Install Win32 OpenSSH
Install Win32 OpenSSH (test release)
Extract contents of the latest build to C:\Program Files\OpenSSH (Make sure the binary location grants Write permission only to the SYSTEM and Administrators groups. Authenticated Users should have only Read and Execute.)
In an elevated Powershell console, run the following
powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1
Open the firewall for sshd.exe to allow inbound SSH connections
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
New-NetFirewallRule is for Windows 2012 and above servers only. If you're on a client desktop machine (like Windows 10) or Windows 2008 R2 and below, try:
netsh advfirewall firewall add rule name=sshd dir=in action=allow protocol=TCP localport=22
Start sshd (this will automatically generate host keys under %programdata%\ssh if they don't already exist)
net start sshd
Migrate sshd configuration from 0.0.X.X versions (optional):
- To use existing customized sshd_config, you need to copy it from binary location to %programdata%\ssh\sshd_config (Note that %programdata% is a hidden directory).
- To use existing host keys, you need to copy them from binary location to %programdata%\ssh\
- Prior versions required SSHD resources (sshd_config, host keys and authorized_keys) to have READ access to "NT Service\SSHD". This is no longer a requirement and the corresponding ACL entry should be removed. To fix up these permissions, you may run (note the first "." is a call operator):
Powershell.exe -ExecutionPolicy Bypass -Command '. .\FixHostFilePermissions.ps1 -Confirm:$false'
Set sshd and ssh-agent to auto-start (optional)
Set-Service sshd -StartupType Automatic
Set-Service ssh-agent -StartupType Automatic
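The permission requirement from the extraction step (Write only for SYSTEM and Administrators) can be verified after installation. The following is an added example, not one of the project's scripts; the function name Get-UnexpectedWriteAccess and its parameters are hypothetical, and the default path is the one used on this page.

```powershell
# Added example (not from the Win32-OpenSSH project). Function and parameter
# names are hypothetical; the default path is the one used on this page.
function Get-UnexpectedWriteAccess {
    param(
        [string]$Path = 'C:\Program Files\OpenSSH',
        # Well-known SIDs: LocalSystem and BUILTIN\Administrators
        [string[]]$AllowedSids = @('S-1-5-18', 'S-1-5-32-544')
    )

    # Rights that allow changing or replacing a file, or rewriting its ACL
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Raw ACEs may carry GENERIC_WRITE (0x40000000) or GENERIC_ALL (0x10000000)
    $writeBits = [int]$rights -bor 0x40000000 -bor 0x10000000

    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Request SIDs so the comparison does not depend on the OS language
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (([int]$rule.FileSystemRights -band $writeBits) -eq 0) { continue }
            $sid = $rule.IdentityReference
            if ($AllowedSids -contains $sid.Value) { continue }

            # Resolve a display name where possible; orphaned SIDs stay as SIDs
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid.Value }

            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $name
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# An empty result means only SYSTEM and Administrators hold write-type rights
Get-UnexpectedWriteAccess | Format-Table -AutoSize -Wrap
```

On a folder created under Program Files, inherited entries for TrustedInstaller and CREATOR OWNER typically appear in the output; the guidance above names only SYSTEM and Administrators, so review each listed entry.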
Configuring the default ssh shell (optional)
If you configure a default shell, ensure that the OpenSSH installation path is in the system PATH. If it is not already present, amend the system PATH and restart the sshd service.
On the server side, configure the default ssh shell in the Windows registry.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH\DefaultShell - Full path (case sensitive) of the shell executable
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH\DefaultShellCommandOption - The switch that the configured default shell requires to execute a command and immediately exit and return to the calling process. It is used for executing the remote ssh commands. Example- ssh user@ip hostname
Example - PowerShell cmdlets to set PowerShell as the default shell
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShellCommandOption -Value "/c" -PropertyType String -Force
If you are configuring powershell.exe/cmd.exe/WSL-bash.exe as the default ssh shell, then you can ignore Computer\HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH\DefaultShellCommandOption. Your registry should look like this.
If you want to configure a default shell other than powershell/cmd/WSL-bash (e.g. Cygwin), then your registry should look like this
Uninstall Win32 OpenSSH
- Start Windows Powershell as Administrator
- Navigate to the OpenSSH directory
cd 'C:\Program Files\OpenSSH'
- Run the uninstall script
powershell.exe -ExecutionPolicy Bypass -File uninstall-sshd.ps1