SSH в Windows

Введение

Про использование SSH в Linux вы можете прочитать в статье «ssh in Linux»

Проверить версию

В PowerShell вы можете использовать следующую команду

ssh -V

Установка OpenSSH через Windows Settings

OpenSSH сервер и клиент могут быть установлены через Windows Settings в Windows Server 2019 и Windows 10.

Чтобы выполнить установку обоих компонентов OpenSSH:

Settings → Apps → Apps & Features → Optional Features.

Scan the list to see if the OpenSSH is already installed. If not, at the top of the page, select Add a feature, then: Find OpenSSH Client, then click Install Find OpenSSH Server, then click Install

После завершения установки вернитесь в

Apps → Apps & Features and Optional Features

И вы увидите OpenSSH в списке.

Установка OpenSSH через PowerShell

To install OpenSSH using PowerShell, run PowerShell as an Administrator.

To make sure that OpenSSH is available, run the following cmdlet:

Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

This should return the following output if neither are already installed:

Name : OpenSSH.Client~~~~0.0.1.0 State : NotPresent Name : OpenSSH.Server~~~~0.0.1.0 State : NotPresent

Then, install the server or client components as needed:

# Install the OpenSSH Client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Both of these should return the following output:

Path : Online : True RestartNeeded : False

Start and configure OpenSSH Server

To start and configure OpenSSH Server for initial use, open PowerShell as an administrator, then run the following commands to start the sshd service:

# Start the sshd service Start-Service sshd # OPTIONAL but recommended: Set-Service -Name sshd -StartupType 'Automatic' # Confirm the Firewall rule is configured. It should be created automatically by setup. Run the following to verify if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) { Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..." New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 } else { Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists." }

Connect to OpenSSH Server

Once installed, you can connect to OpenSSH Server from a Windows 10 or Windows Server 2019 device with the OpenSSH client installed using PowerShell as follows. Be sure to run PowerShell as an administrator:

ssh username@servername

Once connected, you get a message similar to the following:

The authenticity of host 'servername (10.00.00.001)' can't be established. ECDSA key fingerprint is SHA256:(<a large string>). Are you sure you want to continue connecting (yes/no)?

Selecting yes adds that server to the list of known SSH hosts on your Windows client.

You are prompted for the password at this point. As a security precaution, your password will not be displayed as you type.

Once connected, you will see the Windows command shell prompt:

domain\username@SERVERNAME C:\Users\username>

OpenSSH configuration files

OpenSSH has configuration files for both server and client settings. OpenSSH is open-source and is added to Windows Server and Windows Client operating systems, starting with Windows Server 2019 and Windows 10 (build 1809). As a result, documentation for OpenSSH configuration files is not repeated here. Client configuration files and can be found on the ssh_config manual page and for OpenSSH Server configuration files can be found on the sshd_config manual page. Further Windows-specific OpenSSH Server configuration is detailed in OpenSSH Server configuration for Windows.

In Windows, the OpenSSH Client (ssh) reads configuration data from a configuration file in the following order:

1. By launching ssh.exe with the -F parameter, specifying a path to a configuration file and an entry name from that file.
2. A user's configuration file at %userprofile%\.ssh\config.
3. The system-wide configuration file at %programdata%\ssh\ssh_config.

Open SSH Server (sshd) reads configuration data from %programdata%\ssh\sshd_config by default, or a different configuration file may be specified by launching sshd.exe with the -f parameter. If the file is absent, sshd generates one with the default configuration when the service is started.

Uninstall OpenSSH using Windows Settings

To uninstall OpenSSH using Windows Settings:

Open Settings, then go to Apps → Apps & Features.
Go to Optional Features.
In the list, select OpenSSH Client or OpenSSH Server.
Select Uninstall.

Uninstall OpenSSH using PowerShell

To uninstall the OpenSSH components using PowerShell, use the following commands:

# Uninstall the OpenSSH Client Remove-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0 # Uninstall the OpenSSH Server Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

You may need to restart Windows afterwards if the service was in use at the time it was uninstalled.

Check certificate with certutil

Certutil -verify -urlfetch cert_filename

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

При попытке подключения к, казалось бы, известному хосту можно получить ошибку

ssh user@host

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: POSSIBLE DNS SPOOFING DETECTED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ The ED25519 host key for host has changed, and the key for the corresponding IP address 12.123.123.123 is unknown. This could either mean that DNS SPOOFING is happening or the IP address for the host and its host key have changed at the same time. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ED25519 key sent by the remote host is SHA256:pEhSoIzdqkEiaBE/pBc4ttgVJtohNCZDcoqNSuNDa94. Please contact your system administrator. Add correct host key in C:\\Users\\Andrei/.ssh/known_hosts to get rid of this message. Offending ED25519 key in C:\\Users\\Andrei/.ssh/known_hosts:8 ED25519 host key for host has changed and you have requested strict checking. Host key verification failed.

Из строки

Offending ED25519 key in C:\\Users\\Andrei/.ssh/known_hosts:8

Можно понять, что проблема вызвана третьей строкой файла /home/user/.ssh/known_hosts

Если вы уверены в надёжности хоста к которому подключаетесь, то можете просто удалить эту строку и подключиться снова

Например из Git Bash

sed -i 8d /c/Users/Andrei/.ssh/known_hosts

sed -i 8d /c/Users/$USERNAME/.ssh/known_hosts