Posted on July 28, 2016 · Posted in Windows Server 2012 R2

Installing SFTP (SSH FTP) Server on Windows Server 2012 R2

We go on talking about the means of secure file transfer between a client and a server running Windows Server 2012 R2. Last time we discussed using FTPS as a secure extension of FTP. Today we’ll dwell on the peculiarities of SFTP (Secure FTP) and its use in Windows Server OSs.

SFTP Peculiarities

SFTP (Secret File Transfer Protocol , Secure FTP or SSH FTP) is the extension of SSH protocol, being a standard in the world of UNIX/Linux systems. From the user point of view, it is similar to FTP, but in fact, it is a completely different protocol, having nothing in common with FTP. Data are transferred between a client and a server through the SSH tunnel using Port 22.

The main advantages of SFTP:

  1. Files and commands are transferred inside a secure SSH session
  2. One connection is used to transfer both files and commands
  3. Symbolic links, interrupt/resume transfer, file delete functions, etc. are supported
  4. As a rule, in channels where FTP is slow or failing, SFTP connection is faster and more reliable
  5. Possibility of authenticate using SSH keys

SFTP Implementation in Windows Systems

Microsoft operation systems do not provide any built-in means to organize a protected SFTP server. To do it, open-source or proprietary solutions, like Core FTP, FileZilla, CYGWIN, OpenSSH, FTP Shell, IPSwitch, etc., have been used.

However, in October, 2015, Microsoft development PowerShell team announced the release of the OpenSSH candidate for Windows, being a port of OpenSSH for win32.

Note. Now Win32-OpenSSH project has a pre-release status. According to the developers’ plans, this year the final release will be ready.

Let’s consider the configuration of the SFTP server running Windows Server 2012 R2 using Win32 OpenSSH package.

Installation of Win32 OpenSSH on Windows Server 2012 R2

You can download a compiled version of the package here: We need a version for 64-bit Windows version: (4 MB)

  1. Extract the archive to the target directory: C:\OpenSSH-Win
  2. Start PowerShell command prompt with the administrator privileges and go to the OpenSSH directory:Cd C:\OpenSSH-Win
  3. Generate SSH keys for the server (they are necessary to start sshd):
    ssh-keygen.exe –Agenerating new openssh rsa keys

    generating new host keys: RSA DSA ECDSA ED25519

  4. Allow the incoming traffic on Port 22 (SSH server) in Windows Firewall:New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName SSH

    New-NetFirewallRule - add incoming rule port 22

    Note. The previous command won’t work in a client OS. In this case another command is used:

    netsh advfirewall firewall add rule name='SSH Port' dir=in action=allow protocol=TCP localport=22

  5. To enable authentication using keys:
    powershell.exe .\install-sshlsa.ps1
  6. Restart your server:
  7. Open the configuration file C:\OpenSSH-Win\sshd_config in any text editor, find and change the value of Subsystem sftp to C:\OpenSSH-Win\sftp-server.exe C:\OpenSSH-Win\sftp-server.exe
  8. Install sshd service
    .\sshd.exe install
  9. Specify that it has to be started automatically during the system boot and start it:Set-Service sshd -StartupType Automatic
    Start-Service sshd

Note. In my case, SSHD in Windows Server 2012 R2 did not start returning the following error:

net start sshd

The SSHD service is starting.
The SSHD service could not be started.
A system error has occurred.
System error 1067 has occurred.
The process terminated unexpectedly.

System error 1067 has occurred

When trying to start sshd.exe with no parameters manually, the error text was more informative, but still not enough for effective troubleshooting.


[Build Mar 19 2016 22:36:41]
key_load_private: insufficient buffer space
Could not load host key: ssh_host_rsa_key
key_load_private: insufficient buffer space
Could not load host key: ssh_host_dsa_key
key_load_private: insufficient buffer space
Could not load host key: ssh_host_ecdsa_key
key_load_private: insufficient buffer space
Could not load host key: ssh_host_ed25519_key
Disabling protocol version 2. Could not load host key

key_load_private: insufficient buffer space

As it turned out, it is a well-known bug of the release as of March, 19, 2016. The developers promise to correct it in the next releases. Meanwhile, it is recommended to use OpenSSH-Win64-1.1.

Test of the SFTP Connection

Let’s try to connect to the created SSH server by SFTP. To do it, use a free WinSCP client.

In the connection configuration window, select SFTP as the protocol of data transfer, specify the server name and the credentials of the Windows account, which is used for connection. (It is also possible to configure authentication using keys.)

WinSCP test sftp connection

When you try to connect for the first time, the following notification of the host key not found in the local cache appears.

rsa2 key warning

If you configured it right, a client would connect to the SFTP server and display the list of files in the user home directory (by default, it is the directory with the user profile).

Using the familiar interface of the file manager, you can copy files between the server and the client. Files are transferred using the protected SFTP.

connect openssh on windows server using winscp

How to Uninstall Win32 OpenSSH

To uninstall Win32 OpenSSH from your system correctly:

  1. Start PowerShell console with the administrator privileges
  2. Stop the SSHD service:
    Stop-Service sshd
  3. Uninstall the service:.\sshd.exe uninstall
  4. Uninstall the keys:
    powershell .\uninstall-sshlsa.ps1
Related Articles