How to: Install and Use OpenSSH on Windows for PowerShell Core Remoting via SSH

Summary

The integration of SSH has been a popular request among Windows users and SSH presents a renewed vision for remoting. Microsoft’s goal is to tightly integrate the open source Secure Shell (SSH) protocol with Windows and PowerShell. As a result, admins now have two-way remote management with PowerShell and SSH, from Linux to Windows and vice versa. We will also see that system administrators will be able to manage Linux servers, routers, switches, and other devices that allow for SSH. Realizing this vision is important as it allows traditional Windows and Linux admins to manage any operating system with a common skill set plus allowing for cross-platform code and scripts. What’s more, we see that configuration automation through Azure DSC can be leveraged for both Windows and Linux operating systems. Depending on the task, we can run the exact same PowerShell Core code on all platforms. Presently, there are caveats, limitations and the technology is continuing to evolve so keeping up to date is necessary. What this means for managing Office 365 in the future is also a question this author would like to know. Though, OpenSSH has arrived to the Windows OS after many years in development, and it’s still a work in progress as Microsoft’s PowerShell team is contributing to the development efforts of the open source OpenSSH community. This article will provide a step by step procedure for installing & configuring the new OpenSSH Server and client and also provide an explanation of the PowerShell remoting architecture as context. The article will cover remoting scenarios and steps however a walk-through for configuring Linux will not be part of this article.

Problem

1. Microsoft is transitioning to “PowerShell Core” and cross-OS compatibility, while moving away from “Windows PowerShell”. Microsoft recently explained its “Windows PowerShell” roadmap plans, which will focus on “PowerShell Core”, going forward.
2. There are now two editions of PowerShell called “Windows PowerShell” & “PowerShell Core”. However, there are no plans to introduce new functionality to “Windows PowerShell”.
3. PowerShell remoting normally uses WinRM for connection negotiation and data transport, which is not supported in .NET Core so SSH was chosen for remoting since it allows true multi-platform remoting.
4. Admins will be required to learn new remoting commands, use-cases and will need to update scripts.
5. OpenSSH has to be installed and configured manually on both the server and client.
6. Based on the various articles, there are a couple different ways to get SSH installed and configured on Windows OS.
7. The install and configuration process can be a bit involved and has proven to be difficult for some administrators.
8. Updated New-PSSession, Enter-PSSession and Invoke-Command cmdlets now have a new parameter set to facilitate the new remoting connections. Evolving cmdlets means admins must understand the differences and update their scripts at some point.

PowerShell Remoting Architecture

OpenSSH is a freely available collection of client/server utilities that enable secure remote login, remote file transfer, and public/private key pair management. As part of the OpenBSD project, the Secure Shell (SSH) protocol family of tools were developed and has been used for many years across the BSD, Linux, macOS, and Unix ecosystems. Back in 2015, the Microsoft PowerShell team announced support and commitment to the OpenSSH community and code base. This commitment resulted in direction and architectural changes for PowerShell.

Microsoft’s solution for PowerShell remoting was Windows Remote Management (WinRM) which handles remote connection negotiation and data transport by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol). WinRM is an implementation of the Web Services for Management (WS-Man) specification, which takes advantage of firewall-friendly HTTP (TCP port 5985) or HTTPS (TCP port 5986) protocols to establish the communications channel.

Although Windows PowerShell users are used to WinRM as their remoting protocol with PowerShell, both customers and internal Microsoft product teams wanted to enable Windows to use SSH. The ability to use SSH provides a common user experience for Linux users to connect to Windows systems remotely and vice versa. SSH will likely become the remoting protocol of choice for Windows users and as part of the future direction of all Microsoft applications.

Given Microsoft’s new cross platform vision, the WinRM service is now considered limited by being Windows-specific. WinRM is not yet available as part of multi-platform PowerShell Core therefore, SSH was chosen for the remoting implementation since it is now available for both Linux and Windows platforms and allows multi-platform PowerShell remoting. Of note, the PowerShell team has configured the Linux PowerShell engine to do WS-Man remoting. Linux supports WS-Man remoting through PowerShell Remoting Protocol (MS-PSRP) and with the Open Management Infrastructure (OMI) provider. Installation of both OMI and the OMI provider on Linux is required for PowerShell remoting. Currently, PowerShell Core supports PowerShell Remoting (PSRP) over WSMan with Basic authentication on macOS and Linux, and with NTLM-based authentication on Linux. (Kerberos-based authentication is not supported.)

PuTTY on Windows is the most common SSH client utility, as it allows a Windows user to SSH into a Linux system. There are other third-party SSH server solutions for Windows, however an integrated Microsoft solution will allow for further application integration, extended functionality and support.

Installing OpenSSH

Installing OpenSSH package Option 1) Manually from Github

1. Download the latest build of OpenSSH from a web browser.
2. Otherwise, download the latest build in an elevated PowerShell console, run the following:
   • Invoke-WebRequest https://github.com/PowerShell/Win32-OpenSSH/releases/download/v1.0.0.0/OpenSSH-Win64.zip -OutFile openssh.zip
3. Extract contents of the latest build to C:Program FilesOpenSSH
4. Otherwise, you can extract the zip file in an elevated Powershell console, run the following:
   • Expand-Archive .openssh.zip 'C:Program Files'
   • Verify the sub-directory name, as the command will create “OpenSSH-Win64”
5. Launch PowerShell as an Administrator and go to the directory where the files have been extracted to:
   • cd 'c:Program FilesOpenSSH'
6. In an elevated PowerShell console, run the following
   • powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1
7. Open the firewall for sshd.exe to allow inbound SSH connections
   • New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
8. If you are running these commands on Windows 10, run the command
   • netsh advfirewall firewall add rule name=sshd dir=in action=allow protocol=TCP localport=sshd
9. Start the windows service sshd (this will automatically generate host keys under %programdata%ssh if they don’t already exist)
10. Run the command: Start-Service sshd 
11. Migrate sshd configuration:
    • To use existing customized sshd_config, you need to copy it from binary location to %programdata%sshsshd_config (Note that %programdata% is a hidden directory).
    • To use existing host keys, you need to copy them from binary location to %programdata%ssh
    • Prior versions required SSHD resources (sshd_config, host keys and authorized_keys) to have READ access to “NT ServiceSSHD”. This is no longer a requirement and the corresponding ACL entry should be removed. Run Powershell.exe -ExecutionPolicy Bypass -Command '. .FixHostFilePermissions.ps1 -Confirm:$false'(Note the first “.” is a call operator.) to fix up these permissions.
12. Change the services sshd and ssh-agent to auto-start
    • Set-Service sshd -StartupType Automatic
    • Set-Service ssh-agent -StartupType Automatic
13. Verify the change in the GUI and check for the services sshd & ssh-agent with: services.msc
14. Configure the default ssh shell by running regedit.exe
15. On the server, configure the default ssh shell in the windows registry by navigating to the key: ComputerHKEY_LOCAL_MACHINESOFTWAREOpenSSH
16. Create a key called “DefaultShell” of type “REG_SZ”
17. Enter the string value as “C:windowssystem32WindowsPowerShellv1.0powershell.exe”
18. If PowerShell core is installed, then the string value will be “c:Program FilesPowerShell6.0.1pwsh.exe” (assuming version 6.0.1 however verify your installed version.)

Installing OpenSSH package Option 2) using PowerShell

1. 1. Open the PowerShell command prompt as Administrator
   2. Run the command: Get-WindowsCapability -Online | ? Name -like ‘OpenSSH*’
   3. Verify that the “State” displays “NotPresent

Name : OpenSSH.Client~~~~0.0.1.0
State : NotPresent
Name : OpenSSH.Server~~~~0.0.1.0
State : NotPresent


1. 1. Run the following commands to install the OpenSSH client and server.

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0


1. 1. After the command prompt returns and the install is completed, verify the returned output as:

Path :
Online : True
RestartNeeded : False


Installing the OpenSSH package Option 3) using Chocolatey

1. There are multiple ways to install OpenSSH on Windows. Chocolatey automates a few of the tasks.
2. Open PowerShell command prompt (or cmd.exe) as Administrator
3. If Chocolatey is not installed, follow the steps documented on the chocolatey.org site
4. Run the command: choco install openssh -params ‘”/SSHServerFeature /KeyBasedAuthenticationFeature”‘ –y

 Installing OpenSSH package Option 4) using DISM.exe

1. 1. There are multiple ways to install OpenSSH on Windows. DISM automates a few of the tasks.
   2. Open PowerShell command prompt (or cmd.exe) as Administrator
   3. Run the command: dism /Online /Get-Capabilities | findstr OpenSSH
   4. Verify the OpenSSH features are available to install by viewing the output.

Capability Identity : OpenSSH.Client~~~~0.0.1.0
Capability Identity : OpenSSH.Server~~~~0.0.1.0

1. 1. Install the client and server features by running the following commands:

dism /Online /Add-Capability /CapabilityName:OpenSSH.Client~~~~0.0.1.0
dism /Online /Add-Capability /CapabilityName:OpenSSH.Server~~~~0.0.1.0

Installing OpenSSH package Option 5) using Windows Developer Mode

Windows Develop Mode is not Microsoft’s OpenSSH implementation.  Do not install SSH this way. SSH services are enabled when you enable Device Discovery on your device. This is used when your device is a remote deployment target for UWP applications. The names of the services are ‘SSH Server Broker’ and ‘SSH Server Proxy’. The existing SSH server used in Windows Developer Mode is not yet protocol compliant.

Installing OpenSSH package Option 6) using Enable-SSHRemoting PowerShell Core Cmdlet

This feature is a roadmap item as part of the PowerShell Core documentation published on github here. Once this feature is beta or fully released, it will be explained in more detail in this article.

Windows Client Configuration Steps

Client Authentication Option 1) Password-based authentication

1. Test the ssh command line by opening PowerShell command prompt (or cmd.exe) as Administrator.
2. Run the command but replace your “user-account” and “remotehost”: ssh user-account@remotehost

Client Authentication Option 2) Key-based authentication

Authenticating via SSH is more secure with a key than a password, therefore, these steps are required. To set up a key, you have to generate it from your client and provide a passphrase. The defaults “id_rsa” are used as the file and RSA as the type.

1. 1. Open PowerShell command prompt (or cmd.exe) as Administrator.
   2. Ensure the ssh-agent service is started by running: Get-Service ssh-agent
   3. Check that the status says “running” otherwise run the command: Start-Service ssh-agent
   4. Navigate to the OpenSSH directory that was create on the file system as part of the manual Github OpenSSH zip extraction or from the scripted OpenSSH install.
   5. Run the executable called “ssh-keygen.exe“
   6. The public/private key pair will generate with this output:

Generating public/private ed25519 key pair.
Enter file in which to save the key (C:Usersuser1.sshid_ed25519):

1. 1. Press Enter to accept the default file name and path of “id_rsa”. Otherwise you can specify a different name and path here.
   2. Enter a passphrase twice.
   3. The identification and public key files will be created called “id_rsa” and “id_rsa.pub” with the following output:

Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:Usersuser1.sshid_ed25519.
Your public key has been saved in C:Usersuser1.sshid_ed25519.pub.
The key fingerprint is:
SHA256:OIzc1yE7joL2Bzy8/gS0j8eGK7bYaH1FmF3sDuMeSj8 USER@HOSTNAME
The key's randomart image is:
+--[ED25519 256]--+
| . |
| o |
| . + + . |
| o B * = . |
| o= B S . |
| .=B O o |
| + =+% o |
| *oo.O.E |
|+.o+=o. . |
+----[SHA256]-----+


1. 1. We securely store the private keys within a Windows security context by running the command: Start-Service ssh-agent
   2. Verify the status of the service is “Running” with the command: Get-Service ssh-agent
   3. Load the key files into the ssh-agent with the command: ssh-add ~.sshid_ed25519
   4. We remove the key file for security purposes as we don’t need it anymore by running: Remove-Item ~.sshid_ed25519
   5. RDP into the Windows Server your users will SSH into, as an administrator.
   6. Make sure you already followed the steps for installing and configuring SSH on a server before continuing on the next steps.
   7. Move the contents of your public key (~.sshid_ed25519.pub) into a text file called “authorized_keys” in ~.ssh on your Windows SSH server that you will log into.
   8. Create the .ssh directory for the user that will log into the server by running the following command, making sure the username and domain is correct:
      • ssh user@domain.com mkdir C:usersuser1.ssh

   9. Copy the public key file that was generated in the earlier steps to the “authorized_keys” text file on the server.
   10. Modify the permissions to the the “authorized_keys” text file by running the following command:

ssh --% USER@DOMAIN.com powershell -c $ConfirmPreference = 'None'; Repair-AuthorizedKeyPermission "C:Usersuser1sshauthorized_keys"

Windows Server Configuration Steps of OpenSSH Server (sshd)

1. RDP into the Windows Sever as an administrator
2. Launch PowerShell command prompt (or cmd.exe) as Administrator
3. Verify that PowerShell Core has been installed with the command: $PSVersionTable
4. Check that PSEdition says “Core”, with the PSVersion at least 6.0.0.
5. Update the Windows Server Enviroment Variables Path:
   • ($env:path).split(“;”)

   • $oldpath = (Get-ItemProperty -Path ‘Registry::HKEY_LOCAL_MACHINESystemCurrentControlSetControlSession ManagerEnvironment’ -Name PATH).path

   • $newpath = “$oldpath;C:Program FilesOpenSSH”

   • Set-ItemProperty -Path ‘Registry::HKEY_LOCAL_MACHINESystemCurrentControlSetControlSession ManagerEnvironment’ -Name PATH -Value $newPath

6. Install the OpenSSHUtils as administrator by running: Install-Module -Force OpenSSHUtils
7. Ensure the ssh-agent service is started by running: Get-Service ssh-agent
8. Check that the status says “Running” otherwise
9. Run the command: Start-Service ssh-agent
10. Navigate to the OpenSSH folder: “C:Program FilesOpenSSH”
11. Run the command: ssh-keygen.exe -A
12. The public/private key pair will generate.
13. Press Enter to accept the default file name and path of “id_rsa”. Otherwise you can specify a different name and path here.
14. Enter a passphrase twice.
15. The identification and public key files will be created called “id_rsa” and “id_rsa.pub” with the following output: “C:Program FilesOpenSSHssh-keygen.exe: generating new host keys: ED25519”
16. Load the key files into the ssh-agent with the command: ssh-add ssh_host_ed25519_key
17. Run the command: Repair-SshdHostKeyPermission -FilePath “C:Program FilesOpenSSHssh_host_ed25519_key”
18. Chose “A” as the response.
19. Run the command: Start-Service sshd
20. Verify the service is in the Running state with the command: Get-Service sshd
21. Add the firewall rule that allows traffic on port 22 with the command: New-NetFirewallRule -Name sshd -DisplayName ‘OpenSSH Server (sshd)’ -Service sshd -Enabled True -Direction Inbound -Protocol TCP -Action Allow -Profile Domain
22. Go the the OpenSSH directory on the server.
23. Open the file “sshd_config” with notepad.exe and add the following to the section “# override default of no subsystems”
    Subsystem powershell C:Program FilesPowerShell6.0.0.16pwsh.exe.exe -sshs -NoLogo -NoProfile
    
24. Enable password authentication with the text: PasswordAuthentication yes
25. Enable key authentication with the text: PubkeyAuthentication yes
26. Close and save the sshd_config file.
27. Run the command: Restart-Service sshd

PowerShell remoting

PowerShell remoting cmdlets will only allow connection with the command Enter-PSSession, Invoke-Command, etc. It will not work using ssh.exe to connect from the client.

References

• OpenSSH
• Chocolatey OpenSSH
• Powershell OpenSSH
• https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH
• PSTools
• Powershell make a permanent change to the path environment variable
• Use Powershell to modify your enviromental path
• Powershell Set Service
• How do I open ports with Powershell
• Getting Started with PowerShell Core on Windows, Mac, and Linux
• Microsoft Transitioning Windows PowerShell 6.0 into PowerShell Core
• PowerShell 6.0 Roadmap: CoreCLR, Backwards Compatibility, and More!
• PowerShell Core 6.0: Generally Available (GA) and Supported! –
• PowerShell Remoting Over SSH
• Using the OpenSSH Beta in Windows 10 Fall Creators Update and Windows Server 1709
• Why Remoting vs. SSH Isn’t Even a Thing
• Porting to .NET Core – Libraries (See remoting section)
• Part 2 – Install .NET Core and PowerShell on Linux Using DSC
• Looking Forward: Microsoft Support for Secure Shell (SSH)