Installing SFTP/SSH Server on Windows using OpenSSH

• Download the latest OpenSSH for Windows binaries (package OpenSSH-Win32.zip)
• Extract the package to a convenient location (we will use C:\openssh in this guide)
• Generate server keys by running the following commands from the C:\openssh (when asked for a passphrase, just press Enter, as the server keys cannot be protected with a passphrase):

  ssh-keygen.exe -t rsa -f ssh_host_rsa_key
  ssh-keygen.exe -t dsa -f ssh_host_dsa_key
  ssh-keygen.exe -t ecdsa -f ssh_host_ecdsa_key
  ssh-keygen.exe -t ed25519 -f ssh_host_ed25519_key
  

• Open a port for the SSH server in Windows Firewall:
  • Either run the following PowerShell command (Windows 8 and 2012 or newer only), as an Administrator:
    New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName SSH
  • or go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules and add a new rule for port 22.
• To allow a public key authentication, as an Administrator, run:
  C:\openssh\setup-ssh-lsa.cmd
  and restart the machine
• In C:\openssh\sshd_config locate a Subsystem sftp directive and change the path to sftp-server to its Windows location:
  Subsystem sftp C:\openssh\sftp-server.exe
• Download PsTools and extract PsExec.exe to C:\openssh

These instructions are partially based on the official deployment instructions.

Follow a generic guide for Setting up SSH public key authentication in *nix OpenSSH server, with following differences:

• Create the .ssh folder (for the authorized_keys file) in your Windows account profile folder (typically in C:\Users\username\.ssh).
• Do not change permissions for the .ssh and the authorized_keys.

To start the server, run the following command as an Administrator:

C:\openssh\PsExec.exe -i -s -w "C:\openssh" C:\openssh\sshd.exe

The OpenSSH for Windows does not support running as a service yet, but it should be available soon.

Before the first connection, find out fingerprint of the server’s RSA key by running ssh-keygen.exe -l -f ssh_host_rsa_key -E md5 from the C:\openssh:

C:\openssh>ssh-keygen.exe -l -f ssh_host_rsa_key -E md5
2048 MD5:94:93:fe:cc:c5:7d:d8:2a:33:21:0e:f3:91:11:8a:d9 martin@example (RSA)

Start WinSCP. Login dialog will appear. On the dialog:

• Make sure New site node is selected.
• On New site node, make sure the SFTP protocol is selected.
• Enter your machine/server IP address (or a hostname) into the Host name box.
• Enter your Windows account name to the User name box.
• For a public key authentication:
  • Press the Advanced button to open Advanced site settings dialog and go to SSH > Authentication page.
  • In Private key file box select your private key file.
  • Submit Advanced site settings dialog with the OK button.
• For a password authentication:
  • Enter your Windows account password to the Password box.
  • If you Windows account does not have a password, you cannot authenticate with the password authentication (i.e. with an empty password), you need to use the public key authentication.
• Save your site settings using the Save button.
• Login using Login button.
• Verify the host key by comparing fingerprint with the one collected before (see above).

• Guide to Installing Secure FTP Server on Windows using IIS;
• Guide to uploading files to SFTP server;
• Guide to automating operations (including upload).