You can use the official OpenSSH package for Windows to easily organize a secure file transfer between the client and Windows server using the SFTP (Secure FTP) protocol. In this article, we will show how to use the Win32-OpenSSH to run an SFTP server on Windows 10 or Windows Server 2016 / 2012R2.
What is SFTP?
SFTP (Secure File Transfer Protocol, Secure FTP or SSH FTP) is the extension of SSH protocol, being a standard in the world of UNIX/Linux systems. From the user point of view, it is similar to FTP, but in fact, it is a completely different protocol, having nothing in common with FTP. Data are transferred between a client and a server through the SSH tunnel (TCP port 22).
The main advantages of SFTP:
- Files and commands are transferred inside a secure SSH session;
- One connection is used to send both files and commands;
- Symbolic links, interrupt/resume transfer, file delete functions, etc. are supported;
- As a rule, in channels where FTP is slow or failing, SFTP connection is faster and more reliable;
- Possibility of authenticate using SSH keys.
SFTP Implementation in Windows
Historically, Windows operation systems don’t provide any built-in tools to run a secure SFTP server. For these purpose, open-source or proprietary solutions, like Core FTP, FileZilla, CYGWIN, OpenSSH, FTP Shell, IPSwitch, etc., have been used. However, several years ago Microsoft released its version of the OpenSSH port for Win32. This project is called Win32-OpenSSH.
Let’s consider the configuration of the SFTP server running Windows 10 or Windows Server 2019/2016/2012 R2 using the Win32 OpenSSH package.
Installing Win32 OpenSSH on Windows 10 1803+/Windows Server 2019
In Windows 10 build 1803 and newer and in Windows Server 2019, the OpenSSH package is already included in the operating system in the form of Feature on Demand (FoD) like RSAT.
You can install the OpenSSH server on Windows 10 and Windows Server 2019 using the following PowerShell cmdlet:
Add-WindowsCapability -Online -Name OpenSSH.Server*
Or using DISM:
dism /Online /Add-Capability /CapabilityName:OpenSSH.Server~~~~0.0.1.0
Also you can add OpenSSH server from Windows 10 GUI (Settings -> Apps -> Optional Features -> Add a feature -> Open SSH Server -> Install).
- OpenSSH executables are located in the directory:
- The sshd_config configuration file is located in the directory:
C:\ProgramData\ssh(this directory is created after the first start of the sshd service);
- Log file:
- The authorized_keys file and keys are stored in a directory:
Install Win32 OpenSSH on Windows Server 2016/2012 R2
In the previous versions of Windows 10 and in Windows Server 2016/2012 R2, you must download and install OpenSSH from the GitHub (https://github.com/PowerShell/Win32-OpenSSH/releases). You need to download a package version for Windows x64: OpenSSH-Win64.zip (3,5 MB).
- Extract the archive to the target directory: C:\OpenSSH-Win;
- Start the elevated PowerShell cli and switch to the OpenSSH folder:
- Add the path to the OpenSSH directory to the Path environment variable (System Properties -> Advanced tab -> Environment Variables -> Select and edit the Path system variable -> Add the path to the OpenSSH folder);
- Install the OpenSSH server:
.\install-sshd.ps1(a green message should appear “sshd and ssh-agent services successfully installed”);
- Generate SSH keys for the server (needed to start the sshd service):
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
- Enable autostart for the SSHD service and start it using the following PowerShell service management commands:
Set-Service -Name sshd -StartupType ‘Automatic’
- Restart your computer:
- Use the PowerShell to open TCP port 22 in the Windows Firewall for incoming SSH traffic:
New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName SSHNote. The previous command won’t work in old dscktop Windows versions. In this case another command is used:
netsh advfirewall firewall add rule name='SSH Port' dir=in action=allow protocol=TCP localport=22
- Open the SSHD configuration file (C:\ProgramData\SSH\sshd_config) in any text editor. Find and check the value of the Subsystem sftp directive. The sftp-server.exe file should be specified here.
AllowGroups corp\sftp_users # allow to connect to OpenSSH only for users in this domaan group
AuthenticationMethods password # enable password authentication (SSH keys cannot be used)
ChrootDirectory C:\inetpub\wwwroot\ftpfolder #default directory for SFTP users
Testing SFTP Connection Using WinSCP
Let’s try to connect to the created SSH server using the SFTP protocol. To do it, use a free WinSCP client.
In the connection configuration window, select the SFTP as the file transfer protocol, specify the server name and the credentials of the Windows account, which is used for connection (it is also possible to configure key authentication).
When you try to connect for the first time, the following notification of the host key not found in the local cache appears.
If everything is configured correctly, a client would connect to the SFTP server and display the list of files in the user home directory (by default, it is the directory with the user profile).
Using the familiar file manager interface (like Total Commander), you can copy files between the server and the client. Files are transferred using the secure SFTP.
How to Uninstall Win32 OpenSSH?
To uninstall Win32 OpenSSH from your system correctly:
- Run the elevated PowerShell session;
- Stop the SSHD service:
- Uninstall the sshd service:
sshd successfully uninstalled ssh-agent successfully uninstalled