Update (): There are now better ways to install and manage the Windows SSH Server. Refer to the official documentation instead. This article is now only interesting for historical reasons.
Windows 10 comes with a built-in secure shell (SSH) server for remote login and command-line access to your files and programs.
A word of caution: To use the Microsoft SSH Server for Windows, which is the full formal name of the service, your Windows device must be put in Developer mode. Changing your device’s security level from regular user to developer mode will have implications for how Windows enforces security policies. Be sure to read up on and understand how this change will affect your device before proceeding.
Enabling the SSH Server service
- Open the Windows Settings app and go to Update and Security: For developers.
- Switch to Developer mode and wait for it to finish downloading any packages.
- If you’re asked to reboot after the previous step, do so now.
- Turn on the Device discovery option.
- Turn off the Device discovery option again, unless you want this feature (which adds mDNS support to Windows and allows for remote debugging).
This will enable the SSH Server Broker (SshBroker.dll) and SSH Server Proxy (SshProxy.dll) background services, which will handle incoming connections to TCP port 22.
The Windows Firewall on your device is automatically configured to allow the service to listen for incoming connections from both private and public networks. Read on to learn how to restrict access to trusted networks and block connections from the public internet.
Logging in to the SSH Server
You can use any standard SSH client to log in to your device.
You log in using your Windows Account name and either your Microsoft Account password or your local Windows Account password. Please note that your Windows Account name isn’t the same as your Microsoft Account or domain email address.
You can connect to your device’s IPv4 or IPv6 address, or use the device’s given NetBIOS name. You can find your device’s given name as well as your Windows Account name by executing the “whoami” command in PowerShell or Command Prompt. The first part of the command output is your NetBIOS name followed by a forward slash, and then your Windows Account name.
Note that you’re logged in to the Command Prompt by default and not the Bash shell for Windows. After logging in, you can type either bash or powershell to switch to the Bash shell or PowerShell.
Protecting the SSH Server
There are currently no brute-force login protection mechanisms built into the SSH Server, and Group Policies for rate-limiting login attempts are bypassed for the SSH Server service. This means a remote attacker can make as many guesses of your login credentials as they can possibly push through the network.
Linux and macOS utilities for thwarting brute-force login attempts, like SSHGuard and Fail2Ban, aren’t available on Windows. Although they both run in the Windows Subsystem for Linux, they have neither access to nor parsers for the Windows Event Log, and no backends for the Windows Firewall.
Without any brute-force login protection mechanisms, you’re left depending on a strong account password that you change regularly.
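As a stand-in for the missing Event Log parser, the following added example (not from the original article or from Microsoft) counts failed logons per source address and reports the addresses that exceed a threshold. It assumes failed logins are recorded as Security event ID 4625 with an IpAddress field; the function names, threshold and sample records are constructed for illustration.

```powershell
# Added example: flag source addresses with repeated failed logons.
# Assumption: failures are logged as Security event ID 4625 with an IpAddress field.

function Get-FailedLogonRecord {
    # Reads failed-logon events from the live Security log (needs elevation).
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            IpAddress   = ($data | Where-Object Name -eq 'IpAddress').'#text'
        }
    }
}

function Find-BruteForceSource {
    # Returns each source address with at least $Threshold failures inside
    # some window of $WindowMinutes minutes.
    param([object[]]$Record = @(), [int]$Threshold = 5, [int]$WindowMinutes = 10)
    $Record | Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object IpAddress | ForEach-Object {
            $ip = $_.Name; $total = $_.Count
            $times = @($_.Group.TimeCreated | Sort-Object)
            $max = 0
            foreach ($start in $times) {
                $end = $start.AddMinutes($WindowMinutes)
                $n = @($times | Where-Object { $_ -ge $start -and $_ -lt $end }).Count
                if ($n -gt $max) { $max = $n }
            }
            if ($max -ge $Threshold) {
                [pscustomobject]@{ IpAddress = $ip; MaxInWindow = $max; Total = $total }
            }
        }
}

# Constructed sample records (documentation/private addresses) so this runs offline.
$t0 = Get-Date '2020-01-01T12:00:00'
$sample = @(
    0..5 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds(20 * $_); IpAddress = '203.0.113.7' }
    }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1);  IpAddress = '192.168.1.20' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(45); IpAddress = '192.168.1.20' }
)
Find-BruteForceSource -Record $sample
# On a live system: Find-BruteForceSource -Record (Get-FailedLogonRecord -Hours 1)
```

With the sample data only 203.0.113.7 is reported, because its six failures fall inside one ten-minute window while the two failures from 192.168.1.20 are 44 minutes apart.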
You can limit the risk of a brute force attack by disabling login from remote networks. This will limit the service to only accept logins from what is identified in Windows as a local and private network source.
To disable remote network logins, follow these steps:
- Open the Start menu and search for “allow firewall”. Open Allow an app through the Windows Firewall.
- Authenticate yourself to modify the firewall rules by clicking the Change settings button.
- Locate “Ssh Server” in the list and disable the checkbox in the Public column.
- Click the OK button to apply the changes.
This does depend on having the correct trust levels configured for the networks your computer connects to. Explore the Network section of the Windows Settings app to see the currently configured level of trust in the various networks your device is connected to.
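The same restriction and the network trust check can be done from an elevated PowerShell prompt. This is an added example, not part of the original article; it assumes the firewall rule's display name or group contains "Ssh Server", as in the list entry named in the steps above.

```powershell
# Added example; run from an elevated PowerShell prompt.
# Assumption: the rule's display name or group contains "Ssh Server".

# 1. Show how Windows classifies each connected network (Public or Private).
Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory

# 2. Find enabled inbound SSH Server rules and show their profiles and ports.
$sshRules = Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object {
        $_.DisplayName -like '*Ssh Server*' -or $_.DisplayGroup -like '*Ssh Server*'
    }
$sshRules | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        DisplayName = $_.DisplayName
        Profile     = "$($_.Profile)"
        Protocol    = $port.Protocol
        LocalPort   = $port.LocalPort -join ','
    }
}

# 3. Limit every rule that still applies to Public networks to Private only.
$exposed = @($sshRules | Where-Object { "$($_.Profile)" -match 'Public|Any' })
if ($exposed.Count -gt 0) {
    $exposed | Set-NetFirewallRule -Profile Private -WhatIf   # preview only
    # $exposed | Set-NetFirewallRule -Profile Private         # apply the change
} else {
    'No SSH Server rule is open to Public networks.'
}

# 4. Verify: no SSH Server rule should list Public or Any afterwards.
Get-NetFirewallRule -Direction Inbound |
    Where-Object { $_.DisplayName -like '*Ssh Server*' } |
    Select-Object DisplayName, Enabled, Profile
```

Step 3 keeps only the Private profile, which is narrower than clearing the Public checkbox on a domain-joined machine; use `-Profile Domain, Private` there if domain networks should stay allowed.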
Disabling the SSH Server service
There’s no on or off switch for the SSH server itself. As you might have guessed from the above section on how to enable the service, it was clearly a bit of an afterthought. To properly disable the service, follow these steps:
- Open the Windows Settings app and go to Update and Security: For developers.
- Turn off the Device discovery option if it was previously enabled.
- Switch to Windows Store apps mode.
- Switch back to Developer mode, if desired.
Microsoft SSH Server for Windows isn’t the same as Microsoft Win32-OpenSSH for PowerShell! Microsoft’s SSH Server isn’t a full SSH server implementation and is meant to be used for cross-device communication for development purposes.
The Microsoft SSH Server doesn’t support all SSH authentication methods and features like compression and multiplexing. However, it has more than enough features for most light use cases.
Developer mode and the SSH Server are available for all editions of Windows 10, including Home and Professional, starting with Windows 10 Anniversary Edition (released in .)