OpenSSH Server for Windows 10 requires at least Windows 10 (build 1809).
You can determine the build number for Windows 10 by typing winver
in the Windows "Type here to search" field at the bottom of the screen or
at a PowerShell prompt. Or you can use the systeminfo utility and pipe its
output into the findstr command, filtering on the line that has "OS" at the
beginning of the line and also "Version" in the line.
PS C:\> systeminfo | findstr -B "OS" | findstr "Version"
OS Version:                10.0.19045 N/A Build 19045
PS C:\>
The SSH Client software may already be installed. You can determine if
it is already installed by opening a PowerShell prompt and typing
ssh. If it is installed, as it was on the Windows 10 Professional
Version 22H2 (OS Build 19045.6466) system on which I wanted to set up
the OpenSSH Server software, you will see a response like the following one:
PS C:\> ssh
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address]
[-c cipher_spec] [-D [bind_address:]port] [-E log_file]
[-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
[-J destination] [-L address] [-l login_name] [-m mac_spec]
[-O ctl_cmd] [-o option] [-P tag] [-p port] [-Q query_option]
[-R address] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
destination [command [argument ...]]
PS C:\>
If it isn't installed, you will see an error message in red stating
"The term 'ssh' is not recognized as a cmdlet." If it is installed, you can
determine the version of the OpenSSH software installed with
ssh -V (capital "V").
PS C:\> ssh -V
OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2
PS C:\>
You can also determine whether either the OpenSSH Client or Server software
is installed using the Get-WindowsCapability -Online | ? Name -like
'OpenSSH*' command.
PS C:\Windows\system32> Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'

Name  : OpenSSH.Client~~~~0.0.1.0
State : Installed

Name  : OpenSSH.Server~~~~0.0.1.0
State : NotPresent

PS C:\Windows\system32>
For more details on the SSH software, you can use the command below.
PS C:\Windows\system32> Get-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Name         : OpenSSH.Server~~~~0.0.1.0
State        : NotPresent
DisplayName  : OpenSSH Server
Description  : OpenSSH-based secure shell (SSH) server, for secure key management and access from remote machines.
DownloadSize : 1290075
InstallSize  : 9894430

PS C:\Windows\system32>
To install the OpenSSH Server software with PowerShell, you will need
to open a PowerShell window with administrator privileges. You can do that
by typing powershell in the Windows "Type here to search" window
and, when the application is found, select "Run as Administrator". If you
try to install the OpenSSH Server program from a PowerShell window that doesn't
have administrator privileges, you will see the message "The requested operation
requires elevation." From the output above, I can see that the SSH client
software is installed, but not the server software. To install the server
software, you can use the cmdlet Add-WindowsCapability as
shown below.
PS C:\Windows\system32> Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Path          :
Online        : True
RestartNeeded : False

PS C:\Windows\system32>
After the above command has successfully completed, the SSH server software
will be installed, but the SSH server service, sshd, will not be running.
You can see the status of the service with the command
Get-Service -Name ssh*.
PS C:\Windows\system32> Get-Service -Name ssh*

Status   Name               DisplayName
------   ----               -----------
Stopped  ssh-agent          OpenSSH Authentication Agent
Stopped  sshd               OpenSSH SSH Server

PS C:\Windows\system32>
Assuming you will want to have the service start automatically whenever
the system boots, issue the command Set-Service -Name sshd -StartupType
'Automatic'.
PS C:\Windows\system32> Set-Service -Name sshd -StartupType 'Automatic'
PS C:\Windows\system32>
To start the service, you can use Start-Service -Name sshd.
You should then see that the service is running and the system is listening
on the default SSH server port of 22. Note: when you pipe the output
of the netstat command into the findstr command and filter on
ports on which the system is listening, you will either have to put
"listening" in all capital letters or use the /i option
with the findstr command, which tells the utility to ignore the
case of text, i.e. findstr /i "Listening".
PS C:\Windows\system32> Start-Service -Name sshd
WARNING: Waiting for service 'OpenSSH SSH Server (sshd)' to start...
PS C:\Windows\system32> Get-Service -Name ssh*

Status   Name               DisplayName
------   ----               -----------
Stopped  ssh-agent          OpenSSH Authentication Agent
Running  sshd               OpenSSH SSH Server

PS C:\Windows\system32> netstat -an | findstr ":22" | findstr "LISTENING"
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    [::]:22                [::]:0                 LISTENING
PS C:\Windows\system32>
If the Microsoft Defender Firewall is running on the system, an appropriate firewall rule will have been created to allow inbound connectivity on the default SSH port, 22. You can verify that with the PowerShell cmdlets shown below.
PS C:\Windows\system32> Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 22 } | Get-NetFirewallRule

Name                          : OpenSSH-Server-In-TCP
DisplayName                   : OpenSSH SSH Server (sshd)
Description                   : Inbound rule for OpenSSH SSH Server (sshd)
DisplayGroup                  : OpenSSH Server
Group                         : OpenSSH Server
Enabled                       : True
Profile                       : Any
Platform                      : {}
Direction                     : Inbound
Action                        : Allow
EdgeTraversalPolicy           : Block
LooseSourceMapping            : False
LocalOnlyMapping              : False
Owner                         :
PrimaryStatus                 : OK
Status                        : The rule was parsed successfully from the store. (65536)
EnforcementStatus             : NotApplicable
PolicyStoreSource             : PersistentStore
PolicyStoreSourceType         : Local
RemoteDynamicKeywordAddresses :
PolicyAppId                   :

PS C:\Windows\system32>
If you wish to change the Transmission Control Protocol (TCP) port that
the SSH server service listens on from the default value of 22 to another
port, you can edit the configuration file for the service, sshd_config,
which is under the ProgramData directory. You can issue the command
echo %programdata% at a command prompt to see the location,
but it will usually be C:\ProgramData, so the full path to the file
will be C:\ProgramData\ssh\sshd_config.
C:\>echo %programdata%
C:\ProgramData
C:\>
You can edit the file in the Windows Notepad application.
PS C:\Windows\system32> notepad C:\ProgramData\ssh\sshd_config
PS C:\Windows\system32>
Look for the line #Port 22. Remove the pound sign, which marks the line
as a comment, and replace 22 with whatever
port you wish to use. Keep in mind that you probably should not use a
well-known port, i.e., a port between 0 and 1023, that is normally
used for other purposes. And it may be better to avoid
registered ports as well, to prevent any future conflict with
some other application that might later be installed on the system. After
you've made the change, save the file and then stop and restart the service.
PS C:\Windows\system32> Stop-Service -Name sshd
PS C:\Windows\system32> Start-Service -Name sshd
PS C:\Windows\system32>
If you then use the netstat and findstr commands to verify that the
system is now listening on the chosen port, you should see it listening
on that new port. If the Windows Firewall is enabled, you will also need
to change the port number in the relevant firewall rule. You can do that with
the Set-NetFirewallRule cmdlet by specifying the DisplayName
for the rule, in this case, "OpenSSH SSH Server (sshd)", and then specifying
the new LocalPort value. E.g., if I wanted to change the default port from
22 to 22022, I could use the command Set-NetFirewallRule -DisplayName
"OpenSSH SSH Server (sshd)" -LocalPort 22022. I could then verify that
the rule had been updated to reflect the new value using the
Get-NetFirewallPortFilter command.
PS C:\Windows\system32> Set-NetFirewallRule -DisplayName "OpenSSH SSH Server (sshd)" -LocalPort 22022
PS C:\Windows\system32> Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 22022 } | Get-NetFirewallRule

Name                          : OpenSSH-Server-In-TCP
DisplayName                   : OpenSSH SSH Server (sshd)
Description                   : Inbound rule for OpenSSH SSH Server (sshd)
DisplayGroup                  : OpenSSH Server
Group                         : OpenSSH Server
Enabled                       : True
Profile                       : Any
Platform                      : {}
Direction                     : Inbound
Action                        : Allow
EdgeTraversalPolicy           : Block
LooseSourceMapping            : False
LocalOnlyMapping              : False
Owner                         :
PrimaryStatus                 : OK
Status                        : The rule was parsed successfully from the store. (65536)
EnforcementStatus             : NotApplicable
PolicyStoreSource             : PersistentStore
PolicyStoreSourceType         : Local
RemoteDynamicKeywordAddresses :
PolicyAppId                   :

PS C:\Windows\system32>
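The port-change procedure above (edit sshd_config, restart sshd, update the firewall rule, verify the listener) collected into one script, with a backup and a configuration check before the restart. This is an added example, not part of the original article; it assumes the rule name OpenSSH-Server-In-TCP shown in the output above, that sshd.exe is in the default C:\Windows\System32\OpenSSH directory, and an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Save as a .ps1 file and run elevated.
param([ValidateRange(1024, 65535)][int]$NewPort = 22022)  # 22022: the article's example port

$config   = Join-Path $env:ProgramData 'ssh\sshd_config'
$sshdExe  = Join-Path $env:SystemRoot 'System32\OpenSSH\sshd.exe'  # assumed default install path
$ruleName = 'OpenSSH-Server-In-TCP'                                # rule Name from the output above

# Stop early if another process already listens on the chosen port.
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    throw "Port $NewPort is already in use on this system."
}

# Keep a timestamped backup so a bad edit can be rolled back.
$backup = "$config.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $config -Destination $backup

# Rewrite the first "Port" line, commented (#Port 22) or active; add one if none exists.
$replaced = $false
$lines = foreach ($line in Get-Content -Path $config) {
    if (-not $replaced -and $line -match '^\s*#?\s*Port\s+\d+\s*$') {
        $replaced = $true
        "Port $NewPort"
    } else { $line }
}
if (-not $replaced) { $lines = @("Port $NewPort") + @($lines) }
Set-Content -Path $config -Value $lines -Encoding ascii   # default sshd_config is plain ASCII

# Let sshd check the edited file (-t = test mode); restore the backup if it is rejected.
& $sshdExe -t
if ($LASTEXITCODE -ne 0) {
    Copy-Item -Path $backup -Destination $config -Force
    throw "sshd rejected the new configuration; original restored from $backup."
}

Restart-Service -Name sshd
Set-NetFirewallRule -Name $ruleName -LocalPort $NewPort

# Report what is actually in effect.
[pscustomobject]@{
    ServiceStatus = (Get-Service -Name sshd).Status
    Listening     = [bool](Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue)
    FirewallPort  = (Get-NetFirewallRule -Name $ruleName | Get-NetFirewallPortFilter).LocalPort
}
```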