OpenSSH sshd is sort of straightforward, and better than Cygwin.

Assumptions

  • Your server is running Windows Server 2019.
  • Your client is using PuTTY or OpenSSH Client, and you know how to connect to servers and set private keys.
  • Your server user is an administrator.

Steps

  1. Install the OpenSSH Server feature.
    1. Go to Settings › Apps › Apps & features › Manage optional features.
    2. Select + Add a feature.
    3. Select OpenSSH Server, then select Install.
  2. Use services.msc to start the OpenSSH SSH Server service and set its startup type to Automatic.
    1. The OpenSSH Authentication Agent is not needed for SSH servers, so you can leave it stopped.
  3. Try logging in with your username and password. This will show that the service, firewall rules, and host key were automatically set up.
  4. Set up public-key–based authentication.
    1. If you don't already have a public-private keypair, you can generate one with PuTTYgen.
      1. Choose ED25519 as the type of key to generate.
      2. Click Generate and move your mouse around the window for a second.
      3. Save the private key file (*.ppk) somewhere PuTTY can read it.
      4. Copy the "Public key for pasting into OpenSSH authorized_keys file" at the top of the window.
    2. Save the OpenSSH public key string to the end of the correct authorized keys file, depending on whether you want to log in to the server over SSH as an administrator user or not.
      • For administrators, this file is %PROGRAMDATA%\ssh\administrators_authorized_keys.
      • For non-administrators, this file is %USERPROFILE%\.ssh\authorized_keys.
      • Multiple entries must be separated by newlines.
      • Ensure the filename has no extension.
    3. For administrative users, set the administrators_authorized_keys file permissions.
      1. Disable permissions inheritance, copying existing entries.
      2. Remove the Authenticated Users entry.
      3. Once you're done, the access control list should only allow full access to SYSTEM and the Administrators group, and the owner should be Administrators.
    4. If you don't want any users to be able to attempt to log in with a password over SSH, you can set PasswordAuthentication no in %PROGRAMDATA%\ssh\sshd_config and restart the sshd service.
  5. If you want to change the default shell from Command Prompt to PowerShell, you can set a registry value:
    New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
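Steps 4.2 through 4.4 for an administrator account can also be scripted. The PowerShell below is an added example, not part of the original gist; the script name `Add-AdminSshKey.ps1` and its parameters are hypothetical, and it assumes an elevated session on the server with OpenSSH Server already installed.

```powershell
# Add-AdminSshKey.ps1 (hypothetical name): added example, not part of the original gist.
# Run elevated on the server. -PublicKey is the one-line OpenSSH public key from PuTTYgen.
param(
    [Parameter(Mandatory)][string]$PublicKey,
    [switch]$DisablePasswordLogin          # also apply step 4.4
)
$ErrorActionPreference = 'Stop'
$KeyFile = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
$Config  = Join-Path $env:ProgramData 'ssh\sshd_config'

# Step 4.2: add the key once, one entry per line, written as ASCII.
# (Redirecting with ">>" in Windows PowerShell writes UTF-16, which sshd cannot parse.)
$PublicKey = $PublicKey.Trim()
if ($PublicKey -notmatch '^ssh-ed25519 \S+') { throw 'Expected an OpenSSH ED25519 public key line.' }
$lines = @(Get-Content -Path $KeyFile -ErrorAction SilentlyContinue | Where-Object { $_.Trim() })
if ($lines -notcontains $PublicKey) { $lines += $PublicKey }
Set-Content -Path $KeyFile -Value $lines -Encoding ascii

# Step 4.3: replace the ACL so only Administrators and SYSTEM have access.
# Well-known SIDs are used so the script also works on localized Windows.
$sids = 'S-1-5-32-544', 'S-1-5-18'         # BUILTIN\Administrators, NT AUTHORITY\SYSTEM
$acl  = New-Object System.Security.AccessControl.FileSecurity
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, keep no inherited entries
foreach ($s in $sids) {
    $id = New-Object System.Security.Principal.SecurityIdentifier $s
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
}
$acl.SetOwner((New-Object System.Security.Principal.SecurityIdentifier $sids[0]))
Set-Acl -Path $KeyFile -AclObject $acl

# Check the end state from step 4.3.3: no entry for anyone else (e.g. Authenticated Users).
$rules = (Get-Acl -Path $KeyFile).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$extra = $rules | Where-Object { $_.IdentityReference.Value -notin $sids }
if ($extra) { throw "Unexpected ACL entries: $($extra.IdentityReference.Value -join ', ')" }

# Step 4.4 (optional): turn off password logins, then restart the service.
if ($DisablePasswordLogin) {
    $cfg     = Get-Content -Path $Config
    $pattern = '^\s*#?\s*PasswordAuthentication\s+(yes|no)\s*$'
    if ($cfg -match $pattern) {
        $cfg = $cfg -replace $pattern, 'PasswordAuthentication no'
    } else {
        # No existing line: put it first, ahead of any Match block (sshd keeps the first value).
        $cfg = @('PasswordAuthentication no') + $cfg
    }
    Set-Content -Path $Config -Value $cfg -Encoding ascii
    Restart-Service sshd
}
```

Keep your current session open and confirm that key-based login works from a second client window before running it with `-DisablePasswordLogin`.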
Aldaviva commented Nov 5, 2022