Configuring OpenSSH on Windows


How to:

OpenSSH is a set of applications providing encrypted communication sessions over a computer network using the SSH protocol.

Procedure: How to Install the OpenSSH Server on Windows

  1. Install the typical version of the server, which can be downloaded from the following website:
  2. Run the installer by selecting the default settings.

    Note: No configuration is required during the installation.

    The OpenSSH Server is installed under the following directory by default:

    C:\Program Files\OpenSSH

Procedure: How to Configure an OpenSSH Server on Windows

  1. Open a command prompt and navigate to the directory where OpenSSH Server is installed. For example:
    C:\Program Files\OpenSSH
  2. Use the CD command navigate to the \bin subdirectory.
  3. Use the mkgroup command to create a group permissions file.

    For local groups, use the -l switch. For domain groups, use the -d switch.

    For both domain and local, it is best to run the command twice (remember to use >>, not >). If you use both, make sure to edit the file to remove any duplicate entries.

    mkgroup -l >> ..\etc\group      (local groups)
    mkgroup -d >> ..\etc\group      (domain groups)
  4. Use the mkpasswd command to add authorized users into the passwd file.

    For local users, use the -l switch. For domain users, use the -d switch.

    For both domain and local, it is best to run the command twice (remember to use >>, not >). If you use both, make sure to edit the file to remove any duplicate entries.

    mkpasswd -l [-u <username>] >> ..\etc\passwd      (local users)
    mkpasswd -d [-u <username>] >> ..\etc\passwd      (domain users)
    • To add users from a domain that is not the primary domain of the machine, add the domain name after the user name.
    • Omitting the username switch adds ALL users from the machine or domain, including service accounts and the Guest account.
  5. Enter the following command to start the OpenSSH server:
    net start opensshd
  6. Test the OpenSSH server.

    Using a separate machine as the client is recommended. If you connect, but the connection is immediately dropped, then reboot the machine with the server and try to reconnect.

    Note: The primary rule in using this utility is to only allow trusted users to have login permissions. The cygwin port of OpenSSH uses the full OpenSSH source code and the security of the program is not diluted.

Procedure: How to Setup an SSH Login Without a Password Using a Private Key

  1. Connect to your SSH server (for example, edasol29), using your configured credentials.
  2. Create an .ssh folder, under the default login directory. For example:


    Check permissions on your ~/.ssh folder and make sure to enter the following command if they are wrong:

    chmod 700 .ssh
  3. Generate the keys on the SSH server using the following command:
    ssh-keygen -t dsa


    ssh-keygen -t rsa
  4. Accept the file names provided and enter a passphrase, if necessary.
  5. Create an empty file authorized_keys under the .ssh folder and add public keys. For example:
    mv authorized_keys

    The id_dsa private key generated can be used to login without the password to the OpenSSH server.

  6. Copy the private key (id_dsa) to your local Windows machine. You can use Winscp or SFTP.
  7. Launch puttygen.exe. Under actions, select load and load the id_dsa file.
  8. Enter the passphrase you set when you generated the key on the server. Puttygen will now convert the key to a format (.ppk), which is used for SFTP connections by most tools, such as putty, Winscp, and so on.
  9. Save the file as
  10. Change your putty settings under connection, SSH, auth to use privatekey.ppk.
  11. Try to connect. Enter the passphrase if you have one.

The /home Directory

In the passwd file, you will notice that the home directory of the user is set as /home/username, with username being the name of the account. In the default install, the /home directory is set to the default profile directory for all users. This is usually C:\Documents and Settings on Windows 2000 and XP, and C:\WINNT\Profiles on Windows NT 4.0. The location of /home can be edited to fit your special requirements by editing a registry key.

To change the Windows directory /home corresponds to, you will need to edit a registry entry under HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/home. The value of the key named native is the directory that /home is. If you want all your users to enter in a directory on your machine called F:\Users, change native to read F:\Users. By default, each user will then be placed in the directory F:\Users\username, where username is the name of the user account. To place the user directly under F:\Users, change the home directory password to /home.


The OpenSSH server listens for traffic on TCP port 22 by default. If your firewall setup does not allow connections on this port, it can be changed by editing the etc/sshd_config file.

Note: For additional troubleshooting and OpenSSH advanced configuration, refer to the readme.txt file, under C:\Program files\OpenSSH\docs.