Contents » Using WinSCP » Guides » Other »

Installing SFTP/SSH Server on Windows using OpenSSH

Recently, Microsoft has released an early version of OpenSSH for Windows. You can use the package to set up an SFTP/SSH server on Windows.

Installing SFTP/SSH Server

  • Download the latest OpenSSH for Windows binaries (package
  • Extract the package to a convenient location (we will use C:\openssh in this guide)
  • As the Administrator, install SSHD and ssh-agent services:
    powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1
  • Generate server keys by running the following commands from the C:\openssh:

    .\ssh-keygen.exe -A

  • Open a port for the SSH server in Windows Firewall:
    • Either run the following PowerShell command (Windows 8 and 2012 or newer only), as the Administrator:
      New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName SSH
    • or go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules and add a new rule for port 22.
  • To allow a public key authentication, as an Administrator, from C:\openssh, run:
    powershell.exe -ExecutionPolicy Bypass -File install-sshlsa.ps1
    and restart the machine
  • In C:\openssh\sshd_config locate a Subsystem sftp directive and change the path to sftp-server to its Windows location:
    Subsystem sftp C:\openssh\sftp-server.exe
  • Start the service and/or configure automatic start:
    • Go to Control Panel > System and Security > Administrative Tools and open Services. Locate SSHD service.
    • If you want the server to start automatically when your machine is started: Go to Action > Properties. In the Properties dialog, change Startup type to Automatic and confirm.
    • Start the SSHD service by clicking the Start the service.

These instructions are partially based on the official deployment instructions.

Setting up SSH public key authentication

Follow a generic guide for Setting up SSH public key authentication in *nix OpenSSH server, with following differences:

  • Create the .ssh folder (for the authorized_keys file) in your Windows account profile folder (typically in C:\Users\username\.ssh).
  • Do not change permissions for the .ssh and the authorized_keys.

Connecting to the server

Before the first connection, find out fingerprint of the server’s RSA key by running ssh-keygen.exe -l -f ssh_host_rsa_key -E md5 from the C:\openssh:

C:\openssh>ssh-keygen.exe -l -f ssh_host_rsa_key -E md5
2048 MD5:94:93:fe:cc:c5:7d:d8:2a:33:21:0e:f3:91:11:8a:d9 martin@example (RSA)

Start WinSCP. Login dialog will appear. On the dialog:

  • Make sure New site node is selected.
  • On New site node, make sure the SFTP protocol is selected.
  • Enter your machine/server IP address (or a hostname) into the Host name box.
  • Enter your Windows account name to the User name box. It might have to be entered in the format user@domain, if running on a domain.
  • For a public key authentication:
  • For a password authentication:
    • Enter your Windows account password to the Password box.
    • If you Windows account does not have a password, you cannot authenticate with the password authentication (i.e. with an empty password), you need to use the public key authentication.
  • Save your site settings using the Save button.
  • Login using Login button.
  • Verify the host key by comparing fingerprint with the one collected before (see above).

Further reading

  guide_windows_openssh_server.txt · Last modified: by martin

Search Documentation

This page


About donations

$9   $19   $49   $99

About donations



Site design by Black Gate