Having worked with Unix and Linux servers for a long time, one feature that I came to appreciate is the Secure Shell (SSH) daemon. The SSH server daemon allows users to securely connect to Linux and Unix servers using an SSH client. Those of you who work with Linux and Unix servers are quite familiar with open-source SSH tools such as PuTTY and WinSCP. Personally, I find WinSCP quite helpful as it allows me to transfer files back and forth between my Windows desktop machine and any of the Unix/Linux hosts that I manage. It works just as well when the servers are hosted in the cloud. The only port that needs to be opened on the server is port 22, which is the default port assigned by the Internet Assigned Numbers Authority (IANA). Unlike Telnet, which does not encrypt client-server traffic, SSH traffic is fully encrypted, making it the de facto standard for accessing remote servers.
SSH uses asymmetric cryptography during its key exchange to establish a shared secret without the client and server having to share a secret key in advance. It then switches to symmetric encryption, using that shared secret, to bulk-encrypt the TCP traffic between the client and the server. Another SSH security feature that I find lacking in Windows is the concept of a host key. When the OpenSSH server package is installed, the host keys are automatically generated and stored in /etc/ssh. Each host can have multiple keys, generated using different algorithms. A single key can be shared across multiple hosts, but in any event each host should have at least one key. The server host key is used primarily to assure the client that it is really communicating with the right server. When the client connects to the server for the first time, the server's public host key is passed to the client.
While Windows lacked native SSH support for the longest time, as of Fall 2018, Microsoft added native support for OpenSSH Server and OpenSSH Client starting with Windows Server 2019 and Windows 10 Build 1809. In this blog, I will walk you through the steps of configuring the OpenSSH Server and Client packages on Windows Server 2019 Standard and using WinSCP to copy files to a remote Windows server.
Step 1) The first step is to make sure that the OpenSSH Client and Server features are not already installed. Use an Administrator Windows PowerShell terminal to verify if OpenSSH is already installed.
Get-WindowsFeature Open*
Step 2) Ensure that the OpenSSH feature is available to install on your server based on the version of Windows you are running. As I mentioned earlier, it is compatible with Windows Server 2019 and Windows 10 Build 1809 and above. Compatibility is not guaranteed with other versions of Windows, so check your version first.
Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
Step 3) Next, install the OpenSSH Server using the following command:
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Step 4) After the OpenSSH Server is installed, the next step is to install the OpenSSH Client. Depending upon the version of Windows and update, it may have already been installed. If it is already installed, as it was in my case, you can skip this step. If not, please use the following command to install it. The output from step #2 will show if the OpenSSH Client is already installed as part of Windows Cumulative Update 1809.
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
Step 5) After the OpenSSH Server package is installed, the next step is to configure the service to start automatically.
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'
Step 6) If the Windows Firewall is enabled, then a firewall rule needs to be configured to allow inbound TCP traffic on port 22, the default port for SSH. Verify whether the firewall rule is already configured; chances are it is not.
Get-NetFirewallRule -Name *ssh*
Step 7) The firewall rule exception for OpenSSH is normally added automatically when the OpenSSH Server package is installed. Verify it using the instructions outlined in Step #6, and if the exception does not exist, use the command below to add it using PowerShell. The Windows Firewall applet can also be used to define the rule if you prefer the GUI.
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
Step 8) After completing the installation process and adding the firewall rule, ensure that the OpenSSH daemon is listening for incoming connections. Execute the following command from a different server or desktop machine.
Test-NetConnection -ComputerName SBCONSOLE11 -Port 22 -InformationLevel Detailed
Step 9) In order to move files from any Windows Server or Windows Desktop machine, you can download the WinSCP utility from here if you prefer a GUI based tool. After installing it, configure a new site using the hostname of the server that the OpenSSH Server was installed on. Choose the ‘New Site’ option and define a new connection to the server or desktop machine. Make sure that the File Protocol is set to SFTP and the port is set to 22, which is the default value.
Step 10) Once you click the Login button, you will be prompted for the password. Once the password is entered, the next dialog box will display the server’s ECDSA key fingerprint. Choose Yes to proceed. In the next window, the left pane will display the source machine default folder and the right pane will display the default folder for the user on the target server. Files from the source machine can now be copied by simply dragging them from the left pane into the right pane.
Step 11) If you prefer not to install WinSCP or simply use the command line to transfer files, then the following command will do the trick.
scp <filename> <username>@<hostname>:<directory_path>
scp sbora18c.sql administrator@SBCONSOLE11:
Step 12) In order to copy an entire directory, use the following command. If the directory does not exist on the target server, it will be created as part of the copy, assuming that the user has permission to do so. Similarly, files can be copied back and forth from Linux and Unix servers to Windows servers and desktops.
scp -r <local_directory_path> <username>@<hostname>:<remote_directory_path>
scp -r <local_directory_path> <username>@<hostname>:
scp -r "c:\TEMP\*.sql" administrator@SBCONSOLE11:"c:\TEMP\"
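As an added example (not code from the original post), the following PowerShell script runs Steps 1 through 8 as one idempotent check-then-fix pass, and adds a host-key fingerprint check so the ECDSA fingerprint that WinSCP shows in Step 10 can be compared against the server's own key before clicking Yes. It assumes the Windows OpenSSH host keys live under %ProgramData%\ssh (where the Windows OpenSSH service generates them) and uses the post's hostname SBCONSOLE11 as a placeholder.

```powershell
# Added example: idempotent run-through of Steps 1-8 from an elevated PowerShell
# on Windows Server 2019 / Windows 10 1809+. Replace SBCONSOLE11 with your server.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Steps 1-4: install the OpenSSH Server and Client capabilities only if missing.
foreach ($name in 'OpenSSH.Server~~~~0.0.1.0', 'OpenSSH.Client~~~~0.0.1.0') {
    $cap = Get-WindowsCapability -Online -Name $name
    if ($cap.State -ne 'Installed') {
        Write-Host "Installing $name"
        Add-WindowsCapability -Online -Name $name | Out-Null
    } else {
        Write-Host "$name is already installed"
    }
}

# Step 5: sshd must be running now and must start automatically after a reboot.
Set-Service -Name sshd -StartupType Automatic
if ((Get-Service -Name sshd).Status -ne 'Running') { Start-Service sshd }

# Steps 6-7: the installer normally creates an inbound rule; add one only if no
# enabled inbound rule matching *ssh* exists, to avoid duplicate rules.
$rules = @(Get-NetFirewallRule -Name '*ssh*' -Direction Inbound -ErrorAction SilentlyContinue |
           Where-Object { $_.Enabled -eq 'True' })
if ($rules.Count -eq 0) {
    Write-Host 'No inbound SSH rule found, creating one for TCP/22'
    New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True `
        -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 | Out-Null
}
Get-NetFirewallRule -Name '*ssh*' -Direction Inbound | Select-Object Name, Enabled, Action

# Host key check: the Windows OpenSSH service generates its host keys in
# %ProgramData%\ssh on first start (assumption stated in the lead-in). Print the
# ECDSA fingerprint so it can be compared with what WinSCP displays in Step 10;
# a mismatch means the client is not talking to this server.
$hostKey = Join-Path $env:ProgramData 'ssh\ssh_host_ecdsa_key.pub'
if (Test-Path $hostKey) {
    ssh-keygen -l -f $hostKey
} else {
    Write-Warning "Host key $hostKey not found yet; start sshd and re-run"
}

# Step 8: run this from a different machine to confirm port 22 is reachable.
# Test-NetConnection -ComputerName SBCONSOLE11 -Port 22 -InformationLevel Detailed
```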
Now that you have set up OpenSSH on Windows, consider StealthAUDIT for auditing permissions, configuration, and vulnerabilities in your Windows, UNIX, and Linux environment.
To learn more about how Stealthbits can help with auditing your IT infrastructure, visit our website: https://stealthbits.com/stealthaudit-management-platform-product/
Sujith Kumar has over 25 years of professional experience in the IT industry. Sujith has been extensively involved in designing and delivering innovative solutions for the Fortune 500 companies in the United States and across the globe for disaster recovery and high availability preparedness initiatives. Recently after leaving Quest Software/Dell after 19 years of service he was working at Cirro, Inc. focusing on database management and security. His main focus and area of interest is anything data related.
Sujith has a Master of Science in engineering degree from Texas A&M University and a Bachelor of Science in engineering degree from Bangalore University, has published several articles in refereed journals, and has delivered presentations at several events.