34

I'm experiencing certain issues with the built-in OpenSSH client that, according to the Win32-OpenSSH GitHub page, seem resolved in newer versions. The newest version is v7.9 while the preinstalled client is in version 7.6p1.

```
PS C:\> ssh -V
OpenSSH_for_Windows_7.6p1, LibreSSL 2.6.4
```

I understand it's possible to install OpenSSH either as an optional feature in the "apps & features" settings page, or using PowerShell. That seems futile in my situation as the client clearly already is installed.

```
PS C:\>  Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'

Name  : OpenSSH.Client~~~~0.0.1.0
State : Installed

Name  : OpenSSH.Server~~~~0.0.1.0
State : NotPresent
```

Unfortunately, it doesn't seem possible to update the client this way and the GitHub page doesn't seem to publish binaries. Does this mean I have to make the binaries myself if I want to use newer versions, and would they even work as a replacement not being signed or anything? Is there maybe a simpler way?

vic
  • I had the same problem. Since I have the Windows Subsystem for Linux installed, I just switched to using `wsl -e ssh` instead of `ssh`, which executes the (newer) version of ssh inside the Linux subsystem. – Heinzi Nov 03 '21 at 09:57

4 Answers

16

This page gives the steps to follow using PowerShell to install the latest packages.

```powershell
# Force TLS 1.2 for the request to GitHub
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = 'https://github.com/PowerShell/Win32-OpenSSH/releases/latest/'
$request = [System.Net.WebRequest]::Create($url)
# Do not follow the redirect: the Location header carries the tag of the latest release
$request.AllowAutoRedirect=$false
$response=$request.GetResponse()
# Print the download URLs for the 64-bit and 32-bit archives
$([String]$response.GetResponseHeader("Location")).Replace('tag','download') + '/OpenSSH-Win64.zip'
$([String]$response.GetResponseHeader("Location")).Replace('tag','download') + '/OpenSSH-Win32.zip'
```

If you use Chocolatey, then type the following in the command prompt as shown here:

```
choco upgrade openssh
```
Reddy Lutonadio
  • 4
    You will likely want to use the instructions on this [page](https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH) to install the update. However, I would perform a test within a virtual machine, to verify what actually happens. Unless there is a vulnerability you are specifically worried about, you might not want to attempt to manually update the install, and instead, remove the built-in version and use the above installation instructions. – Ramhound Jan 19 '19 at 00:54
  • I needed to change $request.AllowAutoRedirect=$false to $request.AllowAutoRedirect=$true – JPvRiel Dec 11 '20 at 11:46
  • 3
    Both don't do much, at least don't give any output and afterwards (even after opening a new shell) `ssh -V` just gives me the same output: `OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5` – jaques-sam Jul 08 '21 at 07:40
14

The answer to overwrite the files works:

Download the latest and update them in C:\Windows\System32.

However, this is easier said than done due to how Windows restricts permissions to modify/write files in System32. Running PowerShell as Administrator was not sufficient to modify files. I had to change ownership and add full control permissions to get it done as follows:

```powershell
# Download upstream bins
# The redirect's Location header carries the tag of the latest release
$url = 'https://github.com/PowerShell/Win32-OpenSSH/releases/latest/'
$request = [System.Net.WebRequest]::Create($url)
$request.AllowAutoRedirect=$false
$response=$request.GetResponse()
$source = $([String]$response.GetResponseHeader("Location")).Replace('tag','download') + '/OpenSSH-Win64.zip'
(New-Object System.Net.WebClient).DownloadFile($source, 'OpenSSH-Win64.zip')

# Overwrite windows installed bins
# Names of the files currently installed; only these are replaced
$openSshBins = (Get-ChildItem 'C:\WINDOWS\System32\OpenSSH\').Name
Expand-Archive -Path .\OpenSSH-Win64.zip -DestinationPath .
# Take ownership and grant Administrators full control so the files can be overwritten
takeown.exe /a /r /f C:\Windows\System32\OpenSSH\
icacls.exe 'C:\Windows\System32\OpenSSH' /grant 'BUILTIN\Administrators:(OI)(CI)F'
icacls.exe 'C:\Windows\System32\OpenSSH' /grant 'BUILTIN\Administrators:F' /t
# Stop the agent so its binary is not locked during the copy
Stop-Service ssh-agent
$openSshBins | %{ Copy-Item -Path .\OpenSSH-Win64\$_ -Destination C:\Windows\System32\OpenSSH\ }
Start-Service ssh-agent
```

Note, to automate the download, you need to permit redirects.

JPvRiel
  • 1
    download automation is broken again :( – Atiq Rahman Mar 02 '21 at 22:15
  • Thanks, corrected and disabled redirects again. Not sure why, could swear that last time I had to have redirects enabled for it to work for me. – JPvRiel Mar 04 '21 at 18:21
  • I got the following on the last command: `Start-Service : Service 'OpenSSH Authentication Agent (ssh-agent)' cannot be started due to the following error: Cannot start service ssh-agent on computer '.'. At line:1 char:1 + Start-Service ssh-agent + ~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service], ServiceCommandException + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand` – Steven Lu Apr 18 '21 at 07:16
  • @StevenLu That error is probably caused by the startup type being disabled for the ssh authentication agent. See https://github.com/PowerShell/Win32-OpenSSH/issues/1625 – kakoni Jan 20 '22 at 12:45
  • 1
    The "Download upstream bins" part fails. After downloading OpenSSH-Win64.zip from https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v8.9.1.0p1-Beta, using the "# Overwrite windows installed bins" part works. (Write that part to a file like any_name.ps1; in pwsh as admin, issue `& any_name.ps1`.) – Good Pen May 09 '22 at 04:15
  • If you are still interested in maintaining: the newest version also needs to copy libcrypto.dll from the zip to the system32 folder, which your script skips https://github.com/PowerShell/Win32-OpenSSH/issues/2052 – Ben Jul 28 '23 at 17:59
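
The question asks whether replacement binaries would work "not being signed", and the answer above copies downloaded files into System32. The following is an added example, not part of the original answer, that checks the Authenticode signature of each extracted binary before the copy step. It assumes the archive is already expanded to `.\OpenSSH-Win64` and that `$expectedSigner` is a publisher string you have chosen to trust; both are assumptions to adjust.

```powershell
# Added example: verify extracted binaries before they replace files in System32\OpenSSH.
$extracted      = '.\OpenSSH-Win64'                 # assumption: output of Expand-Archive
$target         = 'C:\Windows\System32\OpenSSH'
$expectedSigner = 'Microsoft'                       # assumption: signer you expect to see

function Test-TrustedBinary {
    param([string]$Path, [string]$Signer)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the signature verifies and chains to a root trusted on this machine
    if ($sig.Status -ne 'Valid') { return $false }
    # Substring match on the subject; pinning a certificate thumbprint is stricter
    return $sig.SignerCertificate.Subject -like "*$Signer*"
}

# Files to replace: everything already installed, plus libcrypto.dll,
# which a comment on the answer reports as required by newer releases
$names = @((Get-ChildItem $target -File).Name) + 'libcrypto.dll' | Select-Object -Unique

$report = foreach ($name in $names) {
    $file = Join-Path $extracted $name
    if (-not (Test-Path $file)) { continue }        # not shipped in this release
    $isPe = $file -match '\.(exe|dll)$'
    [pscustomobject]@{
        Name    = $name
        # Only .exe/.dll files are signature-checked; other files are listed with $null
        Trusted = if ($isPe) { Test-TrustedBinary -Path $file -Signer $expectedSigner } else { $null }
        SHA256  = (Get-FileHash $file -Algorithm SHA256).Hash
    }
}
$report | Format-Table -AutoSize

# Stop before anything is written to System32 if a binary fails the check
$untrusted = @($report | Where-Object { $_.Trusted -eq $false })
if ($untrusted.Count -gt 0) {
    throw "Refusing to copy: invalid signature or unexpected signer for $($untrusted.Name -join ', ')"
}
```

The recorded SHA256 values give a baseline to compare against the installed files later, for example after a Windows update replaces them.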
9
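  1. Remove the default version of OpenSSH:

```powershell
Remove-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
```

  2. Install the recent version:
  3. Add it to path:

```powershell
# Read the machine-level Path; $env:Path also contains the user Path,
# which should not be written back into the machine scope
$machinePath = [Environment]::GetEnvironmentVariable("Path", [System.EnvironmentVariableTarget]::Machine)
[Environment]::SetEnvironmentVariable("Path",
$machinePath + ';' + ${Env:ProgramFiles} + '\OpenSSH',
[System.EnvironmentVariableTarget]::Machine)
```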
ᄂ ᄀ
  • 1
    To avoid installing the server (`sshd`), add an installation argument: `winget install Microsoft.OpenSSH.Beta --override ADDLOCAL=Client` --- Note `Microsoft.OpenSSH.Beta` is the full name of the package. – pabouk - Ukraine stay strong Sep 17 '22 at 13:17
  • Just found out, when installing client only, the `ssh-agent` service is also unavailable. – w5l Nov 14 '22 at 06:56
  • The package id is `Microsoft.OpenSSH.Beta` and the moniker is `openssh-beta`. – momvart Jul 10 '23 at 02:49
7

The binaries are now on GitHub. Download the latest and update them in C:\Windows\System32.

somebadhat
Cez Chi