Installing and Configuring OpenSSH on Windows Server 2019

While I've never had a problem with PowerShell remoting for remote command line interaction with Windows Server, I've often found that it isn't something that many systems administrators, especially those that work in heterogeneous environments, are entirely at ease with. I've lost count of the number of times that I've seen experienced admins across to a box running Windows Server so that they can interact with the operating system through a command prompt.

Windows and the most recent version of Windows 10 include the ability to install both an SSH client and an SSH server. Because most of us work with heterogenous systems, we are familiar with SSH'ing into a server or device to perform admin tasks. Now that it's available and easy to configure on Windows , I find myself using SSH, rather than other remote connection methods, as my default method of remotely connecting to servers, be they proximate or running in Azure.

To get an SSH client onto Windows 10 or Windows , without using 3rd party software or installing Windows Subsystem for , use the PowerShell command:

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~

To add an SSH client and SSH server to Windows Server 2019, use the following PowerShell commands:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~

I have found it useful to add both client and server capability to Windows Server. This is also useful if the server will function a jump box. Once you've added the capability, you need to do a few things to get the SSH server working before you're ready to go.

If you're intending to use key based, rather than password based, , you should also run the following command on the server to install an OpenSSH related PowerShell module that includes tools to help you configure that functionality:

Install-Module -Force OpenSSHUtils -Scope AllUsers

I also recommend running the following PowerShell commands on the server to install the Nano text editor, which allows you to edit text files through an SSH session. If you're going to use key based rather than passwords, you'll need to edit one of the config files (I'll explain what you need to do a little later in the article):

Set-ExecutionPolicy Bypass
Iwr -UseBasicParsing | iex
choco install nano -y

The next thing you'll need to do on your server is to configure the disabled ssh-agent service to automatically start and also configure the sshd service to automatically start. To do this, run the following PowerShell commands:

Set-Service -Name ssh-agent -StartupType ‘Automatic'
Set-Service -Name sshd -StartupType ‘Automatic'

The final step in getting SSH running on Windows Server 2019 is to run the following commands to start the relevant services:

Start-Service ssh-agent
Start-Service sshd

If you do all of this, you'll be able to connect using password passed from an SSH client using the syntax:

ssh username@hostname_or_IP_address

If you're connecting to a domain account the format is

ssh username@domain@hostname_or_IP_address

The reality of SSH is that the vast majority of people that use it, use key based authentication rather than password based authentication. To get key based authentication working with Windows Server 2019's SSH server, you'll need to the following:

On the client change to the .ssh directory and run the command ssh-keygen accepting the defaults (you can change the name of the keys and provide a key password if you really want to, but that's beyond the scope of this article)

Cd ~.ssh

Doing this with the default values will create a public and private key. The private key will be id_rsa and the public key will be

The next thing you should do is add your private key to your Windows security context. You can do this by running the following three commands:

Set-Service ssh-agent -StartupType ‘Automatic'
Start-service ssh-agent
Ssh-add ~.sshid_rsa

Once you've done this, you'll want to deploy your public key to the Windows Server 2019 server that you want to use SSH key based authentication with. To do this, perform the following steps (where chancellor is the name of the user account you're configuring SSH key based authentication for):

Ssh chancellor@ mkdir c:userschancellor.ssh
Scp chancellor@

You'll then need to run the following PowerShell command, located in that OpenSSHUtils PowerShell module I mentioned earlier, to configure some of the permissions for the authorized keys file. You might even want to SSH across to the server using password based authentication to do this:

Repair-AuthorizedKeyPermission C:usersChancellor.sshauthorized_keys

Because the PowerShell cmdlet doesn't entirely work as it should, you'll also need to run the following command as “NT SERVICEsshd” should not have any permissions to the authorized_keys file (if it does, key based authentication doesn't seem to work)

Icacls authorized_keys /remove “NT SERVICEsshd”

The final step you'll need to take requires you to edit the c:ProgramDatasshsshd_config file, which you can do using the nano text editor and comment out the following lines (which are at the end of the file):

# Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

You may need to do this locally on the Windows Server 2019 box. Once this is done, you can restart the sshd service (restart-service sshd) and you will be able to connect from your client using key based authentication.



This article was originally published by Microsoft's ITOps Talk Blog. You can find the original article here.