Installing SFTP/SSH Server on Windows using OpenSSH

• Download the latest OpenSSH for Windows binaries (package OpenSSH-Win32.zip)
• Extract the package to a convenient location (we will use C:\openssh in this guide)
• As the Administrator, install SSHD and ssh-agent services:
  powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1
• Generate server keys by running the following commands from the C:\openssh:

  .\ssh-keygen.exe -A
  

• Open a port for the SSH server in Windows Firewall:
  • Either run the following PowerShell command (Windows 8 and 2012 or newer only), as the Administrator:
    New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName SSH
  • or go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules and add a new rule for port 22.
• To allow a public key authentication, as an Administrator, from C:\openssh, run:
  powershell.exe -ExecutionPolicy Bypass -File install-sshlsa.ps1
  and restart the machine
• In C:\openssh\sshd_config locate a Subsystem sftp directive and change the path to sftp-server to its Windows location:
  Subsystem sftp C:\openssh\sftp-server.exe
• Start the service and/or configure automatic start:
  • In Powershell type the following command(s):
    Start-Service sshd
Start-Service ssh-agent
    
  • If you want the server to start automatically when the Server boots up type the following command(s):
    Set-Service sshd -StartupType Automatic
Set-Service ssh-agent -StartupType Automatic
    

These instructions are partially based on the official deployment instructions.

Follow a generic guide for Setting up SSH public key authentication in *nix OpenSSH server, with following differences:

• Create the .ssh folder (for the authorized_keys file) in your Windows account profile folder (typically in C:\Users\username\.ssh).
• Do not change permissions for the .ssh and the authorized_keys.

Before the first connection, find out fingerprint of the server’s RSA key by running ssh-keygen.exe -l -f ssh_host_rsa_key -E md5 from the C:\openssh:

C:\openssh>ssh-keygen.exe -l -f ssh_host_rsa_key -E md5
2048 MD5:94:93:fe:cc:c5:7d:d8:2a:33:21:0e:f3:91:11:8a:d9 martin@example (RSA)

Start WinSCP. Login dialog will appear. On the dialog:

• Make sure New site node is selected.
• On New site node, make sure the SFTP protocol is selected.
• Enter your machine/server IP address (or a hostname) into the Host name box.
• Enter your Windows account name to the User name box. It might have to be entered in the format user@domain, if running on a domain.
• For a public key authentication:
  • Press the Advanced button to open Advanced site settings dialog and go to SSH > Authentication page.
  • In Private key file box select your private key file.
  • Submit Advanced site settings dialog with the OK button.
• For a password authentication:
  • Enter your Windows account password to the Password box.
  • If you Windows account does not have a password, you cannot authenticate with the password authentication (i.e. with an empty password), you need to use the public key authentication.
• Save your site settings using the Save button.
• Login using Login button.
• Verify the host key by comparing fingerprint with the one collected before (see above).

• Guide to Installing Secure FTP Server on Windows using IIS;
• Guide to uploading files to SFTP server;
• Guide to automating operations (including upload).