Connecting Windows via SSH Using Built-in OpenSSH Server

Windows 10 1809 and Windows Server 2019 have got a built-in SSH server based on OpenSSH. In this article we’ll show how to install and configure an OpenSSH server on Windows 10 and connect to it remotely over protected SSH protocol (just like in Linux 🙂 ).

How to Install OpenSSH Server on Windows?

Let’s see on how to install OpenSSH Server feature on Windows 10 1903 (in Windows Server 2019 the procedure is the same).

The OpenSSH package (like RSAT) is added to these (and newer) Windows versions as the Feature on Demand (FoD).

If you have a direct Internet access, you can install OpenSSH using PowerShell:

Add-WindowsCapability -Online -Name OpenSSH.Server*

Or using DISM:

dism /Online /Add-Capability /CapabilityName:OpenSSH.Server~~~~0.0.1.0

You can also install OpenSSH on Windows 10 through the Settings panel (Apps -> Apps&Features -> Manage optional features -> Add a feature). Find Open SSH Server in the list and click Install.

To make sure the OpenSSH server has been installed, run the command:
Get-WindowsCapability -Online | ? Name -like 'OpenSSH.Ser*'

State : Installed

Configure SSH Server on Windows 10/Windows Server 2019

After you have installed OpenSSH server in Windows, you must change sshd service startup type to automatic and start the service using PowerShell:
Set-Service -Name sshd -StartupType 'Automatic'
Start-Service sshd

Using netstat, make sure that the SSH server is running and waiting for the connections on TCP port 22:
netstat -na| find ":22"

Make sure that Windows Defender Firewall allows inbound connections to Windows through TCP port 22:
Get-NetFirewallRule -Name *OpenSSH-Server* |select Name, DisplayName, Description, Enabled

Name DisplayName Description Enabled
---- ----------- ----------- -------
OpenSSH-Server-In-TCP OpenSSH SSH Server (sshd) Inbound rule for OpenSSH SSH Server (sshd) True

If the rule is disabled (Enabled=False) or missing, you can create a new inbound rule using the New-NetFirewallRule cmdlet:

New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

By default, important OpenSSH components are located in these folders:

• OpenSSH Server executables: C:\Windows\System32\OpenSSH\
• The sshd_config file (created after the first service startup): C:\ProgramData\ssh
• OpenSSH log: C:\windows\system32\OpenSSH\logs\sshd.log
• The authorized_keys file and keys: %USERPROFILE%\.ssh\

After OpenSSH installation, a new local user (sshd) is created on the computer.

OpenSSH Server Configuration File (sshd_config)

You can change your OpenSSH server settings in the config file: %programdata%\ssh\sshd_config.

For example, to deny SSH connection for the specific domain user account (or all domain users), add these directives to the end of the file:

DenyUsers woshub\admin@192.168.1.10
DenyUsers corp\*

To allow SSH connection to the specific domain group only:

AllowGroups woshub\sshadmins

Or you can allow access to a local group:

AllowGroups sshadmins

You can deny access to the accounts with the administrator privileges. In this case, if you need to perform any privileged actions in your SSH session, you will have to use runas.

DenyGroups Administrators

The following directives allow SSH access using RSA keys and passwords (we’ll look on how to use RSA keys to access Windows through SSH in the next article in detail):

PubkeyAuthentication yes
PasswordAuthentication yes

You can change the port OpenSSH receives connections to in the Port directive of the sshd_config file.

How to Connect to Windows 10 via SSH?

Now you can try to connect to your Windows 10 through the SSH client (I am using PuTTY, but you can use a built-in Windows SSH client instead).

At the first connection, a standard request to add the host to the list of known SSH hosts will appear.

Click Yes, and logon to your Windows 10 under Windows user.

If the SSH connection is successful, the cmd.exe shell will start with a prompt string.

admin@win10pc C:\Users\admin>

You can run different commands, scripts or apps in the command prompt.

I prefer working in the PowerShell console. To start it, run this command:

powershell.exe

In order to change the default cmd.exe shell to PowerShell for OpenSSH, make changes to the registry using the following PowerShell command:

New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String –Force

Restart your SSH connection and make sure that PowerShell is now used as a default SSH shell (this is shown by PS C:\Users\admin>).

The PowerShell console has been started in your SSH session, and familiar features work in it: tab autocompletion, PSReadLine color highlighting, command history, etc. If the current user is a member of the local administrators group, all session commands are executed elevated even if UAC is enabled.