title | description | ms.date | ms.topic | ms.author | author | ms.custom | zone_pivot_groups |
---|---|---|---|---|---|---|---|
Get started with OpenSSH for Windows |
Learn how to install and connect to remote machines using the OpenSSH Client and Server for Windows. |
08/16/2024 |
quickstart |
roharwoo |
robinharwood |
se-defect-target |
openssh-windows-version |
OpenSSH is a connectivity tool for remote sign-in that uses the SSH protocol. It encrypts all traffic between client and server to eliminate eavesdropping, connection hijacking, and other attacks.
An OpenSSH-compatible client can be used to connect to Windows Server and Windows client devices.
Important
If you downloaded the OpenSSH beta from the GitHub repo at PowerShell/Win32-OpenSSH, follow the instructions listed there, not the ones in this article. Some information in the Win32-OpenSSH repository relates to prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided there.
Before you start, your computer must meet the following requirements:
-
A device running at least Windows Server 2019 or Windows 10 (build 1809).
-
PowerShell 5.1 or later.
-
An account that is a member of the built-in Administrators group.
To validate your environment, open an elevated PowerShell session and do the following:
-
Enter winver.exe and press enter to see the version details for your Windows device.
-
Run
$PSVersionTable.PSVersion
. Verify your major version is at least 5, and your minor version at least 1. Learn more about installing PowerShell on Windows. -
Run the following command. The output shows
True
when you're a member of the built-in Administrators group.(New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
:::zone pivot="windows-server-2025"
Starting with Windows Server 2025, OpenSSH is now installed by default. You can also enable or disable the sshd
service in Server Manager.
To enable SSHD using Server Manager:
-
In Server Manager, on the navigation pane to the left, select Local Server.
-
In the Properties window, locate Remote SSH Access.
-
Select Disabled to enable the OpenSSH service.
Note
If you need to allow or restrict specific users or groups from using OpenSSH for remote access, add them to the OpenSSH Users user group.
To enable SSHD using PowerShell:
-
Open PowerShell as an administrator and run the following cmdlet to start the SSHD service:
# Start the sshd service Start-Service sshd
-
You can also run the following optional but recommended cmdlet to automatically start SSHD to make sure it stays enabled:
Set-Service -Name sshd -StartupType 'Automatic'
-
Finally, run the following command to verify that the SSHD setup process automatically configured the firewall rule:
if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) { Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..." New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 } else { Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists." }
:::zone-end
::: zone pivot="windows-server-2022,windows-server-2019"
To install the OpenSSH components on Windows 10 devices:
-
Open Settings, select System, then select Optional Features.
-
Scan the list to see if the OpenSSH is already installed. If not, at the top of the page, select Add a feature, then:
-
Find OpenSSH Client, then select Install
-
Find OpenSSH Server, then select Install
-
-
Open the Services desktop app. (Select Start, type services.msc in the search box, and then select the Service app or press ENTER.)
-
In the details pane, double-click OpenSSH SSH Server.
-
On the General tab, from the Startup type drop-down menu, select Automatic and then select Ok.
-
To start the service, select Start.
To install the OpenSSH components on Windows 11 devices:
-
Open Settings, select System, then select Optional Features.
-
Scan the list to see if the OpenSSH is already installed. If not, at the top of the page, select View Features, then:
-
Search for OpenSSH Client, select Next, then select Install
-
Search for OpenSSH Server, select Next, then select Install
-
-
Open the Services desktop app. (Select Start, type services.msc in the search box, and then select the Service app or press ENTER.)
-
In the details pane, double-click OpenSSH SSH Server.
-
On the General tab, from the Startup type drop-down menu, select Automatic and then select Ok.
-
To start the service, select Start.
To install the OpenSSH components on Windows Server devices:
-
Open Settings, select System, then select Optional Features (also referred to as Manage optional features).
-
Scan the list to see if the OpenSSH is already installed. If not, at the top of the page, select Add a feature, then:
-
Search for OpenSSH Client, then select Install
-
Search for OpenSSH Server, then select Install
-
-
Open the Services desktop app. (Select Start, type services.msc in the search box, and then select the Service app or press ENTER.)
-
In the details pane, double-click OpenSSH SSH Server.
-
On the General tab, from the Startup type drop-down menu, select Automatic and then select Ok.
-
To start the service, select Start.
Note
Installing OpenSSH Server will create and enable a firewall rule named OpenSSH-Server-In-TCP
. This allows inbound SSH traffic on port 22. If this rule is not enabled and this port is not open, connections will be refused or reset.
To install OpenSSH using PowerShell:
-
Run PowerShell as an Administrator.
-
Run the following cmdlet to make sure that OpenSSH is available:
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'
The command should return the following output if neither are already installed:
Name : OpenSSH.Client~~~~0.0.1.0 State : NotPresent Name : OpenSSH.Server~~~~0.0.1.0 State : NotPresent
-
After that, run the following cmdlets to install the server or client components as needed:
# Install the OpenSSH Client Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0 # Install the OpenSSH Server Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Both commands should return the following output:
Path : Online : True RestartNeeded : False
-
To start and configure OpenSSH Server for initial use, open an elevated PowerShell prompt (right-click, then select Run as an administrator), then run the following commands to start the
sshd service
:# Start the sshd service Start-Service sshd # OPTIONAL but recommended: Set-Service -Name sshd -StartupType 'Automatic' # Confirm the Firewall rule is configured. It should be created automatically by setup. Run the following to verify if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) { Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..." New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 } else { Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists." }
::: zone-end
Once installed, you can connect to OpenSSH Server from a Windows or Windows Server device with the OpenSSH client installed. From a PowerShell prompt, run the following command.
ssh domain\username@servername
Once connected, you get a message similar to the following output.
The authenticity of host 'servername (10.00.00.001)' can't be established.
ECDSA key fingerprint is SHA256:(<a large string>).
Are you sure you want to continue connecting (yes/no)?
Entering yes adds that server to the list of known SSH hosts on your Windows client.
At this point, the service prompts you for your password. As a security precaution, the characters of your password aren't displayed as you enter them.
Once connected, you should see the following Windows command shell prompt:
domain\username@SERVERNAME C:\Users\username>
To uninstall OpenSSH using Windows Settings:
-
Open Settings, select System, then select Optional Features (also referred to as Manage optional features).
-
In the list, select OpenSSH Client or OpenSSH Server.
-
Select Uninstall.
To uninstall the OpenSSH components using PowerShell, use the following commands:
# Uninstall the OpenSSH Client
Remove-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
# Uninstall the OpenSSH Server
Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
If the service was in use when you uninstalled it, you should restart Windows.
Now that you're done installing OpenSSH Server for Windows, here are some articles that can help you learn how to use it:
-
Learn more about using key pairs for authentication in OpenSSH key management
-
Learn more about the OpenSSH Server configuration for Windows