Microsoft provides Secure Shell (SSH) server software with Windows 11 that you can use to listen for connections from remote SSH clients, but the server service is not installed by default. To install the Microsoft-provided SSH server software on a Windows 11 system, take the following steps:
If you scroll down the list of added features before closing the window, you should see OpenSSH Server below OpenSSH Client.
After installing the software, start the OpenSSH server service by taking the following steps:
If you then open a command prompt window and enter the command netstat -an | find ":22 ", which pipes the output of the netstat command into the find command, with the latter command searching for the instance of the default port that SSH servers listen on, i.e., TCP port 22, you should see the following output indicating the system is now listening for incoming SSH connections.
C:\>netstat -an | find ":22 "
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    [::]:22                [::]:0                 LISTENING

C:\>
The "0.0.0.0:22" indicates the system is listening for TCP connections over IPv4 on that port, while the "[::]:22" indicates it is listening for TCP connections over IPv6 on that port.
If you are unsure of whether the Microsoft-provided OpenSSH server software is installed on a system, you can check from a PowerShell prompt run with administrator access. You can open a PowerShell window by typing powershell in the Windows Search window and then clicking on Run as Administrator when it is found. Once the window is open, enter the command Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*' and hit Enter.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\windows\system32> Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

Name  : OpenSSH.Client~~~~0.0.1.0
State : Installed

Name  : OpenSSH.Server~~~~0.0.1.0
State : Installed

PS C:\windows\system32>
When the software is installed and running, you also need to ensure that any firewall software on the system will allow incoming connections to the SSH server on the SSH port. The default firewall software on a Windows system is Microsoft Defender Firewall, but sometimes antivirus software will come with its own firewall software that will be installed as a replacement for Microsoft Defender Firewall. If you took the steps above and the firewall software in use on the system is Microsoft Defender Firewall, the firewall rule needed for inbound connections should be already present.
You can verify that the firewall software is active by running netsh advfirewall show allprofiles state in a command prompt window.
C:\>netsh advfirewall show allprofiles state

Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON

Public Profile Settings:
----------------------------------------------------------------------
State                                 ON
Ok.

C:\>
From the above output, I can see that the Microsoft Defender Firewall is active for all network connections, i.e., for domain, private, and public networks. If I wanted to check the default firewall settings, I could use the command netsh advfirewall show allprofiles firewallpolicy.
C:\>netsh advfirewall show allprofiles firewallpolicy

Domain Profile Settings:
----------------------------------------------------------------------
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
Firewall Policy                       BlockInbound,AllowOutbound
Ok.

C:\>
Since the firewall software is enabled and by default will block incoming connections, there will have to be a rule that specifically allows incoming connections to the SSH port, TCP port 22. To verify that one is present specifically for the OpenSSH server software provided by Microsoft, you can use the command netsh advfirewall firewall show rule name="OpenSSH SSH Server (sshd)".
C:\>netsh advfirewall firewall show rule name="OpenSSH SSH Server (sshd)"

Rule Name:                            OpenSSH SSH Server (sshd)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Private
Grouping:                             OpenSSH Server
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            22
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
Ok.

C:\>
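From the above output, I can see that inbound connectivity to port 22 is allowed by a firewall rule associated with the OpenSSH server software. Note that the Profiles value is Private, so this rule applies only on networks that Windows has classified as private, and that RemoteIP is Any, so it does not restrict which source addresses may connect. If you wished to check from a PowerShell window instead, you could use the command Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 22 } | Get-NetFirewallRule.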
PS C:\windows\system32> Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 22 } | Get-NetFirewallRule

Name                          : OpenSSH-Server-In-TCP
DisplayName                   : OpenSSH SSH Server (sshd)
Description                   : Inbound rule for OpenSSH SSH Server (sshd)
DisplayGroup                  : OpenSSH Server
Group                         : OpenSSH Server
Enabled                       : True
Profile                       : Private
Platform                      : {}
Direction                     : Inbound
Action                        : Allow
EdgeTraversalPolicy           : Block
LooseSourceMapping            : False
LocalOnlyMapping              : False
Owner                         :
PrimaryStatus                 : OK
Status                        : The rule was parsed successfully from the store. (65536)
EnforcementStatus             : NotApplicable
PolicyStoreSource             : PersistentStore
PolicyStoreSourceType         : Local
RemoteDynamicKeywordAddresses : {}
PolicyAppId                   :
PackageFamilyName             :

PS C:\windows\system32>
The above output shows that inbound connections are allowed, since I see the following:
Direction                     : Inbound
Action                        : Allow
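The separate checks above (capability state, listener on port 22, firewall rule) can be combined into one PowerShell function. This is an added example, not code from the original page; it assumes the service name sshd and the rule name OpenSSH-Server-In-TCP shown in the output above. It goes one step further by comparing the rule's profile with the categories of the currently connected networks, using Get-NetConnectionProfile, and by reporting whether the rule accepts any source address.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): one-shot audit of the checks above.
# Assumes the service name sshd and the built-in rule name OpenSSH-Server-In-TCP.
function Get-SshServerExposure {
    param(
        [int]$Port = 22,
        [string]$RuleName = 'OpenSSH-Server-In-TCP'
    )

    $cap       = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
    $svc       = Get-Service -Name sshd -ErrorAction SilentlyContinue
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    $rule      = Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue

    # Categories of the currently connected networks. Connection profiles
    # report 'DomainAuthenticated' where firewall rules say 'Domain'.
    $active = @(Get-NetConnectionProfile -ErrorAction SilentlyContinue | ForEach-Object {
        "$($_.NetworkCategory)" -replace '^DomainAuthenticated$', 'Domain'
    } | Sort-Object -Unique)

    $ruleProfiles = @()
    $remote       = @()
    if ($rule) {
        # Profile is a flags value such as 'Private' or 'Domain, Private' or 'Any'.
        $ruleProfiles = @("$($rule.Profile)" -split ',\s*')
        $remote       = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    }

    # The allow rule only takes effect on networks whose category it covers.
    $covered = @($active | Where-Object {
        $ruleProfiles -contains 'Any' -or $ruleProfiles -contains $_
    })

    [pscustomobject]@{
        CapabilityState  = if ($cap) { "$($cap.State)" } else { 'NotFound' }
        ServiceStatus    = if ($svc) { "$($svc.Status)" } else { 'NotFound' }
        ServiceStartType = if ($svc) { "$($svc.StartType)" } else { 'NotFound' }
        ListenAddresses  = if ($listeners) { @($listeners.LocalAddress | Sort-Object -Unique) } else { @() }
        RuleEnabled      = [bool]($rule -and "$($rule.Enabled)" -eq 'True')
        RuleAction       = if ($rule) { "$($rule.Action)" } else { 'NoRule' }
        RuleProfiles     = $ruleProfiles
        ActiveCategories = $active
        AllowedOnActive  = $covered
        RemoteAddress    = $remote
        AnySourceAllowed = ($remote -contains 'Any')
    }
}

Get-SshServerExposure | Format-List
```

An empty AllowedOnActive with a Running service means sshd is listening but the built-in rule does not cover any network the system is currently attached to.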