-
-
Notifications
You must be signed in to change notification settings - Fork 179
Windows 11
Windows 11 uses its own OpenSSH implementation based on OpenSSH v8 by default. To ensure optimal security and compatibility, it is recommended to update to the beta implementation of OpenSSH for Windows.
-
Open a command prompt or PowerShell window.
-
Run the following command to install the beta version of OpenSSH:
winget install -e --id Microsoft.OpenSSH.Beta
-
Verify that your SSH version is greater than 8.X.X by running:
ssh -V
In Windows, the OpenSSH Client (ssh
) reads configuration data from a configuration file in the following order:
- By launching
ssh.exe
with the-F
parameter, specifying a path to a configuration file and an entry name from that file. - A user's configuration file at
%userprofile%\.ssh\config
. - The system-wide configuration file at
%programdata%\ssh\ssh_config
.
Apply the following configuration either system-wide or user-wide by placing it in the respective file path:
KexAlgorithms curve25519-sha256,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512
Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,[email protected],aes128-ctr
MACs [email protected],[email protected],[email protected]
HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
CASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
HostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
PubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
To harden the Windows OpenSSH Server implementation:
-
Open
%programdata%\ssh\sshd_config
. -
Uncomment the following lines:
HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key
-
Add the following configuration to the same file:
KexAlgorithms curve25519-sha256,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512
Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,[email protected],aes128-ctr
MACs [email protected],[email protected],[email protected]
HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
CASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
HostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
PubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
Add hmac-sha2-256
to the MACs
configuration. This MAC is necessary to connect to the default SSH configuration of OpenWRT, Debian, DietPi, and other similar systems.