
SSH on Windows

As of Windows 10 (or Server 2019), Microsoft has basically added built-in support for OpenSSH as both a client and a host. Of course, it being #Windows, it's sometimes non-obvious and sub-par.

Server setup

Open up an elevated PowerShell session (e.g. right-click on any PowerShell icon/listing and choose Run as Administrator), and then run the following:

Elevated PowerShell session
# Install the actual component. Can also be done via the "Features" listing in Windows.
# Microsoft's documentation gives the full capability name as OpenSSH.Server~~~~0.0.1.0; use that if the short name is not found.
Add-WindowsCapability -Online -Name OpenSSH.Server

# Make sure the services are set to automatically start, since they often aren't
Set-Service ssh-agent -StartupType Automatic
Set-Service sshd -StartupType Automatic

# Manually start the services so they're running without rebooting, because we're using SSH because we're trying to *not* be all Windows-y about things
Start-Service ssh-agent
Start-Service sshd

# This will optionally install some utilities, but they don't actually work well last I checked, so you can skip this if you want
Install-Module -Force OpenSSHUtils

Voila! You should now be able to SSH into your Windows machine from any SSH client.

Client Setup

Non-Elevated PowerShell session

# Create and enter .ssh directory for your user (-Force: no error if it already exists).
cd $env:USERPROFILE; mkdir -Force .ssh; cd .ssh
# Generate identity keys, by default this will be `id_rsa` and `id_rsa.pub`
# (OpenSSH 9.5 and later default to Ed25519 instead, giving `id_ed25519` and `id_ed25519.pub`; adjust the file name below to match)
ssh-keygen.exe
# Create an authorized_keys file starting with your local public key (this overwrites any existing authorized_keys)
copy id_rsa.pub authorized_keys

# Open an Explorer window in the current location, because I haven't yet bothered to figure out how to do the next portion with PowerShell
start .

Using SSH keys

In the GUI:

  1. Right click authorized_keys, then Properties > Security > Advanced
  2. Disable Inheritance
  3. Choose "Convert inherited permissions into explicit permissions on this object" when prompted
  4. Remove all permissions on file except for SYSTEM and yourself. There must be exactly two permission entries on the file.

Or using WinSCP (ewww).

Or on the command line, https://superuser.com/questions/1451241/command-to-copy-client-public-key-to-windows-openssh-sftp-ssh-server-authorized has some details.
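
The GUI steps above, done from PowerShell instead. This is an added example, not part of the original page; it assumes the key file sits at the default %USERPROFILE%\.ssh\authorized_keys and is owned by the account running the script.

```powershell
# Added example, not from the original page. Run in the same non-elevated session.
# Assumes the default per-user key file location used in the client setup above.
$path = Join-Path $env:USERPROFILE '.ssh\authorized_keys'

# Resolve both principals by SID so this also works on non-English Windows.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$system = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-18')  # NT AUTHORITY\SYSTEM

$acl = Get-Acl -LiteralPath $path

# GUI steps 2-3: disable inheritance. The second argument ($false) discards the
# inherited entries instead of converting them, because step 4 removes them anyway.
$acl.SetAccessRuleProtection($true, $false)

# GUI step 4: drop every explicit entry already on the file ...
$sidType = [System.Security.Principal.SecurityIdentifier]
foreach ($rule in @($acl.GetAccessRules($true, $false, $sidType))) {
    $acl.PurgeAccessRules($rule.IdentityReference)
}

# ... then grant Full Control to exactly two principals: yourself and SYSTEM.
foreach ($sid in @($me, $system)) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($sid, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $path -AclObject $acl

# Check the result: there must be exactly two entries, neither of them inherited.
$entries = @((Get-Acl -LiteralPath $path).Access)
$entries | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
if ($entries.Count -ne 2 -or ($entries | Where-Object IsInherited)) {
    Write-Warning "Unexpected ACL on $path; sshd may ignore this file."
}
```

With the default sshd_config shipped by Windows OpenSSH, accounts in the Administrators group have their keys read from %ProgramData%\ssh\administrators_authorized_keys instead of the per-user file. That file needs the same treatment, with Administrators and SYSTEM as its only entries.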

I wanna be admin

One rando's comment claims the solution is to set ConsentPromptBehaviorAdmin, in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. This is probably the right way to do it, but you'd still have to elevate via runas or such.

Conversely, the older since-redacted Microsoft documentation cited earlier in the same GitHub issue suggests setting the value LocalAccountTokenFilterPolicy under the same key. This is probably less safe, but it means all SSH logins will be elevated, which is lazily nice. It is less safe because the setting is not specific to SSH: it turns off UAC remote token filtering for local administrator accounts on every kind of remote logon.

Microsoft-suggested one-liner for adding key and value
cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

To add:

Last Author
keithzg
Last Edited
Jun 25 2024, 12:35 PM

Event Timeline

keithzg edited the content of this document.
keithzg added a project: Restricted Project.
keithzg published a new version of this document. May 27 2020, 5:26 PM
keithzg published a new version of this document.
keithzg published a new version of this document. Apr 27 2021, 8:25 PM