SSH Server on Windows

I recently set up a new Windows build machine on an Intranet and found myself wishing I had remote access to it (via SSH for instance). I did briefly look into PowerShell remoting, but I like using SSH. Microsoft had plans to add an SSH server into Windows, and it turns out the project is progressing more smoothly than I thought. I however ran into some snags along the way and thought I'd record my steps here in case I need to replicate them one day (very likely).

First, in an admin PowerShell session, install Chocolatey and then Win32 OpenSSH:

PS> Get-PackageProvider chocolatey
PS> Install-Package openssh

OpenSSH got installed in `C:\Program Files\OpenSSH-Win64` in my case. For good measure I added that directory to my PATH environment variable. Next, `cd` into that directory and set up `sshd`. Most of the next steps follow the instructions on the project's wiki.

PS> powershell -ExecutionPolicy Bypass -File install-sshd.ps1
PS> .\ssh-keygen.exe -A
PS> .\FixHostFilePermissions.ps1 -Confirm:$false
PS> Start-Service ssh-agent
PS> psexec.exe -i -s cmd.exe
PS> ssh-add ssh_host_dsa_key
PS> ssh-add ssh_host_rsa_key
PS> ssh-add ssh_host_ecdsa_key
PS> ssh-add ssh_host_ed25519_key
PS> New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName SSH

The psexec tool can be found here.

Next, we want to disable password authentication.

PS> notepad .\sshd_config

Edit the following lines:

PasswordAuthentication no
PubkeyAuthentication yes
Subsystem	powershell	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

The last line is supposed to enable the PowerShell subsystem for PowerShell remoting.

Now we want to add the client's public key to authorized_keys. Create the %USERPROFILE%\.ssh\authorized_keys file and copy the public key into it. Then we need to set the permissions on that file, or sshd will reject it. Permission inheritance should be disabled for .ssh and the files it contains.

PS> icacls "$env:USERPROFILE\.ssh\authorized_keys" /grant "NT SERVICE\sshd:(R)"
PS> icacls "$env:USERPROFILE\.ssh\authorized_keys" /grant "USERNAME:(F)"

Lastly, start sshd and enable automatic startup.

PS> Start-Service sshd
PS> Set-Service sshd -StartupType Automatic
PS> Set-Service ssh-agent -StartupType Automatic
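Since the authorized_keys permissions and the sshd_config edits are the two places where this setup silently fails, here is the whole tail end of the procedure as one script that also checks its own work. This is an added example, not code from the original post or from the Win32-OpenSSH project. It assumes the install directory from the post (C:\Program Files\OpenSSH-Win64, with sshd_config in it), that sshd runs as NT SERVICE\sshd (the principal the post grants), that the script runs in an elevated PowerShell session, and the parameter names ($OpenSshDir, $SshDir, $PublicKey) are my own.

```powershell
# Added example (not from the original post): create and lock down authorized_keys
# for Win32 OpenSSH, then verify the ACL, sshd_config and the service state.
# Assumptions: paths as in the post, sshd runs as "NT SERVICE\sshd", elevated session.
param(
    [string]$OpenSshDir = 'C:\Program Files\OpenSSH-Win64',
    [string]$SshDir     = (Join-Path $env:USERPROFILE '.ssh'),
    [string]$PublicKey  = ''   # optional: one OpenSSH public-key line to append
)

$ErrorActionPreference = 'Stop'
$authKeys = Join-Path $SshDir 'authorized_keys'
$user     = "$env:USERDOMAIN\$env:USERNAME"   # the account that will log in over SSH

# --- 1. authorized_keys: create it and optionally append a key -----------------
if (-not (Test-Path $SshDir))   { New-Item -ItemType Directory -Path $SshDir   | Out-Null }
if (-not (Test-Path $authKeys)) { New-Item -ItemType File      -Path $authKeys | Out-Null }
if ($PublicKey) {
    # Accept only something shaped like a public key line; a pasted private key
    # would otherwise end up readable by the sshd service account.
    if ($PublicKey -notmatch '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+) ') {
        throw "Not an OpenSSH public key line: $PublicKey"
    }
    Add-Content -Path $authKeys -Value $PublicKey
}

# --- 2. Permissions: strip inherited ACEs, then grant only sshd (read) and the user
# /inheritance:r removes every inherited ACE, which is the "disable inheritance"
# step the post describes; the explicit grants mirror the post's two icacls lines.
& icacls.exe $SshDir   /inheritance:r /grant "NT SERVICE\sshd:(OI)(CI)(R)" /grant "${user}:(OI)(CI)(F)" | Out-Null
& icacls.exe $authKeys /inheritance:r /grant "NT SERVICE\sshd:(R)"         /grant "${user}:(F)"         | Out-Null

# --- 3. Verify: fail if any other principal still has access to the key file ---
$allowed = @('NT SERVICE\sshd', $user)     # -notcontains is case-insensitive
$extra = (Get-Acl $authKeys).Access |
    Where-Object { $allowed -notcontains $_.IdentityReference.Value }
if ($extra) {
    $extra | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    throw "authorized_keys still grants access to unexpected principals"
}

# --- 4. sshd_config: confirm the two settings the post edits ------------------
# sshd uses the first uncommented occurrence of a keyword, so take the first match.
$config   = Join-Path $OpenSshDir 'sshd_config'
$expected = @{ PasswordAuthentication = 'no'; PubkeyAuthentication = 'yes' }
foreach ($key in $expected.Keys) {
    $line  = Select-String -Path $config -Pattern "^\s*$key\s+(\S+)" | Select-Object -First 1
    $value = if ($line) { $line.Matches[0].Groups[1].Value } else { '(unset)' }
    if ($value -ne $expected[$key]) {
        Write-Warning "$key is '$value', expected '$($expected[$key])'"
    } else {
        Write-Host "$key = $value"
    }
}

# --- 5. Services and port: is something actually listening on 22? ------------
Get-Service sshd, ssh-agent | Format-Table Name, Status, StartType -AutoSize
$tnc = Test-NetConnection -ComputerName localhost -Port 22 -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) {
    Write-Warning 'Nothing is listening on TCP 22; check Get-Service sshd and the firewall rule.'
}
```

Run it once with `-PublicKey 'ssh-ed25519 AAAA... user@client'` to append the client key, and again with no arguments after any later change to re-check the ACL and config. The ACL check in step 3 is the part worth keeping around: if a later tool re-enables inheritance on the profile directory, sshd will start refusing the key without any obvious error on the client side, and this makes that visible.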