By porting OpenSSH to Windows, Microsoft made it easier to manage heterogeneous environments. You can remotely administer Linux computers via SSH from Windows, and thanks to the new OpenSSH server, the reverse is now also possible. In addition, PowerShell Core supports remoting via SSH, even between different OSes.
OpenSSH server is not included in the operating system
One would expect that a system component with such strategic importance is delivered as part of the operating system and can be installed as a feature via the Server Manager or PowerShell.
However, Microsoft has decided to provide OpenSSH as an optional feature (also called a "Feature on Demand"). This unifies the installation between the client and server OSes. The following description therefore also applies to Windows 10 from release 1803 onwards.
Installation via the GUI
To install OpenSSH server, start Settings and then go to Apps > Apps and Features > Manage Optional Features. As you can see from the list of installed components, the SSH client is already installed by default. The server, on the other hand, has to be added using the Add Features option.
In the list above, select OpenSSH server and click on the Install button that appears. Windows will now download the required files over the internet. If an error occurs, the Settings app will not show a message; it will simply jump back to the list of features.
Adding an OpenSSH server via PowerShell
In contrast, PowerShell provides more transparency. To find the exact name of the required package, enter the following command:
Get-WindowsCapability -Online | ? name -like *OpenSSH.Server*
Finally, add the name shown to Add-WindowsCapability:
Alternatively, you can pass on the output via a pipe:
Get-WindowsCapability -Online | ? name -like *OpenSSH.Server* | Add-WindowsCapability -Online
Faulty builds
There are at least two reasons why you may encounter problems here. If the build of the system is older than 17763.194, you will see this error:
Add-WindowsCapability failed. Error code = 0x800f0950
In this case, you need a current cumulative update to fix the problem (documented here).
Problems with WSUS
A further hurdle arises if the server is updated via WSUS, which is usually the case. Microsoft delivers features on demand bypassing WSUS, so you don't get them via the internal update server.
Therefore, it is not unlikely that PowerShell will present the following error here:
Error with "Add-WindowsCapability". Error code: 0x8024002e
In the event log, you will then find an entry with ID 1001 stating that the OpenSSH-Server-Package is not available.
As with the RSAT, a remedy is to allow Windows to load optional features directly from Microsoft Update via group policy. This setting is "Specify settings for optional component installation and component repair," and you can find it under Computer Configuration > Policies > Administrative Templates > System.
At the same time, you must ensure that neither the setting "Do not connect to Windows Update Internet locations" nor "Remove access to use all Windows Update features" is in effect.
The latter may have been enabled to prevent users from manually downloading feature updates. This primarily affects Windows 10 rather than the server.
Activating SSH-Server
OpenSSH Server installs two services that are not yet running and whose startup types are manual and disabled. If you want to use SSH regularly, you will want to start the services automatically.
You can configure this via the Services GUI, but the fastest way is by using PowerShell:
Set-Service sshd -StartupType Automatic
Set-Service ssh-agent -StartupType Automatic
To put the SSH server into operation immediately, you must also start the two services manually:
Start-Service sshd
Start-Service ssh-agent
Get-Service -Name *ssh* | select DisplayName, Status, StartType
checks if the settings for the two services are correct and whether they were started successfully. Now you can verify if the firewall rule for incoming SSH connections has been properly activated:
Get-NetFirewallRule -Name *SSH*
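The steps above, from the build and WSUS pitfalls through service activation and the firewall check, combined into one script. This is an added example, not code from the original article. It assumes an elevated session, that the error code appears in the exception message as shown above, and that the named policies are applied through the registry values noted in the comments.

```powershell
# Added example (not from the original article). Run in an elevated session.
# Registry value names are the ones the named group policies write (assumption:
# the policies arrive via GPO and not through another management channel).

# 1. Build check: builds older than 17763.194 fail with 0x800f0950.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [version]('{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)
if ($build -lt [version]'17763.194') {
    Write-Warning "Build $build predates 17763.194: install a current cumulative update first."
}

# 2. WSUS check: features on demand are not served by WSUS.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu    = Get-ItemProperty $wuKey -ErrorAction SilentlyContinue
$au    = Get-ItemProperty "$wuKey\AU" -ErrorAction SilentlyContinue
$svc   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing' -ErrorAction SilentlyContinue
if ($au.UseWUServer -eq 1 -and $svc.RepairContentServerSource -ne 2) {
    Write-Warning 'WSUS is in use and optional features may not come from Windows Update.'
}
if ($wu.DoNotConnectToWindowsUpdateInternetLocations -eq 1) {
    Write-Warning '"Do not connect to Windows Update Internet locations" is in effect.'
}

# 3. Install only if missing; map the two error codes from the article to their causes.
try {
    Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*' |
        Where-Object State -ne 'Installed' | Add-WindowsCapability -Online -ErrorAction Stop
} catch {
    $err = $_   # keep the error record; inside switch, $_ is the matched string
    switch -Regex ($err.Exception.Message) {
        '0x800f0950' { Write-Error 'Build too old: apply a cumulative update.'; return }
        '0x8024002e' { Write-Error 'Blocked by WSUS/policy: allow download from Windows Update.'; return }
        default      { throw $err }
    }
}

# 4. Services: start automatically at boot and start them now.
'sshd', 'ssh-agent' | ForEach-Object {
    Set-Service $_ -StartupType Automatic
    Start-Service $_
}
Get-Service -Name *ssh* | Select-Object DisplayName, Status, StartType

# 5. Firewall: confirm the rule is enabled and which remote addresses it admits.
Get-NetFirewallRule -Name *SSH* | ForEach-Object {
    [pscustomobject]@{
        Name = $_.Name; Enabled = $_.Enabled; Profile = $_.Profile
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    }
}
```

A RemoteAddress of Any in the last step means the rule accepts SSH connections from every source on the listed profiles, which is worth reviewing before the server is exposed beyond the management network.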
Testing the connection
If this condition is also fulfilled, the connection test is good to go. From a Windows 10 PC or a Linux computer, you can connect to the freshly configured server:
This will drop you into the old command prompt, but you can also start PowerShell from there.
Finally, you should consider whether you would like to use public key authentication for security reasons. This also increases user comfort because you no longer have to enter a password. This guide describes how to do this.