Openssh Agent

You must configure OpenSSH Authentication Agent service to automatically start (or you can start it manually everytime when opening your powershell for the first time: Start-Service ssh-agent). After that, you need to ssh-add C: path to your ssh key idrsa only once. After that, everytime the ssh-agent is started, the key will be there. Remote Development using SSH. The Visual Studio Code Remote - SSH extension allows you to open a remote folder on any remote machine, virtual machine, or container with a running SSH server and take full advantage of VS Code's feature set. Once connected to a server, you can interact with files and folders anywhere on the remote filesystem. No source code needs to be on your local machine to. Fixes and enhancements to ssh-agent (#1263, PowerShell/openssh-portable#363) Fixes to enable auto-updating knownhosts via ssh and ssh-keygen ( #1323 ) Fixes to other issues listed here. The OpenSSH Authentication Agent service is running as LocalSystem in its own process of ssh-agent.exe.


The integration of SSH has been a popular request among Windows users and SSH presents a renewed vision for remoting. Microsoft’s goal is to tightly integrate the open source Secure Shell (SSH) protocol with Windows and PowerShell. As a result, admins now have two-way remote management with PowerShell and SSH, from Linux to Windows and vice versa. We will also see that system administrators will be able to manage Linux servers, routers, switches, and other devices that allow for SSH. Realizing this vision is important as it allows traditional Windows and Linux admins to manage any operating system with a common skill set plus allowing for cross-platform code and scripts. What’s more, we see that configuration automation through Azure DSC can be leveraged for both Windows and Linux operating systems. Depending on the task, we can run the exact same PowerShell Core code on all platforms. Presently, there are caveats, limitations and the technology is continuing to evolve so keeping up to date is necessary. What this means for managing Office 365 in the future is also a question this author would like to know. Though, OpenSSH has arrived to the Windows OS after many years in development, and it’s still a work in progress as Microsoft’s PowerShell team is contributing to the development efforts of the open source OpenSSH community. This article will provide a step by step procedure for installing & configuring the new OpenSSH Server and client and also provide an explanation of the PowerShell remoting architecture as context. The article will cover remoting scenarios and steps however a walk-through for configuring Linux will not be part of this article.


  1. Microsoft is transitioning to “PowerShell Core” and cross-OS compatibility, while moving away from “Windows PowerShell”. Microsoft recently explained its “Windows PowerShell” roadmap plans, which will focus on “PowerShell Core”, going forward.
  2. There are now two editions of PowerShell called “Windows PowerShell” & “PowerShell Core”. However, there are no plans to introduce new functionality to “Windows PowerShell”.
  3. PowerShell remoting normally uses WinRM for connection negotiation and data transport, which is not supported in .NET Core so SSH was chosen for remoting since it allows true multi-platform remoting.
  4. Admins will be required to learn new remoting commands, use-cases and will need to update scripts.
  5. OpenSSH has to be installed and configured manually on both the server and client.
  6. Based on the various articles, there are a couple different ways to get SSH installed and configured on Windows OS.
  7. The install and configuration process can be a bit involved and has proven to be difficult for some administrators.
  8. Updated New-PSSession, Enter-PSSession and Invoke-Command cmdlets now have a new parameter set to facilitate the new remoting connections. Evolving cmdlets means admins must understand the differences and update their scripts at some point.

PowerShell Remoting Architecture

OpenSSH is a freely available collection of client/server utilities that enable secure remote login, remote file transfer, and public/private key pair management. As part of the OpenBSD project, the Secure Shell (SSH) protocol family of tools were developed and has been used for many years across the BSD, Linux, macOS, and Unix ecosystems. Back in 2015, the Microsoft PowerShell team announced support and commitment to the OpenSSH community and code base. This commitment resulted in direction and architectural changes for PowerShell.

Microsoft’s solution for PowerShell remoting was Windows Remote Management (WinRM) which handles remote connection negotiation and data transport by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol). WinRM is an implementation of the Web Services for Management (WS-Man) specification, which takes advantage of firewall-friendly HTTP (TCP port 5985) or HTTPS (TCP port 5986) protocols to establish the communications channel.

Although Windows PowerShell users are used to WinRM as their remoting protocol with PowerShell, both customers and internal Microsoft product teams wanted to enable Windows to use SSH. The ability to use SSH provides a common user experience for Linux users to connect to Windows systems remotely and vice versa. SSH will likely become the remoting protocol of choice for Windows users and as part of the future direction of all Microsoft applications.

Given Microsoft’s new cross platform vision, the WinRM service is now considered limited by being Windows-specific. WinRM is not yet available as part of multi-platform PowerShell Core therefore, SSH was chosen for the remoting implementation since it is now available for both Linux and Windows platforms and allows multi-platform PowerShell remoting. Of note, the PowerShell team has configured the Linux PowerShell engine to do WS-Man remoting. Linux supports WS-Man remoting through PowerShell Remoting Protocol (MS-PSRP) and with the Open Management Infrastructure (OMI) provider. Installation of both OMI and the OMI provider on Linux is required for PowerShell remoting. Currently, PowerShell Core supports PowerShell Remoting (PSRP) over WSMan with Basic authentication on macOS and Linux, and with NTLM-based authentication on Linux. (Kerberos-based authentication is not supported.)

PuTTY on Windows is the most common SSH client utility, as it allows a Windows user to SSH into a Linux system. There are other third-party SSH server solutions for Windows, however an integrated Microsoft solution will allow for further application integration, extended functionality and support.

Installing OpenSSH

Installing OpenSSH package Option 1) Manually from Github

  1. Download the latest build of OpenSSH from a web browser.
  2. Otherwise, download the latest build in an elevated PowerShell console, run the following:
    • Invoke-WebRequest -OutFile
  3. Extract contents of the latest build to C:Program FilesOpenSSH
  4. Otherwise, you can extract the zip file in an elevated Powershell console, run the following:
    • Expand-Archive 'C:Program Files'
    • Verify the sub-directory name, as the command will create “OpenSSH-Win64”
  5. Launch PowerShell as an Administrator and go to the directory where the files have been extracted to:
    • cd 'c:Program FilesOpenSSH'
  6. In an elevated PowerShell console, run the following
    • powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1
  7. Open the firewall for sshd.exe to allow inbound SSH connections
    • New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
  8. If you are running these commands on Windows 10, run the command
    • netsh advfirewall firewall add rule name=sshd dir=in action=allow protocol=TCP localport=sshd
  9. Start the windows service sshd (this will automatically generate host keys under %programdata%ssh if they don’t already exist)
  10. Run the command: Start-Service sshd
  11. Migrate sshd configuration:
    • To use existing customized sshd_config, you need to copy it from binary location to %programdata%sshsshd_config (Note that %programdata% is a hidden directory).
    • To use existing host keys, you need to copy them from binary location to %programdata%ssh
    • Prior versions required SSHD resources (sshd_config, host keys and authorized_keys) to have READ access to “NT ServiceSSHD”. This is no longer a requirement and the corresponding ACL entry should be removed. Run Powershell.exe -ExecutionPolicy Bypass -Command '. .FixHostFilePermissions.ps1 -Confirm:$false'(Note the first “.” is a call operator.) to fix up these permissions.
  12. Change the services sshd and ssh-agent to auto-start
    • Set-Service sshd -StartupType Automatic
    • Set-Service ssh-agent -StartupType Automatic
  13. Verify the change in the GUI and check for the services sshd & ssh-agent with: services.msc
  14. Configure the default ssh shell by running regedit.exe
  15. On the server, configure the default ssh shell in the windows registry by navigating to the key: ComputerHKEY_LOCAL_MACHINESOFTWAREOpenSSH
  16. Create a key called “DefaultShell” of type “REG_SZ”
  17. Enter the string value as “C:windowssystem32WindowsPowerShellv1.0powershell.exe”
  18. If PowerShell core is installed, then the string value will be “c:Program FilesPowerShell6.0.1pwsh.exe” (assuming version 6.0.1 however verify your installed version.)

Installing OpenSSH package Option 2) using PowerShell

Name : OpenSSH.Client~~~~
State : NotPresent
Name : OpenSSH.Server~~~~
State : NotPresent

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~

Path :
Online : True
RestartNeeded : False

Installing the OpenSSH package Option 3) using Chocolatey

  1. There are multiple ways to install OpenSSH on Windows. Chocolatey automates a few of the tasks.
  2. Open PowerShell command prompt (or cmd.exe) as Administrator
  3. If Chocolatey is not installed, follow the steps documented on the site
  4. Run the command: choco install openssh -params ‘”/SSHServerFeature /KeyBasedAuthenticationFeature”‘ –y

Installing OpenSSH package Option 4) using DISM.exe

Capability Identity : OpenSSH.Client~~~~
Capability Identity : OpenSSH.Server~~~~

dism /Online /Add-Capability /CapabilityName:OpenSSH.Client~~~~
dism /Online /Add-Capability /CapabilityName:OpenSSH.Server~~~~

Installing OpenSSH package Option 5) using Windows Developer Mode

Windows Develop Mode is not Microsoft’s OpenSSH implementation. Do not install SSH this way. SSH services are enabled when you enable Device Discovery on your device. This is used when your device is a remote deployment target for UWP applications. The names of the services are ‘SSH Server Broker’ and ‘SSH Server Proxy’. The existing SSH server used in Windows Developer Mode is not yet protocol compliant.

Installing OpenSSH package Option 6) using Enable-SSHRemoting PowerShell Core Cmdlet

This feature is a roadmap item as part of the PowerShell Core documentation published on github here. Once this feature is beta or fully released, it will be explained in more detail in this article.

Windows Client Configuration Steps


Client Authentication Option 1) Password-based authentication

  1. Test the ssh command line by opening PowerShell command prompt (or cmd.exe) as Administrator.
  2. Run the command but replace your “user-account” and “remotehost”: ssh [email protected]

Client Authentication Option 2) Key-based authentication

Authenticating via SSH is more secure with a key than a password, therefore, these steps are required. To set up a key, you have to generate it from your client and provide a passphrase. The defaults “id_rsa” are used as the file and RSA as the type.

Generating public/private ed25519 key pair.
Enter file in which to save the key (C:Usersuser1.sshid_ed25519):

Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:Usersuser1.sshid_ed25519.
Your public key has been saved in
The key fingerprint is:
SHA256:OIzc1yE7joL2Bzy8/gS0j8eGK7bYaH1FmF3sDuMeSj8 [email protected]
The key's randomart image is:
+--[ED25519 256]--+
. + + .
o B * = .
o= B S .
.=B O o
+ =+% o
+.o+=o. Capture one dropbox software. .

ssh --% [email protected] powershell -c $ConfirmPreference = 'None'; Repair-AuthorizedKeyPermission 'C:Usersuser1sshauthorized_keys'

Windows Server Configuration Steps of OpenSSH Server (sshd)

  1. RDP into the Windows Sever as an administrator
  2. Launch PowerShell command prompt (or cmd.exe) as Administrator
  3. Verify that PowerShell Core has been installed with the command: $PSVersionTable
  4. Check that PSEdition says “Core”, with the PSVersion at least 6.0.0.
  5. Update the Windows Server Enviroment Variables Path:
    • ($env:path).split(“;”)
    • $oldpath = (Get-ItemProperty -Path ‘Registry::HKEY_LOCAL_MACHINESystemCurrentControlSetControlSession ManagerEnvironment’ -Name PATH).path
    • $newpath = “$oldpath;C:Program FilesOpenSSH”
    • Set-ItemProperty -Path ‘Registry::HKEY_LOCAL_MACHINESystemCurrentControlSetControlSession ManagerEnvironment’ -Name PATH -Value $newPath
  6. Install the OpenSSHUtils as administrator by running: Install-Module -Force OpenSSHUtils
  7. Ensure the ssh-agent service is started by running: Get-Service ssh-agent
  8. Check that the status says “Running” otherwise
  9. Run the command: Start-Service ssh-agent
  10. Navigate to the OpenSSH folder: “C:Program FilesOpenSSH”
  11. Run the command: ssh-keygen.exe -A
  12. The public/private key pair will generate.
  13. Press Enter to accept the default file name and path of “id_rsa”. Otherwise you can specify a different name and path here.
  14. Enter a passphrase twice.
  15. The identification and public key files will be created called “id_rsa” and “” with the following output: “C:Program FilesOpenSSHssh-keygen.exe: generating new host keys: ED25519”
  16. Load the key files into the ssh-agent with the command: ssh-add ssh_host_ed25519_key
  17. Run the command: Repair-SshdHostKeyPermission -FilePath “C:Program FilesOpenSSHssh_host_ed25519_key”
  18. Chose “A” as the response.
  19. Run the command: Start-Service sshd
  20. Verify the service is in the Running state with the command: Get-Service sshd
  21. Add the firewall rule that allows traffic on port 22 with the command: New-NetFirewallRule -Name sshd -DisplayName ‘OpenSSH Server (sshd)’ -Service sshd -Enabled True -Direction Inbound -Protocol TCP -Action Allow -Profile Domain
  22. Go the the OpenSSH directory on the server.
  23. Open the file “sshd_config” with notepad.exe and add the following to the section “# override default of no subsystems”
    Subsystem powershell C:Program FilesPowerShell6.0.0.16pwsh.exe.exe -sshs -NoLogo -NoProfile
  24. Enable password authentication with the text: PasswordAuthentication yes
  25. Enable key authentication with the text: PubkeyAuthentication yes
  26. Close and save the sshd_config file.
  27. Run the command: Restart-Service sshd

PowerShell remoting

PowerShell remoting cmdlets will only allow connection with the command Enter-PSSession, Invoke-Command, etc. It will not work using ssh.exe to connect from the client.


  • OpenSSH
  • Chocolatey OpenSSH
  • Powershell OpenSSH
  • PSTools
  • Powershell make a permanent change to the path environment variable
  • Use Powershell to modify your enviromental path
  • Powershell Set Service
  • How do I open ports with Powershell
  • Getting Started with PowerShell Core on Windows, Mac, and Linux
  • Microsoft Transitioning Windows PowerShell 6.0 into PowerShell Core
  • PowerShell 6.0 Roadmap: CoreCLR, Backwards Compatibility, and More!
  • PowerShell Core 6.0: Generally Available (GA) and Supported! –
  • PowerShell Remoting Over SSH
  • Using the OpenSSH Beta in Windows 10 Fall Creators Update and Windows Server 1709
  • Why Remoting vs. SSH Isn’t Even a Thing
  • Porting to .NET Core – Libraries (See remoting section)
  • Part 2 – Install .NET Core and PowerShell on Linux Using DSC
  • Looking Forward: Microsoft Support for Secure Shell (SSH)
Share on FacebookShare on TwitterShare on WhatsAppShare on LinkedInShare on TumblrShare on RedditShare by Mail0replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Developer(s)The OpenBSD Project
Written inC
Operating systemUnix, Unix-like, Microsoft Windows
LicenseBSD, ISC, public domain

Secure Shell (SSH) is a protocol allowing secure remote login to a computer on a network using public-key cryptography. SSH client programs (such as ssh from OpenSSH) typically run for the duration of a remote login session and are configured to look for the user's private key in a file in the user's home directory (e.g., .ssh/id_rsa). For added security (for instance, against an attacker that can read any file on the local filesystem), it is common to store the private key in an encrypted form, where the encryption key is computed from a passphrase that the user has memorized. Because typing the passphrase can be tedious, many users would prefer to enter it just once per local login session. The most secure place to store the unencrypted key is in program memory, and in Unix-like operating systems, memory is normally associated with a process. A normal SSH client process cannot be used to store the unencrypted key because SSH client processes only last the duration of a remote login session. Therefore, users run a program called ssh-agent that runs beyond the duration of a local login session, stores unencrypted keys in memory, and communicates with SSH clients using a Unix domain socket.

Security issues[edit]

ssh-agent creates a socket and then checks the connections from ssh. Everyone who is able to connect to this socket also has access to the ssh-agent. The permissions are set as in a usual Linux or Unix system. When the agent starts, it creates a new directory in /tmp with restrictive permissions. The socket is located in this directory.

There is a procedure that may prevent malware from using the ssh-agent socket. If the ssh-add -c option is set when the keys are imported into the ssh-agent, then the agent requests a confirmation from the user using the program specified by the SSH_ASKPASSenvironment variable, whenever ssh tries to connect.

On the local system, it is important that the root user is trustworthy, because the root user can, amongst other things, just read the key file directly. On the remote system, if the ssh-agent connection is forwarded, it is also important that the root user on the other end is trustworthy, because it can access the agent socket on the remote (though not the key, which stays local).


There are many different programs that perform the same functionality as the OpenSSH ssh-agent, some with very different user interfaces. PuTTY, for example, uses a graphical user interface in its bundled Pageant ssh-agent.

Openssh Agent Forwarding

There are tools designed to provide key-agent functionality for both symmetric and asymmetric keys; these usually provide ssh-agent functionality as one of their application interfaces. Examples include GNOME Keyring and KWallet.

Some monolithic SSH clients include the ability to remember SSH passphrases across sessions. Examples include: SecureCRT.

Apple macOS[edit]

On the macOS operating system, ssh-agent has been integrated since Leopard, version 10.5 in 2007. Third-party open-source implementations of ssh-agent were available previously.[1]

Microsoft Windows[edit]

Openssh Client Windows 10

OpenSSH-based client and server programs have been included in Windows 10 since version 1803. The SSH client and key agent are enabled and available by default and the SSH server is an optional Feature-on-Demand.[2][3]

Openssh Agent List Keys


  1. ^Dribin, Dave (21 August 2007). 'SSHKeychain Warning'. Dave Dribin's Blog.
  2. ^
  3. ^

External links[edit]

Wikibooks has a book on the topic of: Guide to Windows Commands
  • ssh-agent man page from OpenSSH release (part of the OpenBSD project).
Retrieved from ''