Install Win32 OpenSSH

Manoj Ampalam edited this page Jul 3, 2018 · 115 revisions

Install Win32 OpenSSH (test release)

  1. Note these considerations and project scope first.

  2. Download the latest build of OpenSSH. To get links to latest downloads this wiki page.

  3. Extract contents of the latest build to C:\Program Files\OpenSSH (Make sure binary location has the Write permissions to just to SYSTEM, Administrator groups. Authenticated users should and only have Read and Execute.)

  4. In an elevated Powershell console, run the following

    • powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1
  5. Open the firewall for sshd.exe to allow inbound SSH connections

    • New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

    Note: New-NetFirewallRule is for Windows 2012 and above servers only. If you're on a client desktop machine (like Windows 10) or Windows 2008 R2 and below, try:

    netsh advfirewall firewall add rule name=sshd dir=in action=allow protocol=TCP localport=22
    
  6. Start sshd (this will automatically generate host keys under %programdata%\ssh if they don't already exist)

    • net start sshd
  7. Migrate sshd configuration from 0.0.X.X versions (optional):

    • To use existing customized sshd_config, you need to copy it from binary location to %programdata%\ssh\sshd_config (Note that %programdata% is a hidden directory).
    • To use existing host keys, you need to copy them from binary location to %programdata%\ssh\
    • Prior versions required SSHD resources (sshd_config, host keys and authorized_keys) to have READ access to "NT Service\SSHD". This is no longer a requirement and the corresponding ACL entry should be removed. You may run Powershell.exe -ExecutionPolicy Bypass -Command '. .\FixHostFilePermissions.ps1 -Confirm:$false' (Note the first "." is a call operator.) to fix up these permissions.
  8. Setup sshd and ssh-agent to auto-start (optional)

    • Set-Service sshd -StartupType Automatic
    • Set-Service ssh-agent -StartupType Automatic
  9. Configuring the default ssh shell (optional)

If you configure a default shell, ensure that OpenSSH installation path is in system PATH. If not already present, amend system PATH and restart sshd service.

On the server side, configure the default ssh shell in the windows registry.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH\DefaultShell - Full path (case sensitive) of the shell executable

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH\DefaultShellCommandOption - The switch that the configured default shell requires to execute a command and immediately exit and return to the calling process. It is used for executing the remote ssh commands. Example- ssh user@ip hostname


Example - Powershell cmdlets to set powershell bash as default shell

  • New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force

  • New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShellCommandOption -Value "/c" -PropertyType String -Force


If you are configuring the powershell.exe/cmd.exe/WSL-bash.exe as default ssh shell then you can ignore Computer\HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH\DefaultShellCommandOption. Your registry should look like this.

If you want to configure default shell (Ex- cygwin) other than powershell/cmd/WSL-bash then your registry should look like this

Uninstall Win32 OpenSSH

  • Start Windows Powershell as Administrator
  • Navigate to the OpenSSH directory
    • cd 'C:\Program Files\OpenSSH'
  • Run the uninstall script
    • powershell.exe -ExecutionPolicy Bypass -File uninstall-sshd.ps1
Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.