INSTALL OPENSSH on WINDOWS 2019 | |
Link to online help | Install OpenSSH for Windows |
Prerequisites Before you start, your computer must meet the following requirements:
| |
Check I have an admin shell |
    PS C:\Windows\system32> (New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    True
Current version of powershell |
    PS C:\Windows\system32> $PSVersionTable.PSVersion

    Major  Minor  Build  Revision
    -----  -----  -----  --------
    5      1      17763  3770
My base level 2019 version |
    PS C:\Windows\system32> systeminfo |findstr "OS "
    OS Name:                   Microsoft Windows Server 2019 Datacenter
    OS Version:                10.0.17763 N/A Build 17763
My hot fix levels |
    PS C:\Windows\system32> Get-HotFix

    Source  Description      HotFixID   InstalledBy          InstalledOn
    ------  -----------      --------   -----------          -----------
    W2019A  Update           KB5027131  NT AUTHORITY\SYSTEM  18/06/2023 00:00:00
    W2019A  Security Update  KB4512577                       07/09/2019 00:00:00
    W2019A  Update           KB4589208  NT AUTHORITY\SYSTEM  18/06/2023 00:00:00
    W2019A  Security Update  KB5027222  NT AUTHORITY\SYSTEM  18/06/2023 00:00:00
    W2019A  Security Update  KB5023789  NT AUTHORITY\SYSTEM  18/06/2023 00:00:00

    PS C:\Windows\system32> wmic qfe list
    Caption                                     CSName  Description      FixComments  HotFixID   InstallDate  InstalledBy          InstalledOn  Name  ServicePackInEffect  Status
    http://support.microsoft.com/?kbid=5027131  W2019A  Update                        KB5027131               NT AUTHORITY\SYSTEM  6/18/2023
    http://support.microsoft.com/?kbid=4512577  W2019A  Security Update               KB4512577                                    9/7/2019
    https://support.microsoft.com/help/4589208  W2019A  Update                        KB4589208               NT AUTHORITY\SYSTEM  6/18/2023
    https://support.microsoft.com/help/5027222  W2019A  Security Update               KB5027222               NT AUTHORITY\SYSTEM  6/18/2023
                                                W2019A  Security Update               KB5023789               NT AUTHORITY\SYSTEM  6/18/2023

    PS C:\Windows\system32>
Check the openssh packages available |
    PS C:\Windows\system32> Get-WindowsCapability -Online| out-string -stream |select-string -pattern "openssh"

    Name  : OpenSSH.Client~~~~0.0.1.0
    Name  : OpenSSH.Server~~~~0.0.1.0

    PS C:\Windows\system32>
Install server & client |
    PS C:\Windows\system32> Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

    Path          :
    Online        : True
    RestartNeeded : False

    PS C:\Windows\system32> Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

    Path          :
    Online        : True
    RestartNeeded : False

    PS C:\Windows\system32>
Check the status of the new sshd service |
    PS C:\Windows\system32> Get-Service sshd | Select-Object -Property Name,Status,StartType

    Name  Status   StartType
    ----  ------   ---------
    sshd  Stopped  Manual

    PS C:\Windows\system32>
Start it and set to automatic |
    PS C:\Windows\system32> Start-Service sshd
    PS C:\Windows\system32> Set-Service -Name sshd -StartupType 'Automatic'
    PS C:\Windows\system32> Get-Service sshd | Select-Object -Property Name,Status,StartType

    Name  Status   StartType
    ----  ------   ---------
    sshd  Running  Automatic

    PS C:\Windows\system32>
Check Firewall is allowed for ssh |
    PS C:\Windows\system32> Get-NetFirewallRule -Name *ssh*

    Name                  : OpenSSH-Server-In-TCP
    DisplayName           : OpenSSH SSH Server (sshd)
    Description           : Inbound rule for OpenSSH SSH Server (sshd)
    DisplayGroup          : OpenSSH Server
    Group                 : OpenSSH Server
    Enabled               : True
    Profile               : Any
    Platform              : {}
    Direction             : Inbound
    Action                : Allow
    EdgeTraversalPolicy   : Block
    LooseSourceMapping    : False
    LocalOnlyMapping      : False
    Owner                 :
    PrimaryStatus         : OK
    Status                : The rule was parsed successfully from the store. (65536)
    EnforcementStatus     : NotApplicable
    PolicyStoreSource     : PersistentStore
    PolicyStoreSourceType : Local

    PS C:\Windows\system32>
Check the env variables |
    PS C:\Windows\system32> echo $env:ProgramData
    C:\ProgramData
    PS C:\Windows\system32> dir $env:ProgramData\ssh.

        Directory: C:\ProgramData\ssh

    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    d-----       18/06/2023     10:23                logs
    -a----       18/06/2023     10:23              6 sshd.pid
    -a----       05/09/2018     15:07           2253 sshd_config
    -a----       18/06/2023     10:23            672 ssh_host_dsa_key
    -a----       18/06/2023     10:23            617 ssh_host_dsa_key.pub
    -a----       18/06/2023     10:23            227 ssh_host_ecdsa_key
    -a----       18/06/2023     10:23            189 ssh_host_ecdsa_key.pub
    -a----       18/06/2023     10:23            419 ssh_host_ed25519_key
    -a----       18/06/2023     10:23            109 ssh_host_ed25519_key.pub
    -a----       18/06/2023     10:23           1679 ssh_host_rsa_key
    -a----       18/06/2023     10:23            409 ssh_host_rsa_key.pub

    PS C:\Windows\system32>
Generate new key pair. I chose no password. My user is robert, so you would need to check that :) |
    PS C:\Windows\system32> ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (C:\Users\robert/.ssh/id_rsa):
    Created directory 'C:\Users\robert/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in C:\Users\robert/.ssh/id_rsa.
    Your public key has been saved in C:\Users\robert/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:K1R82wY75a/NDK4ltnHmAI7SzCJJNvgCLqNc8hzRaR0 rjruss\robert@w2019a
    The key's randomart image is:
    +---[RSA 2048]----+
    | |
    | . |
    | Eo o . |
    | . . o... B |
    |o +. +..S + + |
    |o+ oo= o o o . |
    |+o+oo * o = = . |
    |+o=..o . . @ * |
    |.. o o.+ + |
    +----[SHA256]-----+
    PS C:\Windows\system32>
Use Puttygen to generate my client key pair | |
Follow the prompt to generate randomness | |
Save public and private keys – you can choose to use a password; this will be required |
|
Export openssh key | |
3 files now available on my PC | |
Copy the public key section as directed by puttygen – we need this on the w2019 server |
|
Paste contents into authorized_keys file in the user's .ssh directory (that was created by ssh-keygen). Reminder: I am using robert as the user - check your user | |
Check owner |
    PS C:\Windows\system32> (get-acl \users\robert\.ssh\authorized_keys).owner
    RJRUSS\robert
Set the permissions on that file |
    PS C:\Windows\system32> cd \users\robert\.ssh
    PS C:\users\robert\.ssh> (get-acl ~\.ssh\authorized_keys).owner
    RJRUSS\robert
    PS C:\users\robert\.ssh> icacls \users\robert\.ssh\authorized_keys
    \users\robert\.ssh\authorized_keys NT AUTHORITY\SYSTEM:(F)
                                       BUILTIN\Administrators:(F)
                                       RJRUSS\robert:(F)

    Successfully processed 1 files; Failed processing 0 files
    PS C:\users\robert\.ssh>
    PS C:\users\robert\.ssh> icacls \users\robert\.ssh\authorized_keys /inheritance:r
    processed file: \users\robert\.ssh\authorized_keys
    Successfully processed 1 files; Failed processing 0 files
    PS C:\users\robert\.ssh>
    PS C:\users\robert\.ssh> icacls \users\robert\.ssh\authorized_keys /remove BUILTIN\Administrators
    processed file: \users\robert\.ssh\authorized_keys
    Successfully processed 1 files; Failed processing 0 files
    PS C:\users\robert\.ssh>
Update the sshd config file | |
Remove the # from these two lines to prevent passwords - this disables passwords so that only key-based logon is allowed | |
Comment out the match authorized keyfile line | SAVE changes |
Restart sshd service |
    PS C:\users\robert\.ssh> Stop-Service sshd
    PS C:\users\robert\.ssh> Start-Service sshd
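A check for the three steps above (key-only logon, the commented-out Match key file line, the authorized_keys permissions), as an added example that is not part of the original page. It assumes the two uncommented lines are PubkeyAuthentication yes and PasswordAuthentication no and that the Match line is the stock AuthorizedKeysFile entry under Match Group administrators; the function names and the sample config are hypothetical.

```powershell
# Added example, not from the original page; directive names are assumed (see lead-in).
function Get-SshdEffectiveSetting {
    param([string[]]$Lines)
    # sshd keeps the first value it reads for a keyword; these are its defaults.
    $effective = @{ passwordauthentication = 'yes'; pubkeyauthentication = 'yes' }
    $seen = @{}; $matchBlock = $null; $adminKeyOverride = $false
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }  # commented out = not set
        $key, $value = $line -split '\s+', 2
        $key = $key.ToLower()
        if ($key -eq 'match') { $matchBlock = $value; continue }
        if ($matchBlock) {
            # A live AuthorizedKeysFile here sends admins to another key file.
            if ($matchBlock -match '^group\s+administrators$' -and $key -eq 'authorizedkeysfile') {
                $adminKeyOverride = $true
            }
            continue
        }
        if (-not $seen.ContainsKey($key)) { $seen[$key] = $true; $effective[$key] = $value }
    }
    [pscustomobject]@{
        PasswordAuthentication = $effective['passwordauthentication']
        PubkeyAuthentication   = $effective['pubkeyauthentication']
        AdminKeyFileOverride   = $adminKeyOverride
    }
}

function Get-UnexpectedKeyFileAccess {
    param([string]$Path, [string]$Owner)
    # End state shown on the page: only SYSTEM and the owning user hold rights.
    $allowed = 'NT AUTHORITY\SYSTEM', $Owner
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -notin $allowed } |
        Select-Object IdentityReference, FileSystemRights
}

# Constructed sample of an edited sshd_config (not the author's file).
$sample = @'
PubkeyAuthentication yes
PasswordAuthentication no
#PermitEmptyPasswords no
Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
'@ -split "`r?`n"
Get-SshdEffectiveSetting -Lines $sample

$keys = "$env:USERPROFILE\.ssh\authorized_keys"
if (Test-Path $keys) { Get-UnexpectedKeyFileAccess -Path $keys -Owner "$env:USERDOMAIN\$env:USERNAME" }
```

On the server itself, pass `Get-Content "$env:ProgramData\ssh\sshd_config"` as `-Lines`. A PasswordAuthentication value other than no means the line is still commented out and password logon is still accepted.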
Set up new PuTTY session. Use the user@x.x.x.x format | |
Add the ppk key in the auth section | |
Accept new host & Dos prompt should appear |
|
Change to powershell default | |
Download the required release of powershell | https://github.com/PowerShell/PowerShell/releases |
I used the installation version | https://github.com/PowerShell/PowerShell/releases/download/v7.3.4/PowerShell-7.3.4-win-x64.msi |
I selected all options; you may want to consider deselecting if you don’t need/want the feature | |
I chose to update via Microsoft update – always worth considering | |
Launch it to test | |
Update sshd_config file | Subsystem powershell c:/progra~1/powershell/7/pwsh.exe -sshs -NoLogo |
Save | |
Check the openssh registry details | |
    PS C:\Program Files\PowerShell\7> dir "c:/progra~1/powershell/7/pwsh.exe"

        Directory: C:\Program Files\powershell\7

    Mode                 LastWriteTime         Length Name
    ----                 -------------         ------ ----
    -a---          12/04/2023    18:07         293312 pwsh.exe

    PS C:\Program Files\PowerShell\7>
Update the registry |
    PS C:\users\robert\.ssh> New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "c:/progra~1/powershell/7/pwsh.exe" -PropertyType String -Force

    DefaultShell : c:/progra~1/powershell/7/pwsh.exe
    PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH
    PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE
    PSChildName  : OpenSSH
    PSDrive      : HKLM
    PSProvider   : Microsoft.PowerShell.Core\Registry

    PS C:\users\robert\.ssh>
Refresh openssh registry view and default shell appears | |
Open putty again and connect | |
Now defaults to powershell | |
Check if administrator |
    PowerShell 7.3.4
    PS C:\Users\robert> (New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    True
    PS C:\Users\robert> function Test-Administrator
    >> {
    >>     $user = [Security.Principal.WindowsIdentity]::GetCurrent();
    >>     (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
    >> }
    PS C:\Users\robert> Test-Administrator
    True