Windows - OpenSSH Server
Note that absolutely none of this is authoritative or directly based on relevant documentation. It is mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything, not even spelling or the weather. Read and follow at your own peril! Bring an umbrella. Don’t let anyone see you with the umbrella in front of a computer screen!
First, if you don’t know what ssh is, go and read this book: SSH Mastery. It’s the seminal book on ssh as far as I can tell.
Second, if you do know what ssh is, go and read the book anyway, if you haven’t yet.
Return here for Windows-specific uses of ssh.
You are back? Good. Let’s begin.
You will likely find the sshd service already installed on modern versions of Windows Server. To enable it, start it, and have it start automatically at boot, do this:
```
PS C:\> Get-Service sshd

Status   Name               DisplayName
------   ----               -----------
Stopped  sshd               OpenSSH SSH Server

PS C:\> Set-Service sshd -StartupType Automatic
PS C:\> sc.exe qc sshd
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: sshd
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\OpenSSH\sshd.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OpenSSH SSH Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

PS C:\> Start-Service sshd
PS C:\> Get-Service sshd

Status   Name               DisplayName
------   ----               -----------
Running  sshd               OpenSSH SSH Server

PS C:\>
```

The sshd service runs as LocalSystem and, as an actual system service, is supposed to run as LocalSystem.
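The same steps as a script you can re-run safely and that checks its own result. This is an added example, not from the original post; it assumes a Windows Server build that ships the OpenSSH.Server capability, an elevated PowerShell 5.1 or later, the default port 22, and the firewall rule name `OpenSSH-Server-In-TCP` that the capability normally creates (verify the name on your build).

```powershell
# Added example (not from the original post): enable sshd idempotently and verify.
# Assumes an elevated PowerShell on a build that offers the OpenSSH.Server capability.

# 1. Make sure the server component is present; add it if it is merely available.
$cap = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
if (-not $cap) {
    throw 'OpenSSH.Server capability not found on this Windows build.'
}
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $cap.Name | Out-Null
}

# 2. Start at boot, and start now (Start-Service is a no-op if already running).
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# 3. Verify: running, automatic, LocalSystem, listening on TCP 22, firewall open.
$svc      = Get-CimInstance -ClassName Win32_Service -Filter "Name='sshd'"
$listener = Get-NetTCPConnection -State Listen -LocalPort 22 -ErrorAction SilentlyContinue |
            Select-Object -First 1
# Assumption: rule name used by the OpenSSH.Server capability; adjust if yours differs.
$fwRule   = Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue

[pscustomobject]@{
    State           = $svc.State        # expected: Running
    StartMode       = $svc.StartMode    # expected: Auto
    RunsAs          = $svc.StartName    # expected: LocalSystem (see the note above)
    ListeningOn22   = [bool]$listener
    ListenerProcess = if ($listener) { (Get-Process -Id $listener.OwningProcess).ProcessName }
    FirewallRule    = if ($fwRule) { $fwRule.Enabled } else { 'not found' }
}
```

If `RunsAs` is anything other than `LocalSystem`, someone has changed the service account, which is worth investigating before trusting the host's key-based administrator logons.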
The sshd service is configured in C:\ProgramData\ssh (where Windows emulates the Unix-style /etc directory):
```
PS C:\> cd .\ProgramData\ssh\
PS C:\ProgramData\ssh> dir

    Directory: C:\ProgramData\ssh

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         4/12/2026   3:52 PM                logs
-a----         4/12/2026   3:52 PM              6 sshd.pid
-a----         3/31/2024   6:08 PM           2343 sshd_config
-a----         4/12/2026   3:52 PM            513 ssh_host_ecdsa_key
-a----         4/12/2026   3:52 PM            180 ssh_host_ecdsa_key.pub
-a----         4/12/2026   3:52 PM            411 ssh_host_ed25519_key
-a----         4/12/2026   3:52 PM            100 ssh_host_ed25519_key.pub
-a----         4/12/2026   3:52 PM           2602 ssh_host_rsa_key
-a----         4/12/2026   3:52 PM            572 ssh_host_rsa_key.pub

PS C:\ProgramData\ssh>
```

In the file sshd_config you will find everything you need, with two Windows-specific elements.
```
AllowGroups administrators "openssh users"

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
```

There is a group OpenSSH Users to which you must add all users that should be allowed to access the computer via ssh. The Administrators group is also allowed.
There is also one common authorised keys file for all members of the Administrators group, C:\ProgramData\ssh\administrators_authorized_keys, which is used for any ssh logon with a user that is in the Administrators group. Personally, I like commenting this out. Keeping the single file is arguably the better practice, though, since it makes it easy to keep track of which administrators can log in without a password.
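Whichever choice you make, the two groups and the shared key file together define who can get in over ssh, so it pays to audit them. The script below is an added example, not from the original post. It assumes the default paths shown above and one fact about the Windows port worth knowing: sshd ignores administrators_authorized_keys unless its ACL is restricted to Administrators and SYSTEM, so a loosened ACL shows up as "my key stopped working" rather than as an error.

```powershell
# Added example (not from the original post): audit who can log in over ssh.
# Assumes the default C:\ProgramData\ssh layout and PowerShell 5.1 or later.

$sshRoot   = 'C:\ProgramData\ssh'
$adminKeys = Join-Path $sshRoot 'administrators_authorized_keys'
$cfg       = Join-Path $sshRoot 'sshd_config'

# 1. Members of the two groups named in AllowGroups.
foreach ($group in 'OpenSSH Users', 'Administrators') {
    "--- $group ---"
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource
}

# 2. Is the shared administrators key file active or commented out in sshd_config?
'--- sshd_config ---'
Select-String -Path $cfg -Pattern 'administrators_authorized_keys' -SimpleMatch | ForEach-Object {
    $active = -not $_.Line.TrimStart().StartsWith('#')
    '{0,5}: {1}  (active: {2})' -f $_.LineNumber, $_.Line.Trim(), $active
}

# 3. Which keys grant password-less administrator access?
if (Test-Path $adminKeys) {
    '--- administrators_authorized_keys ---'
    Get-Content $adminKeys |
        Where-Object { $_ -match '\S' -and -not $_.TrimStart().StartsWith('#') } |
        ForEach-Object {
            # authorized_keys line: [options] keytype base64 [comment]
            # Options may precede the key type, so locate the key-type token.
            # (Options containing quoted spaces are not handled by this simple split.)
            $tokens = $_ -split '\s+'
            $i = 0
            while ($i -lt $tokens.Count -and $tokens[$i] -notmatch '^(ssh-|ecdsa-|sk-)') { $i++ }
            if ($i -ge $tokens.Count) { return }   # not a key line we understand
            [pscustomobject]@{
                Options = if ($i -gt 0) { $tokens[0..($i - 1)] -join ' ' } else { '' }
                KeyType = $tokens[$i]
                Comment = if ($tokens.Count -gt $i + 2) { $tokens[($i + 2)..($tokens.Count - 1)] -join ' ' } else { '' }
            }
        }

    # 4. ACL check: only BUILTIN\Administrators and NT AUTHORITY\SYSTEM should appear.
    $allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    $extra   = (Get-Acl $adminKeys).Access |
               Where-Object { $allowed -notcontains $_.IdentityReference.Value }
    if ($extra) {
        $names = ($extra | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', '
        "WARNING: unexpected principals on ${adminKeys}: $names (sshd will ignore the file)"
        # Documented repair:
        #   icacls.exe $adminKeys /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"
    } else {
        "ACL on $adminKeys is restricted to Administrators and SYSTEM."
    }
} else {
    "$adminKeys does not exist; administrators fall back to their own authorized_keys unless the Match block is active."
}
```

Run it from an elevated PowerShell; the group listing and the ACL read both need administrator rights. The key-file parser reports only the key type, options and comment, never the key material, so its output is safe to paste into a ticket.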
Now, let’s have a look at an ssh session.
```
Microsoft Windows [Version 10.0.26100.32522]
(c) Microsoft Corporation. All rights reserved.

benoit@CHAMPIGNAC C:\Users\benoit>whoami/groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\OpenSSH Users                  Alias            S-1-5-32-585 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                   Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192

benoit@CHAMPIGNAC C:\Users\benoit>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\benoit> Get-Process -Id $PID

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    640      31    55936      73720       0.33   3628   0 powershell

PS C:\Users\benoit>
```

Note the following oddities:
- The standard shell for an ssh session is cmd. I recommend not even trying to change it to PowerShell.
- The logon type is network, not interactive (as seen in the membership of the associated well-known group NT AUTHORITY\NETWORK).
- The process runs in session 0, the services session
Compared to PowerShell remoting, ssh is more powerful. It allows for the actual use of the computer and running interactive programs, albeit obviously not GUI programs (there being no obvious GUI to use).
In fact, since I like tables, here is a table:
| “Session type” | Well-known group membership | Required privilege | Possible programs |
| --- | --- | --- | --- |
| Console | INTERACTIVE | SeInteractiveLogonRight (likely granted by Users group) | Any (filters, interactive and GUI) |
| Remote Desktop | INTERACTIVE and REMOTE INTERACTIVE LOGON | SeRemoteInteractiveLogonRight (from Remote Desktop Users group) | Essentially any |
| Secondary Logon (via runas.exe) | INTERACTIVE | SeInteractiveLogonRight (for some reason) | Same as Console or Remote Desktop |
| PowerShell remoting | NETWORK | Remote Management Users membership (for microsoft.powershell configuration) | filters only |
| ssh | NETWORK | OpenSSH Users (per configuration file) | filters and interactive programs |
“Filters” are programs that take input from their command line and standard input and provide output to standard output. They cannot otherwise stop and ask the user for input. Examples are cmd.exe with the “/c” parameter, all PowerShell cmdlets, and programs like compilers.
“Interactive” programs are programs that interact with the user (ask him questions, react to key presses etc.). Examples are edit.exe, diskpart.exe, vim.exe, and cmd.exe with no parameter or the “/k” parameter. Some of those programs can receive mouse input (edit.exe).
GUI programs are programs that use their own custom windows (i.e. do not just display everything in a terminal window). Examples are notepad.exe and explorer.exe. These do not work in ssh (or rather they start and disappear into nothingness somewhere in session 0.)
So you might say that the session types form a hierarchy.
- From a console logon you can do everything you can do in RDP, ssh, and PowerShell remoting; and you can also ssh and PowerShell remote into the local machine (although with PowerShell and local users this can be difficult).
- From an RDP logon you can do everything you can do in ssh and PowerShell remoting as well.
- In an ssh session you can do everything you can do in a PowerShell remoting session too.
- In a PowerShell remoting session you are limited to filters, i.e. PowerShell cmdlets and very simple non-interactive external programs.
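The table and hierarchy above can be checked from inside any session: the well-known group SIDs in the token tell you which row you are on, and the Windows session id confirms the session-0 point. The function below is an added example, not from the original post. The SIDs (INTERACTIVE S-1-5-4, REMOTE INTERACTIVE LOGON S-1-5-14, NETWORK S-1-5-2, OpenSSH Users S-1-5-32-585) are standard well-known values; telling ssh apart from PowerShell remoting, which are both NETWORK logons, relies on two assumptions I make here: that sshd exports the `SSH_CONNECTION` environment variable into the shell, and that `$PSSenderInfo` is only defined under PowerShell remoting.

```powershell
# Added example (not from the original post): classify the current session using the
# well-known group SIDs from the table. Assumes Windows PowerShell 5.1 or later.
function Get-SessionKind {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids     = $identity.Groups | ForEach-Object { $_.Value }

    $isInteractive = $sids -contains 'S-1-5-4'       # NT AUTHORITY\INTERACTIVE
    $isRemoteInter = $sids -contains 'S-1-5-14'      # NT AUTHORITY\REMOTE INTERACTIVE LOGON
    $isNetwork     = $sids -contains 'S-1-5-2'       # NT AUTHORITY\NETWORK
    $isSshUser     = $sids -contains 'S-1-5-32-585'  # BUILTIN\OpenSSH Users
    $sessionId     = (Get-Process -Id $PID).SessionId

    $kind =
        if ($isRemoteInter)                          { 'Remote Desktop' }
        elseif ($isInteractive)                      { 'Console or secondary logon' }
        # Assumption: the Windows OpenSSH server sets SSH_CONNECTION for the session shell.
        elseif ($isNetwork -and $env:SSH_CONNECTION) { 'ssh' }
        # $PSSenderInfo exists only inside a PowerShell remoting session.
        elseif ($isNetwork -and $PSSenderInfo)       { 'PowerShell remoting' }
        elseif ($isNetwork)                          { 'Network logon (unknown transport)' }
        else                                         { 'Unknown' }

    # What the table says you can expect to run from here.
    $programs = switch ($kind) {
        'Remote Desktop'             { 'filters, interactive and GUI' }
        'Console or secondary logon' { 'filters, interactive and GUI' }
        'ssh'                        { 'filters and interactive programs' }
        'PowerShell remoting'        { 'filters only' }
        default                      { 'unknown' }
    }

    [pscustomobject]@{
        User              = $identity.Name
        SessionKind       = $kind
        WindowsSessionId  = $sessionId    # 0 (the services session) for ssh and PowerShell remoting
        InOpenSshUsers    = $isSshUser
        ExpectedPrograms  = $programs
    }
}

Get-SessionKind
```

Run `Get-SessionKind` once from the console, once over RDP, once over ssh and once inside `Enter-PSSession`, and the four rows of the table come out in order; the `WindowsSessionId` column is also the quickest way to see why a GUI program launched over ssh "disappears into nothingness": it is drawing on a desktop in session 0 that no one can see.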
Next: TBD