{"id":13846,"date":"2017-12-15T15:05:46","date_gmt":"2017-12-15T23:05:46","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/powershell\/?p=13846"},"modified":"2019-04-13T13:43:57","modified_gmt":"2019-04-13T21:43:57","slug":"using-the-openssh-beta-in-windows-10-fall-creators-update-and-windows-server-1709","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/powershell\/using-the-openssh-beta-in-windows-10-fall-creators-update-and-windows-server-1709\/","title":{"rendered":"Using the OpenSSH Beta in Windows 10 Fall Creators Update and Windows Server 1709"},"content":{"rendered":"
\n

I’m thrilled to share that a Beta OpenSSH client and server daemon are available as a Feature-on-Demand in Windows 10 Fall Creators Update and Windows Server 1709<\/a>. Since our last update blog<\/a>, we’ve been working hard on a Win32 port of OpenSSH<\/a> and working closely with members of the OpenSSH Portable and OpenBSD projects with the eventual goal of bringing Win32 support upstream into OpenSSH Portable.<\/p>\n

Until then, you should expect OpenSSH support in Windows to continue to improve in future updates of Windows, including upcoming Windows Insider builds. You can track our progress on GitHub<\/a> where you can find our wiki<\/a> and the latest builds<\/a> that include tons of fixes and support for operating systems downlevel to Windows 7 and Server 2008 R2.<\/p>\n

Overview<\/h2>\n

OpenSSH<\/a> is a collection of client\/server utilities that enable secure remote login, remote file transfer, and public\/private key pair management. It’s an extremely powerful tool that originated as part of the OpenBSD project, and has been used for many years across the BSD, Linux, macOS, and Unix ecosystems.<\/p>\n

Note: The OpenSSH client and server are still very much in Beta,<\/strong> so we do not recommend using them in production environments.<\/strong><\/p>\n

Installation<\/h2>\n

Great! So how do I install the bits?<\/p>\n

Installing with the Settings UI<\/h3>\n

To install it using the Settings UI, go to Apps -> Apps and Features -> Manage optional features -> Add a feature:<\/p>\n

\"Apps<\/a>\"Manage<\/a><\/p>\n

Then select OpenSSH Client (Beta) or OpenSSH Server (Beta) and Install:<\/p>\n

\"Add<\/a><\/p>\n

Installing with PowerShell<\/h3>\n

To install OpenSSH using PowerShell, first launch PowerShell as an Administrator.<\/p>\n

To make sure that the OpenSSH features are available for install:<\/p>\n

\n
Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'<\/pre>\n
 <\/p>\n<\/div>\n
This should return the following output:<\/p>\n
Name  : OpenSSH.Client~~~~0.0.1.0\r\nState : NotPresent\r\n\r\nName  : OpenSSH.Server~~~~0.0.1.0\r\nState : NotPresent\r\n<\/code><\/pre>\n
Then, install the server and\/or client features:<\/p>\n
\n
# Install the OpenSSH Client\r\nAdd-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0\r\n\r\n# Install the OpenSSH Server\r\nAdd-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0<\/pre>\n
 <\/p>\n<\/div>\n
Both of these should return the following output:<\/p>\n
<\/code><\/pre>\n
Path          :\r\nOnline        : True\r\nRestartNeeded : False<\/pre>\n
<\/code><\/pre>\n
 <\/p>\n
<\/code><\/pre>\n
Installing with DISM.exe<\/h3>\n
To install OpenSSH with DISM.exe, first open CMD as an Administrator.<\/p>\n
To make sure that OpenSSH features are available for install:<\/p>\n
\n
dism \/Online \/Get-Capabilities |<\/span> findstr<\/span> OpenSSH<\/pre>\n<\/div>\n
This should return the following output:<\/p>\n
Capability Identity : OpenSSH.Client~~~~0.0.1.0\r\nCapability Identity : OpenSSH.Server~~~~0.0.1.0\r\n<\/code><\/pre>\n
Then, install the server and\/or client features:<\/p>\n
\n
dism \/Online \/Add-Capability \/CapabilityName:OpenSSH.Client~~~~0.0.1.0\r\ndism \/Online \/Add-Capability \/CapabilityName:OpenSSH.Server~~~~0.0.1.0<\/pre>\n<\/div>\n
Configuration<\/h2>\n
Great! You’ve installed OpenSSH. What now?<\/p>\n
Configuring the SSH Client (ssh.exe)<\/h3>\n
Password-based authentication<\/h4>\n
If you want to use the SSH client with password authentication, no configuration is necessary. Just pop open PowerShell or cmd, and use ssh<\/code> to connect to your SSH server:<\/p>\n
\n
ssh user1@contoso.com\r\n\r\n# You can also use domain accounts to login\r\n\r\n# UPN syntax works...\r\nssh user1@domain1@contoso.com\r\n# ...as does NetBIOS syntax\r\nssh user1\\domain1@contoso.com<\/pre>\n<\/div>\n
Key-based authentication<\/h4>\n
If you want to use key-based authentication, you first need to generate some public\/private key pairs for your client. From PowerShell or cmd, use ssh-keygen<\/code> to generate some key files.<\/p>\n
\n
cd ~\\.ssh\\\r\nssh-<\/span>keygen<\/pre>\n<\/div>\n
This should output something like:<\/p>\n
Generating public\/private ed25519 key pair.\r\nEnter file in which to save the key (C:\\Users\\user1\\.ssh\\id_ed25519):\r\n<\/code><\/pre>\n
You can hit Enter to accept the default or specify a path where you’d like your keys to be generated. At this point, you’ll be prompted to use a passphrase to encrypt your private key files.<\/p>\n
Enter passphrase (empty for no passphrase):\r\nEnter same passphrase again:\r\nYour identification has been saved in C:\\Users\\user1\\.ssh\\id_ed25519.\r\nYour public key has been saved in C:\\Users\\user1\\.ssh\\id_ed25519.pub.\r\nThe key fingerprint is:\r\nSHA256:OIzc1yE7joL2Bzy8\/gS0j8eGK7bYaH1FmF3sDuMeSj8 user1@CONTOSO@LOCAL-HOSTNAME\r\nThe key's randomart image is:\r\n+--[ED25519 256]--+\r\n|        .        |\r\n|         o       |\r\n|    . + + .      |\r\n|   o B * = .     |\r\n|   o= B S .      |\r\n|   .=B O o       |\r\n|  + =+% o        |\r\n| *oo.O.E         |\r\n|+.o+=o. .        |\r\n+----[SHA256]-----+\r\n<\/code><\/pre>\n
Now you have a public\/private ED25519 key pair\n(the .pub files are public keys and the rest are private keys):<\/p>\n
Mode                LastWriteTime         Length Name\r\n----                -------------         ------ ----\r\n-a----        11\/8\/2017  11:09 AM           1679 id_ed25519\r\n-a----        11\/8\/2017  11:09 AM            414 id_ed25519.pub\r\n<\/code><\/pre>\n
Your private key files are the equivalent of a password. <\/strong>You should protect them under any and all circumstances. <\/strong>If someone acquires your private key, <\/strong>they can log in to any SSH server as an identity that authorizes the corresponding public key to log in.<\/strong><\/p>\n
For that reason, we should take advantage of ssh-agent<\/code> to securely store the private keys within a Windows security context. To do that, we simply start the ssh-agent<\/code> service (as Administrator) and use ssh-add<\/code> to store our private key. Then, whenever a private key is needed for authentication, ssh-agent<\/code> will automatically retrieve your local user’s private key and pass it to your SSH client.<\/p>\n
\n
# Make sure you're running as an Administrator\r\nStart-Service ssh-agent\r\n\r\n# This should return a status of Running\r\nGet-Service ssh-agent\r\n\r\n# Now load your key files into ssh-agent\r\nssh-add ~\\.ssh\\id_ed25519\r\n\r\n# Now that it's loaded into ssh-agent,\r\n# we don't have to keep the key file anymore\r\nRemove-Item ~\\.ssh\\id_ed25519<\/pre>\n
 <\/p>\n<\/div>\n
Move the contents of your public key (~\\.ssh\\id_ed25519.pub<\/code>) into a text file called authorized_keys<\/code> in ~\\.ssh\\<\/code> on your server\/host.<\/p>\n
Note: these directions assume your sshd server is a Windows-based machine using our OpenSSH-based server, and that you’ve properly configured it based on the instructions below (including the installation of the OpenSSHUtils<\/code> PowerShell module). If you’re using a non-Windows machine, you should replace all remote instances of C:\\users\\user1<\/code> with something like \/home\/user1<\/code>. Additionally, the ACL line should be unnecessary that uses PowerShell should be unnecessary.<\/p>\n
\n
# Make sure that the .ssh directory exists in your server's home folder\r\nssh user1@domain1@contoso.com mkdir C:\\users\\user1\\.ssh\\\r\n\r\n# Copy your public key file to authorized_keys on your server\r\nscp C:\\Users\\user1\\.ssh\\id_ed25519.pub user1@domain1@contoso.com:C:\\Users\\user1\\.ssh\\authorized_keys\r\n\r\n# Appropriately ACL the authorized_keys file on your server\r\nssh --% user1@domain1@contoso.com powershell -c $ConfirmPreference = 'None'; Repair-AuthorizedKeyPermission C:\\Users\\user1\\.ssh\\authorized_keys<\/pre>\n
 <\/p>\n<\/div>\n
Congrats! You should no longer need a password when authenticating as User1<\/code> against contoso.com<\/code>.<\/p>\n
Configuring the OpenSSH Server (sshd)<\/h3>\n
First, it’s worth noting again that this OpenSSH for Windows is still very much in beta form. <\/strong>It should only be used in safe, testing environments.<\/strong><\/p>\n
To enable authentication into an SSH server on Windows, you first have to generate host keys. As an Administrator:<\/p>\n
\n
Start-Service ssh-agent\r\n\r\ncd C:\\Windows\\System32\\OpenSSH\r\n.\\ssh-keygen -A\r\n# C:\\Windows\\System32\\OpenSSH\\ssh-keygen.exe: generating new host keys: ED25519\r\n.\\ssh-add ssh_host_ed25519_key\r\n# Identity added: .\\ssh_host_ed25519_key (User1@CONTOSO@LOCAL-HOSTNAME)<\/pre>\n
 <\/p>\n<\/div>\n
Due to certain security requirements, you will also have to install our OpenSSHUtils<\/code> helper module to appropriately ACL your host keys. As an Administrator:<\/p>\n
\n
Install-Module -Force OpenSSHUtils\r\n\r\nRepair-SshdHostKeyPermission -FilePath C:\\Windows\\System32\\OpenSSH\\ssh_host_ed25519_key\r\n\r\n# Use A or Y as your response to the prompts to set file owners<\/pre>\n
 <\/p>\n<\/div>\n
Then you can start sshd and your server is ready to go:<\/p>\n
\n
Start-Service sshd\r\n\r\n# This should return a Status of Running\r\nGet-Service sshd<\/pre>\n
 <\/p>\n<\/div>\n
Note: currently only the built-in ED25519 authentication key type is supported. In the future, we plan to add support for LibreSSL which will enable additional authentication key types. In the meantime, you can experiment with LibreSSL builds on GitHub<\/a>.<\/p>\n
You may also need to add a firewall rule like this one that allows traffic on port 22 (though your requirements may vary based on your environment, e.g. Domain<\/code> might be Private<\/code>):<\/p>\n
\n
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Service sshd -Enabled True -Direction Inbound -Protocol TCP -Action Allow -Profile Domain<\/pre>\n
 <\/p>\n<\/div>\n
Stay tuned!<\/h2>\n
Enjoy playing with OpenSSH on Windows, and keep your eyes peeled on the PowerShell blog for upcoming news.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
I’m thrilled to share that a Beta OpenSSH client and server daemon are available as a Feature-on-Demand in Windows 10 Fall Creators Update and Windows Server 1709. Since our last update blog, we’ve been working hard on a Win32 port of OpenSSH and working closely with members of the OpenSSH Portable and OpenBSD projects with […]<\/p>\n","protected":false},"author":657,"featured_media":13641,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-13846","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-powershell"],"acf":[],"blog_post_summary":"
I’m thrilled to share that a Beta OpenSSH client and server daemon are available as a Feature-on-Demand in Windows 10 Fall Creators Update and Windows Server 1709. Since our last update blog, we’ve been working hard on a Win32 port of OpenSSH and working closely with members of the OpenSSH Portable and OpenBSD projects with […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/13846","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/users\/657"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/comments?post=13846"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/13846\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media\/13641"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media?parent=13846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/categories?post=13846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/tags?post=13846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}