[Enabling OpenSSH server support on Windows]

overview

A project required a Windows Server 2022 installation. Since I cannot debug it on site, I enabled the OpenSSH server service; the steps are written up here for reference by anyone who needs them.

overall architecture process

This tutorial applies only to Windows 10 1809+, Windows 11 and Windows Server 2019+; please upgrade the system to the latest version first.

The overall idea: add the OpenSSH server -> set it to start automatically -> change the configuration and port.

technical details

The versions listed above are supported directly. For other versions, upgrade to one of them before proceeding to the next step.

1. Install the OpenSSH server

This step requires network access.
Open Settings -> Apps -> Optional Features and install the OpenSSH Server feature there.

2. Set self-start

Press Win+R, enter services.msc, and scroll down to find OpenSSH SSH Server. Double-click it to open its properties and change the startup type from Manual to Automatic; delayed start is not needed.
Be sure to click Apply, otherwise the change is not saved.

3. Start the service

This step requires administrator privileges.
Open a PowerShell window with administrator privileges and run the following command:

net start sshd

If no error is reported, the service has started.
To stop it, use net stop sshd.

4. Resource Monitor

Open Resource Monitor, go to the listening ports, sort them in ascending order and find port 22; the server can then be used normally.
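The four steps above, done from an elevated PowerShell session instead of the GUI. This is an added example, not from the original post; it assumes the same Windows versions the post names and a working network connection.

```powershell
# Added example (not from the original post): install, auto-start, start and
# verify the OpenSSH server from an elevated PowerShell session.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# 1. Install the OpenSSH Server optional feature (this step needs network access).
$cap = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $cap.Name
}

# 2. Set the service to start automatically (no delayed start needed).
Set-Service -Name sshd -StartupType Automatic

# 3. Start the service; equivalent to "net start sshd". Stop-Service sshd stops it.
Start-Service -Name sshd

# 4. Verify that something is listening on TCP port 22 (the Resource Monitor check),
#    and that the listener really is sshd and not some other process.
$listener = Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue
if (-not $listener) { throw 'Nothing is listening on TCP port 22' }
$proc = Get-Process -Id $listener[0].OwningProcess
if ($proc.ProcessName -ne 'sshd') {
    throw "Port 22 is owned by $($proc.ProcessName) (PID $($proc.Id)), not sshd"
}
"sshd is listening on TCP port 22 (PID $($proc.Id))"
```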

Changing the configuration

Many configuration options work on Windows, but some that are valid on Linux are invalid on Windows.

The default configuration is saved in C:\Windows\System32\OpenSSH\sshd_config_default

This default file cannot be edited in place; save a copy of it as sshd_config and put it at the location below.

That location is C:\ProgramData\ssh\sshd_config. The folder is hidden, so you need to enable showing hidden items to see it.

Here is the default configuration:

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# GSSAPI options
#GSSAPIAuthentication no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	sftp-server.exe

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

A few of the options that can be changed:
Port: the port sshd binds to; if you do not change it, it is 22.
ListenAddress: the address to listen on; you can specify the loopback address, the address of a particular network adapter, or all addresses (0.0.0.0).
PubkeyAuthentication: enables public key login.
PasswordAuthentication: enables password login; enabled by default.

Unsupported options:

AcceptEnv
AllowStreamLocalForwarding
AuthorizedKeysCommand
AuthorizedKeysCommandUser
AuthorizedPrincipalsCommand
AuthorizedPrincipalsCommandUser
Compression
ExposeAuthInfo
GSSAPIAuthentication
GSSAPICleanupCredentials
GSSAPIStrictAcceptorCheck
HostbasedAcceptedKeyTypes
HostbasedAuthentication
HostbasedUsesNameFromPacketOnly
IgnoreRhosts
IgnoreUserKnownHosts
KbdInteractiveAuthentication
KerberosAuthentication
KerberosGetAFSToken
KerberosOrLocalPasswd
KerberosTicketCleanup
PermitTunnel
PermitUserEnvironment
PermitUserRC
PidFile
PrintLastLog
RDomain
StreamLocalBindMask
StreamLocalBindUnlink
StrictModes
X11DisplayOffset
X11Forwarding
X11UseLocalhost
XAuthLocation

firewall

You can turn the firewall off while testing and turn it back on when you are done. If the firewall is on, you must configure a rule that allows the port sshd listens on, otherwise the server may be unreachable.
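A script that applies the configuration section and the firewall section together: it builds sshd_config from the read-only default, switches to key-only login on a custom port, validates the file before restarting sshd, and adds a firewall rule for that port instead of turning the firewall off. This is an added example, not from the original post; the port 2222 and the firewall rule name are assumed values chosen here.

```powershell
# Added example (not from the original post): hardened sshd_config from the default,
# validated, applied, and a firewall rule for the chosen port.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$Port    = 2222                                           # assumed; change to suit
$default = 'C:\Windows\System32\OpenSSH\sshd_config_default'
$config  = 'C:\ProgramData\ssh\sshd_config'               # hidden folder (see above)

# Start from the default file; it is read-only, so it is never edited in place.
$lines = Get-Content -Path $default

# Uncommented options override the defaults, so turn the commented lines into
# active ones. Only options the post lists as changeable are touched.
$lines = $lines -replace '^#?Port .*',                   "Port $Port"
$lines = $lines -replace '^#?PubkeyAuthentication .*',   'PubkeyAuthentication yes'
$lines = $lines -replace '^#?PasswordAuthentication .*', 'PasswordAuthentication no'

# Keep a backup of any existing config so a bad edit can be rolled back.
if (Test-Path $config) { Copy-Item -Path $config -Destination "$config.bak" -Force }
Set-Content -Path $config -Value $lines -Encoding ascii

# "sshd -t" parses the file and exits non-zero on error; check before restarting,
# otherwise a typo would leave sshd unable to start and lock you out remotely.
& 'C:\Windows\System32\OpenSSH\sshd.exe' -t -f $config
if ($LASTEXITCODE -ne 0) {
    if (Test-Path "$config.bak") { Copy-Item -Path "$config.bak" -Destination $config -Force }
    throw 'sshd_config failed validation; previous configuration restored'
}
Restart-Service -Name sshd

# Allow only the chosen port inbound rather than disabling the firewall.
$ruleName = 'OpenSSH-Server-Custom-Port'                  # assumed rule name
if (-not (Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name $ruleName -DisplayName "OpenSSH Server (sshd) TCP $Port" `
        -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow | Out-Null
} else {
    Set-NetFirewallRule -Name $ruleName -LocalPort $Port
}
"sshd now listens on TCP $Port with password login disabled"
```

With the Match Group administrators block left in place, keys for administrator accounts are read from C:\ProgramData\ssh\administrators_authorized_keys rather than the user's .ssh\authorized_keys, so put the public key there before disabling password login or you will be locked out.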

summary

Generally speaking, unless it is really necessary, avoid using this feature, and prefer logging in with a private key. Security comes first.

Source: blog.csdn.net/jiexijihe945/article/details/132583525