Differences

This shows you the differences between the selected revisions of the page.

guide_windows_openssh_server 2015-10-24 guide_windows_openssh_server 2024-10-08 (current)
Line 1: Line 1:
====== Installing SFTP/SSH Server on Windows using OpenSSH ====== ====== Installing SFTP/SSH Server on Windows using OpenSSH ======
-Recently, [[http://blogs.msdn.com/b/powershell/archive/2015/10/19/openssh-for-windows-update.aspx|Microsoft has released]] an early version of [[https://github.com/PowerShell/Win32-OpenSSH|OpenSSH for Windows]]. You can use the package to set up an SSH/SFTP server on Windows.+Microsoft maintains a port of [[https://github.com/PowerShell/Win32-OpenSSH|OpenSSH for Windows]]. You can use the package to set up an SFTP/SSH server on Windows.
-===== Installing FTP Server =====+===== Installing SFTP/SSH Server =====
-··* Download the latest [[https://github.com/PowerShell/Win32-OpenSSH/releases/|OpenSSH for Windows binaries]] (package ''OpenSSH-Win32.zip'') +==== [[win10]] On Windows 11 and Windows 10 ====
-  * Extract the package to a convenient location (we will use ''C:\openssh'' in this guide) +
-  * Generate server keys by running the following commands from the ''C:\openssh'' (when asked for a passphrase, just press ''Enter'', as the server keys cannot be protected with a passphrase): <code> +
-ssh-keygen.exe -t rsa -f ssh_host_rsa_key +
-ssh-keygen.exe -t dsa -f ssh_host_dsa_key +
-ssh-keygen.exe -t ecdsa -f ssh_host_ecdsa_key +
-ssh-keygen.exe -t ed25519 -f ssh_host_ed25519_key +
-</code> +
-  * Open a port for the %%SSH%% server in Windows Firewall: +
-    * Either run the following PowerShell command (Windows 8 and 2012 or newer only), &win8 &win2012 as an Administrator: \\ ''New-NetFirewallRule -Protocol %%TCP%% -LocalPort 22 -Direction Inbound -Action Allow -DisplayName %%SSH%%'' +
-    * or go to //Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules// and add a new rule for port 22. &wincp +
-  * To allow a public key authentication, as an Administrator, run: \\ ''C:\openssh\setup-ssh-lsa.cmd'' +
-  * Restart the machine  +
-  * In ''C:\openssh\sshd_config'' locate a ''Subsystem sftp'' directive and change the path to ''sftp-server'' to its Windows location: \\ ''Subsystem sftp C:\openssh\sftp-server.exe'' +
-  * [[https://technet.microsoft.com/en-us/sysinternals/bb897553|Download PsTools]] and extract ''PsExec.exe'' to ''C:\openssh''+
-//These instructions are partially based on [[https://github.com/PowerShell/Win32-OpenSSH/wiki/Deploy-Win32-OpenSSH|the official deployment instructions]].//+  * On Windows 11: &win11 
 +    * Go to //Settings > Apps > Optional features// and click on //View features//
 +    * Locate //"OpenSSH server"// feature, select it, click //Next//, and then click //Install//. 
 +··* On Windows 10 (version 1803 and newer): &win10 
 +    * Go to //Settings > Apps > Apps & features > Optional features// and click on //Add a feature//.  
 +    * Locate //&quot;OpenSSH server&quot;// feature, expand it, and select //Install//.
-===== Setting up SSH public key authentication =====+Binaries are installed to ''%WINDIR%\System32\OpenSSH''. Configuration file (''sshd_config'') and host keys are installed to ''%ProgramData%\ssh'' (only after the server is started for the first time).
-Follow a generic guide for [[guide_public_key|Setting up SSH public key authentication]] in *nix OpenSSH server, with following differences:+You may still want to use the following manual installation if you want to install a newer version of OpenSSH than the one built into Windows.
-··* Create the ''.ssh'' folder (for the ''authorized_keys'' file) in your Windows account profile folder (typically in ''C:\Users\username\.ssh''). &winpath +==== [[windows_older]] On earlier versions of Windows ====
-  * Do not change permissions for the ''.ssh'' and the ''authorized_keys''.+
-===== Running the server =====+··* Download the latest [[https://github.com/PowerShell/Win32-OpenSSH/releases|OpenSSH for Windows binaries]] (package ''OpenSSH-Win64.zip'' or ''OpenSSH-Win32.zip'') &win32 &win64 
 +  * As the Administrator, extract the package to ''C:\Program Files\OpenSSH'' 
 +  * As the Administrator, install //sshd// and //ssh-agent// services: \\ <code batch>powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1</code&gt;
-To start the server, run the following command as an Administrator:+===== [[configuring_ssh_server]] Configuring SSH server =====
-<code> +  * Allow incoming connections to %%SSH%% server in Windows Firewall: 
-C:\openssh\PsExec.exe -i -s -w &quot;C:\openssh&quot; C:\openssh\sshd.exe+    * When installed as an optional feature, the firewall rule //"OpenSSH SSH Server (sshd)"// should have been created automatically. If not, proceed to create and enable the rule as follows. 
 +    * Either run the following PowerShell command as the Administrator: \\ <code powershell>New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 -Program "C:\Windows\System32\OpenSSH\sshd.exe"</code> Replace ''C:\Windows\System32\OpenSSH\sshd.exe'' with the actual path to the ''sshd.exe'' (''C:\Program Files\OpenSSH\ssh.exe'', had you followed the manual installation instructions above). 
 +    * or go to //Windows Security > Firewall & network protection//((//Control Panel > Windows Defender Firewall// (or //Windows Firewall//) on older versions of Windows.))// > Advanced Settings > Inbound Rules// and add a new rule for port 22. &wincp 
 +  * Start the service and/or configure automatic start: 
 +    * Go to //Control Panel > System and Security > Administrative Tools// and open //Services//. Locate //%%OpenSSH SSH Server%%// service. &wincp 
 +    * If you want the server to start automatically when your machine is started: Go to //Action > Properties// (or just double-click the service). In the Properties dialog, change //Startup type// to //Automatic// and confirm. 
 +    * Start the //%%OpenSSH SSH Server%%// service by clicking the //Start the service// link or //Action &gt; Start// in the menu. 
 + 
 +//These instructions are partially based on [[https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH|the official deployment instructions]].// 
 + 
 +===== [[key_authentication]] Setting up SSH public key authentication ===== 
 + 
 +Follow a generic guide for [[guide_public_key|Setting up SSH public key authentication]] in *nix OpenSSH server, with the following difference: 
 + 
 +  * Create the ''.ssh'' folder (for the ''authorized_keys'' file) in your Windows account profile folder (typically in ''C:\Users\username\.ssh'').((Windows File Explorer does not allow you to create a folder starting with a dot directly. As a workaround, use ''.ssh.'', the trailing dot will allow you to bypass the restriction, but will not be included in the name.)) &amp;winpath 
 + * For permissions to the ''.ssh'' folder and the ''authorized_keys'' file, what matters are Windows ACL permissions, not simple *nix permissions. Set the %%ACL%% so that the respective Windows account is the owner of the folder and the file and is the only account that has a write access to them. The account that runs //OpenSSH %%SSH%% Server// service (typically ''SYSTEM'' or ''sshd'') needs to have read access to the file. 
 +  * Though, with the default Win32-OpenSSH configuration there is an exception set in ''sshd_config'' for accounts in ''Administrators'' group. For these, the server uses a different location for the authorized keys file: ''%ALLUSERSPROFILE%\ssh\administrators_authorized_keys'' (i.e. typically ''C:\ProgramData\ssh\administrators_authorized_keys''). &winpath 
 + 
 +===== [[connecting]] Connecting to the server ===== 
 + 
 +==== Finding Host Key ==== 
 + 
 +Before the first connection, find out the fingerprint of the server's host key by using  ''%%ssh-keygen.exe%%'' for each file. 
 + 
 +In Windows command-prompt (run as Administrator), use: 
 + 
 +<code batch> 
 +for %f in (%ProgramData%\ssh\ssh_host_*_key) do @%WINDIR%\System32\OpenSSH\ssh-keygen.exe -l -f "%f"
</code> </code>
-The OpenSSH for Windows does not support running as a service yet, but it [[http://blogs.msdn.com/b/powershell/archive/2015/10/19/openssh-for-windows-update.aspx|should be available soon]].+//Replace ''%WINDIR%\System32'' with ''%ProgramFiles%'', if appropriate.//
-===== Connecting to the server =====+In PowerShell (run as Administrator), use:
-Before the first connection, find out fingerprint of the server's RSA key by running ''ssh-keygen.exe -l -f ssh_host_rsa_key -E md5'' from the ''C:\openssh'':+<code powershell
 +Get-ChildItem $env:ProgramData\ssh\ssh_host_*_key | ForEach-Object { . $env:WINDIR\System32\OpenSSH\ssh-keygen.exe -l -f $_ } 
 +</code> 
 + 
 +//Replace ''$env:WINDIR\System32'' with ''$env:ProgramFiles'', if appropriate.// 
 + 
 +You will get an output like this:
<code> <code>
-C:\openssh>ssh-keygen.exe -l -f ssh_host_rsa_key -E md5 +C:\Windows\System32\OpenSSH>for %f in (%ProgramData%\ssh\ssh_host_*_key) do @%WINDIR%\System32\OpenSSH\ssh-keygen.exe -l -f &quot;%f" 
-2048 MD5:94:93:fe:cc:c5:7d:d8:2a:33:21:0e:f3:91:11:8a:d9 martin@example (RSA)+1024 SHA256:K1kYcE7GHAqHLNPBaGVLOYBQif04VLOQN9kDbiLW/eE martin@example (DSA) 
 +256 SHA256:7pFXY/Ad3itb6+fLlNwU3zc6X6o/ZmV3/mfyRnE46xg martin@example (ECDSA) 
 +256 SHA256:KFi18tCRGsQmxMPioKvg0flaFI9aI/ebXfIDIOgIVGU martin@example (ED25519) 
 +2048 SHA256:z6YYzqGiAb1FN55jOf/f4fqR1IJvpXlKxaZXRtP2mX8 martin@example (RSA)
</code> </code>
 +
 +==== [[connecting2]] Connecting ====
Start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog: Start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog:
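Review bot: In the firewall step under "Configuring SSH server", the manual-install path given in parentheses is ''C:\Program Files\OpenSSH\ssh.exe'', while the same sentence asks for "the actual path to the ''sshd.exe''". A rule created with the ''-Program'' value as written is scoped to the client binary and will not match the server process, so the path should read ''C:\Program Files\OpenSSH\sshd.exe''. In the same hunk, the ''administrators_authorized_keys'' bullet names the alternate file location but, unlike the preceding bullet for the per-user file, gives no ACL guidance. Consider stating which accounts may write to that file.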
Line 53: Line 83:
  * On //New site node//, make sure the //%%SFTP%%// protocol is selected.   * On //New site node//, make sure the //%%SFTP%%// protocol is selected.
  * Enter your machine/server IP address (or a hostname) into the //Host name// box.   * Enter your machine/server IP address (or a hostname) into the //Host name// box.
-  * Enter your Windows account name to the //User name// box.+  * Enter your Windows account name to the //User name// box. It might have to be entered in the format ''user@domain'' if running on a domain.
  * For a public key authentication:   * For a public key authentication:
    * Press the //Advanced// button to open [[ui_login_advanced|Advanced site settings dialog]] and go to //[[ui_login_authentication|SSH > Authentication page]]//.     * Press the //Advanced// button to open [[ui_login_advanced|Advanced site settings dialog]] and go to //[[ui_login_authentication|SSH > Authentication page]]//.
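Review bot: The sentence added to the //User name// bullet, "It might have to be entered in the format ''user@domain'' if running on a domain", does not say what is running on a domain. Suggest naming the case directly, for example whether it applies when the account being used is a domain account, so the reader knows when to try that format.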
Line 60: Line 90:
  * For a password authentication:   * For a password authentication:
    * Enter your Windows account password to the //Password// box.     * Enter your Windows account password to the //Password// box.
-    * If you Windows account does not have a password, you cannot authenticate with the password authentication (i.e. with an empty password), you need to use the public key authentication.+    * If your Windows account does not have a password, you cannot authenticate with the password authentication (i.e. with an empty password), you need to use the public key authentication.
  * Save your site settings using the //Save// button.   * Save your site settings using the //Save// button.
  * Login using //Login// button.   * Login using //Login// button.
-  * [[ssh_verifying_the_host_key|Verify the host key]] by comparing fingerprint with the one collected before (see above).+  * [[ssh_verifying_the_host_key|Verify the host key]] by comparing fingerprints with those collected before (see above)
 + 
 +If you cannot authenticate to the server and use Windows 10 //Developer mode//, make sure that your OpenSSH server does not conflict with an internal %%SSH%% server used by the //Developer mode//. You may need to turn off the //%%SSH%% Server Broker// and //%%SSH%% Server Proxy// Windows services. Or run your OpenSSH server on a different port than 22.
===== Further reading ===== ===== Further reading =====
 +  * Guide to [[guide_windows_ftps_server|Installing Secure FTP Server on Windows using IIS]];
  * Guide to [[guide_upload|uploading files to SFTP server]];   * Guide to [[guide_upload|uploading files to SFTP server]];
  * Guide to [[guide_automation|automating operations]] (including upload).   * Guide to [[guide_automation|automating operations]] (including upload).
- 
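Review bot: The new Developer mode paragraph ends with "Or run your OpenSSH server on a different port than 22", but the firewall instructions added earlier in this revision hard-code that port (''-LocalPort 22'' and "add a new rule for port 22"). Suggest adding that the inbound rule has to be changed to the chosen port, otherwise a reader who follows both sections ends up with the server listening on a port the firewall does not allow. Minor: the rewritten "Verify the host key" bullet drops the closing period that the old line had.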

Last modified: by martin