Differences
This shows you the differences between the selected revisions of the page.
guide_windows_openssh_server 2018-02-12 | guide_windows_openssh_server 2024-10-08 (current) | ||
Line 1: | Line 1: | ||
====== Installing SFTP/SSH Server on Windows using OpenSSH ====== | ====== Installing SFTP/SSH Server on Windows using OpenSSH ====== | ||
- | Recently, [[https://blogs.msdn.microsoft.com/powershell/2015/10/19/openssh-for-windows-update/|Microsoft has released]] an early version of [[https://github.com/PowerShell/Win32-OpenSSH|OpenSSH for Windows]]. You can use the package to set up an SFTP/SSH server on Windows. | + | Microsoft maintains a port of [[https://github.com/PowerShell/Win32-OpenSSH|OpenSSH for Windows]]. You can use the package to set up an SFTP/SSH server on Windows. |
===== Installing SFTP/SSH Server ===== | ===== Installing SFTP/SSH Server ===== | ||
+ | |||
+ | ==== [[win10]] On Windows 11 and Windows 10 ==== | ||
+ | |||
+ | * On Windows 11: &win11 | ||
+ | * Go to //Settings > Apps > Optional features// and click on //View features//. | ||
+ | * Locate //"OpenSSH server"// feature, select it, click //Next//, and then click //Install//. | ||
+ | * On Windows 10 (version 1803 and newer): &win10 | ||
+ | * Go to //Settings > Apps > Apps & features > Optional features// and click on //Add a feature//. | ||
+ | * Locate //"OpenSSH server"// feature, expand it, and select //Install//. | ||
+ | |||
+ | Binaries are installed to ''%WINDIR%\System32\OpenSSH''. Configuration file (''sshd_config'') and host keys are installed to ''%ProgramData%\ssh'' (only after the server is started for the first time). | ||
+ | |||
+ | You may still want to use the following manual installation if you want to install a newer version of OpenSSH than the one built into Windows. | ||
+ | |||
+ | ==== [[windows_older]] On earlier versions of Windows ==== | ||
* Download the latest [[https://github.com/PowerShell/Win32-OpenSSH/releases|OpenSSH for Windows binaries]] (package ''OpenSSH-Win64.zip'' or ''OpenSSH-Win32.zip'') &win32 &win64 | * Download the latest [[https://github.com/PowerShell/Win32-OpenSSH/releases|OpenSSH for Windows binaries]] (package ''OpenSSH-Win64.zip'' or ''OpenSSH-Win32.zip'') &win32 &win64 | ||
- | * Extract the package to ''C:\Program Files\OpenSSH'' | + | * As the Administrator, extract the package to ''C:\Program Files\OpenSSH'' |
- | * As the Administrator, install SSHD and ssh-agent services: \\ ''powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1'' | + | * As the Administrator, install //sshd// and //ssh-agent// services: \\ <code batch>powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1</code> |
- | * As the Administrator, generate server keys and restrict an access to them, by running the following commands from the ''C:\Program Files\OpenSSH'' directory: \\ ''.\ssh-keygen.exe -A'' \\ ''%%powershell.exe -ExecutionPolicy Bypass -Command ". .\FixHostFilePermissions.ps1 -Confirm:$false%%"'' \\ (when using Windows PowerShell instead of Command Prompt, use single quotes around ''-Command'' switch value) | + | |
+ | ===== [[configuring_ssh_server]] Configuring SSH server ===== | ||
* Allow incoming connections to %%SSH%% server in Windows Firewall: | * Allow incoming connections to %%SSH%% server in Windows Firewall: | ||
- | * Either run the following PowerShell command (Windows 8 and 2012 or newer only), &win8 &win2012 as the Administrator: \\ ''%%New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Service sshd -Enabled True -Direction Inbound -Protocol TCP -Action Allow%%'' | + | * When installed as an optional feature, the firewall rule //"OpenSSH SSH Server (sshd)"// should have been created automatically. If not, proceed to create and enable the rule as follows. |
- | * or go to //Control Panel > System and Security > Windows Firewall//((//Windows Defender Firewall// on Windows 10.))// > Advanced Settings > Inbound Rules// and add a new rule for ''sshd'' service (or port 22). &wincp | + | * Either run the following PowerShell command as the Administrator: \\ <code powershell>New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 -Program "C:\Windows\System32\OpenSSH\sshd.exe"</code> Replace ''C:\Windows\System32\OpenSSH\sshd.exe'' with the actual path to the ''sshd.exe'' (''C:\Program Files\OpenSSH\ssh.exe'', had you followed the manual installation instructions above). |
+ | * or go to //Windows Security > Firewall & network protection//((//Control Panel > Windows Defender Firewall// (or //Windows Firewall//) on older versions of Windows.))// > Advanced Settings > Inbound Rules// and add a new rule for port 22. &wincp | ||
* Start the service and/or configure automatic start: | * Start the service and/or configure automatic start: | ||
- | * Go to //Control Panel > System and Security > Administrative Tools// and open //Services//. Locate //SSHD// service. &wincp | + | * Go to //Control Panel > System and Security > Administrative Tools// and open //Services//. Locate //%%OpenSSH SSH Server%%// service. &wincp |
- | * If you want the server to start automatically when your machine is started: Go to //Action > Properties//. In the Properties dialog, change //Startup type// to //Automatic// and confirm. | + | * If you want the server to start automatically when your machine is started: Go to //Action > Properties// (or just double-click the service). In the Properties dialog, change //Startup type// to //Automatic// and confirm. |
- | * Start the SSHD service by clicking the //Start the service//. | + | * Start the //%%OpenSSH SSH Server%%// service by clicking the //Start the service// link or //Action > Start// in the menu. |
//These instructions are partially based on [[https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH|the official deployment instructions]].// | //These instructions are partially based on [[https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH|the official deployment instructions]].// | ||
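Review bot: the replacement path in the new firewall step names the wrong binary: ''C:\Program Files\OpenSSH\ssh.exe'' is the client, so a rule scoped with ''-Program'' to it would never match the listening server process and inbound connections would stay blocked on a manual install; it should read ''C:\Program Files\OpenSSH\sshd.exe''. Dropping the old ''.\ssh-keygen.exe -A'' and ''FixHostFilePermissions.ps1'' step also leaves the manual-install path with no statement about how host keys get generated and their permissions restricted; either keep that step or say explicitly that the service creates and protects the keys in ''%ProgramData%\ssh'' on first start, as the optional-feature section already does.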
Line 21: | Line 39: | ||
===== [[key_authentication]] Setting up SSH public key authentication ===== | ===== [[key_authentication]] Setting up SSH public key authentication ===== | ||
- | Follow a generic guide for [[guide_public_key|Setting up SSH public key authentication]] in *nix OpenSSH server, with following differences: | + | Follow a generic guide for [[guide_public_key|Setting up SSH public key authentication]] in *nix OpenSSH server, with the following difference: |
- | * Create the ''.ssh'' folder (for the ''authorized_keys'' file) in your Windows account profile folder (typically in ''C:\Users\username\.ssh'').((Windows Explorer does not allow you to create a folder starting with a dot directly. As a workaround, use ''.ssh.'', the trailing dot will allow you to bypass the restriction, but will not be included in the name.))&winpath | + | * Create the ''.ssh'' folder (for the ''authorized_keys'' file) in your Windows account profile folder (typically in ''C:\Users\username\.ssh'').((Windows File Explorer does not allow you to create a folder starting with a dot directly. As a workaround, use ''.ssh.'', the trailing dot will allow you to bypass the restriction, but will not be included in the name.))·&winpath |
- | * Grant the %%SSH%% server read permissions to the ''.ssh'' folder. As the Administrator, run: \\ ''%%icacls C:\users\username\.ssh /grant "NT Service\sshd:R" /T%%'' | + | * For permissions to the ''.ssh'' folder and the ''authorized_keys'' file, what matters are Windows ACL permissions, not simple *nix permissions. Set the %%ACL%% so that the respective Windows account is the owner of the folder and the file and is the only account that has a write access to them. The account that runs //OpenSSH %%SSH%% Server// service (typically ''SYSTEM'' or ''sshd'') needs to have read access to the file. |
+ | * Though, with the default Win32-OpenSSH configuration there is an exception set in ''sshd_config'' for accounts in ''Administrators'' group. For these, the server uses a different location for the authorized keys file: ''%ALLUSERSPROFILE%\ssh\administrators_authorized_keys'' (i.e. typically ''C:\ProgramData\ssh\administrators_authorized_keys''). &winpath | ||
===== [[connecting]] Connecting to the server ===== | ===== [[connecting]] Connecting to the server ===== | ||
- | Before the first connection, find out fingerprint of the server's ED25519 key by running ''.\ssh-keygen.exe -l -f ssh_host_ed25519_key -E md5'' from the ''C:\Program Files\OpenSSH'': | + | ==== Finding Host Key ==== |
+ | |||
+ | Before the first connection, find out the fingerprint of the server's host key by using ·''%%ssh-keygen.exe%%'' for each file. | ||
+ | |||
+ | In Windows command-prompt (run as Administrator), use: | ||
+ | |||
+ | <code batch> | ||
+ | for %f in (%ProgramData%\ssh\ssh_host_*_key) do @%WINDIR%\System32\OpenSSH\ssh-keygen.exe -l -f "%f" | ||
+ | </code> | ||
+ | |||
+ | //Replace ''%WINDIR%\System32'' with ''%ProgramFiles%'', if appropriate.// | ||
+ | |||
+ | In PowerShell (run as Administrator), use: | ||
+ | |||
+ | <code powershell> | ||
+ | Get-ChildItem $env:ProgramData\ssh\ssh_host_*_key | ForEach-Object { . $env:WINDIR\System32\OpenSSH\ssh-keygen.exe -l -f $_ } | ||
+ | </code> | ||
+ | |||
+ | //Replace ''$env:WINDIR\System32'' with ''$env:ProgramFiles'', if appropriate.// | ||
+ | |||
+ | You will get an output like this: | ||
<code> | <code> | ||
- | C:\Program Files\OpenSSH>.\ssh-keygen.exe -l -f ssh_host_ed25519_key -E md5 | + | C:\Windows\System32\OpenSSH>for %f in (%ProgramData%\ssh\ssh_host_*_key) do @%WINDIR%\System32\OpenSSH\ssh-keygen.exe -l -f "%f" |
- | 256 MD5:0d:df:0a:db:b4:e9:f1:08:d5:59:2b:91:8e:08:1c:78 martin@example (ED25519) | + | 1024 SHA256:K1kYcE7GHAqHLNPBaGVLOYBQif04VLOQN9kDbiLW/eE martin@example (DSA) |
+ | 256 SHA256:7pFXY/Ad3itb6+fLlNwU3zc6X6o/ZmV3/mfyRnE46xg martin@example (ECDSA) | ||
+ | 256 SHA256:KFi18tCRGsQmxMPioKvg0flaFI9aI/ebXfIDIOgIVGU martin@example (ED25519) | ||
+ | 2048 SHA256:z6YYzqGiAb1FN55jOf/f4fqR1IJvpXlKxaZXRtP2mX8 martin@example (RSA) | ||
</code> | </code> | ||
+ | |||
+ | ==== [[connecting2]] Connecting ==== | ||
Start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog: | Start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog: | ||
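Review bot: the owner and write-access rule stated for the user's ''.ssh'' folder and ''authorized_keys'' file is not restated for the ''administrators_authorized_keys'' path introduced in the very next bullet, although that is the file a local administrator will actually be matched against; say what ownership and write restrictions that file needs (an ''Administrators'' or ''SYSTEM'' owner and no other writers) so the exception is not read as a way to skip the ACL requirement. Removing the old ''icacls C:\users\username\.ssh /grant "NT Service\sshd:R" /T'' command also leaves readers with no command-line way to apply or verify the ACL now described only in prose; consider keeping an ''icacls'' example for both locations, including a read grant for whichever account (''SYSTEM'' or ''sshd'') runs the service.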
Line 39: | Line 83: | ||
* On //New site node//, make sure the //%%SFTP%%// protocol is selected. | * On //New site node//, make sure the //%%SFTP%%// protocol is selected. | ||
* Enter your machine/server IP address (or a hostname) into the //Host name// box. | * Enter your machine/server IP address (or a hostname) into the //Host name// box. | ||
- | * Enter your Windows account name to the //User name// box. It might have to be entered in the format ''user@domain'', if running on a domain. | + | * Enter your Windows account name to the //User name// box. It might have to be entered in the format ''user@domain'' if running on a domain. |
* For a public key authentication: | * For a public key authentication: | ||
* Press the //Advanced// button to open [[ui_login_advanced|Advanced site settings dialog]] and go to //[[ui_login_authentication|SSH > Authentication page]]//. | * Press the //Advanced// button to open [[ui_login_advanced|Advanced site settings dialog]] and go to //[[ui_login_authentication|SSH > Authentication page]]//. | ||
Line 46: | Line 90: | ||
* For a password authentication: | * For a password authentication: | ||
* Enter your Windows account password to the //Password// box. | * Enter your Windows account password to the //Password// box. | ||
- | * If you Windows account does not have a password, you cannot authenticate with the password authentication (i.e. with an empty password), you need to use the public key authentication. | + | * If your Windows account does not have a password, you cannot authenticate with the password authentication (i.e. with an empty password), you need to use the public key authentication. |
* Save your site settings using the //Save// button. | * Save your site settings using the //Save// button. | ||
* Login using //Login// button. | * Login using //Login// button. | ||
- | * [[ssh_verifying_the_host_key|Verify the host key]] by comparing fingerprint with the one collected before (see above). | + | * [[ssh_verifying_the_host_key|Verify the host key]] by comparing fingerprints with those collected before (see above). |
- | If you cannot authenticate to the server, and you are using Windows 10 //Developer mode//, make sure that your OpenSSH server does not conflict with an internal %%SSH%% server used by the //Developer mode//. You may need to turn off the //%%SSH%% Server Broker// and //%%SSH%% Server Proxy// Windows services. Or run your OpenSSH server on a different port than 22. | + | If you cannot authenticate to the server and use Windows 10 //Developer mode//, make sure that your OpenSSH server does not conflict with an internal %%SSH%% server used by the //Developer mode//. You may need to turn off the //%%SSH%% Server Broker// and //%%SSH%% Server Proxy// Windows services. Or run your OpenSSH server on a different port than 22. |
===== Further reading ===== | ===== Further reading ===== | ||
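Review bot: the advice to run the OpenSSH server on a port other than 22 should say where that change is made and what must follow it: the port is configured in ''sshd_config'' (in ''%ProgramData%\ssh'', per the install section), and the firewall rule created earlier is pinned with ''-LocalPort 22'', so it has to be recreated for the new port or the server becomes unreachable from outside. Minor: the empty-password bullet runs two sentences together; split it after "with an empty password)".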
Line 57: | Line 101: | ||
* Guide to [[guide_upload|uploading files to SFTP server]]; | * Guide to [[guide_upload|uploading files to SFTP server]]; | ||
* Guide to [[guide_automation|automating operations]] (including upload). | * Guide to [[guide_automation|automating operations]] (including upload). | ||
- |