Setting up SFTP/SSH on Windows

I’ve been wrestling with OpenSSH for Windows to set up an SFTP server. I’m still ironing out some of the fine detail, but the basic steps are below.

This article covers the initial setup:

  • Install the software
  • If the SFTP user doesn’t already exist in Windows, create it. Passwords are checked against the Windows account; the passwd file below only maps the account to a home directory and numeric IDs.
  • Open a command prompt in the C:\Program Files\OpenSSH directory (assuming that’s where it’s installed)
  • Set up the group file: mkgroup -l >> etc\group
  • Set up the passwd file: mkpasswd -l -u username >> etc\passwd
    The -l means local user. If it’s a domain user, use -d. Type just mkpasswd for help. Run these from cmd, not from Windows PowerShell (5.1 and earlier), whose >> writes UTF-16 with CRLF line endings and corrupts these Unix-format files.
  • Create the home directory for your user. If following the IIS standard, that would be c:\inetpub\ftproot\username — but it can be anywhere
  • Edit the passwd file to put the home directory in. Load it in Notepad or another text editor. As with all the files to do with OpenSSH, passwd is in Unix format (LF line endings, no byte-order mark), so you may do better to use an editor that understands Unix end-of-line characters. Change the home directory field, which is the sixth of the seven colon-delimited fields (second from last), to match the home directory. Cygdrive notation is required, e.g. /cygdrive/c/inetpub/ftproot/username for the directory above.
  • For domain users, you’ll have to make sure the Domain Users group is in etc\group, since mkgroup -l only lists local groups. This can be done with mkgroup > textfile.txt, extracting the Domain Users line from that file and appending it to etc\group by hand.
    Also double-check that the group ID (the third colon-delimited field in etc\group) matches the group ID of your user(s) in the passwd file (the fourth field). If they don’t match, logon fails.
  • Start the OpenSSH service (note that when adding additional users, you do not need to restart the service).
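The following is an added example, not part of the original post: a PowerShell function that carries out steps 3 to 7 above (group file, passwd entry, home directory, cygdrive path, group ID check) and refuses to continue when the group ID it is about to write has no matching line in etc\group. It assumes OpenSSH for Windows is installed under C:\Program Files\OpenSSH, that mkpasswd.exe and mkgroup.exe are on the PATH, and that mkgroup accepts -d for domain groups just as mkpasswd does; the account name and home directory in the usage line are hypothetical.

```powershell
# Added example, not the post's own procedure. Assumptions: OpenSSH for Windows
# under C:\Program Files\OpenSSH; mkpasswd.exe / mkgroup.exe on the PATH;
# mkgroup accepts -d for domain groups (as mkpasswd does).
function Add-SftpUser {
    param(
        [Parameter(Mandatory)] [string] $User,
        [string] $HomeDir = "C:\inetpub\ftproot\$User",
        [switch] $DomainUser,
        [string] $OpenSshDir = 'C:\Program Files\OpenSSH'
    )
    $ErrorActionPreference = 'Stop'

    # Cygwin-built tools want /cygdrive/<letter>/... with forward slashes.
    function ConvertTo-CygdrivePath([string]$WindowsPath) {
        $full = [IO.Path]::GetFullPath($WindowsPath).TrimEnd('\')
        return "/cygdrive/$($full.Substring(0, 1).ToLower())$($full.Substring(2) -replace '\\', '/')"
    }
    # passwd and group are Unix-format files: LF line endings, no BOM. Never use
    # >> from Windows PowerShell on them; it writes UTF-16 with CRLF.
    function Add-UnixLines([string]$Path, [string[]]$Lines) {
        if ($Lines.Count -gt 0) { [IO.File]::AppendAllText($Path, (($Lines -join "`n") + "`n")) }
    }
    function Get-UnixLines([string]$Path) {
        if (Test-Path $Path) { @([IO.File]::ReadAllText($Path) -split "`n" | Where-Object { $_ }) } else { @() }
    }

    $passwd = Join-Path $OpenSshDir 'etc\passwd'
    $group  = Join-Path $OpenSshDir 'etc\group'
    $scope  = if ($DomainUser) { '-d' } else { '-l' }

    # Step 1: seed the group file once from the local groups.
    if (-not (Test-Path $group)) { Add-UnixLines $group @(& mkgroup -l) }

    # Step 2: passwd line for this user, with the home field (6th of 7) pointed
    # at the home directory in cygdrive notation.
    $entry = @(& mkpasswd $scope -u $User | Where-Object { $_ -match '^[^:]+:' })
    if ($entry.Count -ne 1) { throw "mkpasswd returned $($entry.Count) entries for $User" }
    $fields = $entry[0] -split ':'
    if ($fields.Count -ne 7) { throw "unexpected passwd line: $($entry[0])" }
    New-Item -ItemType Directory -Path $HomeDir -Force | Out-Null
    $fields[5] = ConvertTo-CygdrivePath $HomeDir
    $line = $fields -join ':'

    # Step 3: the user's gid (4th passwd field) must equal the gid (3rd field) of
    # some line in group. For domain users that is usually Domain Users, which
    # mkgroup -l never lists, so fetch the matching line from mkgroup -d.
    $gid = $fields[3]
    $knownGids = @(Get-UnixLines $group | ForEach-Object { ($_ -split ':')[2] })
    if ($knownGids -notcontains $gid) {
        $match = @(& mkgroup -d | Where-Object { ($_ -split ':')[2] -eq $gid })
        if ($match.Count -eq 0) { throw "no group with gid $gid found; add one to $group by hand" }
        Add-UnixLines $group $match
    }

    # Step 4: append the entry. Adding a user does not need a service restart.
    if (@(Get-UnixLines $passwd | Where-Object { ($_ -split ':')[0] -eq $fields[0] }).Count -gt 0) {
        throw "$($fields[0]) is already in $passwd"
    }
    Add-UnixLines $passwd @($line)
    return $line
}

# Hypothetical local account:
# Add-SftpUser -User alice -HomeDir 'C:\inetpub\ftproot\alice'
```

The function edits the home field before the line is appended rather than afterwards in Notepad, which gives the same result without the risk of an editor saving the file with CRLF endings or a byte-order mark.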


Once this is done, simple username/password connections can be made using an SFTP client. One is included with OpenSSH, and PuTTY’s psftp also works, though I couldn’t get it to work for passwordless/key file connections (see below). You can also use graphical clients such as FileZilla.

If you want to check out logging, the server records connections, both attempted and successful, in the Windows Event Viewer. By default it doesn’t seem to log anything else, although sshd_config has logging settings (see Logging below).

Keyfile logon

The harder bit is setting up passwordless (key file) logon for use in scripts etc. On your client you need to generate a key pair (which means installing the SSH client software, or some other tool that can generate keys). The command below, as used here, creates a DSA key; be aware that DSA keys are limited to 1024 bits and current OpenSSH releases refuse them by default, so on anything recent use an RSA key (ssh-keygen -t rsa -b 4096) or Ed25519 where both ends support it:

ssh-keygen -t dsa

It’ll put the key pair in an .ssh subdirectory of your home directory by default. Only the public key (id_dsa.pub, or id_rsa.pub for an RSA key) goes to the server: copy it into a .ssh directory under your user ID’s ftp home, into a file named authorized_keys2 (authorized_keys is the standard name, and by default sshd reads both). The private key stays on the client and is never copied anywhere. If more than one key should be valid, put them in that file one per line. Note that Windows Explorer may refuse to create a directory named .ssh; use mkdir from the command line instead.

sshd has to be able to read the .ssh directory and the key file. Granting Everyone read access is the blunt way to achieve that; granting it only to the account the OpenSSH service runs as is tighter. Either way, nobody but the user and administrators should be able to write there, because anyone who can write to authorized_keys2 can add their own key and log in as that user.

You may have to tell the server to trust the file by adding StrictModes no to sshd_config. (If you don’t do this, it may keep asking for your password every time you try to connect.)
Be clear about what that setting does: with StrictModes on, sshd refuses to use a key file when the home directory, .ssh or the key file itself is owned by someone else or writable by anyone other than the owner. Turning it off removes that check rather than fixing the permissions, so if you need it to get past the Cygwin permission mapping, verify by hand that only the user and administrators can write to those paths.
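The following is an added example, not part of the original post: a PowerShell function for the server side of the key setup above. It validates each public key line before installing it (a key pasted with line wrapping, or copied from PuTTYgen’s multi-line display, is a common reason for the password prompt to keep coming back), creates the .ssh directory, appends the keys to authorized_keys2 in Unix format, grants read access, and warns if StrictModes has been switched off. It assumes the same install path as the rest of this page and the page’s authorized_keys2 file name; the account name, key file path and the Reader parameter default are assumptions.

```powershell
# Added example, not the post's own procedure. Assumptions: OpenSSH for Windows
# under C:\Program Files\OpenSSH; the post's file name authorized_keys2; icacls
# available (Windows Vista / Server 2008 and later).
function Install-SftpUserKey {
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $PublicKeyFile,   # the client's id_rsa.pub / id_dsa.pub
        [string] $HomeDir = "C:\inetpub\ftproot\$User",
        [string] $Reader = 'Everyone',                     # better: the account the OpenSSH service runs as
        [string] $OpenSshDir = 'C:\Program Files\OpenSSH'
    )
    $ErrorActionPreference = 'Stop'

    # An OpenSSH public key line is "<type> <base64 blob> [comment]", and the first
    # length-prefixed string inside the blob repeats the type. Checking that catches
    # keys wrapped across lines or pasted from PuTTYgen's multi-line box.
    function Test-OpenSshPublicKey([string]$Line) {
        $parts = $Line.Trim() -split '\s+'
        if ($parts.Count -lt 2) { return $false }
        try { $blob = [Convert]::FromBase64String($parts[1]) } catch { return $false }
        if ($blob.Length -lt 4) { return $false }
        $len = ([int]$blob[0] -shl 24) -bor ([int]$blob[1] -shl 16) -bor ([int]$blob[2] -shl 8) -bor [int]$blob[3]
        if ($len -le 0 -or $len + 4 -gt $blob.Length) { return $false }
        return ([Text.Encoding]::ASCII.GetString($blob, 4, $len) -eq $parts[0])
    }

    $keys = @([IO.File]::ReadAllText($PublicKeyFile) -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($k in $keys) {
        if (-not (Test-OpenSshPublicKey $k)) { throw "not a valid OpenSSH public key line: $k" }
    }

    # New-Item creates ".ssh" where Explorer refuses to.
    $sshDir   = Join-Path $HomeDir '.ssh'
    $authKeys = Join-Path $sshDir 'authorized_keys2'   # authorized_keys is the standard name; sshd reads both
    New-Item -ItemType Directory -Path $sshDir -Force | Out-Null

    # One key per line, LF-terminated, no BOM, no duplicates.
    $existing = if (Test-Path $authKeys) { @([IO.File]::ReadAllText($authKeys) -split "`n") } else { @() }
    $new = @($keys | Where-Object { $existing -notcontains $_ })
    if ($new.Count -gt 0) { [IO.File]::AppendAllText($authKeys, (($new -join "`n") + "`n")) }

    # sshd must read the directory and file; only the user and administrators
    # should be able to write to them, or they can add their own key.
    & icacls $sshDir /grant "${Reader}:(OI)(CI)R" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $sshDir" }

    # StrictModes no makes sshd skip exactly that ownership/write check. Warn if set.
    $config = Join-Path $OpenSshDir 'etc\sshd_config'
    if (@((Get-Content $config) -match '^\s*StrictModes\s+no\b').Count -gt 0) {
        Write-Warning "StrictModes is off in $config; sshd will not verify key-file permissions"
    }
    return $new.Count
}

# Hypothetical: Install-SftpUserKey -User alice -PublicKeyFile 'C:\temp\id_rsa.pub'
```

The function returns the number of keys it added. Note that Cygwin’s view of NTFS permissions is what sshd sees, so if StrictModes stays on and logon still falls back to a password, check ownership of the home directory and .ssh as well as the ACLs.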

Theoretically, once all that’s done, you can just:

sftp hostname

or if you want to connect as a user other than the one your client machine is logged on as:

sftp user@hostname

In practice you’ll need to make sure your private key isn’t on a shared drive. ssh refuses to use a private key whose permissions are more open than owner-only (the “permissions are too open” message), and a key on a network share looks that way to the Cygwin-based client regardless of the NTFS permissions you set; removing permissions on the share didn’t help when I tried it. Fair enough in principle, but I couldn’t get it to work other than by moving the key to a local drive.

The first time you connect you’ll get a prompt asking about caching the host’s key. Before accepting, compare the fingerprint it shows with one taken on the server itself (run the package’s ssh-keygen -l -f against the host public key stored next to sshd_config in etc\). Once cached, a warning about a changed host key on a later connection is the signal that something is wrong, not a prompt to click through.
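The following is an added example, not part of the original post: a PowerShell function that runs the OpenSSH sftp client unattended, which is the point of key logon in scripts. BatchMode=yes makes a rejected key fail with a non-zero exit code instead of hanging on a password prompt, and StrictHostKeyChecking=yes refuses an unknown or changed host key instead of asking, so the host key must have been accepted interactively once, as described above. It assumes the Cygwin-based sftp from this package is on the PATH and accepts -b, -i and -o, and it converts Windows paths to cygdrive form for it (Microsoft’s later Win32-OpenSSH takes Windows paths directly). The target, file and key paths in the usage line are hypothetical.

```powershell
# Added example, not the post's own. Assumptions: the package's Cygwin-based sftp
# on the PATH with -b/-i/-o support; host key already in the client's known_hosts.
function Invoke-SftpUpload {
    param(
        [Parameter(Mandatory)] [string] $Target,       # user@hostname
        [Parameter(Mandatory)] [string] $LocalFile,    # Windows path of the file to send
        [string] $RemoteDir = '.',
        [string] $Identity = ''                        # private key; empty uses the default ~/.ssh/id_* files
    )
    $ErrorActionPreference = 'Stop'

    # Cygwin-built tools want /cygdrive/<letter>/... with forward slashes.
    function ConvertTo-CygdrivePath([string]$WindowsPath) {
        $full = [IO.Path]::GetFullPath($WindowsPath).TrimEnd('\')
        return "/cygdrive/$($full.Substring(0, 1).ToLower())$($full.Substring(2) -replace '\\', '/')"
    }

    # Batch file for sftp -b: LF-terminated ASCII, paths quoted in case of spaces.
    $batch = [IO.Path]::GetTempFileName()
    $cmds  = @("cd `"$RemoteDir`"", "put `"$(ConvertTo-CygdrivePath $LocalFile)`"", 'quit')
    [IO.File]::WriteAllText($batch, (($cmds -join "`n") + "`n"))

    # BatchMode=yes: never prompt, so a key problem is an exit code, not a hang.
    # StrictHostKeyChecking=yes: refuse unknown or changed host keys, never ask.
    $opts = @('-o', 'BatchMode=yes', '-o', 'StrictHostKeyChecking=yes', '-b', (ConvertTo-CygdrivePath $batch))
    if ($Identity) { $opts += @('-i', (ConvertTo-CygdrivePath $Identity)) }
    try {
        & sftp @opts $Target
        if ($LASTEXITCODE -ne 0) {
            throw "sftp exited with $LASTEXITCODE (key not accepted, host key mismatch, or remote error)"
        }
    } finally {
        Remove-Item $batch -ErrorAction SilentlyContinue
    }
}

# Hypothetical: Invoke-SftpUpload -Target 'alice@sftp.example.local' -LocalFile 'C:\exports\report.csv' -RemoteDir 'incoming'
```

Because the function throws on any non-zero exit, a scheduled task built on it fails visibly when a key is revoked or the server’s host key changes, rather than silently waiting for input that never comes.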

psftp (mentioned above) doesn’t read the private key files ssh-keygen writes: PuTTY’s tools use their own .ppk format. PuTTYgen can import an OpenSSH private key (Conversions > Import key) and save it as a .ppk file for psftp’s -i option; the public key installed on the server is unaffected.

Links to helpful articles

Logging

The logging options are set in sshd_config. The default LogLevel is INFO; the other levels (QUIET, FATAL, ERROR, VERBOSE, DEBUG, DEBUG1 to DEBUG3) are described in the sshd_config manual. VERBOSE records which key matched, by fingerprint, which is what you want when several keys share one authorized_keys file. The entries themselves can be found in the Windows Event Viewer, Application log.

Revisions

2007-03-07 corrected point about logging on as a different user.
2007-03-08 added notes about StrictModes and logging, revised different user logon point. Removed bit about requiring an initial interactive logon.
2007-07-02 added note about logging.
2008-05-08 added link to software download.
2008-07-06 added note about mkpasswd -d vs -l
2008-07-08 added note about groups file including Domain Users group
2013-06-18 added note that OpenSSH service does not need to be restarted when adding another user, and link to another helpful article