In this article, we will go over how to install OpenSSH on Windows 2016 and 2019
We will assume you have internet access on your Windows 2016 and/or Windows 2019 server where you’re doing the install. Windows 2019 requires the latest cumulative update in order to run the command to install OpenSSH.
Windows 2016/2019 (Script)
*Disclaimer: Please carefully review and use this script at your own risk
Windows 2016 (Manual)
Step 1: Download and Install OpenSSH
- Connect to your server and download the latest release of OpenSSH.
- Extract the downloaded file to C:\Program Files\OpenSSH-Win64 or another location of your choosing
- To configure the OpenSSH server for initial use on Windows, launch PowerShell as an administrator, then run the following commands:
Modify the Path system environment variable by running the command:
setx PATH "$env:path;C:\Program Files\OpenSSH-Win64" -m
- Output (Successful)
SUCCESS: Specified value was saved.
Next, change to the OpenSSH directory:
cd "C:\Program Files\OpenSSH-Win64"
Then run the install script:
- Output (Successful)
sshd and ssh-agent services successfully installed
Next, enable automatic startup and start
Set-Service sshd -StartupType Automatic Set-Service ssh-agent -StartupType Automatic Start-Service sshd Start-Service ssh-agent
Step 2: Allow Access in Windows Firewall
- Start by opening Control Panel > Windows Firewall
- Select Advanced settings on the left-hand side, then select Inbound Rules > New Rule…
- Under Rule Type, select Custom > Next
- Under Program, select All programs > Next.
- Under Protocols and Ports, enter your desired SSH port. (Default port is 22)
- Under Scope, let the rule apply to Any IP address for remote and local IP addresses, then Next
- Under Action, select Allow the connection > Next
- Under Profile, leave Domain, Private, and Public checked > Next
- Lastly, name the rule and select Finish
Now you can access your Windows server using SSH!
Windows 2019 (Manual)
Step 1: Installing OpenSSH with PowerShell
Note: All of the instructions/commands below were pulled directly from the Microsoft Install Doc for OpenSSH on Windows 2019 (Link in the Additional Information Section below)
To install OpenSSH using PowerShell, first launch PowerShell as an Administrator
To make sure that the OpenSSH features are available for install, run the following command
Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
Name : OpenSSH.Client~~~~0.0.1.0 State : NotPresent Name : OpenSSH.Server~~~~0.0.1.0 State : NotPresent
Install the server and/or client features:
Install the OpenSSH Client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
- Output (Successful)
Path : Online : True RestartNeeded : False
- Output (Failure)
Add-WindowsCapability failed. Error code = 0x800f0954
If you receive the failure above, please try and download the latest Windows Updates and run the install again
Step 2: Initial Configuration of SSH Server
To configure the OpenSSH server for initial use on Windows, launch PowerShell as an administrator, then run the following commands:
Start the SSHD service:
Set the Startup Type for SSHD to Automatic (Optional)
Set-Service -Name sshd -StartupType 'Automatic'
Confirm the Firewall Rule was created
Get-NetFirewallRule -Name *ssh*
There should be a firewall rule named “OpenSSH-Server-In-TCP”, which should be enabled
If the Firewall Rules does NOT exist, create one
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
Step 3: Initial use of SSH
Once you have installed the OpenSSH Server on Windows, you can quickly test it using PowerShell from any Windows device with the SSH Client installed.
In PowerShell type the following command:
The first connection to any server will result in a message similar to the following:
The authenticity of host 'servername (10.00.00.001)' can't be established. ECDSA key fingerprint is SHA256:(<a large string>). Are you sure you want to continue connecting (yes/no)?
The answer must be either “yes” or “no”. Answering Yes will add that server to the local system’s list of known ssh hosts.
You will be prompted for the password at this point. As a security precaution, your password will not be displayed as you type.
Once you connect you will see a command shell prompt similar to the following: