
As known, OpenSSH Server on Windows 10 (sshd.exe) runs as a service by default. But there are cases that require running OpenSSH Server in an interactive Windows session, not in session 0 as it does by default. For example, let's assume you connect to Windows from some Linux/Android device and you don't want to use desktop connections like VNC and others. Then it's impossible to run a command such as rundll32.exe user32.dll,LockWorkStation via SSH successfully, as the LockWorkStation function requires a desktop session, i.e. session 1, session 2, etc. And

Some time ago I found a post stating that it's possible to run SSH Server on Windows interactively, but no specific instructions were given there:

You can run the SSH server in an interactive Windows session, instead of as a service. It has its limitations though.

Now I'm looking for those instructions.

I tried to run sshd.exe directly through cmd with a configuration file and a log file, like

c:\Windows\System32\OpenSSH\sshd.exe -f c:\Windows\System32\OpenSSH\sshd_config_default -E log.txt

but launched this way, the server doesn't accept any incoming connection. The log file contains very little information:

Accepted password for The_Immortal from ::1 port 28532 ssh2
CreateProcessAsUserW failed error:1314
fork of unprivileged child failed

Unfortunately there is no proper help built into sshd.exe. It only shows the general list of arguments:

usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-o option] [-p port] [-u len]

And I'm frustrated: what from this is necessary to finally run sshd.exe interactively?


UPD: I've just found a big workaround similar to my question, but it concerns some customized (upgraded) OpenSSH Server. Anyway, with sshd -d I have the same error as above.

  • Are you sure this comment about interactive mode was about OpenSSH Server on Windows installed via the Windows Feature? The version of OpenSSH installed by that feature does not have every feature that regular old OpenSSH Server has. There are many features it does not have. Can you provide a link to the statement? Without context, it's not possible to determine if your understanding of the comment was correct. Edit your question instead of submitting a comment.
    – Ramhound
    Commented Mar 13, 2020 at 21:35
  • Your link does not work. It's not even a URL to a website.
    – Ramhound
    Commented Mar 13, 2020 at 21:42
  • @Ramhound fixed. Well, actually you are right. The author didn't mean OpenSSH Server exactly. But I decided there is a way to launch it interactively. Commented Mar 13, 2020 at 21:44
  • The Windows OpenSSH Server optional feature, as I said, is not a feature-complete port. Did you look into psexec?
    – Ramhound
    Commented Mar 13, 2020 at 22:50
  • @Ramhound SSH is my choice as I'm looking for a cross-platform solution, as I need to send commands from Android as well. Till now there is no PsExec port for Android. Could you please explain what you mean by "regular old feature-complete OpenSSH Server"? Where can it be found? Commented Mar 13, 2020 at 22:53

2 Answers


Preamble

What helped me solve this issue is learning that running sshd in "interactive mode" is equivalent to running sshd as a regular user (not root). It's not something I've had to ever do on Linux, but once defined this way it's easier to find help online.

There are three issues with running sshd as an unprivileged user:

  1. Can't access ports below 1024.
  2. Can't read ssh host keys (located in /etc/ssh/ssh_host_{ecdsa,ed25519,rsa,dsa}_key{,.pub})
  3. Can't write PID file to ssh_host_ecdsa_key

source

Solution

  1. Host keys

Open cmd prompt in %userprofile%\.ssh

ssh-keygen -q -N "" -t dsa -f ./ssh_host_dsa_key
ssh-keygen -q -N "" -t rsa -b 4096 -f ./ssh_host_rsa_key
ssh-keygen -q -N "" -t ecdsa -f ./ssh_host_ecdsa_key
ssh-keygen -q -N "" -t ed25519 -f ./ssh_host_ed25519_key
  2. Sshd_config

Copy %programdata%\ssh\sshd_config to %userprofile%\.ssh and set:

Port <BETWEEN-1024-AND-65535>
HostKey C:\Users\<USER>\.ssh\ssh_host_rsa_key
HostKey C:\Users\<USER>\.ssh\ssh_host_dsa_key
HostKey C:\Users\<USER>\.ssh\ssh_host_ecdsa_key
HostKey C:\Users\<USER>\.ssh\ssh_host_ed25519_key
PidFile C:\Users\<USER>\.ssh\sshd.pid
  3. Open new port in firewall

netsh advfirewall firewall add rule name="Open Port <BETWEEN-1024-AND-65535>" dir=in action=allow protocol=TCP localport=<BETWEEN-1024-AND-65535>

  4. Startup batch script

Create sshd-interactive-mode.bat in the Startup* folder:

start "" C:\Users\user\bin\SilentCMD\SilentCMD.exe "C:\Program Files\OpenSSH\sshd.exe" -f C:\Users\user\.ssh\sshd_config

SilentCMD spawns it as a background task. Download it and save to %userprofile%\bin\SilentCMD. start "" prevents the cmd prompt from lingering on the desktop after sshd exits.

Notes

  • I chose to keep everything in user's .ssh directory, but you may choose a separate directory.
  • Startup folder: C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • Why are you giving twice the same answer?
    – Toto
    Commented Nov 16, 2023 at 13:33
  • I've removed the previous one - it originally suggested adding user permissions to the system host keys, which was a wrong approach. I needed to understand the problem better. Commented Nov 16, 2023 at 13:40

You want to run it in interactive mode, so that way you can interact with the local desktop (console session).

sshd -d

Note that by default this will only allow the current user to log in, and only with a private key.

If you want anything else you're going to have to manually grant your user extra privileges.

Use query session to verify that you are logged in to the session you want.

Otherwise, Windows by design goes to a lot of trouble to isolate services from user interaction.
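The four steps of the first answer (user-owned host keys, a private sshd_config on an unprivileged port, a firewall rule, a hidden background start) as one PowerShell script, with the foreground debug run and the session check from the second answer as the usage note. This is an added example, not code from either answer or from the OpenSSH project. Assumptions: the in-box OpenSSH binaries live in C:\Windows\System32\OpenSSH, port 2222 is free, and Start-Process -WindowStyle Hidden stands in for the SilentCMD download. Error 1314 in the question's log is ERROR_PRIVILEGE_NOT_HELD, so the script writes sshd's own log to a file and checks that the process is still alive after start, which is where that failure shows up.

```powershell
# Added example (not from the answers above): user-mode sshd on Windows in
# four steps. Assumed paths and port are marked below.
$ErrorActionPreference = 'Stop'

$SshDir  = Join-Path $env:USERPROFILE '.ssh'
$OpenSsh = 'C:\Windows\System32\OpenSSH'            # assumption: in-box OpenSSH path
$Sshd    = Join-Path $OpenSsh 'sshd.exe'
$KeyGen  = Join-Path $OpenSsh 'ssh-keygen.exe'
$Port    = 2222                                       # assumption: any free port above 1024
$Config  = Join-Path $SshDir 'sshd_config'
$LogFile = Join-Path $SshDir 'sshd.log'

New-Item -ItemType Directory -Path $SshDir -Force | Out-Null

# 1. Host keys owned by the user, so an unprivileged sshd can read them.
#    --% hands the rest of the line to the native program verbatim; that is
#    the reliable way to pass an empty passphrase (-N "") from PowerShell.
#    DSA is left out: current OpenSSH releases no longer generate it.
$env:SSHD_DIR = $SshDir
if (-not (Test-Path "$SshDir\ssh_host_rsa_key")) {
    & $KeyGen --% -q -N "" -t rsa -b 4096 -f "%SSHD_DIR%\ssh_host_rsa_key"
}
if (-not (Test-Path "$SshDir\ssh_host_ecdsa_key")) {
    & $KeyGen --% -q -N "" -t ecdsa -f "%SSHD_DIR%\ssh_host_ecdsa_key"
}
if (-not (Test-Path "$SshDir\ssh_host_ed25519_key")) {
    & $KeyGen --% -q -N "" -t ed25519 -f "%SSHD_DIR%\ssh_host_ed25519_key"
}

# 2. A private sshd_config: unprivileged port, the user's host keys, a PID
#    file in a writable place. Everything else keeps sshd's built-in defaults.
@"
Port $Port
HostKey $SshDir\ssh_host_rsa_key
HostKey $SshDir\ssh_host_ecdsa_key
HostKey $SshDir\ssh_host_ed25519_key
PidFile $SshDir\sshd.pid
LogLevel VERBOSE
"@ | Set-Content -Path $Config -Encoding ASCII

# Check the config before starting anything: -t parses it, loads the host
# keys and exits non-zero on any problem.
& $Sshd -t -f $Config
if ($LASTEXITCODE -ne 0) { throw "sshd rejected $Config" }

# 3. Firewall rule for the new port (needs an elevated shell; skipped otherwise).
$IsAdmin = ([Security.Principal.WindowsPrincipal] `
            [Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($IsAdmin) {
    $RuleName = "sshd user-mode $Port"
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
            -Action Allow -Protocol TCP -LocalPort $Port | Out-Null
    }
} else {
    Write-Warning "Not elevated: add the firewall rule for TCP $Port from an admin shell."
}

# 4. Start sshd inside this interactive session, hidden, logging to a file.
#    Start-Process -WindowStyle Hidden replaces SilentCMD from the answer.
$Proc = Start-Process -FilePath $Sshd -WindowStyle Hidden -PassThru `
        -ArgumentList @('-f', "`"$Config`"", '-E', "`"$LogFile`"")
Start-Sleep -Seconds 2
if ($Proc.HasExited) {
    throw "sshd exited with code $($Proc.ExitCode); see $LogFile"
}

# Confirm it is listening and which session it lives in (must not be 0).
Get-NetTCPConnection -LocalPort $Port -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
"sshd PID $($Proc.Id) runs in session $($Proc.SessionId)"
```

To see why a connection fails rather than guessing, run the same server in the foreground as the second answer suggests, `& $Sshd -d -f $Config`, which handles one connection and prints every step to the console; `query session` in the same shell shows which session that shell (and so sshd) is in. Keep the firewall rule scoped to the interface you actually connect from: the example opens the port on every profile, which is the weakest setting.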

