
Install Win32 OpenSSH

Yanbing edited this page May 14, 2017 · 121 revisions

Install Win32 OpenSSH (test release)

  • Download the latest build. To get links to latest downloads - see here. A Chocolatey package is also available if you prefer. For compat issues on Nano see issues on Nano. See here for PS script to automate installation and configuration.
  • Extract contents to C:\Program Files\OpenSSH
  • Start PowerShell as Administrator
    • cd 'C:\Program Files\OpenSSH'
  • On Windows 10 in developer mode, a different SSH implementation ships in-box. Look for TCP bindings on port 22 and for these processes: "SSH Server Broker" and "SSH Server Proxy"
    • netstat -anop TCP
    • If you do see 22 occupied, #610 has workarounds to deal with port conflict.
  • Install sshd and ssh-agent services.
    • powershell -executionpolicy bypass -file install-sshd.ps1
  • Setup SSH host keys
    • .\ssh-keygen.exe -A (starting with build v0.0.13.0, this generates all host keys with secured ACLs)
    • If host keys were generated by ssh-keygen.exe before build v0.0.13.0, you will have to re-ACL the files on both the server and client side. Please see Security protection for details.
  • (Required starting with build v0.0.13.0.) Grant "NT Service\sshd" Read access to the host key files:
       Get-ChildItem -Path 'C:\Program Files\OpenSSH\ssh_host_*_key*' | % {
           $acl = Get-Acl $_.FullName
           $ar = New-Object System.Security.AccessControl.FileSystemAccessRule("NT Service\sshd", "Read", "Allow")
           $acl.SetAccessRule($ar)
           Set-Acl $_.FullName $acl
       }

  • Secure SSH host keys (optional)
    • Start-Service ssh-agent
    • Download psexec from here
    • Launch cmd.exe as SYSTEM: psexec.exe -i -s cmd.exe
    • Register the secured host keys in that cmd.exe:
    • ssh-add ssh_host_dsa_key
    • ssh-add ssh_host_rsa_key
    • ssh-add ssh_host_ecdsa_key
    • ssh-add ssh_host_ed25519_key
    • The host private keys are now stored by ssh-agent; the private key files can be removed at this point.
  • Open Firewall
    • New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName SSH
  • Set sshd and ssh-agent to start automatically on boot (optional)
    • Set-Service sshd -StartupType Automatic
    • Set-Service ssh-agent -StartupType Automatic

New-NetFirewallRule is for servers only. If you're on a workstation try:

netsh advfirewall firewall add rule name='SSH Port' dir=in action=allow protocol=TCP localport=22
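An added post-install check, not part of the Win32-OpenSSH wiki, that audits what the steps above configured from an elevated PowerShell session: the port 22 listener, the service start modes, and the host-key ACLs. It assumes the default install path used above, C:\Program Files\OpenSSH.

```powershell
# Added verification script (not from the Win32-OpenSSH wiki). Run as Administrator.
# Assumes the default install path used in the steps above.
$InstallDir = 'C:\Program Files\OpenSSH'

# 1. Who holds TCP 22? On Windows 10 developer mode this may be the in-box
#    "SSH Server Proxy" rather than sshd (same check as 'netstat -anop TCP').
$listeners = Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Output ("Port 22 listener: PID {0} ({1})" -f $l.OwningProcess, $proc.ProcessName)
}
if (-not $listeners) { Write-Output 'Port 22: no listener (sshd not started, or port free)' }

# 2. Both services installed and set to start automatically.
foreach ($name in 'sshd', 'ssh-agent') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if ($svc) {
        Write-Output ("Service {0}: state={1} startmode={2}" -f $name, $svc.State, $svc.StartMode)
    } else {
        Write-Output "Service ${name}: NOT installed (run install-sshd.ps1)"
    }
}

# 3. Host private key ACLs. Only SYSTEM, Administrators and NT Service\sshd
#    should appear; any other identity, or inherited ACEs, is flagged.
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\sshd')
Get-ChildItem -Path (Join-Path $InstallDir 'ssh_host_*_key') -ErrorAction SilentlyContinue |
  ForEach-Object {
    $acl = Get-Acl $_.FullName
    $sshdAllowed = $false
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($id -ieq 'NT SERVICE\sshd' -and $ace.AccessControlType -eq 'Allow') {
            $sshdAllowed = $true
        }
        if ($allowed -notcontains $id) {
            Write-Output ("{0}: unexpected ACE for {1} ({2})" -f $_.Name, $id, $ace.FileSystemRights)
        }
    }
    if (-not $acl.AreAccessRulesProtected) {
        Write-Output ("{0}: inherits ACEs from the parent folder" -f $_.Name)
    }
    Write-Output ("{0}: NT Service\sshd allowed = {1}" -f $_.Name, $sshdAllowed)
  }
```

Run it after the install steps and again after any host key regeneration; a key that reports an unexpected ACE or inherited ACEs needs the re-ACL step described under Security protection.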

Uninstall Win32 OpenSSH

  • Start PowerShell as Administrator
  • Uninstall
    • powershell.exe -executionpolicy bypass -file uninstall-sshd.ps1