Windows 11
Windows 11 uses its own OpenSSH implementation based on OpenSSH v8 by default. To ensure optimal security and compatibility, it is recommended to update to the beta implementation of OpenSSH for Windows.
- Open a command prompt or PowerShell window.
- Run the following command to install the beta version of OpenSSH:

  ```
  winget install -e --id Microsoft.OpenSSH.Beta
  ```

- Verify that your SSH version is greater than 8.X.X by running:

  ```
  ssh -V
  ```
In Windows, the OpenSSH Client (`ssh`) reads configuration data from a configuration file in the following order:

- By launching `ssh.exe` with the `-F` parameter, specifying a path to a configuration file and an entry name from that file.
- A user's configuration file at `%userprofile%\.ssh\config`.
- The system-wide configuration file at `%programdata%\ssh\ssh_config`.
Apply the following configuration either system-wide or user-wide by placing it in the respective file path:

```
KexAlgorithms curve25519-sha256,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512
Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,[email protected],aes128-ctr
MACs [email protected],[email protected],[email protected]
HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
CASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
HostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
PubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
```
To harden the Windows OpenSSH Server implementation:

- Open `%programdata%\ssh\sshd_config`.
- Uncomment the following lines:

  ```
  HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
  HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key
  ```

- Add the following configuration to the same file:

  ```
  KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
  Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
  MACs [email protected],[email protected],[email protected]
  HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],rsa-sha2-512,rsa-sha2-256
  CASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256
  HostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],rsa-sha2-512,[email protected],rsa-sha2-256
  PubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],rsa-sha2-512,[email protected],rsa-sha2-256
  ```
Add `hmac-sha2-256` to the `MACs` configuration. This MAC is necessary to connect to the default SSH configuration of OpenWRT, Debian, DietPi, and other similar systems.
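Editing the files is only half the job; what matters is the algorithm lists the client actually negotiates with. The PowerShell below is an added verification script, not part of this guide or of the OpenSSH for Windows project: it parses the effective configuration printed by `ssh -G`, flags any legacy algorithm family still offered, and confirms the `hmac-sha2-256` MAC required above is present. It assumes `ssh.exe` is on `PATH` and supports `-G` (OpenSSH 6.8 and later); the function names are the example's own.

```powershell
# Added example, not part of the original guide: check that the hardened
# algorithm lists are the ones actually in effect, and that the page's
# required hmac-sha2-256 MAC survived the edit. Assumes ssh.exe is on PATH.
function Test-SshAlgorithmLists {
    param(
        # Lines as printed by "ssh -G <host>" (client) or "sshd -T" (server, elevated prompt).
        [Parameter(Mandatory)] [string[]] $DumpLines,
        # Algorithm the page says must remain in MACs for OpenWRT/Debian/DietPi peers.
        [string] $RequiredMac = 'hmac-sha2-256'
    )
    $wanted = 'kexalgorithms', 'ciphers', 'macs', 'hostkeyalgorithms', 'pubkeyacceptedalgorithms'
    # Legacy families absent from the hardened lists above: CBC ciphers, SHA-1 based
    # KEX/MACs/signatures (including plain ssh-rsa), MD5, 64-bit UMAC, arcfour, 3DES.
    $legacyPattern = 'cbc|sha1|ssh-rsa|hmac-md5|umac-64|arcfour|3des'
    $effective = @{}
    foreach ($line in $DumpLines) {
        $parts = $line.Trim() -split '\s+', 2          # "keyword value"
        if ($parts.Count -eq 2) { $effective[$parts[0].ToLower()] = $parts[1] }
    }
    $findings = @()
    foreach ($key in $wanted) {
        if (-not $effective.ContainsKey($key)) { $findings += "$key missing from dump"; continue }
        $weak = @($effective[$key] -split ',' | Where-Object { $_ -match $legacyPattern })
        if ($weak.Count -gt 0) { $findings += "$key still offers: $($weak -join ',')" }
    }
    if ($effective.ContainsKey('macs') -and -not (($effective['macs'] -split ',') -contains $RequiredMac)) {
        $findings += "macs lacks $RequiredMac (needed for OpenWRT/Debian/DietPi defaults)"
    }
    return $findings   # empty means every check passed
}

function Test-SshClientHardening {
    param([string] $HostName = 'localhost')   # -G only evaluates the config; it never connects
    # "ssh -V" writes its banner to stderr, so merge streams before parsing the version.
    $banner = (& ssh -V 2>&1 | Out-String).Trim()
    if ($banner -notmatch 'OpenSSH\S*?(\d+)\.(\d+)' -or [int]$Matches[1] -lt 9) {
        Write-Warning "ssh is not newer than 8.x: $banner"
    }
    $dump = @(& ssh -G $HostName 2>$null)
    if ($dump.Count -eq 0) { throw 'ssh -G produced no output; is ssh.exe on PATH?' }
    $findings = @(Test-SshAlgorithmLists -DumpLines $dump)
    if ($findings.Count -eq 0) { Write-Output 'OK: effective client algorithm lists are hardened' }
    else { $findings | ForEach-Object { Write-Warning $_ } }
}

Test-SshClientHardening
```

The same `Test-SshAlgorithmLists` function can be fed the output of `sshd.exe -T` from an elevated prompt to check the server side after editing `sshd_config`.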