The latest Windows versions include a built-in SSH server and client that are based on OpenSSH. This means you can now remotely connect to a Windows 10/11 or Windows Server 2022/2019 computer using any SSH client, just as you would with Linux distros. In this article, we’ll show you how to configure OpenSSH on Windows 10 and Windows 11, and connect to it using PuTTY or any other SSH client.
OpenSSH is an open-source, cross-platform version of Secure Shell (SSH) that Linux users have used for a long time. The project has been ported to Windows and can be used as an SSH server on almost any version of Windows.
How to Install SSH Server on Windows 10 or 11
Starting with Windows 10 build 1809, OpenSSH Server is included in all Windows operating system images.
You can enable the OpenSSH server in Windows 10 or 11 through the graphical Settings panel:
- Go to Settings > Apps > Apps and features > Optional features (or run the command ms-settings:appsfeatures);
- Click Add a feature, select OpenSSH Server (OpenSSH-based secure shell (SSH) server, for secure key management and access from remote machines), and click Install.
- Wait for the OpenSSH server installation to complete.
You can also install the sshd server using PowerShell:
Add-WindowsCapability -Online -Name OpenSSH.Server*
Or using DISM:
dism /Online /Add-Capability /CapabilityName:OpenSSH.Server~~~~0.0.1.0
If you want to make sure the OpenSSH server is installed, run the following PS command:
Get-WindowsCapability -Online | ? Name -like 'OpenSSH.Server*'
Name : OpenSSH.Server~~~~0.0.1.0
State : Installed
OpenSSH Server on Windows is delivered as a Feature on Demand (FoD). This means that Windows does not store the binaries for OpenSSH installation locally. During installation of optional features, Windows downloads feature files from Microsoft Update servers. If your computer is in an offline environment (not connected to the Internet), you can install OpenSSH Server from an offline FoD ISO image:
- You can download the FoD ISO image for your version of Windows from the Volume Licensing Service Centre (VLSC) or from My Visual Studio.
- Mount the FoD ISO media to a virtual DVD drive in Windows;
- Install the OpenSSH.Server with the command:
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 -Source "E:\" -LimitAccess
Use the following PowerShell command to uninstall the SSH server:
Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Note. On earlier versions of Windows (prior to Windows 10 1809), you can manually install the Win32-OpenSSH port for Windows from the GitHub repository.
The OpenSSH binary files are located in the C:\Windows\System32\OpenSSH\ folder.
This path is also added to the Path environment variable in Windows:
$Env:Path
How to Enable and Configure SSH Server on Windows
Check the status of ssh-agent and sshd services using the PowerShell Get-Service command:
Get-Service -Name *ssh*
By default, both services are stopped and not added to the automatic startup. Run the following commands to start OpenSSH services and configure autostart for them:
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'
Start-Service ssh-agent
Set-Service -Name ssh-agent -StartupType 'Automatic'
Check if sshd service is running and listening on port TCP/22:
netstat -nao | find /i '":22"'
A rule allowing remote connections to the SSH server is added to the Windows Defender firewall when OpenSSH Server is installed (with the description Inbound rule for OpenSSH SSH Server (sshd)). Use the PowerShell command to check that the rule for the OpenSSH server is enabled:
Get-NetFirewallRule -Name *OpenSSH-Server* |select Name, DisplayName, Description, Enabled
If the rule is disabled, you must enable it:
Get-NetFirewallRule -Name *OpenSSH-Server*|Enable-NetFirewallRule
You can configure a number of settings for the OpenSSH server in Windows by using the %programdata%\ssh\sshd_config configuration file.
For example, you can disable SSH password authentication and leave only key-based auth by enabling the following directives in the sshd_config file:
PubkeyAuthentication yes
PasswordAuthentication no
Here you can also specify a new TCP port (instead of the default TCP 22 port) on which the SSHD will accept connections. For example:
Port 2222
Using the directives AllowGroups, AllowUsers, DenyGroups, DenyUsers, you can specify users and groups who are allowed or denied to connect to Windows via SSH:
- DenyUsers theitbros\jbrown@192.168.1.15 — denies connections to username jbrown from 192.168.1.15 host;
- DenyUsers theitbros\* — prevents all users from the theitbros domain from connecting to the host via SSH;
- AllowGroups theitbros\ssh_allow — allows only users from the theitbros\ssh_allow group to connect to the host.
The allow and deny rules of sshd are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and AllowGroups.
For example, to allow an SSH connection under the mylocaluser1 account from host 192.168.31.100, add the following directive:
AllowUsers mylocaluser1@192.168.31.100
After making changes to the sshd_config file, you need to restart the sshd service:
Get-Service sshd | Restart-Service -Force
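A broken sshd_config stops sshd from starting, and the stock Windows sshd_config ends with a Match Group administrators block, so a directive appended to the end of the file applies only inside that block. The script below is an added example, not part of the original article: it writes the two authentication directives into the global section, validates the file with sshd -t, and restarts the service only if validation passes. The function name Set-SshdGlobalDirective and the .bak backup path are choices made for this example; confirm that key-based login works before disabling passwords.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article.
$ConfigPath = Join-Path $env:ProgramData 'ssh\sshd_config'
$SshdExe    = Join-Path $env:SystemRoot 'System32\OpenSSH\sshd.exe'

function Set-SshdGlobalDirective {
    param([string[]]$Lines, [hashtable]$Settings)
    # Find the first Match block: every directive after it is conditional.
    $matchIdx = $Lines.Count
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match '^\s*Match\s') { $matchIdx = $i; break }
    }
    $head = @($Lines | Select-Object -First $matchIdx)
    $tail = @($Lines | Select-Object -Skip $matchIdx)
    foreach ($name in $Settings.Keys) {
        # sshd keeps the first value it reads, so drop active global copies first.
        $pattern = '^\s*' + [regex]::Escape($name) + '\s'
        $head = @($head | Where-Object { $_ -notmatch $pattern })
        $head += "$name $($Settings[$name])"
    }
    return $head + $tail
}

# Keep a copy of the working configuration (backup name is this example's choice).
$backup = "$ConfigPath.bak"
Copy-Item -Path $ConfigPath -Destination $backup -Force

$new = Set-SshdGlobalDirective -Lines (Get-Content $ConfigPath) -Settings @{
    PubkeyAuthentication   = 'yes'
    PasswordAuthentication = 'no'
}
Set-Content -Path $ConfigPath -Value $new -Encoding ascii

# sshd -t parses the configuration and exits non-zero if it is invalid.
& $SshdExe -t -f $ConfigPath
if ($LASTEXITCODE -eq 0) {
    Restart-Service -Name sshd -Force
} else {
    Copy-Item -Path $backup -Destination $ConfigPath -Force
    Write-Error 'sshd -t rejected the new sshd_config; the backup was restored.'
}
```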
Connect to Windows via SSH
Now you can connect to a Windows computer using any SSH client. To connect from Linux, use the command:
ssh -p 22 admin@192.168.1.90
- admin is a local Windows user that you want to connect as. This account must be a member of the built-in Administrators group.
- 192.168.1.90 is an IP address or FQDN of the remote Windows host.
After that, a Windows command prompt window will open in the SSH session.
You can use the popular PuTTY client to connect to a Windows computer via SSH:
- Download and run putty.exe;
- Enter the hostname or IP address of the remote Windows host you want to connect over SSH;
- Select the Connection type: SSH and make sure port 22 is specified;
- Click Open;
- The first time you connect to a Windows host via SSH, a Security Alert will appear asking you to confirm that you want to add the ssh-ed25519 key fingerprint of the remote machine to your local cache. If you trust this host, click the Accept button. This will add that server to the list of known SSH hosts;
Note. The OpenSSH server fingerprint is stored in the file C:\ProgramData\ssh\ssh_host_ecdsa_key.pub. You can view the current ECDSA key fingerprint on a Windows host with the command: ssh-keygen -lf C:\ProgramData\ssh\ssh_host_ed25519_key.pub
- A PuTTY window will appear. Here you need to specify the Windows username and password that you want to use to connect;
- Once you have logged in, the command prompt of the remote Windows host will be opened;
- You can now interactively run commands on the remote host.
You can also use the built-in Windows SSH client to connect to another Windows host. Install the ssh.exe client on Windows using the command:
Add-WindowsCapability -Online -Name OpenSSH.Client*
Now you can connect to a remote SSH host directly from the Windows command prompt. Use the following command:
ssh root@192.168.13.202
The first time you connect, you will also need to add the fingerprint of the SSH server’s ECDSA key to the list of known hosts. To do this, type “yes” > “enter”.
Enter the user’s password. The command line C:\Windows\system32\conhost.exe should appear.
You can now use the OpenSSH.Client tools (scp.exe, sftp.exe) to copy a file between hosts using the SSH protocol. The following command will copy the local test1.log file to a remote Windows SSH host:
scp.exe D:\PS\test1.log root@192.168.13.202:c:\temp
If you prefer to use Windows Terminal, you can add the required SSH host profiles to it for quick connection:
- Run Windows Terminal and go to its Settings;
- Click the Add a new profile button in the Profiles section;
- Specify that you want to create a duplicate of Windows PowerShell profile;
- Specify a profile name (“SSH Windows 10 DEVPC” in this example);
- In the Command line parameter, specify the connection string to your SSH host. For example: %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe ssh root@192.168.13.202
- Save the profile;
- Now in the Windows Terminal menu you will have a separate option for a quick SSH connection to a Windows host.
Hint. You can change the default SSH shell on Windows from cmd.exe to PowerShell CLI. To do this, run the following on the host running the OpenSSH server:
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
From here, when connecting to Windows via SSH, you will immediately see PowerShell prompt instead of cmd.exe.
If you want to use key-based ssh authentication instead of password authentication, you need to generate a key using ssh-keygen on your client. In such a case, the contents of the id_rsa.pub file must be copied to the c:\users\admin\.ssh\authorized_keys file in Windows 10.
After that, you can connect from your Linux client to Windows 10 without a password. Use the command:
ssh -l admin 192.168.1.90
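One way to install the client's public key on the server, as an added example that is not part of the original article. The stock Windows sshd_config contains a Match Group administrators block that points AuthorizedKeysFile at %programdata%\ssh\administrators_authorized_keys, so for members of the Administrators group the key goes there rather than into the user profile. The function name Add-SshAuthorizedKey and the C:\Users\<name> profile location are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Run on the Windows SSH server.
function Add-SshAuthorizedKey {
    param(
        [Parameter(Mandatory)][string]$UserName,   # local account, e.g. 'admin'
        [Parameter(Mandatory)][string]$PublicKey   # one line from the client's *.pub file
    )
    $PublicKey = $PublicKey.Trim()
    # Accept exactly one well-formed public key line (never a private key file).
    if ($PublicKey -notmatch '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( \S.*)?$') {
        throw 'Input is not a single-line OpenSSH public key.'
    }

    # Local Administrators by well-known SID (the group name is localized).
    # Only direct members are checked; nested domain groups are not expanded.
    $isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.Name -like "*\$UserName" })

    if ($isAdmin) {
        # Stock sshd_config redirects administrators to this shared file.
        $file = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
    } else {
        # Assumption: the profile is under C:\Users\<name>, as in the article.
        $dir = Join-Path $env:SystemDrive "Users\$UserName\.ssh"
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        $file = Join-Path $dir 'authorized_keys'
    }

    # Append the key only if it is not already present.
    $existing = if (Test-Path $file) { @(Get-Content $file) } else { @() }
    if ($existing -notcontains $PublicKey) {
        Add-Content -Path $file -Value $PublicKey -Encoding ascii
    }

    if ($isAdmin) {
        # Restrict the shared file to Administrators and SYSTEM only.
        icacls.exe $file /inheritance:r /grant '*S-1-5-32-544:F' /grant '*S-1-5-18:F' | Out-Null
    }
    return $file
}

# Usage (the .pub file name is a placeholder for your own key):
# Add-SshAuthorizedKey -UserName 'admin' -PublicKey (Get-Content .\id_ed25519.pub -Raw)
```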
In previous versions of OpenSSH on Windows, all of the sshd service logs were written to the text file C:\ProgramData\ssh\logs\sshd.log by default.
On Windows 11, SSH logs can be viewed using the Event Viewer console (eventvwr.msc). All SSH events are available in a separate section Application and Services Logs > OpenSSH > Operational.
For example, an event logged for a successful SSH connection to the computer shows the ssh client’s IP address (hostname) and the username used to connect:
Sshd: Accepted password for jbrown from 192.168.14.14. port 49833 ssh2
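To review these events in bulk rather than one at a time in Event Viewer, the following added example (not part of the original article) parses sshd authentication messages into objects and counts results per source address. The function name ConvertFrom-SshdAuthMessage is hypothetical and the sample messages are constructed in the format shown above.

```powershell
# Added example, not from the original article.
function ConvertFrom-SshdAuthMessage {
    param([Parameter(ValueFromPipeline)][string]$Message)
    process {
        # "Accepted|Failed <method> for [invalid user ]<user> from <address> port <n>"
        $rx = '(?<Result>Accepted|Failed) (?<Method>\S+) for (?:invalid user )?' +
              '(?<User>\S+) from (?<Source>[0-9A-Fa-f:.]+?)\.? port (?<Port>\d+)'
        if ($Message -match $rx) {
            [pscustomobject]@{
                Result = $Matches.Result
                Method = $Matches.Method
                User   = $Matches.User
                Source = $Matches.Source
                Port   = [int]$Matches.Port
            }
        }
    }
}

# Constructed sample messages (not real log data).
$sample = @(
    'sshd: Accepted password for jbrown from 192.168.14.14 port 49833 ssh2',
    'sshd: Failed password for jbrown from 192.168.14.50 port 50110 ssh2',
    'sshd: Failed password for invalid user test from 192.168.14.50 port 50112 ssh2',
    'sshd: Failed password for invalid user oracle from 192.168.14.50 port 50115 ssh2',
    'sshd: Accepted publickey for admin from 192.168.1.20 port 51200 ssh2'
)

# Count accepted and failed logons per source address, noisiest first.
$sample | ConvertFrom-SshdAuthMessage |
    Group-Object Source, Result |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# On a live host, read the same messages from the event log instead:
# Get-WinEvent -LogName 'OpenSSH/Operational' -MaxEvents 500 |
#     ForEach-Object Message | ConvertFrom-SshdAuthMessage
```

Repeated Failed entries from one source, especially with "invalid user", are the pattern to alert on; Accepted password entries stand out once password authentication is supposed to be disabled.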
1 comment
Thank you! Saved a life with this line…
“You can configure various OpenSSH server settings in Windows using the %programdata%\ssh\sshd_config configuration file.”
Somebody had set the servers up so that I always had to add my password