Setting up public-key SSH on Windows is much trickier than on Linux (see here).
Install OpenSSH for Windows
In the following instructions, the example machine hostname (SSH server) is frak16, with username oqa in the domain. Sometimes another machine (the client) is used to connect to this frak16 machine to test connection settings.
(1) Install OpenSSH for Windows on the SSH server (e.g., frak16) at the following location. Use the OpenSSH installer from here.
Do NOT use OpenSSH for Windows from Sourceforge; it is outdated, even though many of the top links from a Google search for “OpenSSH windows” point to it.
Select “Configure as Domain User” when installing.
(2) In the PATH environment variable, make sure that the $(SSH_DIR)\bin folder comes before the MKS and Cygwin bin folders, if applicable. We need to use the OpenSSH version of
(3) Edit the file in SSH_DIR (defined above). Make sure that the home directory for your username is present and in Cygwin notation, e.g., “/cygdrive/c/space/oqa” for user oqa. Make sure there is only one oqa user, like U-OBJY\oqa (domain user), removing other oqa users such as local users if needed.
(4) Edit $(SSH_DIR)\etc\banner.txt to include the welcome message you prefer, making it less verbose and more informative. I would change it to include the current host name to indicate which host is currently connected.
(5a) (Optional but recommended) Run the SSH server in debug mode to verify that the settings are correct. Run the following command for a test run:
(5b) Use ssh from another host (as the client) to test the connection. You will have to enter a username and password to connect to frak16 from this client.
If the client is Windows and uses OpenSSH, make sure the client’s etc/ssh_config file in its OpenSSH installation folder is as follows:
(6) After making sure that SSH is installed and working properly on frak16, run the following in a Command Prompt with Admin rights to start SSH as a service:
Now you can connect to this Windows machine frak16 using password authentication.
Set up public-key SSH
(1) If the client is already set up, it should have its public key file. Copy the content of that file to the $(HOME_DIR)\.ssh\authorized_keys file on the SSH server (e.g., frak16). If you don’t have the public key file for the client, run ssh-keygen -t rsa on the client machine. The client machine’s public key file has a name like “id_rsa.pub”.
(2) On the SSH server (e.g., frak16), edit $(SSH_DIR)\etc\sshd_config to enable PubkeyAuthentication. The following lines must be enabled:
(3) Recursively, use chown to set the ownership and chmod to set all folders and files in $(HOME_DIR)\.ssh to read-only.
(4) Run the SSH server in debug mode again to verify that the public-key SSH settings are correct. Run the command “ssh oqa@frak16 ‘ipconfig’” from the client machine and verify that no password is required.
(5) Start the SSH server permanently by running, in an elevated Command Prompt. As of Feb 2015, I tried running SSH as a Windows service but it does not work reliably.
Some of the most frequently encountered problems are discussed in this section.
You might encounter this problem when configuring public-key authentication. If you run the server in debug mode, you might see the following messages:
In this case, it is an ownership problem on the SSH server. You can try another location for the .ssh folder on the SSH server to see if that resolves the problem. In most cases, you can manually fix the above problem by using the following commands:
The chmod from OpenSSH must be used, instead of the chmod from MKS or Cygwin. In addition, if there is a Local User oqa, remove that user so that chown will assign ownership to the Domain User.
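The ownership/mode check that step (3) above sets up and that this troubleshooting section repairs, as an added example that is not from the original post: it assumes a POSIX shell with GNU coreutils (as in Cygwin / OpenSSH for Windows, where `stat -c` is available) and applies the conventional 700/600 modes rather than the post’s blanket read-only setting; the home directory, key line and user names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check and repair the ownership
# and mode bits that sshd enforces (StrictModes) on ~/.ssh and
# ~/.ssh/authorized_keys. Assumes a POSIX shell with GNU coreutils, as in
# Cygwin / OpenSSH for Windows; `stat -c` is the GNU/Cygwin form.

# check_ssh_perms HOME_DIR USER: return 0 if owner and modes are acceptable
# to sshd, 1 otherwise, printing each finding.
check_ssh_perms() {
    ssh_dir="$1/.ssh"; want_user="$2"; rc=0
    [ -d "$ssh_dir" ] || { echo "missing directory: $ssh_dir"; return 1; }
    for path in "$ssh_dir" "$ssh_dir/authorized_keys"; do
        [ -e "$path" ] || continue
        owner=$(stat -c '%U' "$path")
        perm=$(stat -c '%A' "$path")       # e.g. drwxrwxrwx
        if [ "$owner" != "$want_user" ]; then
            echo "wrong owner on $path: $owner (expected $want_user)"; rc=1
        fi
        case "$perm" in
            ?????w*|????????w?)            # group- or world-writable
                echo "group/world writable: $path ($perm)"; rc=1 ;;
        esac
    done
    return $rc
}

# fix_ssh_perms HOME_DIR USER: give USER ownership (recursively) and apply
# the conventional 700 (directory) / 600 (authorized_keys) modes.
fix_ssh_perms() {
    ssh_dir="$1/.ssh"; want_user="$2"
    chown -R "$want_user" "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1
    if [ -f "$ssh_dir/authorized_keys" ]; then
        chmod 600 "$ssh_dir/authorized_keys" || return 1
    fi
    return 0
}

# Constructed demonstration: a throwaway home directory with loose modes.
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh"
echo "ssh-rsa AAAA-constructed-placeholder demo@client" > "$demo_home/.ssh/authorized_keys"
chmod 777 "$demo_home/.ssh"; chmod 666 "$demo_home/.ssh/authorized_keys"
check_ssh_perms "$demo_home" "$(id -un)" || echo "-> sshd would reject this; repairing"
fix_ssh_perms "$demo_home" "$(id -un)"
check_ssh_perms "$demo_home" "$(id -un)" && echo "-> modes now acceptable"
rm -rf "$demo_home"
```

Run it against the real home directory as `check_ssh_perms "$HOME" "$(id -un)"` before starting sshd in debug mode; a non-zero exit names the exact path sshd will complain about.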
Outdated SSH installer
If you see errors like this, you probably used the OpenSSH installer from Sourceforge. That installer is outdated and buggy. Use the latest installer from here instead.
Cannot bind any address
You might see the following error message when connecting to an SSH server running in debug mode.
If you installed Cygwin and/or MKS on your Windows SSH server, their SSH services (sshd for Cygwin and secshd for MKS) are probably already using port 22. Verify that by using the following command in Windows:
You can turn off the SSH services from Cygwin and MKS by going to Computer > Manage > Services and stopping the relevant service (Windows 7).
If you installed putty on Windows, note that you CANNOT simply use pscp (which is included with the putty installation) to transfer files to another Windows machine running OpenSSH. You have to convert the OpenSSH-generated private key to a Putty private key, as detailed here.
An alternative is to use the scp that is included with the OpenSSH installation. Note that this might not work (you still have to enter your password):
Since OpenSSH for Windows is extracted from Cygwin, trying a Cygwin-style command turns out to be a good idea. This command allows password-less file transfer:
Note that files transferred over scp may not be readable (mode 000), regardless of the file mode on the sending host. Therefore, remember to chmod a+r on the receiving host after the file transfer, especially in an automation script, or you will get errors related to file access or file not found.
Other troubleshooting tips
- You may have missed adding or setting some environment variables, e.g., PATH. After editing environment variables, you may need to restart your SSHD from a new Command Prompt window for the new environment variables to take effect.
- Remember to disable the firewall on Windows machines.
- Latest OpenSSH installer
- Use Putty with an SSH private key generated by OpenSSH
- An old tutorial: uses an old OpenSSH installer from Sourceforge. Most of its steps are not needed with the new installers.