Installing and Configuring OpenSSH on Windows Server 2019

While I’ve never had a problem with PowerShell remoting for remote command line interaction with Windows Server, I’ve often found that it isn’t something that many systems administrators, especially those that work in heterogeneous environments, are entirely at ease with. I’ve lost count of the number of times that I’ve seen experienced admins RDP across to a box running Windows Server so that they can interact with the operating system through a command prompt.


Windows Server 2019 and the most recent version of Windows 10 include the ability to install both an SSH client and an SSH server. Because most of us work with heterogenous systems, we are familiar with SSH’ing into a server or device to perform admin tasks. Now that it’s available and easy to configure on Windows Server 2019, I find myself using SSH, rather than other remote connection methods, as my default method of remotely connecting to servers, be they proximate or running in Azure.


To get an SSH client onto Windows 10 or Windows Server 2019, without using 3rd party software or installing Windows Subsystem for Linux, use the PowerShell command:


Add-WindowsCapability -Online -Name OpenSSH.Client~~~~

To add an SSH client and SSH server to Windows Server 2019, use the following PowerShell commands:


Add-WindowsCapability -Online -Name OpenSSH.Server~~~~
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~

I have found it useful to add both client and server capability to Windows Server. This is also useful if the server will function a jump box. Once you’ve added the capability, you need to do a few things to get the SSH server working before you’re ready to go.


If you’re intending to use key based, rather than password based, authentication, you should also run the following command on the server to install an OpenSSH related PowerShell module that includes tools to help you configure that functionality:


Install-Module -Force OpenSSHUtils -Scope AllUsers

I also recommend running the following PowerShell commands on the server to install the Nano text editor, which allows you to edit text files through an SSH session. If you’re going to use key based authentication rather than passwords, you’ll need to edit one of the config files (I’ll explain what you need to do a little later in the article):


Set-ExecutionPolicy Bypass
Iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex
choco install nano -y

The next thing you’ll need to do on your server is to configure the disabled ssh-agent service to automatically start and also configure the sshd service to automatically start. To do this, run the following PowerShell commands:


Set-Service -Name ssh-agent -StartupType ‘Automatic’
Set-Service -Name sshd -StartupType ‘Automatic’

The final step in getting SSH running on Windows Server 2019 is to run the following commands to start the relevant services:


Start-Service ssh-agent
Start-Service sshd

If you do all of this, you’ll be able to connect using password passed authentication from an SSH client using the syntax:


ssh username@hostname_or_IP_address

If you’re connecting to a domain account the format is


ssh username@domain@hostname_or_IP_address

The reality of SSH is that the vast majority of people that use it, use key based authentication rather than password based authentication. To get key based authentication working with Windows Server 2019’s SSH server, you’ll need to the following:


On the client change to the .ssh directory and run the command ssh-keygen accepting the defaults (you can change the name of the keys and provide a key password if you really want to, but that’s beyond the scope of this article)


Cd ~\.ssh\

Doing this with the default values will create a public and private key. The private key will be id_rsa and the public key will be id_rsa.pub.


The next thing you should do is add your private key to your Windows security context. You can do this by running the following three commands:


Set-Service ssh-agent -StartupType ‘Automatic’
Start-service ssh-agent
Ssh-add ~\.ssh\id_rsa

Once you’ve done this, you’ll want to deploy your public key to the Windows Server 2019 server that you want to use SSH key based authentication with. To do this, perform the following steps (where chancellor is the name of the user account you’re configuring SSH key based authentication for):


Ssh chancellor@ mkdir c:\users\chancellor\.ssh\
Scp c:\users\chancellor\.ssh\id_rsa.pub chancellor@\Users\Administrator\.ssh\authorized_keys

You’ll then need to run the following PowerShell command, located in that OpenSSHUtils PowerShell module I mentioned earlier, to configure some of the permissions for the authorized keys file. You might even want to SSH across to the server using password based authentication to do this:


Repair-AuthorizedKeyPermission C:\users\Chancellor\.ssh\authorized_keys

Because the PowerShell cmdlet doesn’t entirely work as it should, you’ll also need to run the following command as “NT SERVICE\sshd” should not have any permissions to the authorized_keys file (if it does, key based authentication doesn’t seem to work)


Icacls authorized_keys /remove “NT SERVICE\sshd”

The final step you’ll need to take requires you to edit the c:\ProgramData\ssh\sshd_config file, which you can do using the nano text editor and comment out the following lines (which are at the end of the file):


# Match Group administrators                                                   
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys 

You may need to do this locally on the Windows Server 2019 box. Once this is done, you can restart the sshd service (restart-service sshd) and you will be able to connect from your client using key based authentication.