Differences
This shows you the differences between the selected revisions of the page.
2021-03-05 | 2021-04-21 | ||
correcting ACL requirements (martin) | no summary (168.149.169.117) | ||
Line 12: | Line 12: | ||
Binaries are installed to ''%WINDIR%\System32\OpenSSH''. Configuration file (''sshd_config'') and host keys are installed to ''%ProgramData%\ssh'' (only after the server is started for the first time). | Binaries are installed to ''%WINDIR%\System32\OpenSSH''. Configuration file (''sshd_config'') and host keys are installed to ''%ProgramData%\ssh'' (only after the server is started for the first time). | ||
- | You may still want to use the following manual installation, if you want to install a newer version of OpenSSH than the one built into Windows 10. | + | You may still want to use the following manual installation if you want to install a newer version of OpenSSH than the one built into Windows 10. |
==== [[windows_older]] On earlier versions of Windows ==== | ==== [[windows_older]] On earlier versions of Windows ==== | ||
Line 38: | Line 38: | ||
* Create the ''.ssh'' folder (for the ''authorized_keys'' file) in your Windows account profile folder (typically in ''C:\Users\username\.ssh'').((Windows File Explorer does not allow you to create a folder starting with a dot directly. As a workaround, use ''.ssh.'', the trailing dot will allow you to bypass the restriction, but will not be included in the name.)) &winpath | * Create the ''.ssh'' folder (for the ''authorized_keys'' file) in your Windows account profile folder (typically in ''C:\Users\username\.ssh'').((Windows File Explorer does not allow you to create a folder starting with a dot directly. As a workaround, use ''.ssh.'', the trailing dot will allow you to bypass the restriction, but will not be included in the name.)) &winpath | ||
- | * For permissions to the ''.ssh'' folder and the ''authorized_keys'' file, what matters are Windows ACL permissions, not simple *nix permissions. Set the %%ACL%% so that the respective Windows account is the owner of the folder and the file and is the only account that have a write access to them. The account that runs //OpenSSH %%SSH%% Server// service (typically ''SYSTEM'' or ''sshd'') needs to have a read access to the file. | + | * For permissions to the ''.ssh'' folder and the ''authorized_keys'' file, what matters are Windows ACL permissions, not simple *nix permissions. Set the %%ACL%% so that the respective Windows account is the owner of the folder and the file and is the only account that has to write access to them. The account that runs //OpenSSH %%SSH%% Server// service (typically ''SYSTEM'' or ''sshd'') needs to have read access to the file. |
* Though, with the default Win32-OpenSSH configuration there is an exception set in ''sshd_config'' for accounts in ''Administrators'' group. For these, the server uses a different location for the authorized keys file: ''%ALLUSERSPROFILE%\ssh\administrators_authorized_keys'' (i.e. typically ''C:\ProgramData\ssh\administrators_authorized_keys''). &winpath | * Though, with the default Win32-OpenSSH configuration there is an exception set in ''sshd_config'' for accounts in ''Administrators'' group. For these, the server uses a different location for the authorized keys file: ''%ALLUSERSPROFILE%\ssh\administrators_authorized_keys'' (i.e. typically ''C:\ProgramData\ssh\administrators_authorized_keys''). &winpath | ||
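Review bot: In the ACL bullet of this hunk, the new wording "is the only account that has to write access to them" is ungrammatical and blurs the one requirement the sentence exists to state. The old "have a write access" only needed a number and article fix. Suggest "is the only account that has write access to them", so the rule reads unambiguously: the Windows account owns the ''.ssh'' folder and the ''authorized_keys'' file and is their sole writer, while the service account (''SYSTEM'' or ''sshd'') gets read access. The "read access" change at the end of the line is fine. The revision also carries no summary, and a change to the permissions sentence deserves one.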
Line 45: | Line 45: | ||
==== Finding Host Key ==== | ==== Finding Host Key ==== | ||
- | Before the first connection, find out fingerprint of the server's host key by using ''%%ssh-keygen.exe%%'' for each file. | + | Before the first connection, find out the fingerprint of the server's host key by using ''%%ssh-keygen.exe%%'' for each file. |
In Windows command-prompt, use: | In Windows command-prompt, use: | ||
Line 79: | Line 79: | ||
* On //New site node//, make sure the //%%SFTP%%// protocol is selected. | * On //New site node//, make sure the //%%SFTP%%// protocol is selected. | ||
* Enter your machine/server IP address (or a hostname) into the //Host name// box. | * Enter your machine/server IP address (or a hostname) into the //Host name// box. | ||
- | * Enter your Windows account name to the //User name// box. It might have to be entered in the format ''user@domain'', if running on a domain. | + | * Enter your Windows account name to the //User name// box. It might have to be entered in the format ''user@domain'' if running on a domain. |
* For a public key authentication: | * For a public key authentication: | ||
* Press the //Advanced// button to open [[ui_login_advanced|Advanced site settings dialog]] and go to //[[ui_login_authentication|SSH > Authentication page]]//. | * Press the //Advanced// button to open [[ui_login_advanced|Advanced site settings dialog]] and go to //[[ui_login_authentication|SSH > Authentication page]]//. | ||
Line 86: | Line 86: | ||
* For a password authentication: | * For a password authentication: | ||
* Enter your Windows account password to the //Password// box. | * Enter your Windows account password to the //Password// box. | ||
- | * If you Windows account does not have a password, you cannot authenticate with the password authentication (i.e. with an empty password), you need to use the public key authentication. | + | * If your Windows account does not have a password, you cannot authenticate with the password authentication (i.e. with an empty password), you need to use the public key authentication. |
* Save your site settings using the //Save// button. | * Save your site settings using the //Save// button. | ||
* Login using //Login// button. | * Login using //Login// button. | ||
- | * [[ssh_verifying_the_host_key|Verify the host key]] by comparing fingerprint with those collected before (see above). | + | * [[ssh_verifying_the_host_key|Verify the host key]] by comparing fingerprints with those collected before (see above). |
- | If you cannot authenticate to the server, and you are using Windows 10 //Developer mode//, make sure that your OpenSSH server does not conflict with an internal %%SSH%% server used by the //Developer mode//. You may need to turn off the //%%SSH%% Server Broker// and //%%SSH%% Server Proxy// Windows services. Or run your OpenSSH server on a different port than 22. | + | If you cannot authenticate to the server and use Windows 10 //Developer mode//, make sure that your OpenSSH server does not conflict with an internal %%SSH%% server used by the //Developer mode//. You may need to turn off the //%%SSH%% Server Broker// and //%%SSH%% Server Proxy// Windows services. Or run your OpenSSH server on a different port than 22. |
===== Further reading ===== | ===== Further reading ===== |
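Review bot: In the Developer mode paragraph, the new "If you cannot authenticate to the server and use Windows 10 //Developer mode//" can be read as "cannot authenticate and cannot use", because "cannot" now appears to govern both verbs. The previous "and you are using Windows 10 //Developer mode//" was unambiguous, so suggest keeping it. The "your Windows account" and "fingerprints" corrections in the same hunk are fine.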