The latest builds of Windows 10 and Windows 11 include a build-in SSH server and client that are based on OpenSSH.This means now you can remotely connect to Windows 10/11 or Windows Server 2019 using any SSH client, like Linux distros.Let's see how to configure OpenSSH on Windows 10 and Windows 11, and connect to it using Putty or any other SSH client.

OpenSSH is an open-source, cross-platform version of Secure Shell (SSH) that is used by Linux users for a long time.This project is currently ported to Windows and can be used as an SSH server on almost any version of Windows.In the latest versions of Windows Server 2022/2019 and Windows 11, OpenSSH is built-in to the operating system image.

Make sure our build of Windows 10 is 1809 or newer. The easiest way to do this is by running the command:

winver

Note. If you have an older Windows 10 build installed, you can update it through Windows Update or using an ISO image with a newer version of Windows 10 (you can create an image using the Media Creation Tool). If you don’t want to update your Windows 10 build, you can manually install the Win32-OpenSSH port for Windows with GitHub.

We can enableOpenSSH server inWindows 10 through the graphicalSettings panel:

1. Go to theSettings >Apps >Apps and features >Optional features (or run thecommand ms-settings:appsfeatures)

2. Click Add a feature, selectOpenSSH Server (OpenSSH-based secure shell (SSH) server, for secure key management and access from remote machines), and clickInstall

We can also install sshd server using PowerShell:

Add-WindowsCapability-Online-Name OpenSSH.Server*

Or we can also install sshd server using DISM:

dism/Online/Add-Capability/CapabilityName:OpenSSH.Server~~~~0.0.1.0

If you want to make sure the OpenSSH server is installed, run the following PS command:

Get-WindowsCapability-Online|? Name-like'OpenSSH.Server*'

Use the following PowerShell command to uninstall the SSH server:

Remove-WindowsCapability-Online-Name OpenSSH.Server~~~~0.0.1.0

Also, you can add the OpenSSH Server on Windows 11.

1. Go to Settings > Apps > Optional features;
2. Click View Features;

Select OpenSSH Server from the list and click Next > Install;

Wait for the installation to complete.

The OpenSSH binaries are located in the C:\Windows\System32\OpenSSH\ folder.

Check the status of ssh-agent and sshd services using the PowerShell command Get-Service:

Get-Service-Name*ssh*

As we can see, both services are in a Stopped state and not added to the automatic startup list. To start services and configure autostart for them, run the following commands:

Start-Service sshdSet-Service-Name sshd-StartupType'Automatic'Start-Service'ssh-agent'Set-Service-Name'ssh-agent'-StartupType'Automatic'

We also need to allow incoming connections to TCP port 22 in the Windows Defender Firewall. We can open the port using netsh:

netsh advfirewall firewall add rule name=”SSHD service” dir=in action=allow protocol=TCP localport=22

Or we can add a firewall rule to allow SSH traffic using PowerShell:

New-NetFirewallRule-Name sshd-DisplayName'OpenSSH Server (sshd)'-Enabled True-Direction Inbound-Protocol TCP-Action Allow-LocalPort22

Now we can connect to Windows 10 using any SSH client. To connect from Linux, use the command:

ssh-p22 admin@192.168.1.90

Here, the admin is a local Windows user under which we want to connect.192.168.1.90 is an IP address of your Windows 10 computer.

After that, a new Windows command prompt window will open in SSH session.

Hint. To run the PowerShell.exe cli instead of cmd.exe shell when logging in via SSH on Windows 10, we need to run the following command in Windows 10 (under admin account):

New-ItemProperty-Path"HKLM:\SOFTWARE\OpenSSH"-Name DefaultShell-Value"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"-PropertyType String-Force

Now, we change the defaultOpenSSH shell. From here, when connecting to Windows via SSH, you will immediately see PowerShell prompt instead ofcmd.exe.

If you want to use key-based ssh authentication instead of password authentication, you need to generate a key usingssh-keygen on your client.

Then, the contents of theid_rsa.pub file must be copied to thec:\users\admin\.ssh\authorized_keys file in Windows 10.

After that, you can connect from your Linux client to Windows 10 without a password. Use the command:

ssh-l admin@192.168.1.90

We can configure variousOpenSSH server settings in Windows using the%programdata%\ssh\sshd_config configuration file.

For example, we can disable password authentication and leave only key-based auth with:

PubkeyAuthentication yesPasswordAuthentication no

Here we can also specify a new TCP port (instead of the default TCP 22 port) on which the SSHD will accept connections. For example:

Port2222

Using the directivesAllowGroups,AllowUsers,DenyGroups,DenyUsers, you can specify users and groups who are allowed or denied to connect to Windows via SSH:

• DenyUsers theitbros\jbrown@192.168.1.15 — blocks connections to username jbrown from 192.168.1.15 hostsж
• DenyUsers theitbros\* — prevent all users from theitbros domain to connect host using sshж
• AllowGroups theitbros\ssh_allow — only allow users from theitbtos\ssh_allow connect hostю
• The allow and deny rules of sshd are processed in the following order:DenyUsers,AllowUsers,DenyGroups, andAllowGroups.

After making changes to thesshd_config file, you need to restart the sshd service:

Get-Service sshd|Restart-Service –force

In previous versions ofOpenSSH on Windows, all sshd service logs were written to the text fileC:\ProgramData\ssh\logs\sshd.log by default.

On Windows 11, SSH logs can be viewed using theEvent Viewer console (eventvwr.msc). All SSH events are available in a separate sectionApplication and Services Logs >OpenSSH >Operational.

For example, the screenshot shows an example of an event with a successful connection to the computer via SSH. You can see the ssh client’s IP address (hostname) and the username used to connect.

sshd: Accepted password for jbrown from 192.168.14.14. port 49833 ssh2