Installing OpenSSH Server on Windows 10

So in yesterday’s post we learned that the OpenSSH client is included with the Windows 10, Update 1803!  Guess, what else is included in this server, an OpenSSH Server! Yes, that’s right…you can now run an OpenSSH server on your Windows 10 system and get a remote terminal! So in this post, let’s check out what we need to do to get OpenSSH Server up and running.

First, we’ll need to ensure we update the system to Windows 10, Update 1803. Do that using your normal update mechanisms.

With that installed, let’s check out the new Windows Capabilities (Features) available in this Update, we can use PowerShell to search through them.

PS C:\> Get-WindowsCapability -Online | Where-Object -Property Name -Like "OpenSSH*"

Name : OpenSSH.Client~~~~
State : Installed

Name : OpenSSH.Server~~~~
State : NotPresent

Now to install OpenSSH server, we can use the Add-WindowsCapability cmdlet

PS C:\WINDOWS\system32> Add-WindowsCapability -Online -Name  OpenSSH.Server~~~~

To confirm it’s installation we can use the Get-WindowsCapability cmdlet again, and this time it’s state is “Installed”

PS C:\WINDOWS\system32> Get-WindowsCapability -Online | Where-Object -Property Name -Like "OpenSSH.Server*"

Name  : OpenSSH.Server~~~~
State : Installed

With that installed, let’s take a look at where sshd lives on our Windows system and that’s in C:\Windows\System32\OpenSSH\

PS C:\> Get-ChildItem C:\Windows\System32\OpenSSH\

Directory: C:\Windows\System32\OpenSSH

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/10/2018 12:20 PM 343552 scp.exe
-a---- 3/10/2018 8:20  PM 355840 sftp-server.exe
-a---- 3/10/2018 12:20 PM 408064 sftp.exe
-a---- 3/10/2018 12:20 PM 531968 ssh-add.exe
-a---- 3/10/2018 12:20 PM 495616 ssh-agent.exe
-a---- 3/10/2018 12:20 PM 657920 ssh-keygen.exe
-a---- 3/10/2018 12:20 PM 594944 ssh-keyscan.exe
-a---- 3/10/2018 8:20  PM 154624 ssh-shellhost.exe
-a---- 3/10/2018 12:20 PM 894464 ssh.exe
-a---- 3/10/2018 8:20  PM 970752 sshd.exe
-a---- 1/30/2018 7:55  PM 2143   sshd_config_default

On Windows systems, network daemons run as “Services”. We can see with the Get-Service cmdlet, the installer added ssd and also ssh-agent!

PS C:\Users\aen> Get-Service -Name *ssh*

Status   Name               DisplayName
------   ----               -----------
Stopped  ssh-agent          OpenSSH Authentication Agent
Stopped  sshd               OpenSSH SSH Server

As you can see the state is stopped, so let’s start the Services and also set them to start on boot

PS C:\WINDOWS\system32> Get-Service -Name *ssh* | Set-Service -StartupType Automatic
PS C:\WINDOWS\system32> Get-Service -Name *ssh* | Start-Service

We can use netstat to see if we’re up and running

PS C:\WINDOWS\system32> netstat -bano | more

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP                 LISTENING       12764

So now that it’s up and running, you should know that the configuration files and host keys live in ProgramData\ssh\ so if you need to change the behavior of SSH you’ll head for the sshd_config file and when finished, restart your service with Restart-Service -Name sshd 

PS C:\Users\aen> Get-ChildItem -Path 'C:\ProgramData\ssh\'

    Directory: C:\ProgramData\ssh

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        5/17/2018   8:35 AM                logs
-a----        5/17/2018   8:35 AM              7
-a----        1/30/2018   4:55 PM           2143 sshd_config
-a----        5/17/2018   8:35 AM            668 ssh_host_dsa_key
-a----        5/17/2018   8:35 AM            613
-a----        5/17/2018   8:35 AM            227 ssh_host_ecdsa_key
-a----        5/17/2018   8:35 AM            185
-a----        5/17/2018   8:35 AM            419 ssh_host_ed25519_key
-a----        5/17/2018   8:35 AM            105
-a----        5/17/2018   8:35 AM           1675 ssh_host_rsa_key
-a----        5/17/2018   8:35 AM            405

You’ll likely need to open your Windows firewall, which can be done with the following cmdlet on PowerShell 5.1

New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

So let’s test it out, I’m going to ssh from my Mac into my Windows 10 laptop

My-MacBook-Pro:~ aen$ ssh demo@
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:eQti/VKAXhTgbLGTqD3n/QOxcPvfdIT6rwuIK+8F5Vs.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
demo@'s password:

Microsoft Windows [Version 10.0.17134.48]
(c) 2018 Microsoft Corporation. All rights reserved.

demo@W10LAPPY C:\Users\demo>

And that’s it, you can now install OpenSSH server on your Windows 10 system. I can only imagine it’s a matter of time before this hits the server side of things! Bravo PowerShell Team, bravo!