» Using WinSCP » Guides
» Other »
Installing SFTP/SSH Server on Windows using OpenSSH
Installing SFTP/SSH Server
- Download the latest OpenSSH for Windows binaries (package
- Extract the package to a convenient location (we will use
C:\openssh in this guide)
- As the Administrator, install SSHD and ssh-agent services:
- Generate server keys by running the following commands from the
- Open a port for the SSH server in Windows Firewall:
- Either run the following PowerShell command (Windows 8 and 2012 or newer only), as the Administrator:
New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName SSH
- or go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules and add a new rule for port 22.
- To allow a public key authentication, as an Administrator, from
and restart the machine
C:\openssh\sshd_config locate a
Subsystem sftp directive and change the path to
sftp-server to its Windows location:
Subsystem sftp C:\openssh\sftp-server.exe
- Start the service and/or configure automatic start:
- Go to Control Panel > System and Security > Administrative Tools and open Services. Locate SSHD service.
- If you want the server to start automatically when your machine is started: Go to Action > Properties. In the Properties dialog, change Startup type to Automatic and confirm.
- Start the SSHD service by clicking the Start the service.
These instructions are partially based on the official deployment instructions.
Setting up SSH public key authentication
Follow a generic guide for Setting up SSH public key authentication in *nix OpenSSH server, with following differences:
- Create the
.ssh folder (for the
authorized_keys file) in your Windows account profile folder (typically in
- Do not change permissions for the
.ssh and the
Connecting to the server
Before the first connection, find out fingerprint of the server’s RSA key by running
ssh-keygen.exe -l -f ssh_host_rsa_key -E md5 from the
C:\openssh>ssh-keygen.exe -l -f ssh_host_rsa_key -E md5
2048 MD5:94:93:fe:cc:c5:7d:d8:2a:33:21:0e:f3:91:11:8a:d9 martin@example (RSA)
Start WinSCP. Login dialog will appear. On the dialog:
- Make sure New site node is selected.
- On New site node, make sure the SFTP protocol is selected.
- Enter your machine/server IP address (or a hostname) into the Host name box.
- Enter your Windows account name to the User name box.
- For a public key authentication:
- For a password authentication:
- Enter your Windows account password to the Password box.
- If you Windows account does not have a password, you cannot authenticate with the password authentication (i.e. with an empty password), you need to use the public key authentication.
- Save your site settings using the Save button.
- Login using Login button.
- Verify the host key by comparing fingerprint with the one collected before (see above).