Author Archives: thowden

View Windows OpenSSH Active Settings

I was trying to view the active Windows OpenSSH settings while working on the configuration of OpenSSH on Windows.

I found references to using the -T parameter to see which configuration settings were active, but it gave an error:

PS C:\windows\system32> C:\windows\System32\OpenSSH\sshd.exe -T
'Match Group' in configuration but 'user' not in connection test specification.

That did not make much sense, but after some searching I found a suggestion to add another parameter to it:

PS C:\windows\system32> C:\windows\System32\OpenSSH\sshd.exe -T -C user=thowden

That gave me the result I wanted: the effective settings, drawn either from sshd_config or from the built-in defaults for anything not set there. The -C option supplies the connection details (user=, host=, addr=, laddr=, lport=) that sshd tests its Match blocks against, so with it -T can work out which Match blocks apply and dump the configuration that results.

Of interest is that -T failing here has the same root cause as the issue that messes with the access-control settings. See Windows OpenSSH Allow Deny Settings for related info.

This Match block is present in the default sshd_config on Windows, and it is what triggers the error. One way out is to comment the lines out:

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Restart the sshd service, and this command:

PS C:\windows\system32> C:\windows\System32\OpenSSH\sshd.exe -T

will now work as expected without the -C parameter. Bear in mind that this block is what directs administrators' keys to the ACL-protected administrators_authorized_keys file; if you rely on that, keep the block and use -T -C instead.

An update, only minutes later: it is the Match directive as such, not specifically Match Group administrators, that causes the error. Adding a different Match block to sshd_config triggered the same error, which makes sense: any Match block makes the effective configuration depend on who is connecting from where, so -T has to be told which connection to evaluate, and that is what -C supplies. The criteria you use decide which keys -C needs: Match User and Match Group need user=, Match Address needs addr=, Match Host needs host=, and Match LocalAddress and Match LocalPort need laddr= and lport=.

PS C:\windows\system32> C:\windows\System32\OpenSSH\sshd.exe -T
'Match User' in configuration but 'user' not in connection test specification.
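As an added example (not code from the original post or from Win32-OpenSSH), the following PowerShell wraps sshd -T -C to dump the effective configuration for a named user and then diffs the result across several users. That is the practical use of the -C switch: showing exactly which directives a Match block changes, and for whom. The install path, the connection values passed to -C and the user name sftpuser are assumptions; thowden is the account from the post. Run it from an elevated prompt, since sshd_config is ACL-restricted to Administrators and SYSTEM.

```powershell
# Added example, not code from the original post or from Win32-OpenSSH.
# Assumes the in-box install path below and that the user names passed in
# exist on the box (Match Group resolves the user's group membership; an
# unknown user simply matches no group). Run elevated: sshd_config is
# ACL-restricted to Administrators and SYSTEM.
$sshd = 'C:\Windows\System32\OpenSSH\sshd.exe'

function Get-EffectiveSshdConfig {
    param(
        [Parameter(Mandatory)] [string] $User,
        [string] $HostName = 'localhost',   # name the client resolves to (Match Host)
        [string] $Addr     = '127.0.0.1',   # client source address (Match Address)
        [string] $LAddr    = '127.0.0.1',   # address sshd accepted on (Match LocalAddress)
        [int]    $LPort    = 22             # port sshd accepted on (Match LocalPort)
    )
    # -C supplies the connection test specification that Match blocks are
    # evaluated against; -T then dumps the configuration that results.
    $spec  = "user=$User,host=$HostName,addr=$Addr,laddr=$LAddr,lport=$LPort"
    $lines = & $sshd -T -C $spec 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sshd -T failed for '$spec': $($lines -join ' ')" }

    # Output is one "keyword value" pair per line, keywords in lower case.
    # A few keywords (hostkey, listenaddress) repeat, so collect those as lists.
    $cfg = @{}
    foreach ($line in $lines) {
        $kw, $val = [string]$line -split ' ', 2
        if ($cfg.ContainsKey($kw)) { $cfg[$kw] = @($cfg[$kw]) + $val } else { $cfg[$kw] = $val }
    }
    return $cfg
}

function Compare-EffectiveSshdConfig {
    param([Parameter(Mandatory)] [string[]] $Users)
    $byUser = @{}
    foreach ($u in $Users) { $byUser[$u] = Get-EffectiveSshdConfig -User $u }
    $keys = $byUser.Values | ForEach-Object { $_.Keys } | Sort-Object -Unique
    foreach ($k in $keys) {
        $values = @(foreach ($u in $Users) { @($byUser[$u][$k]) -join ',' })
        if (@($values | Sort-Object -Unique).Count -gt 1) {
            # Only directives that a Match block changed for one of the users land here.
            [pscustomobject]@{
                Directive = $k
                Values    = (0..($Users.Count - 1) | ForEach-Object { "$($Users[$_])=$($values[$_])" }) -join ' | '
            }
        }
    }
}

# 'thowden' is the account from the post; 'sftpuser' is a hypothetical standard user.
Compare-EffectiveSshdConfig -Users 'thowden', 'sftpuser' | Format-Table -AutoSize
```

With the default Match Group administrators block still in place, and one of the two accounts a member of Administrators, the directive that should show up as different is authorizedkeysfile. If nothing is reported, either no Match block applies to either user or the two users are treated identically, which is itself a useful thing to know before you trust an access rule.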

The Win32-OpenSSH project on GitHub is the source of many of the questions, and some of the answers, about sorting out an installation of OpenSSH on Windows.

Note that the version installed with Windows Server 2019 is 7.7p1, while Windows 10 users get a much later version, 8.x. Server users will need to wait for Windows Server 2022 for an updated in-box version.

Windows OpenSSH Allow Deny Settings

Trying to configure restrictions on SFTP access, and the Windows OpenSSH Allow/Deny settings are not working.

You would be forgiven for tearing your hair out trying to get the permissions working.

The following is the information provided by Microsoft and is consistent with the OpenSSH documentation for Linux and Windows deployments.

Which brings me to my issue: if the following is as simple as it looks, why is it giving me so much trouble?

Controlling which users and groups can connect to the server is done using the AllowGroups, AllowUsers, DenyGroups, and DenyUsers directives. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. All account names must be specified in lower case. See PATTERNS in ssh_config for more information on patterns for wildcards.

When configuring user/group based rules with a domain user or group, use the following format: user?domain*. Windows allows multiple of formats for specifying domain principals, but many conflict with standard Linux patterns. For that reason, * is added to cover FQDNs. Also, this approach uses “?”, instead of @, to avoid conflicts with the username@host format.

Work group users/groups and internet-connected accounts are always resolved to their local account name (no domain part, similar to standard Unix names). Domain users and groups are strictly resolved to NameSamCompatible format – domain_short_name\user_name. All user/group based configuration rules need to adhere to this format.

I configured OpenSSH and have access for an Administrator account and a standard user account.

However, no combination of AllowUsers, DenyUsers, AllowGroups, DenyGroups would provide a sensible outcome.

It seems that the opposite would apply with my standard user always getting access and my administrator being denied.

So, with many thanks to ParisNakitaKejser for his YouTube video, which addresses the very simple settings for Deny and Allow for both Users and Groups without the suggested 'Patterns', here is the culprit:

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

This block is present by default at the end of sshd_config on Windows, and it is the cause of the grief. In sshd_config, every directive that follows a Match line belongs to that Match block until the next Match line, and AllowUsers, DenyUsers, AllowGroups and DenyGroups are all accepted inside a Match block. Access rules appended to the end of the default file therefore apply only to connections from members of the Administrators group, which fits the symptom above: the standard user is never evaluated against them and gets in, while the administrator is caught by them and is denied. The quick fix from the video is to comment the lines out:

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Restart OpenSSH and the Allow/Deny rules will be applied to every connection. The block is also what makes sshd read administrators' keys from the ACL-protected administrators_authorized_keys file, so the cleaner fix is to leave it in place and move the Allow/Deny directives above it, into the global section of the file; they then apply to everyone and the administrator key handling is unchanged.
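The following PowerShell is an added example, not code from the post, the video or Win32-OpenSSH. It reads an sshd_config, reports any AllowUsers, DenyUsers, AllowGroups or DenyGroups line that sits below a Match line (and is therefore scoped to that block), and rebuilds the file with those rules moved into the global section so the Match block can stay. The sample config is constructed for the example and sftpuser is a hypothetical account.

```powershell
# Added example, not code from the original post, the video, or Win32-OpenSSH.
# Finds access-control directives that sit below a Match line (and so apply
# only to that block) and rebuilds the file with them moved above it.
$accessDirectives = 'AllowUsers', 'AllowGroups', 'DenyUsers', 'DenyGroups'

function Get-MatchScopedAccessRules {
    param([Parameter(Mandatory)] [string[]] $ConfigLines)
    $scope  = $null   # $null while in the global section, else the current Match line
    $lineNo = 0
    foreach ($raw in $ConfigLines) {
        $lineNo++
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $keyword = ($line -split '\s+', 2)[0]
        if ($keyword -ieq 'Match') { $scope = "$line (line $lineNo)"; continue }
        if ($scope -and $accessDirectives -contains $keyword) {
            [pscustomobject]@{ Line = $lineNo; Directive = $line; ScopedTo = $scope }
        }
    }
}

function Move-AccessRulesAboveMatch {
    param([Parameter(Mandatory)] [string[]] $ConfigLines)
    $globalSection = @(); $matchSection = @(); $moved = @()
    $inMatch = $false
    foreach ($raw in $ConfigLines) {
        $keyword = ($raw.Trim() -split '\s+', 2)[0]
        if ($keyword -ieq 'Match') { $inMatch = $true }
        if ($inMatch -and $accessDirectives -contains $keyword) { $moved += $raw; continue }
        if ($inMatch) { $matchSection += $raw } else { $globalSection += $raw }
    }
    # Global directives first, then the rescued rules, then the Match block(s) untouched.
    return $globalSection + $moved + $matchSection
}

# Constructed sample: the tail of the default Windows sshd_config with the
# access rules appended at the end of the file, the obvious but wrong place.
$sample = @'
PasswordAuthentication yes
Subsystem sftp sftp-server.exe

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

AllowUsers sftpuser
DenyGroups administrators
'@ -split "`r?`n"

# Reports lines 7 and 8 as scoped to "Match Group administrators (line 4)".
Get-MatchScopedAccessRules -ConfigLines $sample | Format-Table -AutoSize

# Emits the same file with the two rules placed above the Match block.
Move-AccessRulesAboveMatch -ConfigLines $sample
```

In the sample, AllowUsers sftpuser and DenyGroups administrators are only ever evaluated for connections from members of Administrators, so every non-administrator account is let in and every administrator is refused. To apply the same check to the live file, pass Get-Content on %ProgramData%\ssh\sshd_config to Get-MatchScopedAccessRules from an elevated prompt; write the reordered output back only after reviewing it.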

Change the Port for OpenSSH on Windows 2019

Hopefully a quick how-to on changing the port for OpenSSH on Windows 2019.

OK, so we have OpenSSH installed on Windows Server 2019, but it is using the default SSH port, 22. That is fine, but if you are opening this up to the internet then maybe not so much, as script kiddies will hammer that port with brute-force attempts. One option is to move to a non-default high port number. Yes, arguments over whether this is good, better or best practice will continue, but let's focus on the technical aspect and save the flame wars for another millennium. Just remember that moving the port only cuts the noise; it is not access control, and key-based authentication and the Allow/Deny rules still do the real work.

First up, we need to modify the server settings by editing the sshd_config file. Depending on where you look, it may appear to live in C:\Windows\System32\OpenSSH\, but the file there (sshd_config_default) is only the template; the one sshd actually reads is %ProgramData%\ssh\sshd_config, normally C:\ProgramData\ssh\sshd_config (thanks to Ebin Issac for that clue). The file's ACL only lets Administrators and SYSTEM write to it, so if you are using Notepad.exe to edit it, start Notepad as Administrator and open the file from there. Right-clicking the file and choosing Open with Notepad will not let you save the changes.

Edit the file to change the port:

#Port 22    <-- in this line remove the # and change 22 to your desired port number

Now save the file and restart the sshd service. If you are doing this over SSH, keep the existing session open until you have confirmed the new port answers, so a typo cannot lock you out.

Next, use netstat to check that the new port is listening:

netstat -na | find your-port-number

Now, before you leap into that command: find.exe insists that its search string be wrapped in double quotes, so 'your-port-number' needs them at any prompt. At a cmd prompt you simply type them. In PowerShell (PoSh) the quotes are parsed as PoSh's own string delimiters and stripped before find.exe ever sees the argument, so you get "FIND: Parameter format not correct". The quote characters have to reach find.exe literally, which means escaping them for PoSh.

netstat -na | find """your-port-number"""    <--- inside a double-quoted PoSh string a doubled quote is a literal quote, so find.exe receives the string with its quotes

or you can use the back-tick ` escape character, like this:

netstat -na | find `"your-port-number`"   <--- the back-ticks escape the quote marks, so this is a bit shorter

So you should have a response something like this:

PS C:\windows\system32> netstat -na | find `"12345`"
  TCP              LISTENING
  TCP    [::]:12345             [::]:0                 LISTENING

Note that 12345 is a placeholder and not a recommendation; the real port number has been changed here.

Then modify the Windows Firewall rule (this assumes you created it following the Microsoft instructions, so it has the name below) with PowerShell, using your own port number (not 12345):

Set-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -LocalPort 12345

and update your hardware firewall if needed.
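Pulling the steps above together, here is an added PowerShell example (not code from the post or from Win32-OpenSSH) that changes the port, validates the file with sshd -t before restarting so a typo cannot lock you out, confirms the listener with Get-NetTCPConnection rather than netstat piped through find.exe (which sidesteps the quoting problem entirely), and re-points the firewall rule. The port 2222 is a placeholder and the paths are the in-box Windows OpenSSH defaults; the script assumes an elevated prompt.

```powershell
# Added example, not code from the original post or from Win32-OpenSSH.
# Changes the sshd listening port end to end. $NewPort is a placeholder and
# the paths are the in-box Windows OpenSSH defaults. Run it elevated, and if
# you are connected over SSH keep that session open until the new port answers.
$NewPort    = 2222
$ConfigPath = Join-Path $env:ProgramData 'ssh\sshd_config'
$SshdExe    = Join-Path $env:windir 'System32\OpenSSH\sshd.exe'

function Set-SshdPort {
    param([Parameter(Mandatory)] [string] $Path, [Parameter(Mandatory)] [int] $Port)
    $replaced = $false
    $lines = foreach ($line in Get-Content -Path $Path) {
        # Rewrite the first active or commented "Port N" line; leave the rest alone.
        if (-not $replaced -and $line -match '^\s*#?\s*Port\s+\d+\s*$') {
            $replaced = $true
            "Port $Port"
        } else {
            $line
        }
    }
    # No Port line at all: prepend one. It must sit above any Match block,
    # because directives after a Match line belong to that block.
    if (-not $replaced) { $lines = @("Port $Port") + $lines }
    Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep a rollback copy
    Set-Content -Path $Path -Value $lines -Encoding ascii   # the stock file is plain ASCII
}

function Test-SshdConfig {
    # sshd -t only parses the file and checks the host keys, so unlike -T it
    # does not need -C even when Match blocks are present.
    & $SshdExe -t 2>&1 | ForEach-Object { Write-Warning $_ }
    return ($LASTEXITCODE -eq 0)
}

Set-SshdPort -Path $ConfigPath -Port $NewPort
if (-not (Test-SshdConfig)) {
    Copy-Item -Path "$ConfigPath.bak" -Destination $ConfigPath -Force
    throw "sshd rejected the new configuration; the backup has been restored"
}
Restart-Service -Name sshd

# Confirm the listener without fighting find.exe over quotes.
$listener = Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue
if (-not $listener) { throw "sshd is not listening on $NewPort; check the OpenSSH event log" }
$listener | Select-Object LocalAddress, LocalPort, OwningProcess

# Re-point the inbound rule created by the Microsoft install steps, then read it back.
Set-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -LocalPort $NewPort
Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' | Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```

The order matters: the config is checked before the service restarts, the listener is checked before the firewall is touched, and the firewall rule is read back rather than assumed. Port 22 stays closed once the rule is changed, so update any hardware firewall or NAT rule in the same change window.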

Reference for the PoSh Find command was

Reference for the firewall changes via PoSh

Configure OpenSSH SFTP on Windows 2019

Now that I have OpenSSH installed, the next steps are to configure OpenSSH SFTP on Windows 2019.

In my case, I had errors during the install, but I now have it installed and I am following the default configuration commands from Microsoft’s documentation.

First up I confirmed the OpenSSH Client and Server are installed:

PS C:\windows\system32> Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

Name  : OpenSSH.Client~~~~
State : Installed

Name  : OpenSSH.Server~~~~
State : Installed

and then start the server as a service, set it to start automatically and make sure the firewall rule exists:

PS C:\windows\system32> Start-Service sshd
PS C:\windows\system32> Set-Service -Name sshd -StartupType 'Automatic'
PS C:\windows\system32> Set-Service -Name sshd -StartupType 'Automatic'
PS C:\windows\system32> if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {
>>     Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."
>>     New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
>> } else {
>>     Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists."
>> }
Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists.
PS C:\windows\system32>

OK, so those are the first couple of steps, done via copy/paste from the MS instructions. I do want to come back to the use of port 22 as the default, and I'll also need to adjust the ports on the hardware firewall to allow external SFTP access, but that can come later.

A quick test using PowerShell on my local Windows 10 machine shows that a connection to the server will complete as described, so far success!

Changing the ports took a bit more than I hoped so I documented Changing the SSH Port as well.