
As is known, OpenSSH Server on Windows 10 (sshd.exe) runs as a service by default. But there are cases that require running OpenSSH Server in an interactive Windows session, not in session 0 as by default. For example, let's assume you connect to Windows from some Linux/Android device and you don't want to use desktop connections like VNC and others. Then it's impossible to run a command such as rundll32.exe user32.dll,LockWorkStation via SSH successfully, as the LockWorkStation function requires a desktop session, i.e. session 1, session 2, etc. And

Some time ago I found a post stating that it's possible to run SSH Server on Windows interactively, but no specific instructions were given then:

You can run the SSH server in an interactive Windows session, instead of as a service. It has its limitations though.

Now I'm looking for those.

I tried to run sshd.exe directly through cmd with a configuration file and log like:

c:\Windows\System32\OpenSSH\sshd.exe -f c:\Windows\System32\OpenSSH\sshd_config_default -E log.txt

But launched this way, the server doesn't support any incoming connection. The log file contains very little information:

Accepted password for The_Immortal from ::1 port 28532 ssh2
CreateProcessAsUserW failed error:1314
fork of unprivileged child failed

Unfortunately there is no proper help built into sshd.exe. It only shows a general list of arguments:

usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
       [-E log_file] [-f config_file] [-g login_grace_time]
       [-h host_key_file] [-o option] [-p port] [-u len]

And I'm frustrated: what's necessary from this to finally run sshd.exe interactively?


Update: I've just found a big workaround similar to my question, but it concerns some customized (upgraded) OpenSSH Server. Anyway, with sshd -d I have the same error as above.

Giacomo1968

2 Answers

1

Preamble

What helped me solve this issue is learning that running sshd in "interactive mode" is equivalent to running sshd as a regular user (not root). It's not something I've had to ever do on Linux, but once defined this way it's easier to find help online.

There are three issues with running sshd as an unprivileged user:

  1. Can't access ports below 1024.
  2. Can't read ssh host keys (located in /etc/ssh/ssh_host_{ecdsa,ed25519,rsa,dsa}_key{,.pub}).
  3. Can't write PID file to ssh_host_ecdsa_key.

source

Solution

  1. Host keys

Open a cmd prompt in %userprofile%\.ssh and run:

ssh-keygen -q -N "" -t dsa -f ./ssh_host_dsa_key
ssh-keygen -q -N "" -t rsa -b 4096 -f ./ssh_host_rsa_key
ssh-keygen -q -N "" -t ecdsa -f ./ssh_host_ecdsa_key
ssh-keygen -q -N "" -t ed25519 -f ./ssh_host_ed25519_key
  2. sshd_config

Copy %programdata%\ssh\sshd_config to %userprofile%\.ssh and set the following options:

Port <BETWEEN-1024-AND-65535>
HostKey C:\Users\<USER>\.ssh\ssh_host_rsa_key
HostKey C:\Users\<USER>\.ssh\ssh_host_dsa_key
HostKey C:\Users\<USER>\.ssh\ssh_host_ecdsa_key
HostKey C:\Users\<USER>\.ssh\ssh_host_ed25519_key
PidFile C:\Users\<USER>\.ssh\sshd.pid
  3. Open new port in firewall

netsh advfirewall firewall add rule name="Open Port <BETWEEN-1024-AND-65535>" dir=in action=allow protocol=TCP localport=<BETWEEN-1024-AND-65535>

  4. Startup batch script

Create sshd-interactive-mode.bat in the Startup* folder:

start "" C:\Users\<USER>\bin\SilentCMD\SilentCMD.exe "C:\Program Files\OpenSSH\sshd.exe" -f C:\Users\<USER>\.ssh\sshd_config
  • To determine the location of sshd.exe on your system, use where sshd.exe.

  • SilentCMD spawns it as a background task. Download it and save to %userprofile%\bin\SilentCMD, or install via choco install silentcmd. To determine the location of the command, use where silentcmd.exe.

  • start "" prevents the cmd prompt from lingering on the desktop after sshd exits.

Notes

  • I chose to keep everything in the user's .ssh directory, but you may choose a separate directory.
  • Startup folder: C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
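The following PowerShell script is an added example, not the answerer's code, that automates the four steps above (host keys, sshd_config, firewall rule, Startup batch file) and adds a check that the resulting sshd really runs outside session 0. It assumes sshd.exe and ssh-keygen.exe are on PATH, SilentCMD is installed under %USERPROFILE%\bin\SilentCMD, and the constructed default port 2222 is free; the `Test-InteractiveSshd` function name, the `-Profile Private` restriction on the firewall rule and the `PasswordAuthentication no` line are choices of this example, not from the original post. DSA is omitted because current ssh-keygen builds no longer generate DSA keys.

```powershell
# Added example (not the answerer's code). Run in a normal PowerShell prompt;
# only the firewall step needs elevation and is skipped with a warning otherwise.
param(
    [int]$Port = 2222,   # any value between 1024 and 65535; constructed default
    [string]$SshDir = (Join-Path $env:USERPROFILE '.ssh'),
    [string]$SilentCmd = (Join-Path $env:USERPROFILE 'bin\SilentCMD\SilentCMD.exe')  # assumed location
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $SshDir -Force | Out-Null

# 1. Host keys. Each private key is restricted to the current user only
#    (/inheritance:r drops inherited ACEs, /grant:r replaces the ACL), so other
#    local accounts cannot read it and sshd's permission check passes.
$keyFiles = foreach ($type in 'rsa', 'ecdsa', 'ed25519') {
    $key = Join-Path $SshDir "ssh_host_${type}_key"
    if (-not (Test-Path $key)) {
        $kgArgs = @('-q', '-N', '', '-t', $type, '-f', $key)   # -N '' = no passphrase
        if ($type -eq 'rsa') { $kgArgs += @('-b', '4096') }
        & ssh-keygen @kgArgs | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "ssh-keygen failed for $type" }
    }
    & icacls $key /inheritance:r /grant:r "$($env:USERNAME):F" | Out-Null
    $key
}

# 2. sshd_config. Written from scratch instead of copied from %PROGRAMDATA%\ssh,
#    so only the settings the answer changes plus two hardening lines are present.
#    Paths are quoted because a profile directory may contain spaces.
$config  = Join-Path $SshDir 'sshd_config'
$pidFile = Join-Path $SshDir 'sshd.pid'
$hostKeyLines = ($keyFiles | ForEach-Object { "HostKey `"$_`"" }) -join "`r`n"
@"
Port $Port
$hostKeyLines
PidFile "$pidFile"
# Hardening chosen for this example (not on the original page): key-only logins.
PasswordAuthentication no
PubkeyAuthentication yes
"@ | Set-Content -Path $config -Encoding ASCII
& sshd -t -f $config          # -t: parse config and host keys without listening
if ($LASTEXITCODE -ne 0) { throw "sshd rejected $config" }

# 3. Firewall rule (needs an elevated prompt). Same effect as the netsh line in
#    the answer; -Profile Private keeps the port closed on public networks.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    New-NetFirewallRule -DisplayName "sshd interactive $Port" -Direction Inbound `
        -Action Allow -Protocol TCP -LocalPort $Port -Profile Private | Out-Null
} else {
    Write-Warning "Not elevated: add the inbound rule for TCP $Port from an admin prompt."
}

# 4. Startup batch file, same shape as the answer's one-liner.
$sshdExe = (Get-Command sshd.exe).Source        # what 'where sshd.exe' prints
$bat = Join-Path ([Environment]::GetFolderPath('Startup')) 'sshd-interactive-mode.bat'
"start `"`" `"$SilentCmd`" `"$sshdExe`" -f `"$config`"" | Set-Content -Path $bat -Encoding ASCII

# Check after the next logon: is sshd listening on $Port from an interactive
# session, i.e. not session 0 where services live? Note that Win32 error 1314
# in the question's log is ERROR_PRIVILEGE_NOT_HELD: an unprivileged sshd cannot
# create processes as other accounts, which is why only the user who started it
# can log in.
function Test-InteractiveSshd {
    param([int]$Port)
    $conn = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $conn) { return $false }
    $proc = Get-Process -Id $conn.OwningProcess
    return ($proc.Name -eq 'sshd' -and $proc.SessionId -ne 0)
}
```

After running the script and logging on again, `Test-InteractiveSshd -Port 2222` returns `$true` only when the listener on that port belongs to an sshd process outside session 0; `query session` from the second answer shows the same session id interactively.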
-4

You want to run it in interactive mode, so that way you can interact with the local desktop (console session).

sshd -d

Note that by default this will only allow the current user to log in, and only with a private key.

If you want anything else you're going to have to manually grant your user extra privileges.

Use query session to verify that you are logged in to the session you want.

Otherwise, Windows by design goes to a lot of trouble to isolate services from user interaction.

Jolly