1. Installing OpenSSH Server

Download the OpenSSH server package from the PowerShell/Win32-OpenSSH releases page (the official Microsoft port maintained by the PowerShell team).

Run the following in an admin PowerShell session on the server to allow incoming SSH connections:

New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

Argument                        Description
-Name sshd                      A short internal name for the firewall rule, used to identify it programmatically
-DisplayName 'OpenSSH Server'   A human-readable label shown in the Windows Firewall UI
-Enabled True                   Activates the rule immediately upon creation
-Direction Inbound              Applies the rule to incoming traffic
-Protocol TCP                   Restricts the rule to TCP traffic (SSH runs over TCP)
-Action Allow                   Permits matching traffic through the firewall
-LocalPort 22                   Targets port 22, the standard SSH port

2. Configuring the Default Shell for OpenSSH

By default, OpenSSH on Windows uses cmd.exe as the login shell. To change this to PowerShell, set the DefaultShell registry value under HKLM:\SOFTWARE\OpenSSH.

New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name "DefaultShell" -Value "C:\Program Files\PowerShell\7\pwsh.exe" -PropertyType String -Force

Parameter       Description
Path            The registry key path where the setting will be written (HKLM = HKEY_LOCAL_MACHINE).
Name            The name of the registry value to create or update. DefaultShell is the value OpenSSH reads at login.
Value           Full path to the shell executable that SSH sessions will launch. The PowerShell path can be found with (Get-Command pwsh).Source.
PropertyType    The registry data type. String corresponds to REG_SZ.
Force           Overwrites the value if it already exists, without prompting for confirmation.

Common locations for the PowerShell path:

  • C:\Program Files\PowerShell\7\pwsh.exe for the latest PowerShell
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe for legacy Windows PowerShell

⚠️ Note: If the path contains WindowsApps, read below.

Using the MSI-installed Version of PowerShell 7

The WinGet/Microsoft Store version of PowerShell (installed under WindowsApps) is known not to work reliably as the SSH default shell. Install PowerShell 7 from the MSI installer instead. After that, (Get-Command pwsh).Source should return: C:\Program Files\PowerShell\7\pwsh.exe.

Argument                Description
-Path                   Registry key path to write the value into.
-Name DefaultShell      The value name OpenSSH reads to determine which shell to launch.
-Value                  Path to the MSI-installed pwsh.exe.
-PropertyType String    Sets the registry data type to REG_SZ.

3. Generating an SSH Key Pair

On your client machine, generate a key pair:

ssh-keygen
# Save it to the current directory, or directly to:
# C:\Users\<User>\.ssh\
#
# <myKey>.pub  = Public key. This will be copied to the server
# <myKey>      = Private key. Keep this safe, never share it

ssh-keygen will prompt you for a save location and an optional passphrase. After running it, C:\Users\<User>\.ssh\ will contain:

  • myKey.pub is the public key to copy to any server you want to connect to
  • myKey is the private key that stays on your client machine

4. Configuring the SSH Client

On your client machine, create or edit C:\Users\<User>\.ssh\config to store connection settings per host:

Host <HostName>
    User <LocalUserName>
    IdentityFile C:/Users/<User>/.ssh/<myKey>

Parameter       Description
Host            An alias or the actual hostname/IP of the server. This is what you type in ssh <HostName>.
User            The username to log in with on the remote machine.
IdentityFile    Path to the private key file to use for authentication with this host.

5. Adding the Public Key to the Server

On the server, the public key (.pub file) must be added to the authorized keys file so the server knows to trust it. This also lets you log in without typing a password every time. If the authorized keys file already exists, add the public key to it as a new line.

Admin account: add the public key to C:\ProgramData\ssh\administrators_authorized_keys.

Non-admin account: add the public key to C:\Users\<Username>\.ssh\authorized_keys.

The contents of <myKey>.pub have the format ssh-ed25519 <hash> <domain\user@computername>.

Note: If the connection still fails after adding the key, restart the SSH service with Restart-Service sshd.

Now you can log in from the client to the SSH server without typing a password.
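
Section 5 as a script, as an added example that is not part of the original page: it appends the key only if it is absent and, for the administrators file, limits the ACL to Administrators and SYSTEM, which Microsoft's OpenSSH documentation requires for that file. Add-SshAuthorizedKey and its parameters are hypothetical names; run it in an elevated PowerShell session on the server.

```powershell
# Added example, not from the original page. Function and parameter names are hypothetical.
function Add-SshAuthorizedKey {
    param(
        [Parameter(Mandatory)][string]$PublicKey,  # the single line from <myKey>.pub
        [string]$UserName,                         # needed for a non-admin account
        [switch]$Administrator                     # set when the account is a local admin
    )

    # Accept only one line that looks like a public key. A private key file
    # starts with "-----BEGIN" and must never be copied to the server.
    $key = $PublicKey.Trim()
    if ($key -cnotmatch '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( [^\r\n]*)?$') {
        throw 'Input is not a single-line OpenSSH public key.'
    }
    if (-not $Administrator -and -not $UserName) {
        throw 'Specify -UserName for a non-admin account.'
    }

    # Same two locations the page lists.
    $path = if ($Administrator) {
        Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
    } else {
        "C:\Users\$UserName\.ssh\authorized_keys"
    }
    New-Item -ItemType Directory -Path (Split-Path $path) -Force | Out-Null

    # Compare on "type blob" so the same key with another comment is not added twice.
    $id = ($key -split ' ')[0..1] -join ' '
    $lines = @(if (Test-Path $path) { Get-Content -Path $path })
    $present = [bool]($lines | Where-Object {
        $_ -ceq $id -or $_.StartsWith("$id ", [StringComparison]::Ordinal)
    })
    if (-not $present) {
        # Rewrite line by line so the new key always starts on its own line.
        Set-Content -Path $path -Value ($lines + $key) -Encoding ascii
    }

    if ($Administrator) {
        # Drop inherited entries and grant full control to Administrators
        # (S-1-5-32-544) and SYSTEM (S-1-5-18) only; SIDs work on any locale.
        icacls.exe $path /inheritance:r /grant '*S-1-5-32-544:F' /grant '*S-1-5-18:F' | Out-Null
    }
    [pscustomobject]@{ Path = $path; Added = -not $present }
}

# Usage (assumes the .pub file was copied to the current directory):
# Add-SshAuthorizedKey -Administrator -PublicKey (Get-Content .\myKey.pub -Raw)
```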