The latest versions of Windows come with a built-in SSH server and client, based on the OpenSSH open-source package. This means that you can now remotely connect to Windows 10/11 or Windows Server 2022/2019 machines using any SSH client, similar to Linux distros. In this article, we’ll show you how to enable and configure an SSH server on Windows and connect to it using Putty or another SSH client.
Installing SSH Server on Windows
OpenSSH has been part of Windows since Windows 10 build 1809 (April 2018 update).
On Windows 10 or 11, you can use the Settings panel to enable the OpenSSH server:
- Go to Settings > Apps > Apps and features > Optional features. Or run the command:
ms-settings:appsfeatures
- Click Add a feature, select OpenSSH Server (OpenSSH-based secure shell (SSH) server, for secure key management and access from remote machines), and click Install.
- Wait for the OpenSSH server installation to complete.
You can also use PowerShell to install the SSH server:
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Check if the OpenSSH server is installed:
Get-WindowsCapability -Online | ? Name -like 'OpenSSH.Server*'
Name : OpenSSH.Server~~~~0.0.1.0
State : Installed
To install OpenSSH this way, the Windows machine must be connected to the Internet. In offline environments, OpenSSH Server can be installed from a Features on Demand (FoD) ISO image:
- Download the Features on Demand (FoD) ISO image for your version of Windows from the Volume Licensing Service Centre (VLSC) or from My Visual Studio.
- Mount the FoD ISO media to a virtual DVD drive in Windows;
- Install the OpenSSH.Server with the command:
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 -Source "E:\" -LimitAccess
Note. For previous Windows versions, you can manually install the Win32-OpenSSH port from the GitHub repository. The OpenSSH binaries are located in the C:\Windows\System32\OpenSSH\ folder.
How to Enable and Configure SSH Server on Windows
Use the PowerShell Get-Service command to check the status of the ssh-agent and sshd services:
Get-Service -Name *ssh*
By default, both services are stopped. Run the OpenSSH services and enable autostart for them using the commands:
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'
Start-Service ssh-agent
Set-Service -Name ssh-agent -StartupType 'Automatic'
Then enable the Windows Defender firewall rule that allows remote connections to the SSH server (TCP port 22):
Get-NetFirewallRule -Name *OpenSSH-Server* | Enable-NetFirewallRule
Check that the sshd service is running and listening on port TCP/22:
netstat -nao | find /i '":22"'
The configuration file %programdata%\ssh\sshd_config contains the OpenSSH server settings.
You can open and edit this file with Notepad. Open the sshd_config file for editing from elevated PowerShell prompt:
Notepad.exe $env:PROGRAMDATA\ssh\sshd_config
Let’s look at some of the sshd_config directives:
- Enable the SSH key-based authentication: PubkeyAuthentication yes
- Disable password auth: PasswordAuthentication no
- Change the SSH port number (from the default TCP 22): Port 22
Using the directives AllowGroups, AllowUsers, DenyGroups, DenyUsers, you can specify users and groups that are allowed or denied to connect to Windows via SSH:
- DenyUsers theitbros\jbrown@192.168.1.15 – denies connections for the user jbrown from the host 192.168.1.15;
- DenyUsers theitbros\* – prevents all users from the theitbros domain from connecting to the host via SSH;
- AllowGroups theitbros\ssh_allow – only allows members of the theitbros\ssh_allow group to connect to the host;
- AllowUsers mylocaluser1@192.168.31.100 – allows an SSH connection under the mylocaluser1 account from the host 192.168.31.100.
The allow and deny rules of sshd are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and AllowGroups.
Restart the sshd service after making changes to the sshd_config file:
Get-Service sshd | Restart-Service -Force
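The directives above are usually applied by hand in Notepad. The following script is an added example (not from the article) that applies an allow-list and key-only policy to sshd_config, validates the result, and restarts the service; it assumes an elevated prompt, that sshd.exe accepts the standard -t (test) and -f (config file) switches, and a local group named ssh_allow.

```powershell
# Added example (not from the article): enforce key-only SSH access restricted to one
# local group, validate sshd_config, and restart sshd. Run from an elevated PowerShell
# prompt; the group name 'ssh_allow' is an assumption.
$sshd   = Join-Path $env:SystemRoot 'System32\OpenSSH\sshd.exe'
$config = Join-Path $env:ProgramData 'ssh\sshd_config'
$backup = "$config.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $config -Destination $backup          # keep a copy to roll back to

# Directives to enforce in the global section of sshd_config.
$desired = [ordered]@{
    'PubkeyAuthentication'   = 'yes'
    'PasswordAuthentication' = 'no'
    'AllowGroups'            = 'ssh_allow'
}

[System.Collections.Generic.List[string]]$lines = @(Get-Content -Path $config)

# Global directives must come before the first 'Match' block: anything placed after it
# is scoped to that block, and AllowGroups is not even permitted inside Match.
$firstMatch = ($lines | Select-String -Pattern '^\s*Match\b' | Select-Object -First 1).LineNumber
$insertAt   = if ($firstMatch) { $firstMatch - 1 } else { $lines.Count }

foreach ($name in $desired.Keys) {
    $pattern = "^\s*#?\s*$name\s"                     # active or commented-out directive
    $idx = -1
    for ($i = 0; $i -lt $insertAt; $i++) {            # search the global section only
        if ($lines[$i] -match $pattern) { $idx = $i; break }
    }
    if ($idx -ge 0) {
        $lines[$idx] = "$name $($desired[$name])"     # overwrite or un-comment in place
    } else {
        $lines.Insert($insertAt, "$name $($desired[$name])")
        $insertAt++
    }
}
# The stock sshd_config is plain ASCII, so no BOM is written.
Set-Content -Path $config -Value $lines.ToArray() -Encoding ascii

# Validate before restarting: a broken config would leave sshd unable to start.
& $sshd -t -f $config
if ($LASTEXITCODE -ne 0) {
    Copy-Item -Path $backup -Destination $config -Force
    throw "sshd_config failed validation; previous configuration restored from $backup"
}
Restart-Service -Name sshd -Force
Write-Host "sshd_config updated; backup saved as $backup"
```

Keep an existing session open while testing the new policy so a mistake in the allow-list does not lock you out of the host.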
Connect to Windows via SSH
Now you can connect to the Windows machine using any SSH client. To connect from Linux, use the command:
ssh -p 22 admin@192.168.1.90
- admin is a local Windows user that you want to connect as. This account must be a member of the built-in Administrators group.
- 192.168.1.90 is an IP address or FQDN of the remote Windows host.
Enter a Windows user password and a command prompt will open in the SSH session.
You can use the popular Putty client to connect to a Windows computer over the SSH protocol:
- Download and run putty.exe;
- Enter the hostname or IP address of the remote Windows host you want to connect;
- Select the Connection type: SSH and make sure port number 22 is specified;
- Click Open;
- The first time you connect to a Windows host via SSH, a Security warning will appear asking you to confirm that you want to add the ssh-ed25519 key fingerprint of the remote machine to your local cache. If you trust this host, click the Accept button. This will add that server to the list of known SSH hosts;
Note. The OpenSSH server's host public keys are stored in C:\ProgramData\ssh\ (for example, ssh_host_ecdsa_key.pub and ssh_host_ed25519_key.pub). To view the fingerprint of the Ed25519 host key on a Windows host, use the command:
ssh-keygen -lf C:\ProgramData\ssh\ssh_host_ed25519_key.pub
- Enter the Windows user name and password to connect;
- Once logged in, the remote Windows host command prompt opens;
- You can now interactively run commands on the remote host.
You can also use the built-in Windows SSH client to connect to another Windows host. Install the ssh.exe client on Windows using the command:
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
Now you can connect to a remote SSH host directly from the Windows command prompt:
ssh user123@192.168.13.202
The first time you connect, add the fingerprint of the SSH server’s ECDSA key to the list of known hosts (type yes > enter).
Enter the user's password and a command prompt should appear.
You can now use the OpenSSH.Client tools (scp.exe, sftp.exe) to copy a file between hosts using the SSH protocol. The following command will copy the local test1.log file to a remote Windows SSH-enabled host:
scp.exe D:\PS\test1.log root@192.168.13.202:c:\temp
If you prefer to use Windows Terminal, you can add the required SSH host profiles to it for quick connection:
- Run Windows Terminal and go to Settings;
- Click the Add a new profile button in the Profiles section;
- Specify that you want to duplicate a PowerShell profile;
- Specify a profile name (“SSH Windows 10 DEVPC” in this example);
- In the Command line parameter, specify the connection string to your SSH host. For example: %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe ssh root@192.168.13.202
- Save the profile;
- There is now a separate option in the Windows Terminal menu for a quick SSH connection to a Windows host.
Hint. You can change the default SSH shell on Windows from cmd.exe to PowerShell using the command:
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
Now when you connect to Windows via SSH, you will immediately see the PowerShell prompt instead of cmd.exe.
SSH Key-Based Authentication on Windows
You can use SSH key-based authentication instead of a username/password pair on Windows.
Generate public/private key pairs using the Ed25519 algorithm on a Windows client:
ssh-keygen -t ed25519
You can set a passphrase for additional protection of the key. The ssh-keygen tool will generate two key files and save them in the current user’s profile (C:\Users\username\.ssh):
- id_ed25519 – private key
- id_ed25519.pub – public key
The SSH keys can be loaded automatically using the ssh-agent service on the client. Check that the service is running and add your private key:
Start-Service ssh-agent
ssh-add $env:USERPROFILE\.ssh\id_ed25519
Now copy the key value from the id_ed25519.pub file and paste it into the administrators_authorized_keys file on the SSH server:
Notepad.exe $env:PROGRAMDATA\ssh\administrators_authorized_keys
Open the file C:\ProgramData\ssh\sshd_config and enable key-based authentication:
PubkeyAuthentication yes
Restart the sshd service:
Get-Service sshd | Restart-Service
The ssh-agent will now automatically use the private key for authentication when connecting to a remote host.
Or you can manually specify the path to the key file:
ssh username1@192.168.13.202 -i "C:\Users\user\.ssh\id_ed25519"
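Pasting the key into administrators_authorized_keys with Notepad works, but sshd also requires that file to be readable and writable only by Administrators and SYSTEM, or it silently ignores it. The following script is an added example (not from the article) that appends the key safely and sets that ACL; it assumes an elevated prompt on the server and that the client's id_ed25519.pub has been copied to C:\temp\ (an assumed path).

```powershell
# Added example (not from the article): install a client's public key for an
# administrative account on the Windows SSH server and set the ACL that sshd requires.
# Run elevated on the server; the $PublicKeyFile path is an assumption.
param([string]$PublicKeyFile = 'C:\temp\id_ed25519.pub')   # copied from the client

$authKeys = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'

# Accept exactly one well-formed OpenSSH public key line: "<type> <base64> [comment]".
$key = (Get-Content -Path $PublicKeyFile -Raw).Trim()
if ($key -notmatch '^(ssh-ed25519|ecdsa-sha2-nistp\d+|ssh-rsa) [A-Za-z0-9+/=]+( .*)?$') {
    throw "$PublicKeyFile does not contain a single OpenSSH public key"
}

# Skip the append if the same key (type + blob, comment ignored) is already present.
$blob     = ($key -split ' ')[0,1] -join ' '
$existing = if (Test-Path $authKeys) { @(Get-Content -Path $authKeys) } else { @() }
if ($existing | Where-Object { (($_ -split ' ')[0,1] -join ' ') -eq $blob }) {
    Write-Host 'Key is already authorized'
} else {
    Add-Content -Path $authKeys -Value $key -Encoding ascii
    Write-Host "Key added to $authKeys"
}

# sshd ignores administrators_authorized_keys unless only Administrators and SYSTEM can
# access it: a file writable by other users would let them grant themselves admin SSH access.
# Well-known SIDs are used so the command works regardless of the display language.
icacls.exe $authKeys /inheritance:r /grant '*S-1-5-32-544:F' /grant '*S-1-5-18:F' | Out-Null
icacls.exe $authKeys   # print the resulting ACL for review
```

This file applies only to members of the Administrators group (the stock sshd_config routes them to it in its Match Group administrators block); keys for other accounts go in %USERPROFILE%\.ssh\authorized_keys on the server.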
On Windows, SSH logs can be viewed using the Event Viewer console (eventvwr.msc). Expand Application and Services Logs > OpenSSH > Operational.
For example, the following event records a successful connection to the computer via SSH. You can see the SSH client's IP address (hostname) and the username used to connect:
Sshd: Accepted password for jbrown from 192.168.14.14. port 49833 ssh2
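Reading such events one by one in Event Viewer does not scale. The following script is an added example (not from the article) that parses sshd authentication messages from the OpenSSH/Operational log and flags source addresses with repeated failures; the function names are the author's own, and the sample messages are constructed to mirror the event above.

```powershell
# Added example (not from the article): parse sshd authentication events from the
# OpenSSH/Operational log and flag source addresses with repeated failures.
# Run on the Windows SSH server; the sample messages at the bottom are constructed.
function ConvertFrom-SshdAuthMessage {
    # Handles "sshd: Accepted password for jbrown from 192.168.14.14 port 49833 ssh2"
    # and "sshd: Failed password for invalid user admin from 10.0.0.5 port 50110 ssh2".
    param(
        [Parameter(ValueFromPipeline)][string]$Message,
        [datetime]$Time = (Get-Date)
    )
    process {
        $re = '(?<result>Accepted|Failed) (?<method>\S+) for (?:invalid user )?(?<user>\S+) ' +
              'from (?<ip>\S+?)\.? port (?<port>\d+)'   # tolerates a stray "." after the IP
        if ($Message -match $re) {
            [pscustomobject]@{
                Time = $Time; Result = $Matches.result; Method = $Matches.method
                User = $Matches.user; SourceIP = $Matches.ip; Port = [int]$Matches.port
            }
        }
    }
}

function Get-SshdFailureSummary {
    # Reads the live event log and groups failed logins by source address.
    param([int]$Hours = 24, [int]$Threshold = 5)
    $filter = @{ LogName = 'OpenSSH/Operational'; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $parsed = foreach ($e in $events) { ConvertFrom-SshdAuthMessage -Message $e.Message -Time $e.TimeCreated }
    $parsed | Where-Object Result -eq 'Failed' | Group-Object SourceIP |
        Where-Object Count -ge $Threshold | ForEach-Object {
            [pscustomobject]@{
                SourceIP = $_.Name
                Failures = $_.Count
                Users    = ($_.Group.User | Sort-Object -Unique) -join ','
            }
        }
}

# Constructed sample messages mirroring the event shown in the article.
$sample = @(
    'sshd: Accepted password for jbrown from 192.168.14.14. port 49833 ssh2',
    'sshd: Failed password for invalid user admin from 10.0.0.5 port 50110 ssh2',
    'sshd: Failed password for jbrown from 10.0.0.5 port 50111 ssh2'
)
$sample | ConvertFrom-SshdAuthMessage | Format-Table Result, Method, User, SourceIP, Port
# Against the real log, e.g. the last day with five or more failures from one address:
# Get-SshdFailureSummary -Hours 24 -Threshold 5
```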
1 comment
Thank you! Saved a life with this line…
“You can configure various OpenSSH server settings in Windows using the %programdata%\ssh\sshd_config configuration file.”
Somebody had set the servers up so that I always had to add my password