows Server 2016, with some additional help from PowerShell script and PuTTY.



On Linux, the Secure Shell (SSH) protocol and OpenSSH project have existed for decades. OpenSSH on Windows, on the other hand, has just lately gained popularity in the Windows world. As a result, a Windows Server isn’t usually pre-built and ready to use, and needs some configuration.

In this article, you’ll learn how to SSH into your Windows Server as simply as you would a Linux server. You’ll learn how to install (or upgrade) OpenSSH on Windows, establish public key, password, and certificate-based authentication, and apply necessary firewall rules.


To follow the examples and demonstrations in this article properly, you must fulfill the criteria listed below.

  • A Windows Server system – Windows Server 2019 Datacenter will be used in this post. The user account for this tutorial will be june, and it will connect to the server using the IP address and the hostname ataWindows.
  • PowerShell 7.1 is installed on a local machine. Windows, Linux, and macOS all have PowerShell 7.1. PowerShell 7.1 with Windows 10 is used in the examples in this tutorial.

Obtaining OpenSSH

Unlike Linux servers, Windows servers do not come with a built-in SSH server. Microsoft, on the other hand, has produced an open-source version of OpenSSH for Windows. You may now set up an SSH server on a Windows system with this version.

To begin, you’ll need to first download OpenSSH. Follow the steps below to do so:

  1. Remote Desktop (RDP) or your favourite desktop management client may be used to connect to a Windows Server’s desktop.


2. Open an elevated Windows PowerShell console on your Windows Server desktop.

3. Paste the following code into the PowerShell window and hit Enter. This script will download the most recent OpenSSH version, which is v8.1.0.0p1-Beta as of this writing, to the current working directory.

If you want to save the PowerShell code for downloading OpenSSH, you may do so by using a code editor such as Windows PowerShell ISE or Visual Studio Code.

    ## Set the network connection protocol to TLS 1.2
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    ## Provide the OpenSSH latest release URL
    $url = ''
    ## Make a web request to get the most recent release's download URL
    $request = [System.Net.WebRequest]::Create($url)
    $request.AllowAutoRedirect = $false
    $response = $request.GetResponse()
    $source = $([String]$response.GetResponseHeader("Location")).Replace('tag','download') + '/OpenSSH-Win64.zip'
    ## Download the most recent version of OpenSSH for Windows to your current working directory
    $webClient = [System.Net.WebClient]::new()
    $webClient.DownloadFile($source, (Get-Location).Path + '\OpenSSH-Win64.zip')


4. Your current working directory should now include the file. Run the command below to confirm this.

The file is present in the directory, as shown below.

Checking for the existence of the OpenSSH zip file

Getting OpenSSH to Work

The next step is to install OpenSSH on the server once you’ve downloaded the ZIP file. If you were hoping for an installation wizard, you will be disappointed.

  1. Copy the code below and execute it in PowerShell while remaining in the same PowerShell session. This code extracts the contents of the ZIP file to C:\Program Files\OpenSSH.

    # Extract the ZIP file to a temporary folder
    Expand-Archive -Path .\OpenSSH-Win64.zip -DestinationPath ($env:temp) -Force
    # Move the extracted contents to C:\Program Files\OpenSSH
    Move-Item "$($env:temp)\OpenSSH-Win64" -Destination "C:\Program Files\OpenSSH" -Force
    # Unblock the files in C:\Program Files\OpenSSH
    Get-ChildItem -Path "C:\Program Files\OpenSSH" | Unblock-File

2. After extracting the ZIP file, run the command below in PowerShell to execute the script C:\Program Files\OpenSSH\install-sshd.ps1. This script installs the OpenSSH SSH Server service (sshd) and the OpenSSH Authentication Agent service (sshd-agent).

    & 'C:\Program Files\OpenSSH\install-sshd.ps1'


The projected outcome is shown below.

Getting OpenSSH to Work

Run the commands below in PowerShell to ensure that the SSH server starts automatically.

    ## Change the sshd service's startup type from manual to automatic
    Set-Service sshd -StartupType Automatic
    ## Start the sshd service
    Start-Service sshd

Allowing SSH Traffic Through a Windows Firewall Rule

This process only applies if your Windows Server is configured to use the Windows Firewall. Refer to your firewall manual for instructions on how to allow port 22 on servers with third-party firewalls.

Installing OpenSSH does not automatically create a firewall exception rule to allow SSH traffic. Therefore, your next task is to create the firewall rule manually.

PowerShell and the New-NetFirewallRule cmdlet are one of the simplest ways to create a new Windows Firewall rule. The command below creates the Allow SSH firewall rule, which permits all incoming TCP traffic to port 22.

Copy and execute the command below in PowerShell.

    New-NetFirewallRule -Name sshd -DisplayName 'Allow SSH' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

After defining the firewall rule, the following snapshot displays the anticipated result in PowerShell.

Adding a rule to the Windows Firewall to enable Port 22
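
A narrower variant of the rule above, as an added example that is not part of the original article: it limits port 22 to one source range, reads the rule back to confirm its scope, and lists any other enabled rule that still opens port 22 to every address. The subnet 192.0.2.0/24 and the rule name sshd-mgmt are assumptions for illustration.

```powershell
# Added example (not from the original article). Run in an elevated session.
# Assumptions: 192.0.2.0/24 stands in for your management subnet and
# 'sshd-mgmt' is a hypothetical rule name.

function Set-ScopedSshRule {
    param(
        [string]   $Name          = 'sshd-mgmt',
        [string[]] $RemoteAddress = @('192.0.2.0/24'),
        [int]      $Port          = 22
    )

    if (Get-NetFirewallRule -Name $Name -ErrorAction SilentlyContinue) {
        # The rule exists already: tighten it in place instead of adding a duplicate.
        Set-NetFirewallRule -Name $Name -Enabled True -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $Port -RemoteAddress $RemoteAddress
    }
    else {
        New-NetFirewallRule -Name $Name -DisplayName 'Allow SSH (management subnet)' `
            -Enabled True -Direction Inbound -Protocol TCP -Action Allow `
            -LocalPort $Port -RemoteAddress $RemoteAddress | Out-Null
    }

    # Read the rule back so the effective scope is visible, not assumed.
    $rule = Get-NetFirewallRule -Name $Name
    [pscustomobject]@{
        Name          = $rule.Name
        Enabled       = $rule.Enabled
        Profile       = $rule.Profile
        LocalPort     = ($rule | Get-NetFirewallPortFilter).LocalPort
        RemoteAddress = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    }
}

Set-ScopedSshRule

# Allow rules are additive, so a broad rule (such as the 'sshd' rule created
# earlier) still admits every source. List enabled inbound allow rules that
# open port 22 to any remote address.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        ($_ | Get-NetFirewallPortFilter).LocalPort -contains '22' -and
        ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
    } |
    Select-Object Name, DisplayName
```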

Using Password Authentication to Connect to SSH

You’ve now completed the first server setup and installed OpenSSH on Windows. The next step is to see whether connecting through SSH is possible.

Let’s use the ssh command on your local machine to test your freshly configured SSH server.

When connecting to a Linux SSH server, use the identical methods outlined in this section.

1. This time, launch PowerShell from your local computer.

2. Then, to begin the SSH login procedure, type the command below. Make sure your Windows Server’s username and remote host are both changed.

3. Because you’re connecting to the server for the first time, you’ll get a prompt stating that the host’s authenticity cannot be verified. The message means that your computer does not yet recognize the remote host. To continue, type yes and hit Enter.

4. When asked for a password, enter the password for your account and hit enter.

Using Password Authentication for SSH Connection

5. You’ll arrive at the remote host’s command line after signing in, as seen in the picture below. Let’s say you want to double-check that you’ve entered the remote host’s session. To do so, type hostname and hit Enter. The command should return the name of the remote machine.

Obtaining the SSH server’s hostname

Changing OpenSSH’s Default Shell to PowerShell

You’ll note that CMD is the default shell or command interpreter when you initially connect to your Windows SSH server. It’s acceptable to use CMD as your default SSH shell, but if you wish to use PowerShell instead, follow these instructions.

To switch the default OpenSSH shell from CMD to PowerShell, follow these steps:

If you don’t already have one, launch an elevated PowerShell window on your Windows Server.

Next, under the registry key HKLM:\SOFTWARE\OpenSSH, add a new registry string value named DefaultShell. Set the DefaultShell string data to C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, the Windows PowerShell location.

    New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force

The anticipated outcome of the command is shown in the image below.

Changing the default settings Shell for OpenSSH


Configuring Authentication using Public Keys

You connected using a username and password in the preceding sections. This works, but using a key pair to authenticate with an SSH server is more secure.

In short, a key pair is made up of two keys, the public key and the private key, that together form a set of security credentials used to confirm your identity.

The private key is kept on the local computer, while the public key is kept on the server. A private key must be treated as if it were a password. If the private key is compromised, anyone who holds it can use it to access your SSH server.

Preparing the administrators_authorized_keys File

The server must have the public keys. But where should they go? The SSH server for OpenSSH on Windows reads public keys from the C:\ProgramData\ssh\administrators_authorized_keys file. However, by default, this file does not exist. You must first create one.

To create the administrators_authorized_keys file and configure its access control list (ACL), follow the procedure below.

On a Windows Server, you should:

1. If you haven’t already, open an elevated Windows PowerShell terminal.

2. Copy and execute the command below in PowerShell. This command creates the administrators_authorized_keys file using the New-Item cmdlet.

    New-Item -Type File -Path C:\ProgramData\ssh\administrators_authorized_keys

You should get something like the screenshot below.

The administrators_authorized_keys file is being created.

3. Now copy the ACL that is presently assigned to the ssh_host_dsa_key file to the administrators_authorized_keys file. Run the command below to do so.

    Get-Acl C:\ProgramData\ssh\ssh_host_dsa_key | Set-Acl C:\ProgramData\ssh\administrators_authorized_keys

The OpenSSH service requires that only the Administrators group and the SYSTEM account have access to the administrators_authorized_keys file. Because the ACL of ssh_host_dsa_key is already set that way, copying it to administrators_authorized_keys makes sense.


4. Now go to Windows Explorer and open it.

5. Go to the C:\ProgramData\ssh directory.

6. Right-click the administrators_authorized_keys file and choose Properties from the drop-down menu.

7. On the properties page, go to the Security Tab and choose Advanced from the drop-down menu.

Activating enhanced security options

8. Finally, double-check that the permissions are as indicated in the figure below.

Permission to see advanced security permissions
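
The same permission check can be scripted instead of read off the Security tab. The following is an added example, not code from the original article: it reports any access entry on administrators_authorized_keys that belongs to neither the Administrators group nor SYSTEM, and whether the file still inherits permissions from its parent folder. It identifies both principals by their well-known SIDs so the check also works on non-English systems.

```powershell
# Added example (not from the original article). Run in an elevated session
# on the Windows Server.
$path = 'C:\ProgramData\ssh\administrators_authorized_keys'

# Well-known SIDs: BUILTIN\Administrators and NT AUTHORITY\SYSTEM.
$allowedSids = @('S-1-5-32-544', 'S-1-5-18')

function Test-AdminKeysAcl {
    param([string]$Path, [string[]]$AllowedSids)

    $acl      = Get-Acl -Path $Path
    $findings = @()

    # Entries inherited from C:\ProgramData\ssh could grant other accounts access.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance is still enabled on the file'
    }

    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($ace.AccessControlType -eq 'Allow' -and $sid -notin $AllowedSids) {
            $findings += "Unexpected allow entry: $($ace.IdentityReference) ($($ace.FileSystemRights))"
        }
    }

    [pscustomobject]@{
        Path      = $Path
        Owner     = $acl.Owner
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

$result = Test-AdminKeysAcl -Path $path -AllowedSids $allowedSids
$result | Format-List

if (-not $result.Compliant) {
    # Drop inherited entries and grant full control to the two expected
    # principals only. Explicit entries for other accounts are not removed by
    # /grant; remove those with icacls /remove, then run the check again.
    icacls.exe $path /inheritance:r /grant '*S-1-5-32-544:F' /grant '*S-1-5-18:F'
}
```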

Creating an SSH Key Pair from Scratch

Use the ssh-keygen command, which is part of the OpenSSH client utilities included with Windows 10 (and later) and most Linux operating systems, to produce a new SSH key pair.

This section’s example works on both Windows and Linux PCs.

In a PowerShell console on your local computer:

1. Run the command below to go to the .ssh directory in your home folder.

2. Type ssh-keygen into the command prompt and hit Enter. When prompted to choose a file location for the key you’re creating, choose the default and hit Enter. This enables your SSH client to automatically locate your SSH keys when authenticating.

In Windows, the default key file is C:\Users\<username>\.ssh\id_rsa.

3. At the next prompt, which asks for a passphrase, press Enter without typing one. You don’t need to use a passphrase for testing at this moment.

Adding a passphrase to your private key improves its security greatly. A passphrase acts as a second factor of authentication (2FA) for your private key.

As you can see, the command produced two files: id_rsa (private key) and id_rsa.pub (public key).

Creating an SSH Key Pair from Scratch on the local computer

The Public Key is Installed on the Windows SSH Server

After you’ve created your private-public key pair, you’ll need to copy the public key to the SSH server’s C:\ProgramData\ssh\administrators_authorized_keys file.

In a PowerShell console on your local computer:

1. In PowerShell, copy and execute the code below. Before you do anything further, make sure you update the username and IP address. You can find out what each command does by reading the comment above it.

    # Retrieve the public key.
    $public_key = Get-Content ~/.ssh/id_rsa.pub
    # Using ssh, append the public key to the administrators_authorized_keys file on the server.
    ssh username@ip-address "'$($public_key)' | Out-File C:\ProgramData\ssh\administrators_authorized_keys -Encoding UTF8 -Append"


2. When asked, provide your password, and ssh will copy the public key. You’ll see a result similar to the one illustrated below.

The Public Key is Installed on the Windows SSH Server

Using Public Key Authentication to connect to SSH

You don’t need to use a password to authenticate now that you’ve copied your public key to your SSH server. As you can see in the screenshot below, ssh did not ask for a password.

Using Public Key Authentication to connect to SSH

Certificate Authentication Configuration

Certificate authentication, like public key authentication, is passwordless or passphrase-protected. To allow certificate login, repeat the key pair generation process but do not deploy the public key to the SSH server.

The public key does not need to be added to the SSH server’s authorized_keys or administrators_authorized_keys files. Instead, a certificate authority (CA) key is used to sign the public key.

Creating the Key for the Certificate Authority (CA)

The CA keys for signing are created in the same way as the user key pair you created previously in this article. Only this time, you’ll need to give the new CA keys a filename. To do so, open a PowerShell terminal on your Windows Server and type:

As stated below, run the ssh-keygen command. This command saves the CA key to C:\ProgramData\ssh\ca_userkeys, but you may name it anything you like. Changing the filename has no effect on how the CA key works.

When prompted for a password, type “password” and hit Enter.

    ssh-keygen -f C:\ProgramData\ssh\ca_userkeys

The command creates two files, as seen below. The private key is ca_userkeys, whereas the public key is ca_userkeys.pub.

Creating the Key for the Certificate Authority (CA) on a Windows SSH server

Now that you’ve created the CA keys, tell the SSH server to trust the CA and where to locate the CA key. To do so, add a new line to the server’s C:\ProgramData\ssh\sshd_config file: TrustedUserCAKeys path/to/ca_userkeys.pub

To add the configuration item to the sshd_config file, run the command below.

    # If the SSH server is Windows
    # Add-Content keeps the file's existing encoding; >> in Windows PowerShell would append UTF-16 text
    Add-Content -Path C:\ProgramData\ssh\sshd_config -Value 'TrustedUserCAKeys __PROGRAMDATA__/ssh/ca_userkeys.pub'
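
The default sshd_config that ships with OpenSSH for Windows ends with a Match Group administrators block, so a line appended to the end of the file becomes part of that block and applies only to members of the Administrators group. The added example below (not from the original article) goes beyond the article's administrator-only case: it inserts the directive before the first Match line so that it applies to every user, validates the file with sshd -t, and restarts the service so the change takes effect. The function name and the sample lines are constructed for illustration.

```powershell
# Added example (not from the original article).
function Add-GlobalSshdDirective {
    param([string[]]$Lines, [string]$Keyword, [string]$Value)

    # Leave the file alone if an uncommented directive is already present.
    $present = $Lines -match ('^\s*' + [regex]::Escape($Keyword) + '\s+')
    if ($present) { return $Lines }

    $newLine = "$Keyword $Value"
    # Index of the first Match line; everything from there on is conditional.
    $first = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match '^\s*Match\s+') { $first = $i; break }
    }
    if ($first -lt 0) { return $Lines + $newLine }
    if ($first -eq 0) { return @($newLine) + $Lines }
    return $Lines[0..($first - 1)] + $newLine + $Lines[$first..($Lines.Count - 1)]
}

# Constructed sample that mirrors the tail of a default Windows sshd_config.
$sample = @(
    '#PubkeyAuthentication yes',
    'Subsystem sftp sftp-server.exe',
    'Match Group administrators',
    '       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys'
)
Add-GlobalSshdDirective -Lines $sample -Keyword 'TrustedUserCAKeys' `
    -Value '__PROGRAMDATA__/ssh/ca_userkeys.pub'

# Apply to the real file (elevated session on the server). Paths are the ones
# used in this article.
$config = 'C:\ProgramData\ssh\sshd_config'
$sshd   = 'C:\Program Files\OpenSSH\sshd.exe'
if (Test-Path $config) {
    Copy-Item $config "$config.bak" -Force
    $updated = Add-GlobalSshdDirective -Lines (Get-Content $config) `
        -Keyword 'TrustedUserCAKeys' -Value '__PROGRAMDATA__/ssh/ca_userkeys.pub'
    Set-Content -Path $config -Value $updated -Encoding Ascii

    # sshd -t only parses the configuration and keys; it does not start a listener.
    & $sshd -t -f $config
    if ($LASTEXITCODE -eq 0) {
        Restart-Service sshd
    }
    else {
        Copy-Item "$config.bak" $config -Force
        Write-Warning 'sshd rejected the new configuration; the backup was restored.'
    }
}
```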

The User’s Public Key is Signed

You’ve produced the CA keys and told the SSH server to trust the CA public key file at this point. The only thing left is to sign your user’s public key.

In a PowerShell console on your local computer:

1. Using the scp command, copy the id_rsa.pub file to your home drive on the SSH server. Change the username and IP address to the appropriate values.

2. Use ssh to connect to your Windows Server. Once logged in, run ssh-keygen to sign the user’s public key. The command below includes multiple arguments, as you can see. Let’s take a look at each one individually.

  • -s C:\ProgramData\ssh\ca_userkeys – specifies the location of the CA key used to sign the public key. The CA key in this case is the one you created.
  • -I id_username – the ID to be assigned to the signed user public key. Change the value of id_username to anything you like.
  • -V +4w – this argument determines the signed key’s validity period. +4w indicates that the signed user key will be valid for four weeks in this case. This value may be changed to your chosen validity period.
  • -n username – the username of the person who will own the signed public key.
  • <path to>/id_rsa.pub – the location of the user public key to sign (Windows).

    ssh-keygen -s C:\ProgramData\ssh\ca_userkeys -I id_username -V +4w -n username ~/id_rsa.pub

You should obtain something similar to the result shown below after running the command in your SSH session. As you can see, the command created a new file named id_rsa-cert.pub, which is the signed user certificate.

The User Key Is Signed

3. Return to your PowerShell session on your local computer and copy the id_rsa-cert.pub file from the server to your local machine. Before executing the command, make sure the username and IP address are right.

After the copy is complete, look in your home folder for the signed user certificate, as seen below.

The SSH user certificate may be found here.
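
Before relying on the certificate, it is worth confirming what the CA actually signed. The added example below (not from the original article) parses the output of ssh-keygen -L and checks the principal set with -n and the validity window set with -V. The sample listing is constructed, and the account name june and the certificate location under ~/.ssh are assumptions.

```powershell
# Added example (not from the original article). The sample listing is constructed.
function ConvertFrom-SshCertListing {
    param([string[]]$Lines)
    $cert = [ordered]@{ Type = $null; KeyId = $null; ValidFrom = $null; ValidTo = $null; Principals = @() }
    $inPrincipals = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($inPrincipals) {
            # Principals are listed one per line until the next named field.
            if ($text -match '^(Critical Options|Extensions):') { $inPrincipals = $false }
            elseif ($text) { $cert.Principals += $text; continue }
        }
        if     ($text -match '^Type:\s+(.+)$')     { $cert.Type  = $Matches[1] }
        elseif ($text -match '^Key ID:\s+"(.*)"$') { $cert.KeyId = $Matches[1] }
        elseif ($text -match '^Valid:\s+from\s+(\S+)\s+to\s+(\S+)$') {
            $cert.ValidFrom = [datetime]$Matches[1]
            $cert.ValidTo   = [datetime]$Matches[2]
        }
        elseif ($text -match '^Valid:\s+before\s+(\S+)$') { $cert.ValidTo = [datetime]$Matches[1] }
        elseif ($text -match '^Principals:\s*$')          { $inPrincipals = $true }
    }
    [pscustomobject]$cert
}

function Test-SshUserCertificate {
    param($Cert, [string]$Principal, [datetime]$Now = (Get-Date))
    $problems = @()
    if ($Cert.Type -notmatch 'user certificate$') { $problems += 'not a user certificate' }
    if ($Principal -notin $Cert.Principals)       { $problems += "principal '$Principal' is not listed" }
    if (-not $Cert.ValidTo)                       { $problems += 'certificate has no expiry' }
    elseif ($Now -gt $Cert.ValidTo)               { $problems += "expired on $($Cert.ValidTo)" }
    if ($Cert.ValidFrom -and $Now -lt $Cert.ValidFrom) { $problems += 'not valid yet' }
    $problems
}

$sample = @'
id_rsa-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:<constructed-fingerprint>
        Signing CA: RSA SHA256:<constructed-fingerprint>
        Key ID: "id_username"
        Serial: 0
        Valid: from 2021-03-01T10:00:00 to 2021-03-29T10:00:00
        Principals:
                username
        Critical Options: (none)
        Extensions:
                permit-pty
'@ -split '\r?\n'

$cert = ConvertFrom-SshCertListing -Lines $sample
$cert | Format-List
# Evaluate the constructed sample at two points in time and for two account names.
Test-SshUserCertificate -Cert $cert -Principal 'username' -Now ([datetime]'2021-03-10')
Test-SshUserCertificate -Cert $cert -Principal 'june'     -Now ([datetime]'2021-04-05')

# Check the real certificate if it exists (assumed location and account name).
$certPath = "$HOME/.ssh/id_rsa-cert.pub"
if (Test-Path $certPath) {
    $real = ConvertFrom-SshCertListing -Lines (ssh-keygen -L -f $certPath)
    Test-SshUserCertificate -Cert $real -Principal 'june'
}
```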

Using Certificate Authentication to connect to SSH

You’ve set up certificate authentication, and you’ve got your user certificate now. Now you should try connecting to the SSH server using certificate authentication.

Connecting to SSH using a certificate is the same as connecting with a password or public key. However, if you have already enabled public key authentication, you must first deactivate it. Otherwise, your key pair will be used instead of your certificate by ssh.

Remove your public key from the administrators_authorized_keys file to deactivate your key pair. Follow these instructions to do so.

The instructions that follow will clear the administrators_authorized_keys file, thereby erasing all mapped public keys. If you don’t want to delete all mapped public keys, manually remove chosen public keys from each file using a text editor.

While connected to the Windows Server over SSH:

1. To empty the administrators_authorized_keys file, run the code below in PowerShell.

    # Clear the administrators_authorized_keys file
    $NULL > C:\ProgramData\ssh\administrators_authorized_keys
    # Confirm that the administrators_authorized_keys is empty
    Get-Content C:\ProgramData\ssh\administrators_authorized_keys

2. As you can see in the picture below, the authorized_keys and administrators_authorized_keys files are empty at this time.

Clearing the administrators_authorized_keys file.

3. To disconnect from your SSH session, type exit and press Enter. You’ll be back in PowerShell in no time.

4. Your next ssh login attempt will employ certificate authentication once you remove the public keys. The login process will be identical to that of public key authentication.

Using Certificate Authentication to connect to SSH


You’ve now built an OpenSSH Windows Server from the ground up, including studying and configuring multiple authentication methods. You may now connect to your Windows Servers in the same way that you connect to Linux servers!


Frequently Asked Questions

How do I enable OpenSSH on Windows?

A: OpenSSH is an encryption program that allows for remote login to your computer after entering a password. To enable it, you must first install the Windows software PuTTY from their website and input the server IP address into PuTTY’s Host Name text field.

How do I enable OpenSSH server?

A: OpenSSH is a program that makes the secure Shell service available over network. SSH stands for Secure Socket Shell, and it allows users to log in remotely on their own computer without having to know a password or type one in each time they want access.

How do I setup a SSH server?

A: First, you will need to install the software called PuTTY.
➡️ To open a terminal in Windows use Ctrl+Alt+T
