openssh

Introduction

The integration of SSH with Windows represents a significant advancement for system administrators working in cross-platform environments. Microsoft’s goal has been to tightly integrate the open source Secure Shell (SSH) protocol with Windows and PowerShell, enabling two-way remote management between Linux and Windows systems. This approach provides administrators with a unified method for managing diverse environments, from Windows servers to Linux machines, network devices, and cloud infrastructure.

SSH is the standard remoting tool for Linux, and Microsoft has added native support for it on clients running Windows 10 build 1809 or newer and Windows Server 2019 or newer. Starting with Windows Server 2025, OpenSSH now comes pre-installed, further simplifying deployment in enterprise environments. This evolution highlights Microsoft’s commitment to embracing open standards and fostering cross-platform compatibility.

Problem Definition

Traditionally, PowerShell remoting relied on Windows Remote Management (WinRM) using the WS-Management protocol. WinRM handles remote connection negotiation and data transport through SOAP (Simple Object Access Protocol) and takes advantage of firewall-friendly HTTP (TCP port 5985) or HTTPS (TCP port 5986) protocols. While effective within Windows environments, this approach presents challenges when working with non-Windows systems or in scenarios without Active Directory.

Managing systems without Active Directory using WinRM requires configuring trusted hosts and setting up PowerShell remoting for HTTPS, as the default HTTP protocol is not secure outside a domain. This process can be complex and requires managing SSL/TLS certificates. Additionally, WinRM is not natively supported in .NET Core, which powers PowerShell Core (now simply known as PowerShell 7+), limiting cross-platform remoting capabilities.

The need for a universal, secure, and platform-agnostic remoting protocol has become increasingly important as organizations adopt hybrid infrastructure models spanning on-premises Windows servers, Linux systems, and cloud platforms.

Solution Options

Installing OpenSSH on Windows

There are several methods to install OpenSSH on Windows, depending on your operating system version:

For Windows 10 (build 1809 or later) and Windows Server 2019/2022/2025:

OpenSSH is available as an optional feature that can be installed directly through Windows. Starting with Windows Server 2025, OpenSSH is now installed by default.

To check if OpenSSH is already installed and install it if needed:

# Check if OpenSSH is installed
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

# Install OpenSSH Client (if needed)
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

# Install OpenSSH Server (if needed)
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

For older Windows versions:

For systems running older versions of Windows, you can download OpenSSH from GitHub or use package managers like Chocolatey for installation.

Using Chocolatey is recommended for simplicity as it automates several necessary tasks.

Configuring OpenSSH Server

After installation, the SSH server needs to be configured to work with PowerShell remoting:

  1. Start and configure the SSH service:
# Start the SSH service
Start-Service sshd

# Set the service to start automatically
Set-Service -Name sshd -StartupType 'Automatic'

# Verify the firewall rule is configured
Get-NetFirewallRule -Name *ssh*
  2. Configure PowerShell as a subsystem:

Edit the sshd_config file located at $Env:ProgramData\ssh to add PowerShell as a subsystem.

Add the following line to the file:

Subsystem    powershell    C:/progra~1/PowerShell/7/pwsh.exe -NoProfile -sshs

Starting in PowerShell 7.4, you no longer need to use the -NoLogo parameter when running PowerShell in SSH server mode.

  3. Restart the SSH service to apply changes:
Restart-Service sshd
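
The subsystem step above as one repeatable script, added here as an example (not part of the original article or of Microsoft's tooling). Set-PwshSshSubsystem is a hypothetical helper name; it assumes the default sshd_config location and the pwsh.exe path used above, and must run in an elevated session on the server.

```powershell
# Added example (hypothetical helper name); run elevated on the SSH server.
function Set-PwshSshSubsystem {
    param(
        [string] $ConfigPath = (Join-Path $env:ProgramData 'ssh\sshd_config'),
        [string] $Line = 'Subsystem powershell C:/progra~1/PowerShell/7/pwsh.exe -NoProfile -sshs'
    )
    $sshd  = Join-Path $env:SystemRoot 'System32\OpenSSH\sshd.exe'
    $lines = @(Get-Content -Path $ConfigPath)

    # Idempotent: leave the file alone if a powershell subsystem already exists.
    if ($lines -match '^\s*Subsystem\s+powershell\s') { return 'unchanged' }

    # Insert before the first Match block so the directive stays global. The
    # default Windows sshd_config ends with "Match Group administrators", so a
    # line appended at the end of the file would land inside that block.
    $insertAt = $lines.Count
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\s*Match\s') { $insertAt = $i; break }
    }
    $head = @($lines | Select-Object -First $insertAt)
    $tail = @($lines | Select-Object -Skip $insertAt)

    # Keep a backup, write the new file, then let sshd validate it (-t = test mode).
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
    Set-Content -Path $ConfigPath -Value ($head + $Line + $tail)
    & $sshd -t -f $ConfigPath
    if ($LASTEXITCODE -ne 0) {
        Copy-Item -Path "$ConfigPath.bak" -Destination $ConfigPath -Force
        throw 'sshd -t rejected the new configuration; the original file was restored.'
    }

    Restart-Service sshd
    return 'updated'
}

Set-PwshSshSubsystem
```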

Using PowerShell Remoting Over SSH

PowerShell 7+ includes enhanced cmdlets that support SSH as a transport protocol.

You can use PowerShell remoting cmdlets such as Enter-PSSession and Invoke-Command on a PowerShell 7 console via SSH. The key difference is using the -HostName parameter instead of -ComputerName to specify SSH as the transport protocol.

# Connect to a remote session using SSH
Enter-PSSession -HostName server.example.com -UserName username

# Run commands remotely using SSH
Invoke-Command -HostName server.example.com -UserName username -ScriptBlock { Get-Process }

For added security, you can configure SSH to use key-based authentication instead of passwords:

# Create an SSH key pair
ssh-keygen -t rsa -b 4096

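# Copy your public key to the remote server
# (ssh-copy-id ships with OpenSSH on Linux and macOS; the Windows OpenSSH client does not include it)
ssh-copy-id username@server.example.com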
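
Added example, not from the original article: when the SSH server is Windows, the public key has to be placed in the file sshd actually reads, which differs for members of the local Administrators group. Add-SshAuthorizedKey is a hypothetical helper run on the server (elevated when -Administrator is used); the sample key in the final comment is constructed.

```powershell
# Added example; Add-SshAuthorizedKey is a hypothetical helper, run on the SSH server.
function Add-SshAuthorizedKey {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PublicKey,   # one line from an id_*.pub file
        [switch] $Administrator                       # account is in local Administrators
    )

    # Accept only a single well-formed key line: type, base64 blob, optional comment.
    $PublicKey = $PublicKey.Trim()
    if ($PublicKey -notmatch '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$') {
        throw 'Not a single-line OpenSSH public key.'
    }

    if ($Administrator) {
        # The default Windows sshd_config ("Match Group administrators") reads this shared file.
        $path = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
    } else {
        $path = Join-Path $env:USERPROFILE '.ssh\authorized_keys'
        New-Item -ItemType Directory -Force -Path (Split-Path $path) | Out-Null
    }

    # Append only if this exact key line is not already present.
    $existing = if (Test-Path $path) { @(Get-Content -Path $path) } else { @() }
    if ($existing -notcontains $PublicKey) {
        Add-Content -Path $path -Value $PublicKey
    }

    if ($Administrator) {
        # Restrict the shared file to Administrators and SYSTEM only. Well-known
        # SIDs are used so the command also works on localized Windows.
        icacls.exe $path /inheritance:r /grant '*S-1-5-32-544:F' /grant '*S-1-5-18:F' | Out-Null
    }
    return $path
}

# Constructed sample key (not a real key); pass the contents of your own .pub file.
# Add-SshAuthorizedKey -Administrator -PublicKey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLYEXAMPLEONLYEXAMPLEONLYEXAMPLEON admin@workstation'
```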

Automating Management

The ability to use PowerShell over SSH opens up new possibilities for automation in cross-platform environments:

  1. Configuration Management Tools: If you’re introducing Windows into a Linux environment where your configuration management tool, such as Ansible, is already configured for SSH, you can continue using your existing automation infrastructure. Ansible now supports managing Windows over SSH, although it is considered experimental at this stage.
  2. Scheduled Tasks and Scripts: Create scheduled tasks that use PowerShell remoting over SSH to manage systems across your infrastructure, regardless of operating system.
  3. CI/CD Pipelines: Integrate SSH-based PowerShell remoting into your deployment pipelines for consistent application and configuration deployment across heterogeneous environments.
  4. PowerShell Modules: The Microsoft.PowerShell.RemotingTools module provides additional functionality to simplify SSH remoting configuration:
# Install the RemotingTools module
Install-Module Microsoft.PowerShell.RemotingTools

# Enable SSH remoting with a single command
Enable-SSHRemoting

Conclusion

PowerShell remoting over SSH represents a significant advancement in Microsoft’s cross-platform strategy. SSH is likely to become the remoting protocol of choice for Windows users and to be part of the future direction of all Microsoft applications. The native integration of OpenSSH with Windows and PowerShell provides administrators with a unified, secure method for managing diverse IT environments.

While WinRM still offers certain advantages within pure Windows environments, such as Just Enough Administration (JEA) and custom session configurations, SSH provides a more universal approach that works seamlessly across operating systems. As organizations continue to adopt hybrid infrastructure models, the ability to use a common remoting protocol becomes increasingly valuable.

The evolution of OpenSSH support in Windows—from a manual installation process to being included by default in Windows Server 2025—demonstrates Microsoft’s commitment to embracing open standards and supporting heterogeneous environments.

We Can Assist

Need help implementing PowerShell remoting over SSH in your environment? Have questions about specific configurations or automation scenarios? Contact us for personalized assistance tailored to your organization’s needs. Our team of Microsoft-certified experts can help you design and implement a secure, efficient remote management solution that leverages the full potential of PowerShell and OpenSSH.
