This documentation was forked from teocci/how-to-ssh-into-windows.md and revised to focus on Windows 11 and limit install options to PowerShell. teocci's documentation offers more options for install, whereas this documentation provides additional information regarding key-based authentication and the necessary steps for using the authorized_keys file.
Install the OpenSSH server:
Add-WindowsCapability -Online -Name OpenSSH.Server*
To uninstall the OpenSSH server:
Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Check the status of ssh-agent and sshd services using the PowerShell command Get-Service:
Get-Service -Name *ssh*
Set ssh services to start automatically:
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'
Start-Service 'ssh-agent'
Set-Service -Name 'ssh-agent' -StartupType 'Automatic'
Add a firewall rule to allow SSH traffic using PowerShell:
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
# Same, but restricting access to only a few systems
New-NetFirewallRule -Name sshd -DisplayName "OpenSSH Server (sshd)" -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 -RemoteAddress @("192.168.168.10", "192.168.168.40")
Now we can connect to Windows using any SSH client.
Hint: to run PowerShell.exe instead of the cmd.exe shell when logging in via SSH on Windows 10, run the following command in Windows 10 (under an admin account):
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
# To omit the PowerShell banner, add this key. You can also add "-NoLogo -NoProfile"
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShellArguments -Value "-NoLogo" -PropertyType String -Force
See here for more information on shell options
If you want to use key-based ssh authentication instead of password authentication, you need to generate a key using ssh-keygen on your client.
Your public key must be copied to the %UserProfile%\.ssh\authorized_keys file for regular users and C:\ProgramData\ssh\administrators_authorized_keys if the user has Administrative privileges.
The %UserProfile%\.ssh\authorized_keys and C:\ProgramData\ssh\administrators_authorized_keys files must have the proper file permissions set:
- Right click on the authorized_keys file and select Security
- Select Advanced
- Disable inheritance and Convert inherited permissions
- Remove Authenticated Users
- The only remaining Users\Permissions should be SYSTEM and the ssh User
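A scripted way to reach the end state the list above describes for the per-user %UserProfile%\.ssh\authorized_keys file, as an added example that is not part of the original documentation. It removes inherited entries with icacls instead of converting them, then audits what is left; the function name Set-AuthorizedKeysAcl and its parameters are hypothetical, and the default account is assumed to be the one that logs in over SSH.

```powershell
# Added example (not from the original documentation).
function Set-AuthorizedKeysAcl {
    [CmdletBinding()]
    param(
        [string]$Path = "$env:USERPROFILE\.ssh\authorized_keys",
        # Assumption: the account that logs in over SSH is the current user.
        [string]$User = "$env:USERDOMAIN\$env:USERNAME"
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Work with SIDs so the commands do not depend on localized account names.
    $sidType   = [System.Security.Principal.SecurityIdentifier]
    $account   = New-Object System.Security.Principal.NTAccount($User)
    $userSid   = $account.Translate($sidType).Value
    $systemSid = 'S-1-5-18'   # well-known SID: NT AUTHORITY\SYSTEM

    # Disable inheritance (dropping inherited entries) and grant full control
    # to SYSTEM and the SSH user only.
    icacls.exe $Path /inheritance:r /grant "*${systemSid}:F" /grant "*${userSid}:F" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed with exit code $LASTEXITCODE" }

    # Remove any explicit entry for Authenticated Users (well-known SID S-1-5-11).
    icacls.exe $Path /remove '*S-1-5-11' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /remove failed with exit code $LASTEXITCODE" }

    # Audit: report every remaining entry that is neither SYSTEM nor the SSH user.
    $unexpected = @((Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Translate($sidType).Value -notin @($systemSid, $userSid)
    })
    foreach ($ace in $unexpected) {
        Write-Warning "Unexpected entry: $($ace.IdentityReference) ($($ace.FileSystemRights))"
    }

    # True when only SYSTEM and the SSH user remain on the file.
    return ($unexpected.Count -eq 0)
}

Set-AuthorizedKeysAcl
```

A return value of False means an explicit entry for some other account is still on the file; the warnings name it so it can be removed in the Advanced security dialog.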
We can configure various OpenSSH server settings in Windows using the %programdata%\ssh\sshd_config configuration file.
For example, we can disable password authentication and leave only key-based auth with:
PubkeyAuthentication yes
PasswordAuthentication no
Here we can also specify a new TCP port (instead of the default TCP 22 port) on which the SSHD will accept connections. For example:
Port 2222
After making changes to the sshd_config file, you need to restart the sshd service:
Get-Service sshd | Restart-Service -Force
On Windows 11, SSH logs can be viewed using the Event Viewer console (eventvwr.msc). All SSH events are available in a separate section Application and Services Logs > OpenSSH > Operational.
- Open Computer Management -> System Tools -> Local Users and Groups
- Add the ssh user to Remote Management Users group
- Expand Services and Applications
- Right Click and select Properties then Security
- Expand Root, then highlight CIMV2
- Select Security
- Add Remote Management Users
- Add the following permissions for Remote Management Users:
  - Enable Account
  - Remote Enable
Make sure the VSCode User Settings for the host is set to windows; ex:
"remote.SSH.remotePlatform": {
    "*": "linux",
    "wincomputer.local": "windows"
},