How to set up an SFTP server with OpenSSH on Windows Server

Scope

Set up an SFTP server on Windows Server with OpenSSH.

Prerequisites

How-to
Open a PowerShell and verify if OpenSSH server is already installed by running the following command:

Get-WindowsCapability -Online -Name OpenSSH.*

As we can see from the output, the server feature OpenSSH.Server~~~~0.0.1.0 is not installed:

Name         : OpenSSH.Client~~~~0.0.1.0
State        : Installed
DisplayName  : OpenSSH Client
Description  : OpenSSH-based secure shell (SSH) client, for secure key management and access to remote machines.
DownloadSize : 1403257
InstallSize  : 5450571

Name         : OpenSSH.Server~~~~0.0.1.0
State        : NotPresent
DisplayName  : OpenSSH Server
Description  : OpenSSH-based secure shell (SSH) server, for secure key management and access from remote machines.
DownloadSize : 1405120
InstallSize  : 5439396

Install the feature by running the following command:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

After the installation, a new service named OpenSSH SSH Server (sshd) will be present. By default its startup type is set to Manual; consider changing it to Automatic according to your needs.
Start the service using the services.msc snap-in or by running the PowerShell command Start-Service -Name sshd.

After starting the service for the first time, navigate to the folder C:\ProgramData\ssh; here you will find the host key pairs and the sshd configuration file.

Open the sshd_config file with Notepad or another text editor (make a backup copy before editing it). This file contains all the settings used by sshd, such as the Port and the authentication methods.

We will now grant SFTP access to the user named sftpuser. In our case, sftpuser is a local (non-domain), non-admin user.
Head to the bottom of the configuration file and add the following lines:

Match User sftpuser
	# Only the SFTP subsystem: no port forwarding and no interactive shell
	AllowTcpForwarding no
	PermitTTY no
	ForceCommand sftp-server
	# Confine the session to this folder; it becomes the SFTP root "/"
	ChrootDirectory C:\sftp\home\sftpuser
	# This user authenticates with a password only
	PubkeyAuthentication no
	PasswordAuthentication yes

Match User *
	# Every other account: neither password nor public-key authentication
	PubkeyAuthentication no
	PasswordAuthentication no

The comments in the block describe each setting. sshd applies the first value it finds for a keyword, so the sftpuser block must come before the Match User * block, which disables password and public-key authentication for every other account. I also advise changing the default port used by the service (22/TCP). To do so, uncomment the line starting with #Port 22 and specify the desired port:

Port 21111
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
In this example we are using 21111/TCP. If your server has Windows Firewall enabled, remember to allow inbound connections on the port.

Save the file (keeping it without any extension) and restart the service using the snap-in or with the PowerShell command Restart-Service -Name sshd.

We can now test the configuration. Open a command prompt on the server and run the command sftp -P 21111 sftpuser@127.0.0.1, where -P 21111 is the port you specified in the sshd_config file.
If you want to test the connection from another machine, edit the IP address 127.0.0.1 accordingly (remember to allow the inbound connection on the firewall).

If everything is working correctly, you will be prompted for sftpuser's password. After providing the password, you will be able to perform file operations:

PS C:\Users\Administrator> sftp -P 21111 sftpuser@127.0.0.1
sftpuser@127.0.0.1's password:
Connected to 127.0.0.1.
sftp> ls
myfile.txt
Remember that your home directory is the one you specified in the sshd_config file, so with our configuration the SFTP root "/" is bound to "C:\sftp\home\sftpuser".
Trying to navigate up with cd .. will result in the error realpath /..: Permission denied.
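The whole procedure above as one PowerShell script, an added example that is not part of the original article: it installs the capability, backs up and edits sshd_config, validates the file with sshd -t before restarting, and opens the firewall port. It assumes the local user sftpuser already exists and that sshd.exe lives in C:\Windows\System32\OpenSSH (the default for the Windows capability); the firewall rule name is made up.

```powershell
# Added example (not from the original article): the how-to above as one idempotent
# script for an elevated PowerShell. Assumes local user 'sftpuser' already exists.
$Port      = 21111
$SftpUser  = 'sftpuser'
$ChrootDir = "C:\sftp\home\$SftpUser"
$Cfg       = Join-Path $env:ProgramData 'ssh\sshd_config'
# 1. Install the OpenSSH Server capability only if it is not present yet.
$cap = Get-WindowsCapability -Online -Name 'OpenSSH.Server*'
if ($cap.State -ne 'Installed') { Add-WindowsCapability -Online -Name $cap.Name | Out-Null }

# 2. First start generates host keys and sshd_config; then make startup Automatic.
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd
# 3. Back up the config (timestamped, so reruns never overwrite an earlier copy).
Copy-Item $Cfg "$Cfg.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"

# 4. Set the listening port, replacing the '#Port 22' default or an earlier Port line.
(Get-Content $Cfg) -replace '^\s*#?\s*Port\s+\d+\s*$', "Port $Port" |
    Set-Content -Path $Cfg -Encoding ascii

# 5. Append the Match blocks once. Everything after a Match line belongs to that
#    block, so they must stay at the very end of the file.
if (-not (Select-String -Path $Cfg -Pattern "^Match User $SftpUser\b" -Quiet)) {
    Add-Content -Path $Cfg -Encoding ascii -Value @"

Match User $SftpUser
    AllowTcpForwarding no
    PermitTTY no
    ForceCommand sftp-server
    ChrootDirectory $ChrootDir
    PubkeyAuthentication no
    PasswordAuthentication yes

Match User *
    PubkeyAuthentication no
    PasswordAuthentication no
"@
}
New-Item -ItemType Directory -Path $ChrootDir -Force | Out-Null   # chroot target must exist
# 6. Validate before restarting: sshd -t prints errors and exits non-zero on a bad file.
& "$env:SystemRoot\System32\OpenSSH\sshd.exe" -t -f $Cfg
if ($LASTEXITCODE -ne 0) { throw 'sshd_config failed validation; service not restarted' }
# 7. Open the port on Windows Firewall (assumed rule name), then apply the config.
$ruleName = "OpenSSH-SFTP-$Port"
if (-not (Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name $ruleName -DisplayName "OpenSSH SFTP ($Port/TCP)" `
        -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow | Out-Null
}
Restart-Service -Name sshd
```

After the restart, Get-NetTCPConnection -LocalPort 21111 -State Listen should show sshd's listening socket, and the sftp test from the previous step can be repeated.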

Further considerations

Article ID: SYS-WIN-0010