Login With Github

Windows Supports OpenSSH, Here Is The Graphic Configuration Tutorial

Windows starts to support OpenSSH Server since Win10 1809 and Windows Server 2019. We'll introduce the basic concepts and configuration methods in this article. The environment demonstrated in this article is Win10 1809 (ssh client) and Windows Server 2019 (ssh server).

Install OpenSSH Server

The OpenSSH Client has been installed by default. Open the Settings->Apps->Manage optional features:

OpenSSH Server isn't installed by default, so we need to install it manually. Click the "Add a feature" button in the image above, and then select OpenSSH Server and click the "Install" button:

Startup the services

Startup the Service Manager after the installation. Set the Startup Type of the OpenSSH Authentication Agent and OpenSSH SSH Server to Atomatic, and startup the two services:

Listening port

After starting the services, you can use the netstat command to check whether the SSH Server has started listening to the default port 22:

Firewall rules

When installing OpenSSH Server, a record will be added to the inbound rules of firewall to let the firewall allow the access to port 22:

Configuration file directory on the server side

The server-side configuration file is in the C:\ProgramData\ssh directory. Note that C:\ProgramData is a hidden directory:

Installation directory

The installation directory of OpenSSH on Windows system is C:\Windows\System32\OpenSSH, no matter it is a client or a server.

The default configuration file for the OpenSSH server, sshd_config_default, is also in this directory. And the directory will be added to the PATH environment variable:

Then you can execute related commands directly in PowerShell without having to write the full path.

OpenSSH Client That Comes With Win10

Because the directory where the SSH client is located is added to the PATH environment variable, you can execute OpenSSH client commands in PowerShell directly, such as ssh:

Connect to a remote Linux host

Use the ssh command to connect to the Linux host. My Linux host is Ubuntu16.04, which can be connected, but the welcome message is displayed twice:

View the version of the ssh command, which is

Try it on another machine with an older version (

The problem of outputting the welcome message repeatedly does not appear now. I think that maybe there has been a bug introduced by the new version.

Connect to a remote Windows host

You can connect via a remote client after you have installed OpenSSH Server on your Windows system and start listening on the port. Connecting to a remote Windows host is the same as connecting to a remote Linux host. Here's the way how to log in with a password (nick is a local user on a Windows system):

The default shell after a successful connection is the Windows Command shell (cmd.exe) program:

PowerShell has become very popular in Windows systems. So we can set the default shell to PowerShell, which actually means to add a configuration item to the registry of the Windows system running OpenSSH Server. The registry path is HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH, the name of the item is DefaultShell, and the value of the item is C:\Windows\System32\WindowsPowerShell\v1.0 \powershell.exe. You can start PowerShell as an administrator and then execute the following command to complete the addition for the registry entry:

> New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force

Now reconnect to the remote server, and the default shell has become PowerShell:

Log in by Key Authentication

The ssh command we introduced earlier is connected to the server through password authentication. Here is how to log into the server through key authentication.

ssh-keygen command

The ssh-keygen command is used to generate the key pair used for public key authentication. The created key is usually stored in the .ssh directory of the user's home directory along with the ssh client configuration (similar to Linux):

Execute the ssh-keygen command:

> ssh-keygen

By default, you just have to press the Enter key all the way, and use the default file name and storage directory:

Unfortunately, the ssh-copy-id command is not available under Windows currently. You need to add the user's public key to the authorized_keys file of the user on the remote host system manually. The steps on the host running OpenSSH Server are as follows:

1. Create a .ssh directory under the user's home directory

Open PowerShell, go to the user's home directory, and create the .ssh directory with the mkdir command:

> cd ~
> mkdir .ssh

2. Create an authorized_keys file and add the public key

Execute the notepad .ssh\authorized_keys command in PowerShell to create a text file, and then copy the client's public key into this file and save it.

Change the name of the text file as authorized_keys:

3. Modify the configuration file of ssh service

Open PowerShell as an administrator and execute the command notepad C:\ProgramData\ssh\sshd_config.

Comment the last two lines in the configuration file and then save it:

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Finally, restart OpenSSH SSH Server in the service manager, and then you can log in to the remote server from the client through public key authentication.


Never use the Repair-AuthorizedKeyPermission command to fix the permissions for the .ssh\authorized_keys file.

Don't create the .ssh\authorized_keys file in the following way either:

echo "publickey" > .ssh\authorized_keys
echo $null > .ssh\authorized_keys

Sum up

The support for OpenSSH gives system administrators a convenient tool to manage Windows systems, and I believe that the combination of OpenSSH + PowerShell will be a best pair for managing Windows systems. This article just introduces some of the basic concepts for getting started, but it makes the impression that the OpenSSH tool on Windows still needs to be improved (There are a lot of problems, and you may feel confused when configuring the public key authentication according to the documentation).


0 Comment