Install the OpenSSH Beta on Windows 10

With the recently released Windows 10 Fall Creators Update (version 1709), an integrated OpenSSH client is available for use inside Windows with both the Command Prompt and PowerShell. It is tagged as Beta, but you may want to try it out. If so, here is one method of getting it installed.

Using the "Search Windows" tool (magnifiying glass icon next to the start menu in lower left corner), enter "manage optional features".

Manage Optional Features

Click on "Add a feature".

Scroll down to "OpenSSH Client (Beta)" and click "Install".

OpenSSH Client Beta

Once it completes you will see it has been added to the list.

Updated Optional Features List

Clicking on it for additional details reveals that a restart is required.

OpenSSH Client Beta prompt to restart

Trying to run ssh without a restart results in this typical error.

PS C:\> ssh
sshd : The term 'ssh' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ sshd
+ ~~~~
    + CategoryInfo          : ObjectNotFound: (ssh:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Once you've rebooted the output is more encouraging

PS C:\> ssh
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
       [-D [bind_address:]port] [-E log_file] [-e escape_char]
       [-F configfile] [-I pkcs11] [-i identity_file]
       [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]
       [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]
       [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
       [user@]hostname [command]

Now we can test out connecting to a server running SSH. The first system I tried happened to be running a very old SSH server and didn't have a supported key exchange method.

PS C:\> ssh username@ipv4.add.re.ss
Unable to negotiate with ipv4.add.re.ss port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Connecting to a patched CentOS 7 server worked much better.

PS C:\> ssh username@172.16.1.10
The authenticity of host '172.16.1.10 (172.16.1.10)' can't be established.
ED25519 key fingerprint is SHA256:REMOVED.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.10' (ED25519) to the list of known hosts.
username@172.16.1.10's password:
Last login: Tue Oct 31 00:23:33 2017 from 10.71.202.6
[username@centos ~]$ uname -a
Linux centos 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

I ran into a few issues testing with existing RSA public keys. (Powershell wouldn't connect and returned errors about the key being invalid.) I haven't sorted that out just yet. I was successful using a ED25519 key pair generated using ssh-keygen on Windows 10 like this:

PS C:\> ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (C:\Users\demo/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\demo/.ssh/id_ed25519.
Your public key has been saved in C:\Users\demo/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:REMOVED_FINGERPRINT username@host
The key's randomart image is:
+--[ED25519 256]--+
|+ +oo   +.       |
 ...
|++.              |
+----[SHA256]-----+

Then copying the public key:

PS C:\> cat .ssh\id_ed25519.pub
ssh-ed25519 PUBLIC_KEY_TEXT username@host

And placing it in the servers authorized_keys file (in the relevant user's home directory) allowed successful authentication without a password.

PS C:\> ssh demo@172.16.1.10
Last login: Mon Dec  4 20:37:41 2017 from 10.71.202.6

The public key can also be added to your list of keys in the ProfitBricks DCD for use when provisioning new servers. Connecting to a newly provisioned CentOS 7 server that was configured to use the public key in the DCD worked great.

PS C:\> ssh root@ipv4.add.re.ss
The authenticity of host 'ipv4.add.re.ss' can't be established.
ED25519 key fingerprint is SHA256:REMOVED.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ipv4.add.re.ss' (ED25519) to the list of known hosts.

Remember that you can use ssh -v when connecting to get additional debug info that may help troubleshoot a connection issue.

I'm not sure if this will replace PuTTY in my workflow anytime soon, but I am excited to have OpenSSH available directly in PowerShell!