Puget Systems print logo

https://www.pugetsystems.com

Read this article at https://www.pugetsystems.com/guides/1470
Dr Donald Kinghorn (Scientific Computing Advisor )

How To Use SSH Client and Server on Windows 10

Written on May 31, 2019 by Dr Donald Kinghorn
Share:

Introduction

Secure Shell (ssh) is a standard tool included on most "network" operating systems i.e. Linux, UNIX, MacOS, etc.. In the past Windows required a 3rd party application to get even a usable ssh client. For users who needed to connect securely to the rest of the world with a command line interface PuTTY has been a common addition. After several decades Microsoft finally has a native ssh client AND server on Windows! Both the client and server are standard (and in stable versions) on Windows 10 since the 1809 "October Update".

For a developer or researcher it's not unusual to be working with several machines at the same time. Connecting remotely to servers or other workstations in a mixed OS environment is a common need. You can now connect from a Windows 10 system to Linux servers or workstations easily and you can go the other direction too. You can "ssh into" a Windows 10 machine from Linux or other Windows machines. For me personally this kind of connectivity is essential. I may be using 3 or 4 different machine at the same time and I always have several terminal's open. I typically work with Linux and Windows 10 (locally or remotely) at the same time. The interoperability between Linux and Windows 10 has become very good.

This post is a setup guide and introduction to ssh client and server on Windows 10. I'm doing this partly as a reference for other posts that I'll be doing where this functionality will be utilized.

I am not going to cover much detail about using ssh. If ssh is new to you then note that Microsoft ssh is a native port of the widely used standard OpenSSH client and server. That means that most information about using ssh that you find online will apply even though those sources will likely be references from Linux, UNIX or MacOS. The official documentation for components of OpenSSH is the standard reference. The Windows Server documentation has a section titled "OpenSSH in Windows"

The normal suite of of functions are included with the Windows 10 port,

  • ssh.exe, which is the SSH client used from the user's local system
  • sshd.exe, which is the SSH server that accept connections from other systems
  • ssh-keygen.exe generates, manages and converts authentication keys for SSH
  • ssh-agent.exe stores private keys used for public key authentication
  • ssh-add.exe adds private keys to the list allowed by the server
  • ssh-keyscan.exe aids in collecting the public SSH host keys from a number of- hosts
  • sftp.exe is the service that provides the Secure File Transfer Protocol, and- runs over SSH
  • scp.exe is a file copy utility that runs on SSH

The user applications that you will use most frequently are; ssh (secure shell), for connecting to other systems, and scp (secure copy) for for copying files and directories back and forth with remote systems.

Enable ssh and ssh server on Windows 10

I am using a fresh install of Windows 10 Pro 1903. I have done this on Windows 10 Home too.

The simplest way to setup ssh and ssh server is to use PowerShell. After all you do want to use the command-line, right?

You need administrator privileges to enable services so open Powershell as Administrator, (right click on the Powershell icon in the application menu)

powershell as admin

The following command will show you the name and state of OpenSSH on your system,

Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'

You should see something like,

Name : OpenSSH.Client~~~~0.0.1.0
State : Installed

Name : OpenSSH.Server~~~~0.0.1.0
State : NotPresent

That is telling you that the ssh client is installed. (It's ready to use by default in recent Windows 10 builds.) The server is not setup yet.

Add the OpenSSh server component,

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

That command will download the server component and install it. Output will look like,

Path :
Online : True
RestartNeeded : False

Note: If for some reason your systems showed "NotPresent" for the client too then you would do the same command above but using "OpenSSH.Client~~~~0.0.1.0"

You now have the ssh server installed but it is not running. The next command will start the service,

Start-Service sshd

That will start silently. You can see that it is running with Get-Service,

PS C:Windowssystem32> Get-Service sshd

Status Name DisplayName
------ ---- -----------
Running sshd OpenSSH SSH Server

You could stop it with, you guessed it, "Stop-Service sshd"

Note: the name of the ssh server application is "sshd". This is a typical naming convention from UNIX. The "d" means "daemon". Services in Linux/UNIX are called daemons. Now you understand the meaning of the BSD UNIX mascot "Beastie" which you may have seen before.

In order to avoid having to manually start sshd you can do the following to have it start on boot.

Set-Service -Name sshd -StartupType 'Automatic'

The last thing to check is the firewall setting for sshd. It by default uses the port number 22. Enabling the service automatically created the following firewall rules,

PS C:Windowssystem32> Get-NetFirewallRule -Name *ssh*


Name                  : OpenSSH-Server-In-TCP
DisplayName           : OpenSSH SSH Server (sshd)
Description           : Inbound rule for OpenSSH SSH Server (sshd)
DisplayGroup          : OpenSSH Server
Group                 : OpenSSH Server
Enabled               : True
Profile               : Any
Platform              : {}
Direction             : Inbound
Action                : Allow
EdgeTraversalPolicy   : Block
LooseSourceMapping    : False
LocalOnlyMapping      : False
Owner                 :
PrimaryStatus         : OK
Status                : The rule was parsed successfully from the store. (65536)
EnforcementStatus     : NotApplicable
PolicyStoreSource     : PersistentStore
PolicyStoreSourceType : Local

Note: If you enable sshd you are creating an "open port" for port 22. (Otherwise you wouldn't be able to connect to it.) If your system is exposed to the outside world then that might bother you. You can do things to tighten up security like disallowing passwords and requiring only "public-key" access. I'm not going to cover any of that here. If you are on a private LAN you don't have too much to worry about, but always be security conscious and use good passwords!

Now that you have the server up and running you should close the Powershell that you were running as Administrator. Start another Powershell as your normal user for the examples below.

Using ssh on Windows 10

Now the fun stuff.

The basic connection command (on any OS) for ssh looks like,

ssh user-name-on-remote-sys@ip-address-of-remote-sys

If your user name on the system you are connecting from is the same as your user name on the system you are connecting to, then you can leave out the "user-name-on-remote-sys@" part. There are a lot of options for ssh, to dig deeper look at the docs

If you are on a network with "name resolution i.e. DNS" then you can use the name for the machine rather than it's ip address.

ssh from Windows 10 to Linux

For this example I'll go through the details you see when connecting to a Linux machine. I'm using Powershell on Windows 10.

The following shows my Powershell command prompt with my user name "don". I'm connecting to one of my Linux systems on a local network. My user name is "kinghorn" on that machine.

PS C:Usersdon> ssh kinghorn@192.168.3.70

When you first connect to a machine that you haven't accessed before you will see something like,

The authenticity of host '192.168.3.70 (192.168.3.70)' can't be established.
ECDSA key fingerprint is SHA256:(a bunch of stuff...).
Are you sure you want to continue connecting (yes/no)? yes

Saying "yes" adds a key entry to your ".sshknown_hosts" file. The next time you connect ssh will check that key and will either silently connect or give you a scary message if the key doesn't match. [A key mismatch can happen if you reinstall the remote system and it still has the same ip address. It will have a new ssh key. To fix that you will need to remove the old key from the "known-hosts" file.]

After your first connection with ssh look in your user directory and you should see a new directory named .ssh There is a lot of configuration options that can be set in various files in that directory but you usually don't need to do anything in there unless you start doing "public key exchange" for connecting to systems securely without passwords.

ssh directory

Here's an example Powershell session "ssh-ing" into a Linux system,

PS C:Usersdon> ssh kinghorn@192.168.3.90
The authenticity of host '192.168.3.90 (192.168.3.90)' can't be established.
ECDSA key fingerprint is SHA256:(a bunch of stuff...).
Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.3.90' (ECDSA) to the list of known hosts.

kinghorn@192.168.3.90's password:
Welcome to Ubuntu 19.04 (GNU/Linux 5.0.0-15-generic x86_64)

...
then a long default login message from Ubuntu...
...

Last login: Tue May 28 09:27:03 2019 from 192.168.3.105

kinghorn@U19:~$ ls
anaconda3  bin  Desktop  Documents  Downloads  Music  Pictures  projects  Public  snap  Templates  tmp  Videos

From there I am securely connected to my Linux system with a command prompt ready for what ever I need to do.

ssh From Linux to Windows 10

Since we have the OpenSSH server running on the Windows 10 system we can ssh into that now too.

You might not think you wouldn't do that much but I actually do that fairly often. Right now I have 3 Windows 10 machines running and 3 Linux machines including one at a remote location that I am doing testing on. I can connect from any of these machines to any other with ssh. I am writing this post on a Linux machine and I just used the "scp" command (part of the ssh bundle) to copy a directory of screen shots from a Windows 10 machine here. And, I didn't even have to go near the Windows machine to do that.

Here is a session where I log into my Windows 10 laptop from an Ubuntu 19.04 machine.

When you connect to the ssh server on Windows 10 you are given a CMD shell (the old DOS like shell). From there I started Powershell and then started bash on Ubuntu 18.04 using WSL (Windows Subsystem for Linux). The interoperability between Windows 10 and Linux is getting very good!

kinghorn@U19:~$ ssh don@192.168.3.105
don@192.168.3.105's password: 

Microsoft Windows [Version 10.0.17763.529]
(c) 2018 Microsoft Corporation. All rights reserved.

don@DLAP C:Usersdon>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:Usersdon> bash
kinghorn@Dlap:/mnt/c/Users/don$  

Note: On that laptop I am using a Microsoft account so my password was for that account.

ssh from Windows 10 to Windows 10

This works the same as any other combination of OS's. From Windows 10 you can use Powershell or CMD to run ssh. [If you have WSL installed you can use that too.] By default when you ssh to a Windows 10 machine you will login to CMD, it doesn't matter what you use to connect from.

In this example I am connecting to the the Windows 10 machine that I used for the ssh setup testing. I'm connecting from the laptop I connected to in the example above. (I'm not anywhere near that laptop.)

don@DLAP C:Usersdon>ssh don@192.168.3.111

Microsoft Windows [Version 10.0.18362.116]
(c) 2019 Microsoft Corporation. All rights reserved.

don@DESKTOP-Q36DH26 C:Usersdon>

No big surprises here, it just works. It's basically the same connecting from any OS to another. The main difference is the "shell" command that you connect from and the shell you connect to.

scp Secure Copy

One of the most useful tools in the ssh suite is "scp". This gives you a simple to use encrypted remote copy capability. It uses ssh as a "tunnel" for the copy.

The basic usage of scp for a single file copy to a remote machine is

scp file1  username@machine-ip:path-to-directory

The important thing to note here is that after "machine-ip" ( : ) is the top level directory of the machine. The path-to-the directory should use the syntax of the machine you are connecting to i.e. for Linux the directory separator is (/) for Windows it's (). Also, on Linux (~) is shorthand for the login users home directory. Connecting to windows you have to give the full path. And, on Linux when accessing Windows you have to quote (") the username and path because of the backslashes.

To copy a file from a remote machine to your local machine it's,

scp  username@machine-ip:path-to-file(/or)file1 path-to-directory-on-local-machine 

You can use dot (.) to indicate the current directory on the local machine.

To copy directories use, -r (recursive)

scp -r director-on-local-machine username@machine-ip:path-to-directory

or

scp -r  username@machine-ip:path-to-remote-directory  path-to-directory

That may be confusing so here are some real examples.

Copy a directory named "ssh-images" from Windows 10 to Linux starting on the Windows machine with Powershell.

PS C:Usersdon> scp -r ssh-images kinghorn@192.168.3.90:~/tmp/

That put the ssh-images in "tmp" in my Linux home directory.

Now the same thing but starting from the Linux machine (using dot (.) for the current directory)

scp -r "don@192.168.3.111:Usersdonssh-images" .

Note the full path and quotes.

Conclusions

I hope this guide is helpful to both Windows and Linux users who want better interoperability. I also hope this is encouraging for user who may have never used ssh. I think it's great how easy it is getting to be to work productively in a mixes OS environment. Microsoft, much to their credit, keeps making Windows more useful for mixed environments. I'm looking forward to the terminal application they will have out soon and to the release of WSL2. With those 2 application in place windows will be nicely interoperable and will be much improved as a solid developers system.

One of the main reasons I wrote this post is because I want to refer to it in a post about using Python Jupyter notebooks remotely between machines with different OS's. Expect to see that post soon. I may also write about using WSL and an Xwindow server on Windows 10.

Happy computing! --dbk @dbkinghorn

Looking for a
Scientific Compute System?

Do you have a project that needs serious compute power, and you don't know where to turn? Puget Systems offers a range of HPC workstations and servers tailored for both CPU and GPU workloads.

Why Choose Puget Systems?


Built specifically for you

Rather than getting a generic workstation, our systems are designed around your unique workflow and are optimized for the work you do every day.

Fast Build Times

By keeping inventory of our most popular parts, and maintaining a short supply line to parts we need, we are able to offer an industry leading ship time of 7-10 business days on nearly all our system orders.

We're Here, Give Us a Call!

We make sure our representatives are as accessible as possible, by phone and email. At Puget Systems, you can actually talk to a real person!

Lifetime Support/Labor Warranty

Even when your parts warranty expires, we continue to answer your questions and even fix your computer with no labor costs.

Click here for even more reasons!

Puget Systems Hardware Partners

Tags: Windows 10, ssh, Linux, ssh server
Emmanuel Lopez Torres

Bless your soul. I went two weeks looking for SSH solutions and this was straight to the point. Thank you.

Posted on 2019-10-18 17:00:47
Phillip Walker

Amazing after all my hours of searching and failed attempts by trying advice from other sites (and almost giving up as half of the sites say it is not possible), you actually have a working solution for Windows 10 Home. Thank you!

Posted on 2019-11-28 10:37:11
Barney Barnes

This is a lucid, well-written post. But my problem is that, while I can ssh from my kali box over the LAN, the password(s) are NOT accepted when I try to ssh over the internet to my domain. I am absolutely certain my domain is pointed to my windows box and the OpenSSH server answers by presenting the password prompts. Do you have any idea what is causing this? Thanks.

Posted on 2019-12-07 20:20:34
Donald Kinghorn

the first thing that comes to mind is "username" I have different user names in my Linux and Windows accounts. If you don't specify the username to ssh then it defaults to your current user ... which may be different from your username on the machine you are trying to connect to. You can use
ssh name@192..... or ssh -u name 192.....

If your domainname is public you could also be hitting a firewall rule. On Win ssh LAN connections are allowed but I'm not sure about Public WAN (that should be blocked by default) ... but I would think you would not get a prompt in this case

It could even be a ssh-config problem like "strict host checking" or something ??? Win10 has a hosts file and you could try adding an entry there C:\Windows\System32\drivers\etc\hosts You will probably have to run an editor "as Administrator" to edit it.

It's hard to say for sure. You will have to do some network debugging ... Try the "name" thing first! I get caught by that quite often :-)

Posted on 2019-12-09 16:58:46
Barney Barnes

Ok thanks for your prompt response. Problem was solved earlier. My Pioneer FW required me to specify port 22 instead of a blanket open of all the tcp ports. BTW since your articles are articulate, do you have any interest in trojan technology? I ask this because I have developed a library of windows trojans which can be deployed via github and powershell.

Posted on 2019-12-09 18:01:25
Barney Barnes

Sorry about this. I didn't really want to advertise that even though your website is not exactly well-travelled. Would you please remove it? If you want to pursue the topic further, direct me an email address. Thanks.

Posted on 2019-12-09 19:23:23
Donald Kinghorn

Got you covered on the other part of this comment thread ... best wishes --dbk

Posted on 2019-12-09 20:13:56
Evan Cooch

Superb and thorough review - thanks! I found the step-by-step instructions, clear, and accurate. Was wondering if there is an easy way with WIn 10's implementation of openSSH to change the default port? For example, on my other machines (which run either GNU/Linux, or Win 7 with the Cygwin sshd as a service), I use a non-standard port (say 2234). On a Linux box this might be in /etc/ssh/sshd_config, or in the /etc/hosts file for Cygwin. Any such options using Windows 10's 'native' sshd?

p.s. I'll be trying this at some point in the near future on a couple of different Puget systems ;-)

Posted on 2019-12-26 21:24:42
Evan Cooch

Figured it out. The challenge (verging on nuisance) is that the MS incarnation of openSSH bundles a sshd_config_default that is not 'editable' -- it points at port 22, and at first attempt, you think you're stuck (you can't even 'advance permissions' your way around it). But....I realized that openssh is writing things out to the hidden \programdata subdirectory, and sure enough, in said subdir, there is a copy of sshd_config that the server is actually generating and using. It is admin writable, so, edit it, point it at whatever port you want, open up said port in the WIndows firewall, and it works perfectly.

Posted on 2019-12-28 12:48:52
Donald Kinghorn

Hi Evan, Thanks for posting that! I hadn't seen your question ... I'm glad you found that. I haven't tried to change any defaults but, yes, changing the port is something I need to do sometimes too.

Posted on 2019-12-30 17:01:14
Evan Cooch

Sure. Turns out that if you read the MS documentation (https://docs.microsoft.com/..., you'll find reference to the %ProgramData% location for the active/working sshd_config. You'll also see that MS's version of openSSH is 'different' than the standard versio (in that some options don't work, or are hard-wired in...).

Posted on 2019-12-30 17:16:07