In this article, I will show how to set up an SSH server on Windows and how to install OpenSSH on a Windows client for PowerShell remoting in PowerShell Core.

Update: We have two new articles about the topic:
PowerShell remoting with SSH public key authentication
Enable PowerShell Core 6 remoting with SSH transport

If you have been following the developments over the last year on PowerShell Core, you'll know that the PowerShell team has been hard at work. Not only are they quickly approaching the release of the production version of PowerShell Core, but they have also been working constantly on several projects. These include Desired State Configuration, the PowerShell Visual Studio Code extension, and the topic of this article: porting OpenSSH to Windows.

SSH has long been the remoting mainstay in the Linux world. In client scenarios, PuTTY on Windows is the most common use of SSH, as it allows a Windows user to SSH into a Linux system. There are other third-party solutions providing an SSH server on Windows, but having a Microsoft team officially providing it will make it easier to adopt.

Although Windows PowerShell users are used to WinRM as their remoting protocol with PowerShell, it makes a lot of sense to enable Windows to use SSH. The ability to use SSH provides a common user experience for Linux users to connect to Windows systems remotely and vice versa. In my opinion, in the not-so-distant future, SSH will likely become the remoting protocol of choice for Windows users as well.

Installing the OpenSSH package

Currently, there are two ways to install OpenSSH on Windows documented on GitHub. I recommend using Chocolatey because it is much simpler and automates a few of the necessary tasks for you.

In PowerShell or cmd, this command will install both the client tools and the server component. To install just the client tools, remove the -params argument. Among other tasks, it opens the proper firewall ports and sets or starts the sshd and ssh-agent services:

Now our local computer is ready to remote into other hosts with SSH and to have other hosts connect to it.
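The install and a check of what it is said to configure, as an added example (not the article's original listing). The function name `Test-OpenSshInstall` is hypothetical; the package parameters are the ones quoted on this page, passed with `--params`.

```powershell
# Added example. Run elevated in Windows PowerShell.
choco install openssh -y --params '"/SSHServerFeature /KeyBasedAuthenticationFeature"'

function Test-OpenSshInstall {
    $findings = @()
    foreach ($name in 'sshd', 'ssh-agent') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            $findings += "${name}: service not registered, installation incomplete"
        } elseif ($svc.StartType -eq 'Disabled') {
            # A disabled service cannot be started until its start type changes.
            $findings += "${name}: disabled, fix with Set-Service $name -StartupType Manual"
        } elseif ($svc.Status -ne 'Running') {
            $findings += "${name}: $($svc.Status), fix with Start-Service $name"
        }
    }
    # An enabled inbound allow rule must cover TCP 22 for other hosts to connect.
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains '22' } |
        Get-NetFirewallRule |
        Where-Object {
            $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow'
        }
    if (-not $rules) { $findings += 'firewall: no enabled inbound allow rule for TCP 22' }
    return $findings
}

$problems = Test-OpenSshInstall
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    'sshd and ssh-agent are running and TCP 22 is allowed inbound.'
}
```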

SSH on Windows with password authentication

In these examples my username is "dan" and my SSH server is "remotehost." When attempting to remote into a host with a password for a local user, you can simply run:

After you run this, it will prompt you to type in your password. If successful, you will gain access to the shell.

Fortunately, you can also use an Active Directory domain account with SSH. You can use either "DOMAIN\dan" or dan@domain.

Notice I have to specify the -l parameter (login name) when using the dan@domain syntax because it conflicts with the standard dan@remotehost use of SSH.

SSH with key authentication

While SSH supports password authentication, it is more secure to use a key. To set up a key, you first have to generate it on your client and provide a passphrase. In this example, I use the defaults: "id_rsa" as the file and RSA as the type:

Generating the public key

This creates two files in c:\users\dan\.ssh: id_rsa and id_rsa.pub.

Please note you need to ensure you are the only user who has access to the id_rsa private key on the file system for security purposes.

Ensure the ssh-agent service is started:

Next, we need to add our key to the ssh-agent service:
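The client-side steps above in one pass, as an added example rather than the article's original commands. It uses the article's default key file and adds an ACL lock on the private key; the helper name `Get-UnexpectedKeyAccess` is hypothetical.

```powershell
# Added example. Run as the user who will own the key.
$key = Join-Path $env:USERPROFILE '.ssh\id_rsa'
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# 1. Generate an RSA key pair; ssh-keygen prompts for the passphrase.
if (-not (Test-Path $key)) { ssh-keygen -t rsa -f $key }

# 2. Remove inherited ACEs from the private key and grant only the current user.
icacls $key /inheritance:r /grant:r "${me}:F" | Out-Null

# 3. Audit: list every allow ACE that belongs to someone else.
function Get-UnexpectedKeyAccess {
    param([string]$Path, [string[]]$Allowed)
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $Allowed -notcontains $_.IdentityReference.Value
        } |
        Select-Object IdentityReference, FileSystemRights
}
$extra = Get-UnexpectedKeyAccess -Path $key -Allowed $me
if ($extra) {
    Write-Warning "Other principals can still access ${key}:"
    $extra | Format-Table -AutoSize
}

# 4. Make sure the agent can start, then load the key (prompts for the passphrase).
$agent = Get-Service -Name ssh-agent
if ($agent.StartType -eq 'Disabled') { Set-Service -Name ssh-agent -StartupType Manual }
Start-Service -Name ssh-agent
ssh-add $key
ssh-add -l    # list the fingerprints the agent now holds
```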

Setting up an SSH server on Windows

Now that we've set up our SSH client with its key, we need to ensure the server can authenticate the user with that key.

The first task we need to do is copy the public key of our client to the "C:\users\dan\.ssh\authorized_keys" file on the server. If the ".ssh" directory does not exist on the server yet, we will need to create it and apply the proper NTFS permissions. The user account associated with the key, the system account, and the sshd service (which only needs read access) should be the only accounts given permissions.

If you have admin access on both systems, you can simply use PowerShell to copy the contents of your public key to the SSH server:
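One way to do the copy and apply the permissions described above, as an added example that is not the article's original listing. It assumes the server's `C$` admin share is reachable from the client and reads the sshd service account from the service itself instead of hard-coding it.

```powershell
# Added example. 'dan', 'remotehost' and the paths are the article's sample values.

# --- On the client: append the public key over the admin share.
$pub    = (Get-Content "$env:USERPROFILE\.ssh\id_rsa.pub" -Raw).Trim()
$remote = '\\remotehost\C$\Users\dan\.ssh'
New-Item -ItemType Directory -Path $remote -Force | Out-Null
$target = Join-Path $remote 'authorized_keys'

# Skip the write if the key is already listed. The encoding is explicit because
# Out-File and '>' in Windows PowerShell write UTF-16, which does not parse as
# authorized_keys lines.
$present = (Test-Path $target) -and
           (Select-String -Path $target -SimpleMatch $pub -Quiet)
if (-not $present) {
    Add-Content -Path $target -Value $pub -Encoding ascii
}

# --- On the server, elevated: limit .ssh to the user, SYSTEM and the sshd service.
$sshDir  = 'C:\Users\dan\.ssh'
$svcUser = (Get-CimInstance Win32_Service -Filter "Name='sshd'").StartName
$grants  = @('dan:(OI)(CI)F', 'SYSTEM:(OI)(CI)F')
# A service running as LocalSystem is already covered by the SYSTEM entry.
if ($svcUser -and $svcUser -ne 'LocalSystem') {
    $grants += "${svcUser}:(OI)(CI)R"    # read access is all sshd needs
}
icacls $sshDir /inheritance:r /grant:r $grants

# Review the result: only the principals granted above should be listed.
icacls $sshDir /t
```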

Finally, we log in via SSH to our "remotehost" server from our Windows client, specifying the -i parameter and our private key:

Remoting through SSH

By default, I enter into cmd, but I can easily open PowerShell Core:

Connected via SSH

PowerShell Core as a subsystem on the SSH server

One additional configuration you may want is making PowerShell Core a subsystem when using Enter-PSSession to your Windows server. To do this, you edit the "sshd_config" file located on your server currently at "C:\Program Files\OpenSSH-Win64." Remember this is subject to change if you update to a newer version of PowerShell Core.

In addition, it is important to note that this will only allow PowerShell remoting cmdlets (Enter-PSSession, Invoke-Command, etc.) to drop directly into PowerShell. It does not work when you connect from the client with ssh.exe.

Here, I am using PowerShell remoting from my client into my Windows Server with a local account named "dan." Notice that -HostName uses a specific parameter set that defaults to SSH as the protocol. The command also automatically uses my key to authenticate and enters directly into PowerShell Core on my SSH server. Using -ComputerName instead results in WinRM as the protocol, which most Windows users are familiar with.

Using Enter PSSession from PowerShell Core with SSH
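A check for the subsystem entry described in this section, as an added example (not the article's original listing). It reports a missing entry or one that points at a pwsh.exe that no longer exists after an upgrade; the function name `Test-PwshSubsystem` is hypothetical and the sshd_config location is the one given above.

```powershell
# Added example. Run elevated on the SSH server.
function Test-PwshSubsystem {
    param([string]$ConfigPath)
    # Find the first active "Subsystem powershell <path>.exe ..." line.
    $pattern = '^\s*Subsystem\s+powershell\s+(.+?\.exe)\b'
    $line = Get-Content -Path $ConfigPath |
        Where-Object { $_ -match $pattern } |
        Select-Object -First 1
    if (-not $line) { return 'missing' }
    # Re-run the match on the chosen line to capture the executable path.
    [void]($line -match $pattern)
    if (Test-Path -Path $Matches[1]) { return 'ok' }
    return 'stale'    # the entry names a pwsh.exe that is gone, e.g. after an upgrade
}

$config = 'C:\Program Files\OpenSSH-Win64\sshd_config'
$pwsh   = (Get-Command pwsh.exe -ErrorAction Stop).Source

switch (Test-PwshSubsystem -ConfigPath $config) {
    'missing' {
        # -sshs starts pwsh in SSH server mode for remoting sessions.
        # Some OpenSSH for Windows builds mishandle spaces in this path; if
        # sessions fail to start, use the 8.3 short path to pwsh.exe instead.
        $entry = "Subsystem powershell $pwsh -sshs -NoLogo -NoProfile"
        Add-Content -Path $config -Value $entry -Encoding ascii
        Restart-Service -Name sshd
        "Added: $entry"
    }
    'stale' {
        Write-Warning "Subsystem entry in $config points to a missing pwsh.exe; current path is $pwsh"
    }
    'ok' { 'Subsystem entry is present and its pwsh.exe exists.' }
}

# From the client, in PowerShell Core:
#   Enter-PSSession -HostName remotehost -UserName dan
```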

Conclusion

I hope this article introduces Windows users to using OpenSSH on the Windows platform. With the future releases of PowerShell Core and OpenSSH, exciting times for Windows are ahead! Please keep in mind some of these instructions are subject to change with the production release of OpenSSH.

10 Comments
  1. David Aldrich 2 years ago

    Thanks for this article. When I executed:

    choco install openssh -params '"/SSHServerFeature /KeyBasedAuthenticationFeature"' –y

    I got:

    Unable to find package '-y'

    Any idea why please?

    1+

    • Author

      Interesting, seems like a bug in Chocolatey open source. The business version of Chocolatey works. Try this:

      choco install openssh -y -params '"/SSHServerFeature /KeyBasedAuthenticationFeature"'

      0

  2. David Aldrich 2 years ago

    Further to my previous post, I think '-params' should be '--params'.

    0

  3. Mbali 2 years ago

    This is really helpful. More of these would be appreciated.

    0

  4. Bekasu 2 years ago

    I struggled several hours with the dreaded 1058 error on Windows 10 when trying to start the agent.

    using the command:

    ssh-agent -s   or start-service ssh-agent  both failed.

    Turns out the service was disabled.  Therefore, manually starting it would not work.

    Windows Administration Tools > Computer management > Services and applications > Services > Open SSH Authentication Agent

    -- Then set the start-up type to Manual.


    0

  5. KingWm 1 year ago

    Today I spent hours trying to get this to work. I am stuck on the Start-Service ssh-agent command. I have searched and searched for a solution. The path is included in the system variable. This is the response I get:

    Start-Service : Cannot find any service with service name 'ssh-agent'.

    At line:1 char:1

    Start-Service ssh-agent

    CategoryInfo: ObjectNotFound: (ssh-agent:String) [Start-Service], ServiceCommandException

    FullyQualifiedErrorID : NoServiceFoundForGivenName, Microsoft,PowerShell.Commands.StartServiceCommand

    I have OpenSSH working using PuTTY but I wanted to try out PowerShell.  I used Chocolatey for the install.

    Please help. TY

    0

    • Seems your OpenSSH installation failed. Did you try installing it without Chocolatey? I described it here.

      If that works, you know that you have an issue with Chocolatey.

      1+

  6. KingWm 1 year ago

    After further searching, I found this:

    https://powershell.org/forums/topic/failure-to-install-openssh-using-chocolatey/

    When I used your specified command to install OpenSSH, there were several errors and warnings.  I used the suggested command in that article and it worked great.  HOWEVER, while this edited command solved the problem for the person in that post, I still get the same error when trying to start the ssh-agent.

    0

  7. KingWm 1 year ago

    Michael, that must have been the problem. I followed your instructions and I was able to start the agent. Thanks.

    0


© 4sysops 2006 - 2020
