Fortunately, I found the Win32-OpenSSH project. I realized that I want to share my experience with it. I believe it will help somebody and save a lot of nerves.
![](https://habrastorage.org/webt/ni/87/b-/ni87b-jl8n4kb_my9tek8-tsgqo.jpeg)
Installation ways:

- Via Chocolatey package
- Via Ansible, let's say the role jborean93.win_openssh

I will explain the manual way because the other ones are obvious.

I must note that this project is at the beta stage and it isn't recommended to use it in production.
Well, let's download the latest release. Currently it is 7.9.0.0p1-beta. It has both 32-bit and 64-bit versions.

Then unpack it to C:\Program Files\OpenSSH.

Important: grant write access to this directory to SYSTEM and the Administrators group only.

Further, install the services via the PowerShell script install-sshd.ps1, which is located in the OpenSSH directory:

```powershell
powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1
```

Let's allow incoming connections on port 22:

```powershell
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
```

Note: the cmdlet New-NetFirewallRule is for Windows Server 2012 and above only. For older or desktop OS versions, you can use the following command:

```
netsh advfirewall firewall add rule name=sshd dir=in action=allow protocol=TCP localport=22
```

Start the service:

```
net start sshd
```

This will automatically generate host keys under %programdata%\ssh if they don't already exist.

You can set up service auto-start with this command:

```powershell
Set-Service sshd -StartupType Automatic
```

Also, you can change the default shell (it is cmd by default after install):

```powershell
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
```

Note: you must specify an absolute path.
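The manual steps above as one script, added here as an example (it is not from the original post or the Win32-OpenSSH project). It assumes the release archive is already unpacked into $InstallDir and that it runs in an elevated Windows PowerShell 5.1 session; the ACL is set with well-known SIDs and then verified before the service is registered.

```powershell
# Added example (not from the original post or the Win32-OpenSSH project).
# Assumes the release was already unpacked into $InstallDir; run elevated.
$ErrorActionPreference = 'Stop'
$InstallDir = 'C:\Program Files\OpenSSH'

# Well-known SIDs, so the ACL does not depend on the system language.
$SystemSid = 'S-1-5-18'; $AdminsSid = 'S-1-5-32-544'; $UsersSid = 'S-1-5-32-545'

# Drop inherited ACEs and grant write access to SYSTEM and Administrators only;
# everyone else may read and execute the binaries but not replace them.
& icacls.exe $InstallDir /inheritance:r /T /grant:r `
    "*${SystemSid}:(OI)(CI)F" "*${AdminsSid}:(OI)(CI)F" "*${UsersSid}:(OI)(CI)RX" | Out-Null

function Test-OpenSshInstallAcl {
    # $true when no principal other than SYSTEM/Administrators holds a right
    # that would let it modify files under $Path.
    param([string]$Path = $InstallDir)
    $writeLike = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $offending = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $writeLike) -and
        ($SystemSid, $AdminsSid) -notcontains
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    return -not $offending
}
if (-not (Test-OpenSshInstallAcl)) { throw "Unexpected write access on $InstallDir" }

# Register the service, open TCP/22, set auto-start and start it
# (host keys are generated under $env:ProgramData\ssh on first start).
& powershell.exe -ExecutionPolicy Bypass -File (Join-Path $InstallDir 'install-sshd.ps1')
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True `
    -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 | Out-Null
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# Optional: make PowerShell the login shell (an absolute path is required).
New-Item -Path 'HKLM:\SOFTWARE\OpenSSH' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell -PropertyType String -Force `
    -Value "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" | Out-Null
```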
What's next?

We can configure sshd_config, which is located in C:\ProgramData\ssh.

E.g.:

```
PasswordAuthentication no
PubkeyAuthentication yes
```
Then we create a .ssh directory inside the user directory (C:\Users\<user_directory>) and an authorized_keys file inside it. We can paste public keys into this file.

Important: only the user whose directory it is may have write permissions for this file.

By the way, if you can't fix it, you can disable the permissions check via the config:

```
StrictModes no
```

Also, the directory C:\Program Files\OpenSSH contains two scripts (FixHostFilePermissions.ps1, FixUserFilePermissions.ps1) which should fix permissions, including authorized_keys permissions, but in my experience they don't.
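An added example (not from the original post) that installs a user's public key and sets the authorized_keys permissions so that the StrictModes check passes, rather than switching the check off. It assumes a local account whose profile lives under C:\Users\<user> and that it runs elevated; $User and the key string are placeholders.

```powershell
# Added example (not from the original post). Assumes a local account with
# profile C:\Users\<user>; run elevated. $User and $PublicKey are placeholders.
$ErrorActionPreference = 'Stop'

function Install-AuthorizedKey {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$PublicKey   # one public-key line
    )
    $sshDir  = "C:\Users\$User\.ssh"
    $keyFile = Join-Path $sshDir 'authorized_keys'
    New-Item -ItemType Directory -Path $sshDir -Force | Out-Null
    # Append only when the key is missing, so re-running does not duplicate it.
    if (-not (Test-Path $keyFile) -or
        -not (Select-String -Path $keyFile -SimpleMatch -Pattern $PublicKey -Quiet)) {
        Add-Content -Path $keyFile -Value $PublicKey -Encoding ASCII
    }
    # Owner = the user; access = user, SYSTEM, Administrators only; no inheritance.
    foreach ($p in $sshDir, $keyFile) {
        & icacls.exe $p /setowner $User | Out-Null
        & icacls.exe $p /inheritance:r /grant:r "${User}:F" '*S-1-5-18:F' '*S-1-5-32-544:F' | Out-Null
    }
    return $keyFile
}

function Test-AuthorizedKeysAcl {
    # $true when the file is owned by $User and nobody outside
    # {user, SYSTEM, Administrators} is granted any access.
    param([Parameter(Mandatory)][string]$User)
    $acl     = Get-Acl -Path "C:\Users\$User\.ssh\authorized_keys"
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $userSid = ([System.Security.Principal.NTAccount]$User).Translate($sidType).Value
    $allowed = @($userSid, 'S-1-5-18', 'S-1-5-32-544')
    $extra   = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $allowed -notcontains $_.IdentityReference.Translate($sidType).Value
    }
    return ($acl.GetOwner($sidType).Value -eq $userSid) -and -not $extra
}

# Usage with placeholder values; check the ACL before relying on key auth.
Install-AuthorizedKey -User 'alice' -PublicKey 'ssh-ed25519 AAAA...placeholder... alice@laptop'
Test-AuthorizedKeysAcl -User 'alice'
```

If the check returns False, fixing the owner or the extra ACEs it reports is the safer route than setting StrictModes no.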
Don't forget to restart the sshd service to apply the changes.
```
ru-mbp-666:infrastructure$ ssh Administrator@192.168.1.10 -i ~/.ssh/id_rsa
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator> Get-Host
Name : ConsoleHost
Version : 5.1.14393.2791
InstanceId : 653210bd-6f58-445e-80a0-66f66666f6f6
UI : System.Management.Automation.Internal.Host.InternalHostUserInterface
CurrentCulture : en-US
CurrentUICulture : en-US
PrivateData : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy
DebuggerEnabled : True
IsRunspacePushed : False
Runspace : System.Management.Automation.Runspaces.LocalRunspace
PS C:\Users\Administrator>
```
Personal pros/cons.

Pros:

- Standard way to connect to any server (Windows/Linux). When you have a few Windows hosts, it's inconvenient: here we go via ssh, but there via RDP, and generally speaking the best practice with bastions is first an ssh tunnel, then RDP through the tunnel. Oh kill me baby one more time.
- Easy to configure. I think it is obvious.
- Connection speed to the remote host. Without a GUI we save host resources and the amount of transmitted data.

Cons:

- It can't replace RDP in some cases. Not everything can be done via PowerShell; I mean the cases when a GUI is required.

Links:

- Project on GitHub
- Ansible docs