@terrillmoore
Last active August 21, 2023 19:16
Setting Up Inbound OpenSSH (sshd) access on Windows 10 and 11

The OpenSSH sshd service on Windows 10 and 11 is extremely useful, but a bit tricky to set up. Here are my notes on how to do it.

  1. Follow the instructions from [1] to "Install OpenSSH" via Windows Settings. Alternately, use an elevated (Administrator) PowerShell:

    Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
    Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

    Installing OpenSSH.Server is often quite slow (it seems to hang for a minute or two). Be patient.

  2. I'm assuming you're in the Administrators group on your Windows system. If so, and you want to log in using your own ID (rather than logging in as a user that's not part of the Administrators group), you need to do some special configuration. In any case, you definitely do not want to log in with your password, or leave password authentication enabled. We'll turn it off below.

  3. The OpenSSH server creates a number of files the first time you start it, in the directory %programdata%\ssh (typically C:\ProgramData). One of them is sshd_config, and we want to edit it. So start and stop the service using an Administrative PowerShell window, thereby creating the files and leaving them accessible to us:

    PS> dir $env:ProgramData\ssh
    PS> # the dir is empty, so no output.
    PS> Start-Service sshd
    PS> Stop-Service sshd
    PS> dir $env:ProgramData\ssh
    
    
        Directory: C:\ProgramData\ssh
    
    
    Mode                 LastWriteTime         Length Name
    ----                 -------------         ------ ----
    d-----         6/24/2022   7:18 PM                logs
    -a----         6/24/2022   7:18 PM              6 sshd.pid
    -a----          6/4/2021   5:53 PM           2297 sshd_config
    -a----         6/24/2022   7:18 PM           1405 ssh_host_dsa_key
    -a----         6/24/2022   7:18 PM            620 ssh_host_dsa_key.pub
    -a----         6/24/2022   7:18 PM            525 ssh_host_ecdsa_key
    -a----         6/24/2022   7:18 PM            192 ssh_host_ecdsa_key.pub
    -a----         6/24/2022   7:18 PM            419 ssh_host_ed25519_key
    -a----         6/24/2022   7:18 PM            112 ssh_host_ed25519_key.pub
    -a----         6/24/2022   7:18 PM           2622 ssh_host_rsa_key
    -a----         6/24/2022   7:18 PM            584 ssh_host_rsa_key.pub
    
    PS>
  4. Use an editor with administrative privileges to open the file %programdata%\ssh\sshd_config. You can use Notepad for this, if you launch it from the elevated PowerShell prompt.

    Find the following lines:

    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no

    Insert an uncommented line to disable PasswordAuthentication.

    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    PasswordAuthentication no
    #PermitEmptyPasswords no
  5. Having made the above change, save the file. Then follow the instructions from [1] to "Start and configure OpenSSH Server".

  6. On Linux or macOS, you'd add your SSH public key under your home directory, in .ssh/authorized_keys. However, because you're a member of the Administrators group, you need to add your SSH key in a file named %programdata%\ssh\administrators_authorized_keys; both the location and the file name are unique to Windows. To add your public key, an administrator cmd.exe is best; PowerShell likes to create UTF-16 files, but sshd will only read ASCII (or perhaps UTF-8) files.

    So: use the Start menu to open a "Command Prompt (Admin)", and then enter the following commands:

    cd C:\ProgramData\ssh
    echo ....yourkey.... >> administrators_authorized_keys
    cacls .\administrators_authorized_keys /e /r "NT AUTHORITY\Authenticated Users"

    Don't put quotes around "....yourkey.....", as cmd doesn't strip the quotes.

    The last line (with cacls) is important. The file administrators_authorized_keys may otherwise be created with read access given to Authenticated Users. If read access is given, sshd will notice, and will refuse to use the file.

    Note: if you use Notepad to create administrators_authorized_keys, be aware that it might put the UTF-8 prefix on the file. If you're not able to log in, enable logging per step 8 below and look for a line like this:

    10108 2023-08-21 12:04:01.373 debug2: __PROGRAMDATA__/ssh/administrators_authorized_keys:1: check options: 'ÿþs'
    

    The 'ÿþs' is your clue that there's a UTF-8 prefix on the file. The easiest way to remove it is to use the echo command (as above) and simply recreate the file. Or you can try opening the file with Notepad and using Save As to recreate it with encoding ANSI. However, check the permissions after doing this, just to make sure.

  7. Optional: if you want to log in with a POSIX-like shell:

    a. Make sure you have Git Bash installed.

    b. Change the remote login shell to Git Bash using the following PowerShell command:

    New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Program Files\Git\usr\bin\bash.exe" -PropertyType String -Force
    Restart-Service sshd
  8. If you need to enable logging in order to debug connection problems, you must change two lines in your sshd_config, and restart the service.

    Change from:

    # Logging
    #SyslogFacility AUTH
    #LogLevel INFO

    To:

    # Logging
    SyslogFacility LOCAL0
    LogLevel DEBUG2

    Restart the daemon using PowerShell:

    Restart-Service sshd
  9. If you enabled logging, be sure to disable it when you're finished debugging. Then, for security, delete the log file using an Admin PowerShell:

    Stop-Service sshd
    del C:\ProgramData\ssh\logs\sshd.log
    Start-Service sshd
  10. Be sure to set the ssh service to auto-start:

    Set-Service -Name sshd -StartupType 'Automatic'
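As an added example (not part of the gist), the following PowerShell script performs steps 4 to 6 and 10 in one go and then verifies the two things that most often break key login: the encoding of administrators_authorized_keys and its ACL. It assumes the default paths shown above, that you run it from an elevated PowerShell, and that you pass your public-key line as the hypothetical parameter $PubKey.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the gist): automates steps 4-6 and 10 above.
# Assumption: $PubKey holds one OpenSSH public-key line (the contents of your id_*.pub).
param([Parameter(Mandatory = $true)][string] $PubKey)

$sshDir  = Join-Path $env:ProgramData 'ssh'
$config  = Join-Path $sshDir 'sshd_config'
$keyFile = Join-Path $sshDir 'administrators_authorized_keys'

# Steps 4-5: add an active "PasswordAuthentication no" after the commented
# default, as the gist does, but only if it is not already there (idempotent).
$lines = Get-Content -Path $config
if (-not ($lines -match '^\s*PasswordAuthentication\s+no\s*$')) {
    $lines = $lines | ForEach-Object {
        $_
        if ($_ -match '^#PasswordAuthentication\s+yes') { 'PasswordAuthentication no' }
    }
    Set-Content -Path $config -Value $lines -Encoding Ascii
}

# Step 6: append the key as ASCII. Plain ">>" redirection in Windows PowerShell
# writes UTF-16 LE, whose leading bytes FF FE show up as 'ÿþ' in the sshd log.
Add-Content -Path $keyFile -Value $PubKey -Encoding Ascii

# Replace inherited permissions with Administrators and SYSTEM only; sshd refuses
# the file if anyone else (e.g. Authenticated Users) can read it.
$acl = Get-Acl -Path $keyFile
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited rules
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
}
Set-Acl -Path $keyFile -AclObject $acl

# Verify before restarting: no byte-order mark (UTF-16 LE FF FE or UTF-8 EF BB BF)
# and no Users / Authenticated Users entry left on the ACL.
$bytes = [System.IO.File]::ReadAllBytes($keyFile)
if (($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) -or
    ($bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF)) {
    throw "$keyFile starts with a byte-order mark; sshd will not parse it"
}
$extra = (Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference -match 'Authenticated Users|\\Users$' }
if ($extra) { throw "$keyFile is still readable by: $($extra.IdentityReference -join ', ')" }

# Step 10: re-read the config and make sshd start at boot.
Restart-Service -Name sshd
Set-Service -Name sshd -StartupType Automatic
```

If the script throws on the ACL check, the icacls/cacls step above was not applied; if it throws on the byte-order mark, recreate the file with the cmd.exe echo command from step 6.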

References

[1] "Get started with OpenSSH", https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
