# [Record] How to setup OpenSSH server in Windows

###### tags: `ssh`, `openssh`, `key-based authentication`, `password-based authentication`

[toc]

## System info

- Edition: Windows 11 Home
- Version: 21H2
- OS build: 22000.1335

## Setup OpenSSH

### Check the features

```powershell
PS C:\Windows\system32> Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

Name  : OpenSSH.Client~~~~0.0.1.0
State : Installed

Name  : OpenSSH.Server~~~~0.0.1.0
State : NotPresent
```

### Install

```powershell
PS C:\Windows\system32> Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Path          :
Online        : True
RestartNeeded : False
```

### Enable

```powershell
# Start the sshd service
PS C:\Windows\system32> Start-Service sshd

# OPTIONAL but recommended:
PS C:\Windows\system32> Set-Service -Name sshd -StartupType 'Automatic'

# Confirm the Firewall rule is configured. It should be created automatically by setup. Run the following to verify
PS C:\Windows\system32> if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {
    Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
} else {
    Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists."
}
Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists.
```

### Configure

After finishing the installation, the active sshd config file is *C:\ProgramData\ssh\sshd_config* (the shipped default template is *C:\Windows\System32\OpenSSH\sshd_config_default*).

We usually use SSH **password-based authentication**. Therefore, we could configure it as

```
Port 22
PasswordAuthentication yes
```

### Create a net user

```powershell
# Add a new user
PS C:\Windows\system32> net user tomas * /ADD
Type a password for the user:
Retype the password to confirm:
The command completed successfully.

PS C:\Windows\system32> net user

User accounts for \\LAPTOP-V8LP6SGQ

-------------------------------------------------------------------------------
Administrator            chche                    DefaultAccount
Guest                    tomas                    WDAGUtilityAccount
The command completed successfully.
```

### Change the net user's password

```powershell
net user "user name" newpassword123
```

To successfully set a new password, you'll need to ensure that it meets the requirements set by the password policy. Here are common password policy requirements you should consider:

- **Minimum Password Length**: Ensure the password is long enough to meet or exceed the minimum length requirement set by the policy (usually around 8 characters or more).
- **Password Complexity**: The password might need to include a combination of different character types, such as uppercase letters, lowercase letters, numbers, and special characters (e.g., !, @, #, $, %, ^, &).
- **Password History**: Some policies prevent you from reusing a certain number of previous passwords.
- **Account Lockout**: After a certain number of failed password attempts, the account might be locked for a specified period.
- **Expiration**: Passwords might have an expiration period, requiring users to change them regularly.
- **Account Policies**: The domain or system might have specific policies regarding password settings. These can be set by administrators.
- **Password Strength**: Avoid using easily guessable passwords. Passwords should not be based on common words, phrases, or easily obtainable personal information.

### Verify

Log in via ssh from localhost.

```powershell
PS C:\Windows\system32> ssh tomas@localhost
tomas@localhost's password:
Microsoft Windows [Version 10.0.22000.1335]
(c) Microsoft Corporation. All rights reserved.

tomas@LAPTOP C:\Users\tomas>
```

## Key-based authentication in OpenSSH for Windows

### SSH key generation

It is difficult to switch users in Windows PowerShell. Therefore, we can use ssh to log in as the new user and generate the key pair there.

```powershell
PS C:\Windows\system32> ssh tomas@localhost
tomas@localhost's password:
Microsoft Windows [Version 10.0.22000.1335]
(c) Microsoft Corporation. All rights reserved.

tomas@LAPTOP C:\Users\tomas>
tomas@LAPTOP C:\Users\tomas>ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\tomas/.ssh/id_rsa):
Created directory 'C:\Users\tomas/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\tomas/.ssh/id_rsa.
Your public key has been saved in C:\Users\tomas/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ZhAG2R709shRaZx9EibdOBA5AFh83hnidR6gFbPOIDA tomas@LAPTOP
The key's randomart image is:
+---[RSA 3072]----+
|  EO*..oX@o+     |
| o++oo+X=O o     |
|  .o=*=.* =      |
|   .=oBo .       |
|        S +      |
|         o       |
|                 |
|                 |
|                 |
+----[SHA256]-----+
```

And we can see two files, the private key and the public key, created at *C:\Users\tomas\.ssh*:

```
01/15/2023  11:08 PM             2,610 id_rsa
01/15/2023  11:08 PM               576 id_rsa.pub
```

### Config sshd_config

```
PasswordAuthentication no
StrictModes no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
```

Save it and restart the sshd service:

```powershell
PS C:\Windows\system32> net stop sshd
The OpenSSH SSH Server service was stopped successfully.

PS C:\Windows\system32> net start sshd
The OpenSSH SSH Server service is starting.
The OpenSSH SSH Server service was started successfully.
```

### SSH login without password

There are two methods:

1. Add the clients' public keys to our server. We can create a new file named `authorized_keys` at *.ssh/* and add the ssh clients' public keys to it.
2. Copy our server's private key (as an identity file) to the clients.
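Method 1 above, as an added example that is not part of the original page: the client's public key is appended to the account's `authorized_keys` and the ACL on *.ssh* and the file is tightened with `icacls`, so `StrictModes` can stay at its default of `yes` instead of being switched off as in the config above. The account name, the key text and the config path are placeholders; the account is assumed to be a standard (non-administrator) user, because the default Windows sshd_config contains a `Match Group administrators` block that makes sshd read *C:\ProgramData\ssh\administrators_authorized_keys* for members of Administrators instead of the per-user file.

```powershell
# Added example, not code from the original page: install a client's public key
# for a standard (non-administrator) local account and lock down its ACL so
# that sshd accepts the file with "StrictModes yes".
# Placeholders: $User, $PubKey and $SshdConf are assumptions for your own values.
$User     = 'tomas'
$PubKey   = 'ssh-ed25519 AAAA...CLIENT_PUBLIC_KEY... user@client'   # placeholder
$SshdConf = 'C:\ProgramData\ssh\sshd_config'

$SshDir   = Join-Path "C:\Users\$User" '.ssh'
$AuthKeys = Join-Path $SshDir 'authorized_keys'

# 1. Create .ssh and append the key (authorized_keys holds one key per line).
New-Item -ItemType Directory -Path $SshDir -Force | Out-Null
Add-Content -Path $AuthKeys -Value $PubKey -Encoding ascii

# 2. Replace inherited ACEs with an explicit ACL: only the account itself,
#    SYSTEM and Administrators may access the directory and the key file.
#    With StrictModes yes, sshd rejects an authorized_keys file that other
#    principals (e.g. Users or Everyone) can read or write.
icacls.exe $SshDir   /inheritance:r /grant "${User}:(OI)(CI)F" `
    /grant 'SYSTEM:(OI)(CI)F' /grant 'Administrators:(OI)(CI)F' | Out-Null
icacls.exe $AuthKeys /inheritance:r /grant "${User}:F" `
    /grant 'SYSTEM:F' /grant 'Administrators:F' | Out-Null

# 3. Show the resulting ACL and the sshd_config lines that decide how this
#    key is used, including the default "Match Group administrators" block.
icacls.exe $AuthKeys
Select-String -Path $SshdConf -Pattern '^\s*(PasswordAuthentication|PubkeyAuthentication|StrictModes|AuthorizedKeysFile|Match)'

# 4. Apply any sshd_config edits.
Restart-Service sshd
```

Run it from an elevated PowerShell; afterwards `ssh tomas@localhost` from the client holding the matching private key should log in without a password prompt.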
For method 2, the client then logs in with the copied key as its identity file:

```shell
tomas@linux# ssh -i ~/.ssh/id_rsa_server tomas@win_host
```

## Restart openssh

In PowerShell,

```powershell
Restart-Service sshd
```

## Reference

- https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
- https://blog.miniasp.com/post/2021/12/11/How-to-setup-OpenSSH-Server-in-Windows
- https://blog.miniasp.com/post/2021/12/12/Enhanced-Security-for-SFTP-SSH-File-Transfer-Protocol-on-Windows
- https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement
- https://woshub.com/using-ssh-key-based-authentication-on-windows/