Skip to content
Julius Bairaktaris edited this page Jun 11, 2024 · 3 revisions

Configuring OpenSSH in Windows 11

Windows 11 uses its own OpenSSH implementation based on OpenSSH v8 by default. To ensure optimal security and compatibility, it is recommended to update to the beta implementation of OpenSSH for Windows.

Updating OpenSSH

  1. Open a command prompt or PowerShell window.

  2. Run the following command to install the beta version of OpenSSH:

    winget install -e --id Microsoft.OpenSSH.Beta
    
  3. Verify that your SSH version is greater than 8.X.X by running:

    ssh -V
    

Configuring OpenSSH Client

In Windows, the OpenSSH Client (ssh) reads configuration data from a configuration file in the following order:

  1. By launching ssh.exe with the -F parameter, specifying a path to a configuration file and an entry name from that file.
  2. A user's configuration file at %userprofile%\.ssh\config.
  3. The system-wide configuration file at %programdata%\ssh\ssh_config.

Apply the following configuration either system-wide or user-wide by placing it in the respective file path:

KexAlgorithms curve25519-sha256,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512
Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,[email protected],aes128-ctr
MACs [email protected],[email protected],[email protected]
HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
CASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
HostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
PubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256

Hardening the Windows OpenSSH Server

To harden the Windows OpenSSH Server implementation:

  1. Open %programdata%\ssh\sshd_config.

  2. Uncomment the following lines:

    HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
    HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key
    
  3. Add the following configuration to the same file:

KexAlgorithms curve25519-sha256,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512
Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,[email protected],aes128-ctr
MACs [email protected],[email protected],[email protected]
HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
CASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
HostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
PubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256

Optional

Add hmac-sha2-256 to the MACs configuration. This MAC is necessary to connect to the default SSH configuration of OpenWRT, Debian, DietPi, and other similar systems.