I recently set up a new Windows build machine on an Intranet and found myself wishing I had remote access to it (via SSH for instance). I did briefly look into PowerShell remoting, but I like using SSH. Microsoft had plans to add an SSH server into Windows, and it turns out the project is progressing more smoothly than I thought. I however ran into some snags along the way and thought I’d record my steps here in case I need to replicate them one day (very likely).
First, in an admin PowerShell session, install Chocolatey and then Win32 OpenSSH:
PS> Get-PackageProvider chocolatey PS> Install-Package openssh
OpenSSH got installed in
C:\Program Files\OpenSSH-Win64" in my case. For good measure I added that to my PATH environment variable. Next,cd
into that directory and set upsshd`. Most of the next steps follow the instructions on the project’s wiki
PS> powershell -ExecutionPolicy Bypass -File install-sshd.ps1 PS> .\ssh-keygen.exe -A PS> .\FixHostFilePermissions.ps1 -Confirm:$false PS> Start-Service ssh-agent PS> psexec.exe -i -s cmd.exe PS> ssh-add ssh_host_dsa_key PS> ssh-add ssh_host_rsa_key PS> ssh-add ssh_host_ecdsa_key PS> ssh-add ssh_host_ed25519_key PS> New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName SSH
psexec tool can be found here.
Next, we want to disable password authentication.
PS> notepad .\sshd_config
Edit the following lines:
PasswordAuthentication no PubkeyAuthentication yes (Optional) Subsystem powershell C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
The last line is supposed to enable the PowerShell subsystem for PowerShell remoting.
Now we want to add the client’s public key to
authorized_keys. Create the
%USERPROFILE%\.ssh\authorized_keys file and copy the public key there. Then, we need to set the permissions to that file or
sshd will reject it. Permission inheritance for
.ssh and containing files should be disabled.
PS> icacls %USERPROFILE%\.ssh\authorized_keys /grant `"NT SERVICE\sshd`":`(R`) PS> icacls %USERPROFILE%\.ssh\authorized_keys /grant `"USERNAME`":`(F`)
sshd and enable automatic startup.
PS> Start-Service sshd PS> Set-Service sshd -StartupType Automatic PS> Set-Service ssh-agent -StartupType Automatic