OpenSSH Server on Windows Hosts
Enable SSH Server Capability
Get-WindowsCapability -Online -Name 'OpenSSH.Server*' | Add-WindowsCapability -Online
Generate an SSH Key Pair
See here for more information: https://notes.benheater.com/books/ssh-administration/page/create-new-key-pair-for-ssh
Add the Authorized Key String
Users
OpenSSH Server will fail to read the authorized_keys file if it is not encoded as UTF-8 without a byte order mark (a UTF-8 file with a BOM is rejected).
Run these commands in PowerShell to write the public key string to a user's authorized_keys file:
$publicKeyFile = "$env:UserProfile\Desktop\my_ssh_key.pub"
$outputFile = "$env:UserProfile\.ssh\authorized_keys"
New-Item -ItemType Directory -Force -Path "$env:UserProfile\.ssh" | Out-Null  # .ssh does not exist until something creates it
$publicKeyBytes = [System.IO.File]::ReadAllBytes($publicKeyFile)
$utf8String = [System.Text.Encoding]::UTF8.GetString($publicKeyBytes).TrimEnd()
# UTF8Encoding($false) writes UTF-8 with no BOM; AppendAllLines expects a collection of lines, not a bare string
$utf8NoBom = [System.Text.UTF8Encoding]::new($false)
[System.IO.File]::AppendAllLines($outputFile, [string[]]@($utf8String), $utf8NoBom)
Administrators
Run these commands in PowerShell to write the public key string of an approved administrator. This key is stored globally in the ProgramData directory rather than in a user profile:
$publicKeyFile = "$env:UserProfile\Desktop\my_ssh_key.pub"
$outputFile = "$env:ProgramData\ssh\administrators_authorized_keys"
$publicKeyBytes = [System.IO.File]::ReadAllBytes($publicKeyFile)
$utf8String = [System.Text.Encoding]::UTF8.GetString($publicKeyBytes).TrimEnd()
# UTF8Encoding($false) writes UTF-8 with no BOM; AppendAllLines expects a collection of lines, not a bare string
$utf8NoBom = [System.Text.UTF8Encoding]::new($false)
[System.IO.File]::AppendAllLines($outputFile, [string[]]@($utf8String), $utf8NoBom)
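The user and administrator blocks above do the same job, so here is one PowerShell function that covers both, as an added example that is not part of the original notes: it strips a stray BOM from the .pub file, refuses to write a line that does not look like an OpenSSH key, skips keys already present, writes UTF-8 without BOM, verifies the result, and tightens the ACL on administrators_authorized_keys as Microsoft's OpenSSH documentation requires. The function name, the key-format regex and the returned object are my own choices; the file paths are the ones used above.

```powershell
# Added example (not from the original notes): append one public key to an
# authorized_keys file, guaranteeing UTF-8 without BOM, skipping duplicates
# and verifying the result. Paths match the notes; key validation is basic.
function Add-AuthorizedKey {
    param(
        [Parameter(Mandatory)] [string] $PublicKeyFile,
        [switch] $Administrator   # target the global administrators_authorized_keys
    )
    $target = "$env:UserProfile\.ssh\authorized_keys"
    if ($Administrator) { $target = "$env:ProgramData\ssh\administrators_authorized_keys" }

    # Read the .pub as bytes and strip a UTF-8 BOM (EF BB BF) if an editor added one;
    # a BOM carried into authorized_keys is exactly what makes sshd reject the file.
    $bytes = [System.IO.File]::ReadAllBytes($PublicKeyFile)
    if ($bytes.Length -gt 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $bytes = [byte[]]$bytes[3..($bytes.Length - 1)]
    }
    $keyLine = [System.Text.Encoding]::UTF8.GetString($bytes).Trim()

    # Sanity check: "<keytype> <base64> [comment]"; throw rather than write garbage
    if ($keyLine -notmatch '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+)\s+[A-Za-z0-9+/=]+') {
        throw "$PublicKeyFile does not look like an OpenSSH public key"
    }

    # Create the parent directory if needed and skip keys that are already present
    $null = New-Item -ItemType Directory -Force -Path (Split-Path $target)
    $existing = if (Test-Path $target) { [System.IO.File]::ReadAllLines($target) } else { @() }
    if ($existing -contains $keyLine) {
        return [pscustomobject]@{ File = $target; Added = $false; BomFree = $true }
    }

    # UTF8Encoding($false) = UTF-8 with no BOM
    $utf8NoBom = [System.Text.UTF8Encoding]::new($false)
    [System.IO.File]::AppendAllLines($target, [string[]]@($keyLine), $utf8NoBom)

    if ($Administrator) {
        # Microsoft's OpenSSH docs require that only Administrators and SYSTEM can access this file
        icacls.exe $target /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null
    }

    # Verify the written file does not start with a BOM
    $head = [System.IO.File]::ReadAllBytes($target)
    $bomFree = -not ($head.Length -ge 3 -and $head[0] -eq 0xEF -and $head[1] -eq 0xBB -and $head[2] -eq 0xBF)
    [pscustomobject]@{ File = $target; Added = $true; BomFree = $bomFree }
}

Add-AuthorizedKey -PublicKeyFile "$env:UserProfile\Desktop\my_ssh_key.pub"
Add-AuthorizedKey -PublicKeyFile "$env:UserProfile\Desktop\my_ssh_key.pub" -Administrator
```

The returned object tells you whether the key was actually appended and whether the file is BOM-free, so the output can be checked before restarting sshd.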
Configure SSH Server
- Open powershell.exe as administrator
- Run notepad.exe $env:ProgramData\ssh\sshd_config
- Change #PubkeyAuthentication yes to PubkeyAuthentication yes (the directive is spelled PubkeyAuthentication; sshd will not start with an unknown option such as PublicKeyAuthentication in its config)
- If you want to disable password authentication: change PasswordAuthentication yes to PasswordAuthentication no
- Change #StrictModes yes to StrictModes no - https://man.openbsd.org/sshd_config#StrictModes
  - StrictModes isn't really compatible with Windows by default, as many directories tend to be too open for its permission checks
- Press CTRL + S to save the changes to the file
Enable and Start SSH Server
Get-Service sshd | Set-Service -StartupType Automatic
Restart-Service sshd
Make sure the service has started and that TCP port 22 is open. Running Add-WindowsCapability earlier should have opened the port in Windows Firewall for you; nevertheless, check any other firewalls in the path when troubleshooting connectivity issues.
Get-NetTcpConnection -State Listen -LocalPort 22