Saturday, June 24, 2023

OpenSSH on Windows 2019 with Powershell as default ssh shell



Link to online help

Install OpenSSH for Windows


Before you start, your computer must meet the following requirements:

  1. A device running at least Windows Server 2019 or Windows 10 (build 1809).

  2. PowerShell 5.1 or later.

  3. An account that is a member of the built-in Administrators group.

Check I have a admin shell

PS C:\Windows\system32> (New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)


Current version of powershell

PS C:\Windows\system32> $PSVersionTable.PSVersion

Major  Minor  Build  Revision

-----  -----  -----  --------

5      1      17763  3770

My base level 2019 version

PS C:\Windows\system32> systeminfo |findstr "OS "

OS Name:                   Microsoft Windows Server 2019 Datacenter

OS Version:                10.0.17763 N/A Build 17763

My hot fix levels

PS C:\Windows\system32> Get-HotFix

Source        Description      HotFixID      InstalledBy          InstalledOn

------        -----------      --------      -----------          -----------

W2019A        Update           KB5027131     NT AUTHORITY\SYSTEM  18/06/2023 00:00:00

W2019A        Security Update  KB4512577                          07/09/2019 00:00:00

W2019A        Update           KB4589208     NT AUTHORITY\SYSTEM  18/06/2023 00:00:00

W2019A        Security Update  KB5027222     NT AUTHORITY\SYSTEM  18/06/2023 00:00:00

W2019A        Security Update  KB5023789     NT AUTHORITY\SYSTEM  18/06/2023 00:00:00

PS C:\Windows\system32> wmic qfe list

Caption                                     CSName  Description      FixComments  HotFixID   InstallDate  InstalledBy          InstalledOn  Name  ServicePackInEffect  Status  W2019A  Update                        KB5027131               NT AUTHORITY\SYSTEM  6/18/2023  W2019A  Security Update               KB4512577                                    9/7/2019  W2019A  Update                        KB4589208               NT AUTHORITY\SYSTEM  6/18/2023  W2019A  Security Update               KB5027222               NT AUTHORITY\SYSTEM  6/18/2023

                                            W2019A  Security Update               KB5023789               NT AUTHORITY\SYSTEM  6/18/2023

PS C:\Windows\system32>

Check the openssh packages available

PS C:\Windows\system32>  Get-WindowsCapability -Online| out-string  -stream |select-string -pattern "openssh"

Name  : OpenSSH.Client~~~~

Name  : OpenSSH.Server~~~~

PS C:\Windows\system32>

Install server & client

PS C:\Windows\system32> Add-WindowsCapability -Online -Name OpenSSH.Server~~~~

Path          :

Online        : True

RestartNeeded : False

PS C:\Windows\system32> Add-WindowsCapability -Online -Name OpenSSH.Client~~~~

Path          :

Online        : True

RestartNeeded : False

PS C:\Windows\system32>

Check the status of the new sshd service

PS C:\Windows\system32> Get-Service sshd | Select-Object -Property Name,Status,StartType

Name  Status StartType

----  ------ ---------

sshd Stopped    Manual

PS C:\Windows\system32>

Start it and set to automatic

PS C:\Windows\system32> Start-Service sshd

PS C:\Windows\system32> Set-Service -Name sshd -StartupType 'Automatic'

PS C:\Windows\system32> Get-Service sshd | Select-Object -Property Name,Status,StartType

Name  Status StartType

----  ------ ---------

sshd Running Automatic

PS C:\Windows\system32>

Check Firewall is allowed for ssh

PS C:\Windows\system32> Get-NetFirewallRule -Name *ssh*

Name                  : OpenSSH-Server-In-TCP

DisplayName           : OpenSSH SSH Server (sshd)

Description           : Inbound rule for OpenSSH SSH Server (sshd)

DisplayGroup          : OpenSSH Server

Group                 : OpenSSH Server

Enabled               : True

Profile               : Any

Platform              : {}

Direction             : Inbound

Action                : Allow

EdgeTraversalPolicy   : Block

LooseSourceMapping    : False

LocalOnlyMapping      : False

Owner                 :

PrimaryStatus         : OK

Status                : The rule was parsed successfully from the store. (65536)

EnforcementStatus     : NotApplicable

PolicyStoreSource     : PersistentStore

PolicyStoreSourceType : Local

PS C:\Windows\system32>

Check the env variables

PS C:\Windows\system32> echo $env:ProgramData


PS C:\Windows\system32> dir $env:ProgramData\ssh.

    Directory: C:\ProgramData\ssh

Mode                LastWriteTime         Length Name

----                -------------         ------ ----

d-----       18/06/2023     10:23                logs

-a----       18/06/2023     10:23              6

-a----       05/09/2018     15:07           2253 sshd_config

-a----       18/06/2023     10:23            672 ssh_host_dsa_key

-a----       18/06/2023     10:23            617

-a----       18/06/2023     10:23            227 ssh_host_ecdsa_key

-a----       18/06/2023     10:23            189

-a----       18/06/2023     10:23            419 ssh_host_ed25519_key

-a----       18/06/2023     10:23            109

-a----       18/06/2023     10:23           1679 ssh_host_rsa_key

-a----       18/06/2023     10:23            409

PS C:\Windows\system32>

Generate new key pair

I chose no password 

My user is robert so you would need to check that :)

PS C:\Windows\system32>  ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (C:\Users\robert/.ssh/id_rsa):

Created directory 'C:\Users\robert/.ssh'.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in C:\Users\robert/.ssh/id_rsa.

Your public key has been saved in C:\Users\robert/.ssh/

The key fingerprint is:

SHA256:K1R82wY75a/NDK4ltnHmAI7SzCJJNvgCLqNc8hzRaR0 rjruss\robert@w2019a

The key's randomart image is:

+---[RSA 2048]----+

|                 |

|       .         |

|       Eo o .    |

| .  . o... B     |

|o +. +..S + +    |

|o+ oo= o o o .   |

|+o+oo * o = = .  |

|+o=..o . . @ *   |

|.. o      o.+ +  |


PS C:\Windows\system32>

Use Puttygen to generate my client key pair

Follow the prompt to generate randomness

Save public and private keys – you can choose to use a password this will be required 

Export openssh key 

3 files now available on my PC

Copy the public key section as directed by puttygen – we need this on the w2019 server

Paste contents into authorized_keys file in the users .ssh directory (that was created by ssh-keygen) reminder I am using robert as the user - check your user

Check owner

PS C:\Windows\system32> (get-acl \users\robert\.ssh\authorized_keys).owner


Set the permissions on that file

PS C:\Windows\system32> cd \users\robert\.ssh

PS C:\users\robert\.ssh> (get-acl ~\.ssh\authorized_keys).owner


PS C:\users\robert\.ssh>  icacls \users\robert\.ssh\authorized_keys

\users\robert\.ssh\authorized_keys NT AUTHORITY\SYSTEM:(F)



Successfully processed 1 files; Failed processing 0 files

PS C:\users\robert\.ssh>

PS C:\users\robert\.ssh> icacls \users\robert\.ssh\authorized_keys /inheritance:r

processed file: \users\robert\.ssh\authorized_keys

Successfully processed 1 files; Failed processing 0 files

PS C:\users\robert\.ssh>

PS C:\users\robert\.ssh>  icacls \users\robert\.ssh\authorized_keys /remove BUILTIN\Administrators

processed file: \users\robert\.ssh\authorized_keys

Successfully processed 1 files; Failed processing 0 files

PS C:\users\robert\.ssh>

Update the sshd config file

Remove the # from these two lines to prevent passwords - this disables passwords and only key based logon allowed

Comment out the match authorized keyfile line

SAVE changes

Restart sshd service

PS C:\users\robert\.ssh> Stop-Service sshd

PS C:\users\robert\.ssh> Start-Service sshd

Setup new putty session

User the user@x.x.x.x format

Add the ppk key in the auth section

Accept new host & Dos prompt should appear

Change to powershell default

Download the required release of powershell

I used the installation version

I selected all options you may want to consider deselecting if you don’t need/want the feature

I chose to update via Microsoft update – always worth considering

Launch it to test

Update ssh_config file

Subsystem powershell c:/progra~1/powershell/7/pwsh.exe -sshs -NoLogo


Check the openssh registry details

PS C:\Program Files\PowerShell\7> dir "c:/progra~1/powershell/7/pwsh.exe"

    Directory: C:\Program Files\powershell\7

Mode                 LastWriteTime         Length Name

----                 -------------         ------ ----

-a---          12/04/2023    18:07         293312 pwsh.exe

PS C:\Program Files\PowerShell\7>

Update the registry

PS C:\users\robert\.ssh> New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "c:/progra~1/powershell/7/pwsh.exe" -PropertyType String -Force

DefaultShell : c:/progra~1/powershell/7/pwsh.exe

PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH

PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE

PSChildName  : OpenSSH

PSDrive      : HKLM

PSProvider   : Microsoft.PowerShell.Core\Registry

PS C:\users\robert\.ssh>

Refresh openssh registry view and default shell appears

Open putty again and connect

Now defaults to powershell

Check if administrator 

PowerShell 7.3.4

PS C:\Users\robert> (New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdent



PS C:\Users\robert> function Test-Administrator

>> {

>>     $user = [Security.Principal.WindowsIdentity]::GetCurrent();

>>     (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBu


>> }

PS C:\Users\robert> Test-Administrator


Google +