Infrastructure at your Service

David Barbarin

OpenSSH is now available on Windows 10

A couple of days ago, the Windows 10 april 2018 update was installed on my laptop. And what, you may say? Well, surprisingly this update provides some interesting “hidden” features and one of them concerns OpenSSH that is now available on-demand in Windows 10 (and likely available soon on Windows Server).

blog 134 - 0 - openSSH - Win10

This a obviously a good news because so far, I used either putty or directly a bash environment from my Windows 10 laptop available since the Anniversary Update on 2016 august 2. I know that some of my colleagues use Cygwin as well. An quick example of using the new bash environment from my Win10 Pro laptop:

C:\Users\dab>bash
Performing one-time upgrade of the Windows Subsystem for Linux file system for this distribution...

mikedavem@DBI-LT-DAB:/mnt/c/Users/dab$ cat /proc/version
Linux version 4.4.0-17134-Microsoft (Microsoft@Microsoft.com) (gcc version 5.4.0 (GCC) ) #48-Microsoft Fri Apr 27 18:06:00 PST 2018

mikedavem@DBI-LT-DAB:/mnt/c/Users/dab$ ssh
usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file] [-L address]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] [user@]hostname [command]

 

After applying the corresponding update, OpenSSH client is already installed and available to use.

[dab@DBI-LT-DAB:#]> Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'


Name  : OpenSSH.Client~~~~0.0.1.0
State : Installed

Name  : OpenSSH.Server~~~~0.0.1.0
State : NotPresent

 

If you want to also install the server you just have to go through the Add-WindowsCapability cmdlet as follows:

[dab@DBI-LT-DAB:#]> Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0


Path          :
Online        : True
RestartNeeded : False
[dab@DBI-LT-DAB:#]> Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'


Name  : OpenSSH.Client~~~~0.0.1.0
State : Installed

Name  : OpenSSH.Server~~~~0.0.1.0
State : Installed

 

From now on, I may use directly a ssh command from both my PowerShell or my command line environment as follows:

C:\
[dab@DBI-LT-DAB:#]> ssh
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]
           [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
           destination [command]

 

We will also be able to access a Linux server from either Password-based or Key-based authentication. Let’s try with the first one (Password-based authentication) against my Linux docker private registry:

[dab@DBI-LT-DAB:#]> ssh dab@xxx.xxx.xxx.xxx
The authenticity of host 'xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)' can't be established.
ECDSA key fingerprint is SHA256:7HwUjHowFNEJ3ILErsmBmgr8sqxossLV+fFt71YsBtA.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'xxx.xxx.xxx.xxx' (ECDSA) to the list of known hosts.
dab@xxx.xxx.xxx.xxx's password:

 

Not a big suprise here! It works as expected (assuming your SSH server is configured to accept authentication with password)! Let’s try now the second method (Key-based authentication). In fact, I already have an .ssh folder from a previous request to connect to our GitLab environment. For the demo, let’s use the same public/private key pairs.

C:\Users\dab
[dab@DBI-LT-DAB:#]> dir .ssh


    Directory: C:\Users\dab\.ssh


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       09.05.2018     11:25           3243 id_rsa
-a----       09.05.2018     11:25            757 id_rsa.pub
-a----       25.05.2018     10:24            380 known_hosts

 

The next step will consist in copying my public key (id_rsa.pub) to the remote Linux server folder .ssh as authorized_keys file.

C:\Users\dab\.ssh
[dab@DBI-LT-DAB:#]> scp .\id_rsa.pub dab@xxx.xxx.xxx.xxx:/home/dab/.ssh/authorized_keys
id_rsa.pub

 

To avoid retyping the secret phrase for each connection, let’s start the ssh-agent service on my Windows 10 machine.

C:\Users\dab\.ssh
[dab@DBI-LT-DAB:#]> Start-Service -Name ssh-agent
C:\Users\dab\.ssh
[dab@DBI-LT-DAB:#]> Get-Service ssh-agent

Status   Name               DisplayName
------   ----               -----------
Running  ssh-agent          OpenSSH Authentication Agent

 

Then I just have to add the private key to this agent …

C:\Users\dab\.ssh
[dab@DBI-LT-DAB:#]> ssh-add.exe id_rsa
Identity added: id_rsa (id_rsa)

 

… and finally to try a connection to my Linux Server as follows:

C:\Users\dab\.ssh
[dab@DBI-LT-DAB:#]> ssh dab@xxx.xxx.xxx.xxx
Last login: Fri May 25 09:43:16 2018 from gateway

 

It works like a charm! I’m now connecting to my Linux server as dab user. I can get a picture of my docker containers, Note the bash prompt has changed here (server name) even it is pretty similar to my PowerShell prompt. Indeed, I customized my PowerShell profile to be similar to a bash shell in apparence and in some behaviors as well :)

[dab@localhost ~]$ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
a60f3412b864        registry:2          "/entrypoint.sh /e..."   9 months ago        Up 37 minutes       0.0.0.0:5000->5000/tcp   registry

 

See you!

 

 

 

 

 

Leave a Reply

David Barbarin
David Barbarin

Senior Consultant & Microsoft Technology Leader