SSH Server on Windows
I recently set up a new Windows build machine on an Intranet and found myself wishing I had remote access to it (via SSH for instance). I did briefly look into PowerShell remoting, but I like using SSH. Microsoft had plans to add an SSH server into Windows, and it turns out the project is progressing more smoothly than I thought. I however ran into some snags along the way and thought I’d record my steps here in case I need to replicate them one day (very likely).
First, in an admin PowerShell session, install Chocolatey and then Win32 OpenSSH:
PS> Get-PackageProvider chocolatey
PS> Install-Package openssh
OpenSSH got installed in C:\Program Files\OpenSSH-Win64 in my case. For good measure I added that directory to my PATH environment variable. Next, cd into that directory and set up sshd. Most of the following steps follow the instructions on the project's wiki:
PS> powershell -ExecutionPolicy Bypass -File install-sshd.ps1
PS> .\ssh-keygen.exe -A
PS> .\FixHostFilePermissions.ps1 -Confirm:$false
PS> Start-Service ssh-agent
PS> psexec.exe -i -s cmd.exe
PS> ssh-add ssh_host_dsa_key
PS> ssh-add ssh_host_rsa_key
PS> ssh-add ssh_host_ecdsa_key
PS> ssh-add ssh_host_ed25519_key
PS> New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName SSH
The psexec tool (part of the Sysinternals suite) can be found here. It is used to open a cmd.exe running as SYSTEM, and the ssh-add commands are typed into that shell so that the host keys are loaded into the ssh-agent service, which runs under the SYSTEM account.
Next, we want to disable password authentication.
PS> notepad .\sshd_config
Edit the following lines:
PasswordAuthentication no
PubkeyAuthentication yes
(Optional)
Subsystem powershell C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
The last line is supposed to enable the PowerShell subsystem for PowerShell remoting over SSH.
Now we want to add the client's public key to authorized_keys. Create the %USERPROFILE%\.ssh\authorized_keys file and copy the public key into it. Then we need to set the permissions on that file, or sshd will reject it. Permission inheritance for .ssh and the files it contains should be disabled.
PS> icacls "$env:USERPROFILE\.ssh\authorized_keys" /grant `"NT SERVICE\sshd`":`(R`)
PS> icacls "$env:USERPROFILE\.ssh\authorized_keys" /grant `"USERNAME`":`(F`)
(In a PowerShell session %USERPROFILE% is not expanded, so the path is given as $env:USERPROFILE instead; replace USERNAME with the account that owns the profile.)
Lastly, start sshd and enable automatic startup for both services.
PS> Start-Service sshd
PS> Set-Service sshd -StartupType Automatic
PS> Set-Service ssh-agent -StartupType Automatic
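As an added example (not code from the original post), the following script applies the authorized_keys permissions described above, including the inheritance removal the text asks for but does not show, and then checks that the hardening from all of the steps is actually in place. The OpenSSH install directory and the path of the copied client public key are assumptions.

```powershell
# Added example, not part of the original post. Assumptions: OpenSSH lives in
# C:\Program Files\OpenSSH-Win64 and the client's public key was copied to
# $PubKeyPath (a hypothetical path). Run from an admin PowerShell session.
$OpenSshDir = 'C:\Program Files\OpenSSH-Win64'
$PubKeyPath = "$env:USERPROFILE\Downloads\client_key.pub"   # hypothetical
$SshDir     = "$env:USERPROFILE\.ssh"
$AuthKeys   = Join-Path $SshDir 'authorized_keys'

# 1. Install the client's public key; append so any existing keys survive.
New-Item -ItemType Directory -Force -Path $SshDir | Out-Null
Get-Content $PubKeyPath | Add-Content -Path $AuthKeys -Encoding ascii

# 2. Remove inherited ACEs on .ssh and authorized_keys, then grant only the
#    sshd service account read access and the owning user full control.
foreach ($path in $SshDir, $AuthKeys) {
    icacls $path /inheritance:r | Out-Null
    icacls $path /grant '"NT SERVICE\sshd":(R)' | Out-Null
    icacls $path /grant "`"$env:USERNAME`":(F)" | Out-Null
}

# 3. Warn about any principal left on authorized_keys beyond those two.
$expected = @('NT SERVICE\sshd', "$env:USERDOMAIN\$env:USERNAME")
(Get-Acl $AuthKeys).Access |
    Where-Object { $_.IdentityReference.Value -notin $expected } |
    ForEach-Object {
        Write-Warning "Unexpected ACE on authorized_keys: $($_.IdentityReference) $($_.FileSystemRights)"
    }

# 4. Confirm sshd_config refuses passwords and accepts keys, and that the
#    services and firewall rule from the steps above are in place.
$conf = Get-Content (Join-Path $OpenSshDir 'sshd_config')
$checks = [ordered]@{
    'PasswordAuthentication no' = [bool]($conf -match '^\s*PasswordAuthentication\s+no\b')
    'PubkeyAuthentication yes'  = [bool]($conf -match '^\s*PubkeyAuthentication\s+yes\b')
    'sshd running'              = (Get-Service sshd).Status -eq 'Running'
    'sshd autostart'            = (Get-Service sshd).StartType -eq 'Automatic'
    'ssh-agent autostart'       = (Get-Service ssh-agent).StartType -eq 'Automatic'
    'firewall rule SSH'         = $null -ne (Get-NetFirewallRule -DisplayName SSH -ErrorAction SilentlyContinue)
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

A FAIL on the PasswordAuthentication line is the one to fix first, since with password logins still enabled the key-only setup above buys nothing.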