Differences
This shows you the differences between the selected revisions of the page.
guide_windows_openssh_server 2015-12-25 | guide_windows_openssh_server 2024-10-08 (current) | ||
Line 1: | Line 1: | ||
====== Installing SFTP/SSH Server on Windows using OpenSSH ====== | ====== Installing SFTP/SSH Server on Windows using OpenSSH ====== | ||
- | Recently, [[http://blogs.msdn.com/b/powershell/archive/2015/10/19/openssh-for-windows-update.aspx|Microsoft has released]] an early version of [[https://github.com/PowerShell/Win32-OpenSSH|OpenSSH for Windows]]. You can use the package to set up an SFTP/SSH server on Windows. | + | Microsoft maintains a port of [[https://github.com/PowerShell/Win32-OpenSSH|OpenSSH for Windows]]. You can use the package to set up an SFTP/SSH server on Windows. |
===== Installing SFTP/SSH Server ===== | ===== Installing SFTP/SSH Server ===== | ||
- | ··* Download the latest [[https://github.com/PowerShell/Win32-OpenSSH/releases/|OpenSSH for Windows binaries]] (package ''OpenSSH-Win32.zip'') | + | ==== [[win10]] On Windows 11 and Windows 10 ==== |
- | * Extract the package to a convenient location (we will use ''C:\openssh'' in this guide) | + | |
- | * Generate server keys by running the following commands from the ''C:\openssh'' (when asked for a passphrase, just press ''Enter'', as the server keys cannot be protected with a passphrase): <code> | + | |
- | ssh-keygen.exe -t rsa -f ssh_host_rsa_key | + | |
- | ssh-keygen.exe -t dsa -f ssh_host_dsa_key | + | |
- | ssh-keygen.exe -t ecdsa -f ssh_host_ecdsa_key | + | |
- | ssh-keygen.exe -t ed25519 -f ssh_host_ed25519_key | + | |
- | </code> | + | |
- | * Open a port for the %%SSH%% server in Windows Firewall: | + | |
- | * Either run the following PowerShell command (Windows 8 and 2012 or newer only), &win8 &win2012 as the Administrator: \\ ''New-NetFirewallRule -Protocol %%TCP%% -LocalPort 22 -Direction Inbound -Action Allow -DisplayName %%SSH%%'' | + | |
- | * or go to //Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules// and add a new rule for port 22. &wincp | + | |
- | * fragment of setup-ssh-lsa.cmd (problem subfolder name (dp0x86) correct is x86 or x64): <code> | + | * On Windows 11: &win11 |
- | if %PROCESSOR_ARCHITECTURE%==x86 ( | + | * Go to //Settings > Apps > Optional features// and click on //View features//. |
- | ··set lsadll=%~dp0x86\ssh-lsa.dll | + | ···* Locate //"OpenSSH server"// feature, select it, click //Next//, and then click //Install//. |
- | ) | + | * On Windows 10 (version 1803 and newer): &win10 |
- | if %PROCESSOR_ARCHITECTURE%==AMD64 ( | + | * Go to //Settings > Apps > Apps & features > Optional features// and click on //Add a feature//. |
- | ···set lsadll=%~dp0x64\ssh-lsa.dll | + | ···* Locate //"OpenSSH server"// feature, expand it, and select //Install//. |
- | ) | + | |
- | </code> | + | Binaries are installed to ''%WINDIR%\System32\OpenSSH''. Configuration file (''sshd_config'') and host keys are installed to ''%ProgramData%\ssh'' (only after the server is started for the first time). |
- | * To allow a public key authentication, as an Administrator, run: \\ ''C:\openssh\setup-ssh-lsa.cmd'' \\ please before run setup-ssh-lsa-cmd verify that it is handling your subfolder where you unzip your files, if not please correct path \\ where your openssh x86 (32 bits) or x64 (64 bits) and restart the machine | + | |
- | ··· | + | You may still want to use the following manual installation if you want to install a newer version of OpenSSH than the one built into Windows. |
+ | |||
+ | ==== [[windows_older]] On earlier versions of Windows ==== | ||
+ | |||
+ | * Download the latest [[https://github.com/PowerShell/Win32-OpenSSH/releases|OpenSSH for Windows binaries]] (package ''OpenSSH-Win64.zip'' or ''OpenSSH-Win32.zip'') &win32 &win64 | ||
+ | * As the Administrator, extract the package to ''C:\Program Files\OpenSSH'' | ||
+ | * As the Administrator, install //sshd// and //ssh-agent// services: \\ <code batch>powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1</code> | ||
+ | |||
+ | ===== [[configuring_ssh_server]] Configuring SSH server ===== | ||
- | * In ''C:\openssh\sshd_config'' locate a ''Subsystem sftp'' directive and change the path to ''sftp-server'' to its Windows location: \\ ''Subsystem sftp C:\openssh\sftp-server.exe'' | + | * Allow incoming connections to %%SSH%% server in Windows Firewall: |
- | * As the Administrator, install an SSHD service: \\ ''sshd.exe install'' | + | ····* When installed as an optional feature, the firewall rule //"OpenSSH SSH Server (sshd)"// should have been created automatically. If not, proceed to create and enable the rule as follows. |
+ | * Either run the following PowerShell command as the Administrator: \\ <code powershell>New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 -Program "C:\Windows\System32\OpenSSH\sshd.exe"</code> Replace ''C:\Windows\System32\OpenSSH\sshd.exe'' with the actual path to the ''sshd.exe'' (''C:\Program Files\OpenSSH\ssh.exe'', had you followed the manual installation instructions above). | ||
+ | ···* or go to //Windows Security > Firewall & network protection//((//Control Panel > Windows Defender Firewall// (or //Windows Firewall//) on older versions of Windows.))// > Advanced Settings > Inbound Rules// and add a new rule for port 22. &wincp | ||
* Start the service and/or configure automatic start: | * Start the service and/or configure automatic start: | ||
- | * Go to //Control Panel > System and Security > Administrative Tools// and open //Services//. Locate //SSHD// service. &wincp | + | * Go to //Control Panel > System and Security > Administrative Tools// and open //Services//. Locate //%%OpenSSH SSH Server%%// service. &wincp |
- | * If you want the server to start automatically when your machine is started: Go to //Action > Properties//. In the Properties dialog, change //Startup type// to //Automatic// and confirm. | + | * If you want the server to start automatically when your machine is started: Go to //Action > Properties// (or just double-click the service). In the Properties dialog, change //Startup type// to //Automatic// and confirm. |
- | * Start the SSHD service by clicking the //Start the service//. | + | * Start the //%%OpenSSH SSH Server%%// service by clicking the //Start the service// link or //Action > Start// in the menu. |
- | //These instructions are partially based on [[https://github.com/PowerShell/Win32-OpenSSH/wiki/Deploy-Win32-OpenSSH|the official deployment instructions]].// | + | //These instructions are partially based on [[https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH|the official deployment instructions]].// |
- | ===== Setting up SSH public key authentication ===== | + | ===== [[key_authentication]] Setting up SSH public key authentication ===== |
- | Follow a generic guide for [[guide_public_key|Setting up SSH public key authentication]] in *nix OpenSSH server, with following differences: | + | Follow a generic guide for [[guide_public_key|Setting up SSH public key authentication]] in *nix OpenSSH server, with the following difference: |
- | * Create the ''.ssh'' folder (for the ''authorized_keys'' file) in your Windows account profile folder (typically in ''C:\Users\username\.ssh''). &winpath | + | * Create the ''.ssh'' folder (for the ''authorized_keys'' file) in your Windows account profile folder (typically in ''C:\Users\username\.ssh'').((Windows File Explorer does not allow you to create a folder starting with a dot directly. As a workaround, use ''.ssh.'', the trailing dot will allow you to bypass the restriction, but will not be included in the name.)) &winpath |
- | * Do not change permissions for the ''.ssh'' and the ''authorized_keys''. | + | * For permissions to the ''.ssh'' folder and the ''authorized_keys'' file, what matters are Windows ACL permissions, not simple *nix permissions. Set the %%ACL%% so that the respective Windows account is the owner of the folder and the file and is the only account that has a write access to them. The account that runs //OpenSSH %%SSH%% Server// service (typically ''SYSTEM'' or ''sshd'') needs to have read access to the file. |
+ | * Though, with the default Win32-OpenSSH configuration there is an exception set in ''sshd_config'' for accounts in ''Administrators'' group. For these, the server uses a different location for the authorized keys file: ''%ALLUSERSPROFILE%\ssh\administrators_authorized_keys'' (i.e. typically ''C:\ProgramData\ssh\administrators_authorized_keys''). &winpath | ||
- | ===== Connecting to the server ===== | + | ===== [[connecting]] Connecting to the server ===== |
- | Before the first connection, find out fingerprint of the server's RSA key by running ''ssh-keygen.exe -l -f ssh_host_rsa_key -E md5'' from the ''C:\openssh'': | + | ==== Finding Host Key ==== |
+ | |||
+ | Before the first connection, find out the fingerprint of the server's host key by using ·''%%ssh-keygen.exe%%'' for each file. | ||
+ | |||
+ | In Windows command-prompt (run as Administrator), use: | ||
+ | |||
+ | <code batch> | ||
+ | for %f in (%ProgramData%\ssh\ssh_host_*_key) do @%WINDIR%\System32\OpenSSH\ssh-keygen.exe -l -f "%f" | ||
+ | </code> | ||
+ | |||
+ | //Replace ''%WINDIR%\System32'' with ''%ProgramFiles%'', if appropriate.// | ||
+ | |||
+ | In PowerShell (run as Administrator), use: | ||
+ | |||
+ | <code powershell> | ||
+ | Get-ChildItem $env:ProgramData\ssh\ssh_host_*_key | ForEach-Object { . $env:WINDIR\System32\OpenSSH\ssh-keygen.exe -l -f $_ } | ||
+ | </code> | ||
+ | |||
+ | //Replace ''$env:WINDIR\System32'' with ''$env:ProgramFiles'', if appropriate.// | ||
+ | |||
+ | You will get an output like this: | ||
<code> | <code> | ||
- | C:\openssh>ssh-keygen.exe -l -f ssh_host_rsa_key -E md5 | + | C:\Windows\System32\OpenSSH>for %f in (%ProgramData%\ssh\ssh_host_*_key) do @%WINDIR%\System32\OpenSSH\ssh-keygen.exe -l -f "%f" |
- | 2048 MD5:94:93:fe:cc:c5:7d:d8:2a:33:21:0e:f3:91:11:8a:d9 martin@example (RSA) | + | 1024 SHA256:K1kYcE7GHAqHLNPBaGVLOYBQif04VLOQN9kDbiLW/eE martin@example (DSA) |
+ | 256 SHA256:7pFXY/Ad3itb6+fLlNwU3zc6X6o/ZmV3/mfyRnE46xg martin@example (ECDSA) | ||
+ | 256 SHA256:KFi18tCRGsQmxMPioKvg0flaFI9aI/ebXfIDIOgIVGU martin@example (ED25519) | ||
+ | 2048 SHA256:z6YYzqGiAb1FN55jOf/f4fqR1IJvpXlKxaZXRtP2mX8 martin@example (RSA) | ||
</code> | </code> | ||
+ | |||
+ | ==== [[connecting2]] Connecting ==== | ||
Start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog: | Start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog: | ||
Line 57: | Line 83: | ||
* On //New site node//, make sure the //%%SFTP%%// protocol is selected. | * On //New site node//, make sure the //%%SFTP%%// protocol is selected. | ||
* Enter your machine/server IP address (or a hostname) into the //Host name// box. | * Enter your machine/server IP address (or a hostname) into the //Host name// box. | ||
- | * Enter your Windows account name to the //User name// box. | + | * Enter your Windows account name to the //User name// box. It might have to be entered in the format ''user@domain'' if running on a domain. |
* For a public key authentication: | * For a public key authentication: | ||
* Press the //Advanced// button to open [[ui_login_advanced|Advanced site settings dialog]] and go to //[[ui_login_authentication|SSH > Authentication page]]//. | * Press the //Advanced// button to open [[ui_login_advanced|Advanced site settings dialog]] and go to //[[ui_login_authentication|SSH > Authentication page]]//. | ||
Line 64: | Line 90: | ||
* For a password authentication: | * For a password authentication: | ||
* Enter your Windows account password to the //Password// box. | * Enter your Windows account password to the //Password// box. | ||
- | * If you Windows account does not have a password, you cannot authenticate with the password authentication (i.e. with an empty password), you need to use the public key authentication. | + | * If your Windows account does not have a password, you cannot authenticate with the password authentication (i.e. with an empty password), you need to use the public key authentication. |
* Save your site settings using the //Save// button. | * Save your site settings using the //Save// button. | ||
* Login using //Login// button. | * Login using //Login// button. | ||
- | * [[ssh_verifying_the_host_key|Verify the host key]] by comparing fingerprint with the one collected before (see above). | + | * [[ssh_verifying_the_host_key|Verify the host key]] by comparing fingerprints with those collected before (see above). |
+ | |||
+ | If you cannot authenticate to the server and use Windows 10 //Developer mode//, make sure that your OpenSSH server does not conflict with an internal %%SSH%% server used by the //Developer mode//. You may need to turn off the //%%SSH%% Server Broker// and //%%SSH%% Server Proxy// Windows services. Or run your OpenSSH server on a different port than 22. | ||
===== Further reading ===== | ===== Further reading ===== | ||
Line 73: | Line 101: | ||
* Guide to [[guide_upload|uploading files to SFTP server]]; | * Guide to [[guide_upload|uploading files to SFTP server]]; | ||
* Guide to [[guide_automation|automating operations]] (including upload). | * Guide to [[guide_automation|automating operations]] (including upload). | ||
- |