OpenSSH Server on Windows Hosts
Enable SSH Server Capability
Get-WindowsCapability -Online -Name 'OpenSSH.Server*' | Add-WindowsCapability -Online
Generate an SSH Key Pair
See here for more information: https://notes.benheater.com/books/ssh-administration/page/create-new-key-pair-for-ssh
Add the Authorized Key String
Users
For accounts that are not members of the local Administrators group, sshd reads %USERPROFILE%\.ssh\authorized_keys.
OpenSSH Server will fail to read the authorized_keys file if it is not encoded as UTF-8 without a BOM. Redirecting with > or Out-File in Windows PowerShell 5.1 writes UTF-16 by default, and some editors add a UTF-8 BOM; both break key parsing, which is why the file is written with the .NET calls below.
$publicKeyFile = "$env:UserProfile\Desktop\my_ssh_key.pub"
$outputFile = "$env:UserProfile\.ssh\authorized_keys"   # double quotes so $env:UserProfile expands
New-Item -ItemType Directory -Force -Path "$env:UserProfile\.ssh" | Out-Null   # .ssh may not exist yet
$publicKey = [System.IO.File]::ReadAllText($publicKeyFile).Trim()   # ReadAllText strips any BOM in the .pub file
[System.IO.File]::AppendAllLines($outputFile, [string[]]@($publicKey))   # AppendAllLines writes UTF-8 without BOM
Administrators
The default sshd_config on Windows ends with a Match Group administrators block that sets AuthorizedKeysFile to __PROGRAMDATA__/ssh/administrators_authorized_keys. For any account in the local Administrators group the per-user authorized_keys file is therefore ignored and the key must go into this shared file instead. Run the following from an elevated PowerShell, since %ProgramData%\ssh is writable only by administrators.
$publicKeyFile = "$env:UserProfile\Desktop\my_ssh_key.pub"
$outputFile = "$env:ProgramData\ssh\administrators_authorized_keys"
$publicKey = [System.IO.File]::ReadAllText($publicKeyFile).Trim()   # ReadAllText strips any BOM in the .pub file
[System.IO.File]::AppendAllLines($outputFile, [string[]]@($publicKey))   # AppendAllLines writes UTF-8 without BOM
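The two snippets above as one reusable function. This is an added example, not code from the original notes: it validates that the input really is a public key line, refuses to append to an existing file that already carries a UTF-16 or UTF-8 BOM, writes UTF-8 without BOM, and, for the administrators file, applies the ACL Win32-OpenSSH requires (Administrators and SYSTEM only). The key path at the bottom is an assumption.

```powershell
# Added example, not from the original notes: append an OpenSSH public key to the
# right authorized_keys file as UTF-8 without BOM, validating the key line and the
# existing file's encoding first. The key path used at the bottom is an assumption.
function Add-SshAuthorizedKey {
    param(
        [Parameter(Mandatory)] [string] $PublicKeyFile,
        [switch] $Administrator   # target administrators_authorized_keys (run elevated)
    )

    # ReadAllText honours and strips a BOM if the .pub file has one (ssh-keygen never
    # writes one, but editors do); Trim removes the trailing newline.
    $key = [System.IO.File]::ReadAllText($PublicKeyFile).Trim()

    # ssh-keygen output is "<type> <base64> [comment]". Refuse anything else so a
    # private key or an unrelated file is never appended. (Lines with options such
    # as command="..." are not handled here.)
    $keyLine = '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-\S+)\s+[A-Za-z0-9+/]+=*(\s.*)?$'
    if ($key -notmatch $keyLine) {
        throw "Not an OpenSSH public key line: $PublicKeyFile"
    }

    if ($Administrator) {
        # Selected by the default "Match Group administrators" block in sshd_config
        $outputFile = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
    } else {
        $sshDir = Join-Path $env:UserProfile '.ssh'
        New-Item -ItemType Directory -Force -Path $sshDir | Out-Null
        $outputFile = Join-Path $sshDir 'authorized_keys'
    }

    if (Test-Path $outputFile) {
        # sshd cannot parse UTF-16 (what > and Out-File write by default in Windows
        # PowerShell 5.1) or a UTF-8 BOM; detect both from the first bytes.
        $b = [System.IO.File]::ReadAllBytes($outputFile)
        $utf16Bom = $b.Length -ge 2 -and $b[0] -eq 0xFF -and $b[1] -eq 0xFE
        $utf8Bom  = $b.Length -ge 3 -and $b[0] -eq 0xEF -and $b[1] -eq 0xBB -and $b[2] -eq 0xBF
        if ($utf16Bom -or $utf8Bom) {
            throw "$outputFile starts with a BOM; rewrite it as UTF-8 without BOM before appending."
        }
        # Idempotent: do not add the same key twice
        if ((Get-Content $outputFile) -contains $key) { return $outputFile }
    }

    # AppendAllLines defaults to UTF-8 without BOM; the [string[]] cast picks that overload
    [System.IO.File]::AppendAllLines($outputFile, [string[]]@($key))

    if ($Administrator) {
        # Win32-OpenSSH requires this file to be accessible only to Administrators and
        # SYSTEM; with StrictModes on, sshd otherwise logs "Bad owner or permissions"
        # and ignores it.
        icacls.exe $outputFile /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null
    }
    return $outputFile
}

# Assumed key path; use -Administrator for an account in the local Administrators group
Add-SshAuthorizedKey -PublicKeyFile "$env:UserProfile\Desktop\my_ssh_key.pub"
Add-SshAuthorizedKey -PublicKeyFile "$env:UserProfile\Desktop\my_ssh_key.pub" -Administrator
```

The BOM check is deliberately a hard failure rather than a silent rewrite: an existing file with the wrong encoding means every key already in it is being ignored by sshd, and that is worth noticing before adding another one.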
Configure SSH Server
- Open powershell.exe as administrator
- Run
notepad.exe $env:ProgramData\ssh\sshd_config
- Change
#PubkeyAuthentication yes
to
PubkeyAuthentication yes
- The keyword is PubkeyAuthentication, not PublicKeyAuthentication. sshd rejects unknown keywords ("Bad configuration option") and will not start, so check the spelling before restarting the service.
- If you want to disable password authentication, change
PasswordAuthentication yes
(it may be commented out as #PasswordAuthentication yes)
to
PasswordAuthentication no
- Do this only after you have confirmed that key-based login works, or you can lock yourself out of a remote host.
- Change
#StrictModes yes
to
StrictModes no
- https://man.openbsd.org/sshd_config#StrictModes
- StrictModes makes sshd refuse authorized_keys files and .ssh directories that are writable by anyone other than the owner (on Windows, Administrators and SYSTEM are also accepted). Many Windows directories are too open for this check by default, which is why it is disabled here. The safer alternative is to leave StrictModes on and tighten the ACL on the key file instead (administrators_authorized_keys should be accessible only to Administrators and SYSTEM); turn StrictModes off only if sshd keeps logging "Bad owner or permissions" after that.
- Press CTRL + S to save the changes to the file
Enable and Start SSH Server
Get-Service sshd | Set-Service -StartupType Automatic
Restart-Service sshd
Make sure the service has started and is listening on TCP port 22. Add-WindowsCapability creates the inbound Windows Firewall rule OpenSSH-Server-In-TCP for port 22, so the local firewall should already allow connections. If clients still cannot connect, check that this rule is enabled and look at any other host or network firewalls in the path.
Get-NetTcpConnection -State Listen -LocalPort 22
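The Configure, Enable and Start steps above as one script. This is an added example, not code from the original notes: it edits sshd_config with idempotent line-based replacements (sshd_config is one "Keyword value" per line, the first occurrence of a keyword wins, and everything after the first Match line is conditional, so only the global section is touched), keeps StrictModes on and fixes the key-file ACL instead, then starts sshd and verifies the firewall rule and listener. The file paths, the rule name OpenSSH-Server-In-TCP and the OpenSSH/Operational event log are the in-box Windows defaults; run it from an elevated PowerShell.

```powershell
# Added example, not from the original notes: apply the sshd_config edits with
# idempotent line-based replacements, enable sshd, and verify firewall and listener.
# Run from an elevated PowerShell. Paths and names are the in-box Windows defaults.
$sshdConfig = Join-Path $env:ProgramData 'ssh\sshd_config'
Copy-Item $sshdConfig "$sshdConfig.bak" -Force   # keep a copy to roll back to

# Desired global settings. Set PasswordAuthentication to 'no' only after a key login
# has been tested. StrictModes stays on here; the notes turn it off to avoid "Bad owner
# or permissions" errors, but tightening the key files' ACLs is the safer fix.
$settings = [ordered]@{
    PubkeyAuthentication   = 'yes'
    PasswordAuthentication = 'no'
    StrictModes            = 'yes'
}

$lines = [System.IO.File]::ReadAllLines($sshdConfig)

# Only the section before the first Match line is global
$globalEnd = $lines.Count
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match '^\s*Match\b') { $globalEnd = $i; break }
}

foreach ($keyword in $settings.Keys) {
    $newLine  = "$keyword $($settings[$keyword])"
    $pattern  = "^\s*#?\s*$keyword\b"      # matches the option whether or not commented out
    $replaced = $false
    for ($i = 0; $i -lt $globalEnd; $i++) {
        if ($lines[$i] -notmatch $pattern) { continue }
        if (-not $replaced) {
            $lines[$i] = $newLine          # first occurrence is the one sshd uses
            $replaced  = $true
        } elseif ($lines[$i] -notmatch '^\s*#') {
            $lines[$i] = "#$($lines[$i])"  # comment out a later, conflicting duplicate
        }
    }
    if (-not $replaced) {
        # Option absent from the global section: insert it just before the Match block
        $before = if ($globalEnd -gt 0) { $lines[0..($globalEnd - 1)] } else { @() }
        $after  = if ($globalEnd -lt $lines.Count) { $lines[$globalEnd..($lines.Count - 1)] } else { @() }
        $lines  = @($before) + $newLine + @($after)
        $globalEnd++
    }
}

# WriteAllLines writes UTF-8 without BOM, which sshd reads correctly
[System.IO.File]::WriteAllLines($sshdConfig, [string[]]$lines)

# With StrictModes on, administrators_authorized_keys must be accessible only to
# Administrators and SYSTEM (documented Win32-OpenSSH requirement)
$adminKeys = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
if (Test-Path $adminKeys) {
    icacls.exe $adminKeys /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null
}

Set-Service sshd -StartupType Automatic
Restart-Service sshd

# Verify: service running, inbound rule created by Add-WindowsCapability present and
# enabled, and sshd actually listening on TCP 22. Failures point at the OpenSSH log.
$svc    = Get-Service sshd
$rule   = Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue
$listen = Get-NetTcpConnection -State Listen -LocalPort 22 -ErrorAction SilentlyContinue

if ($svc.Status -ne 'Running') {
    throw 'sshd is not running; check Get-WinEvent -LogName OpenSSH/Operational for the reason'
}
if (-not $rule -or $rule.Enabled -ne 'True') {
    Write-Warning 'Firewall rule OpenSSH-Server-In-TCP is missing or disabled; create or enable it'
}
if (-not $listen) { throw 'Nothing is listening on TCP 22' }
'sshd is running and listening on TCP 22'
```

If sshd fails to start after the edit, the most common causes are a misspelled keyword (sshd logs "Bad configuration option" and exits) and a key file the StrictModes check rejects; both show up in the OpenSSH/Operational event log, and the .bak copy restores the previous configuration.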