Listed here are Windows-specific details that supplement or override the original sshd configuration manual documented in the OpenBSD manual. If you don't see a configuration entry here, the original man page reference holds true.
In Windows, sshd reads configuration data from %programdata%\ssh\sshd_config (or the file specified with -f on the command line). If this file is absent, sshd will generate one with the default configuration on a service start.
To override the default shell (cmd.exe) used for command invocations, follow the steps here.
AllowGroups, AllowUsers, DenyGroups, DenyUsers
The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
See PATTERNS in ssh_config for more information on patterns.
User and group names are case-insensitive in Windows (unlike in Unix). You should always use lower case when specifying them, irrespective of their original case.
Note the following for domain accounts:
Prior to v7.7.0.0, there was no well-defined way to specify domain principals (users and groups). To account for a domain principal in its various forms, it is recommended to use the following format when configuring user/group based rules: user?domain* (note the ? instead of @, to avoid a conflict with the username@host format, and the trailing *, added to cover FQDNs).
From v7.7.0.0 onwards, workgroup users/groups and internet-connected accounts are strictly resolved to their local account name (no domain part, similar to standard Unix names). Domain users and groups are strictly resolved to the NameSamCompatible format: domain_short_name\user_name. All user/group based configuration rules need to adhere to this format.
- Ex. for domain users and groups
DenyUsers contoso\admin@192.168.2.23 : blocks contoso\admin from 192.168.2.23
DenyUsers contoso\* : blocks all users from the contoso domain
AllowGroups contoso\sshusers : only allow users from the contoso\sshusers group
AllowGroups "contoso\ssh users" : only allow users from the "contoso\ssh users" group
- Ex. for local users and groups
AllowUsers localuser@192.168.2.23
AllowGroups sshusers
Note that user and group names are in lower case.
AuthenticationMethods
Available authentication methods are "password" and "publickey".
AuthorizedKeysFile
The default is ".ssh/authorized_keys .ssh/authorized_keys2". If the path is not absolute, it is taken relative to the user's home directory (or profile image path), e.g. c:\users\user.
From v7.7.2.2 onwards, the following is the default location of AuthorizedKeysFile for all users in the Administrators group:
%programdata%/ssh/administrators_authorized_keys
Compression
Support added in v8.1.0.0
ChrootDirectory
Support added in v7.7.0.0
This directive is only supported with sftp sessions. A remote session into cmd.exe wouldn't honor this. To set up an sftp-only chroot server, set ForceCommand to internal-sftp. You may also set up scp with chroot by implementing a custom shell that would only allow scp and sftp.
ForceCommand
Enforced only on non-PTY sessions. To block PTY access, use the PermitTTY="no" directive. For certificate-based ForceCommand, use the no-pty option.
GSSAPIAuthentication
Support for Kerberos authentication via GSSAPI is added in v7.9.0.0.
HostKey
The defaults are %programdata%/ssh/ssh_host_ecdsa_key, %programdata%/ssh/ssh_host_ed25519_key and %programdata%/ssh/ssh_host_rsa_key. If the defaults are not present, sshd will automatically generate these on a service start.
Match
Note the pattern rules in this section: user and group names should be in lower case.
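As an added example (not part of this page or of the Win32-OpenSSH project), a small Python lint that applies the Windows-specific rules above to an sshd_config: principals in AllowUsers/AllowGroups/DenyUsers/DenyGroups and in Match User/Group criteria must be lower case, the pre-v7.7.0.0 user?domain* form is flagged, and because ChrootDirectory is honored only for sftp sessions, every block that sets it is expected to also set ForceCommand internal-sftp. The sample config, the contoso\... names and the C:\sftp path are constructed for the demonstration.

```python
import re
import shlex

PRINCIPAL_LISTS = {"allowusers", "allowgroups", "denyusers", "denygroups"}


def lint_sshd_config(text):
    """Return [(line_no, message)] for Windows-specific problems in sshd_config text."""
    findings, blocks = [], [{}]  # one dict per block: the global section, then each Match
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # accepts "Key value" and "Key=value"
        key, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        tokens = shlex.split(rest, posix=False)  # non-posix keeps the domain\user backslash
        if key in PRINCIPAL_LISTS:
            for name in (t.strip('"').split("@", 1)[0] for t in tokens):  # ignore host part
                if name != name.lower():
                    findings.append((no, f"{name}: Windows principals must be lower case"))
                if "?" in name:
                    findings.append((no, f"{name}: pre-v7.7.0.0 form; use domain_short_name\\user"))
        elif key == "match":
            blocks.append({})
            for crit, val in zip(tokens[::2], tokens[1::2]):
                if crit.lower() in ("user", "group") and val != val.lower():
                    findings.append((no, f"Match {crit} {val}: must be lower case"))
        elif key == "chrootdirectory":
            blocks[-1]["chroot"] = no
        elif key == "forcecommand":
            blocks[-1]["force"] = rest.strip().lower()
    for b in blocks:  # chroot is honored only for sftp, so each block using it needs internal-sftp
        if "chroot" in b and b.get("force") != "internal-sftp":
            findings.append((b["chroot"], "ChrootDirectory without ForceCommand internal-sftp"))
    return findings

# Constructed sample config (not from a real host); the contoso names and paths are made up.
SAMPLE = r"""# constructed sample
DenyUsers contoso\Admin@192.168.2.23
AllowGroups "contoso\ssh users" sshusers
AllowUsers user?contoso*
ChrootDirectory C:\sftp\%u
Match Group contoso\SftpOnly
    ChrootDirectory C:\sftp\%u
    ForceCommand internal-sftp
"""

if __name__ == "__main__":
    for line_no, msg in lint_sshd_config(SAMPLE):
        print(f"line {line_no}: {msg}")
```

Running it on the sample reports the mixed-case DenyUsers principal, the user?contoso* pattern, the mixed-case Match group and the global ChrootDirectory that has no ForceCommand, while the Match block that pairs ChrootDirectory with internal-sftp passes.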
PermitRootLogin
Not applicable in Windows. To prevent administrator login, use the DenyGroups directive with the Administrators group.
SyslogFacility
If you need file-based logging, use LOCAL0. Logs will be generated under %programdata%\ssh\logs.
Any other value, including the default value AUTH, directs logging to ETW. For more info see Logging Facilities in Windows.
Not supported
AcceptEnv
AllowStreamLocalForwarding
AuthorizedKeysCommand
AuthorizedKeysCommandUser
AuthorizedPrincipalsCommand
AuthorizedPrincipalsCommandUser
ExposeAuthInfo
GSSAPICleanupCredentials
GSSAPIStrictAcceptorCheck
HostbasedAcceptedKeyTypes
HostbasedAuthentication
HostbasedUsesNameFromPacketOnly
IgnoreRhosts
IgnoreUserKnownHosts
KbdInteractiveAuthentication
KerberosAuthentication
KerberosGetAFSToken
KerberosOrLocalPasswd
KerberosTicketCleanup
PermitTunnel
PermitUserEnvironment
PermitUserRC
PidFile
PrintLastLog
PrintMotd
RDomain
StreamLocalBindMask
StreamLocalBindUnlink
StrictModes
X11DisplayOffset
X11Forwarding
X11UseLocalhost
XAuthLocation