Install Win32 OpenSSH
-
Note these considerations and project scope first.
-
Download the latest build of OpenSSH. For links to the latest downloads, see the wiki page on retrieving download links for the latest packages.
-
Extract contents of the latest build to
C:\Program Files\OpenSSH
-
Start Windows Powershell as Administrator
-
Navigate to the OpenSSH directory
cd 'C:\Program Files\OpenSSH'
-
On Windows 10, if you've enabled Developer Mode, you probably already have another SSH server implementation installed. To find out, look for a TCP listener on port 22 and for these services: "SSH Server Broker" and "SSH Server Proxy".
netstat -anop TCP
- If port 22 is already occupied, issue #610 describes workarounds for the port conflict.
-
Install the sshd and ssh-agent services
powershell -ExecutionPolicy Bypass -File install-sshd.ps1
-
Generate SSH host keys (optional on build 1.0.0.0 and later; run in the PowerShell window)
.\ssh-keygen.exe -A
- Fix the ACLs if the keys/config files were generated or deployed on a build before 1.0.0.0:
Powershell.exe -ExecutionPolicy Bypass -Command '. .\FixHostFilePermissions.ps1 -Confirm:$false'
(Note that the leading "." is the dot-sourcing operator, which runs the script in the current scope.)
-
Secure SSH host keys (optional)
Start-Service ssh-agent
- Download psexec (Sysinternals)
- Launch cmd.exe as SYSTEM
psexec.exe -i -s cmd.exe
- Register the host keys in the above cmd.exe (it runs as SYSTEM, the same account as the ssh-agent service)
ssh-add ssh_host_dsa_key
ssh-add ssh_host_rsa_key
ssh-add ssh_host_ecdsa_key
ssh-add ssh_host_ed25519_key
- The host private keys are now held by ssh-agent, so the private key files can be deleted at this point; sdelete may be used to securely erase them.
-
Open the firewall for sshd.exe to allow inbound SSH connections
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Service sshd -Enabled True -Direction Inbound -Protocol TCP -Action Allow
Note: New-NetFirewallRule requires the NetSecurity module (Windows 8 / Windows Server 2012 and later). If the cmdlet is not available on your version (for example Windows Server 2008 R2 and below), use:
netsh advfirewall firewall add rule name=sshd dir=in action=allow protocol=TCP service=sshd
-
Set up sshd and ssh-agent to auto-start (optional)
Set-Service sshd -StartupType Automatic
Set-Service ssh-agent -StartupType Automatic
-
Start the sshd and ssh-agent services
net start sshd
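The steps above, put together as one script with the checks a practitioner would want between them: it refuses to install over an existing port-22 listener, picks the firewall method the OS supports, and verifies afterwards that sshd is the process bound to TCP 22. This is an added example, not a script shipped by the Win32-OpenSSH project. It assumes the build was extracted to C:\Program Files\OpenSSH, an elevated PowerShell window, and a Windows version with Get-NetTCPConnection (Windows 8 / Server 2012 and later); the host-key location checked at the end covers both the install directory (older builds) and %ProgramData%\ssh (newer builds).

```powershell
# Added example (not part of the Win32-OpenSSH project): end-to-end install of the
# extracted build with sanity checks between the wiki's steps.
# Assumes C:\Program Files\OpenSSH and an elevated PowerShell window.
$ErrorActionPreference = 'Stop'
$installDir = 'C:\Program Files\OpenSSH'
Set-Location $installDir

# 1. Refuse to continue if something else already listens on TCP 22
#    (e.g. the Developer Mode "SSH Server Broker"/"SSH Server Proxy" services).
$listener = Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $ownerPid = $listener[0].OwningProcess
    $owner    = (Get-Process -Id $ownerPid).ProcessName
    throw "TCP 22 is already bound by '$owner' (PID $ownerPid); resolve the conflict first (see issue #610)."
}

# 2. Register the sshd and ssh-agent services.
& powershell.exe -ExecutionPolicy Bypass -File .\install-sshd.ps1

# 3. Generate host keys and tighten ACLs. Both are harmless to repeat on builds
#    that already generate keys and set permissions themselves.
& .\ssh-keygen.exe -A
& powershell.exe -ExecutionPolicy Bypass -Command '. .\FixHostFilePermissions.ps1 -Confirm:$false'

# 4. Firewall: use the NetSecurity cmdlet where it exists, otherwise fall back to netsh.
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    if (-not (Get-NetFirewallRule -Name sshd -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Service sshd `
            -Enabled True -Direction Inbound -Protocol TCP -Action Allow | Out-Null
    }
} else {
    & netsh advfirewall firewall add rule name=sshd dir=in action=allow protocol=TCP service=sshd
}

# 5. Auto-start and start both services.
Set-Service sshd      -StartupType Automatic
Set-Service ssh-agent -StartupType Automatic
Start-Service ssh-agent
Start-Service sshd

# 6. Verify: both services running, sshd is the process on TCP 22, host keys exist.
foreach ($svc in 'sshd', 'ssh-agent') {
    $s = Get-Service $svc
    if ($s.Status -ne 'Running') { throw "$svc is $($s.Status); expected Running" }
}
$sshdPid = (Get-CimInstance Win32_Service -Filter "Name='sshd'").ProcessId
$bound   = Get-NetTCPConnection -LocalPort 22 -State Listen | Where-Object OwningProcess -eq $sshdPid
if (-not $bound) { throw 'sshd is running but does not own the TCP 22 listener; check the sshd log.' }

# Key location depends on the build: install dir (older) or %ProgramData%\ssh (newer).
$keys = Get-ChildItem "$installDir\ssh_host_*_key", "$env:ProgramData\ssh\ssh_host_*_key" -ErrorAction SilentlyContinue
if (-not $keys) { throw 'No host private keys found; ssh-keygen -A did not produce any.' }
$keys | Select-Object FullName, Length

Write-Host "sshd listening on TCP 22 (PID $sshdPid). Test from another host: ssh $env:USERNAME@$env:COMPUTERNAME"
```

The port-22 check runs before install-sshd.ps1 on purpose: registering the service succeeds even when the port is taken, and the failure only shows up later as sshd refusing to start.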
-
Configuring the default ssh shell (optional)
On the server side, configure the default ssh shell in the Windows registry under HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH:
HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH\DefaultShell
- Full path (case sensitive) of the shell executable.
HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH\DefaultShellCommandOption
- The switch the configured default shell needs to execute a command and then exit, returning to the calling process. It is used for remote ssh commands, for example ssh user@ip hostname.
If you configure powershell.exe, cmd.exe or WSL bash.exe as the default ssh shell, you can leave DefaultShellCommandOption unset; only DefaultShell is required. If you configure any other shell (for example cygwin), set DefaultShellCommandOption to that shell's command switch as well.
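A worked version of the registry change above, added here as an example (not a script from the Win32-OpenSSH project). It validates that DefaultShell points at an existing .exe before writing it, since sshd will fail every login if the path is wrong, and only writes DefaultShellCommandOption when a switch is supplied. The powershell.exe path and the '-c' switch for a Unix-style shell are illustrative values, not settings taken from the wiki page.

```powershell
# Added example (not part of the Win32-OpenSSH project): set the default ssh shell
# with validation. $shellPath / $commandOption are example values; adjust to your shell.
$ErrorActionPreference = 'Stop'
$key = 'HKLM:\SOFTWARE\OpenSSH'

# Full, case-sensitive path of the shell executable (example value).
$shellPath = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

# Leave $null for powershell.exe / cmd.exe / WSL bash.exe (no option needed).
# For other shells supply the switch that runs one command and exits,
# e.g. '-c' for a Unix-style shell such as cygwin bash (assumption; check your shell).
$commandOption = $null

# sshd launches this path directly, so it must exist and be an executable.
if (-not (Test-Path -LiteralPath $shellPath -PathType Leaf)) { throw "Shell not found: $shellPath" }
if ([IO.Path]::GetExtension($shellPath) -ne '.exe')          { throw "DefaultShell must be an .exe: $shellPath" }

if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name DefaultShell -Value $shellPath -PropertyType String -Force | Out-Null

if ($commandOption) {
    New-ItemProperty -Path $key -Name DefaultShellCommandOption -Value $commandOption -PropertyType String -Force | Out-Null
} else {
    # Remove any stale override so a switch meant for a different shell is not reused.
    Remove-ItemProperty -Path $key -Name DefaultShellCommandOption -ErrorAction SilentlyContinue
}

# Show the resulting values and restart sshd so new sessions use the new shell.
Get-ItemProperty -Path $key | Select-Object DefaultShell, DefaultShellCommandOption
Restart-Service sshd
```

After the restart, verify from another machine with both an interactive login and a one-off command (ssh user@host hostname); the second one is what exercises DefaultShellCommandOption.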
Uninstall
- Start Windows PowerShell as Administrator
- Navigate to the OpenSSH directory
cd 'C:\Program Files\OpenSSH'
- Run the uninstall script
powershell.exe -ExecutionPolicy Bypass -File uninstall-sshd.ps1