How do I add secure shell login to a Windows System with WinSSHD?

WinSSHD allows users to remotely log into a console or, with the right tool, run a remote application or administer a machine.

One tool that I have always found missing from Windows installations is an SSH daemon that allows users to remotely log in to a console or, with the right tool, run a remote application or administer a machine. Some tools for this job either are too complicated or simply don't work. There is a solution, WinSSHD, that is as robust and reliable as it is easy to install.

WinSSHD works with all NT-series Windows operating systems, including:

  • Vista
  • XP
  • 2000
  • NT4

Although not listed as being supported, I have successfully installed and used WinSSHD on Windows 7 as well.

This blog post is also available in PDF format in a free TechRepublic download.


WinSSHD includes the following features:

  • Secure remote console access
  • vt100, xterm, bvterm support
  • Remote desktop and WinVNC support
  • Secure file transfer with SFTP and SCP
  • Secure TCP tunneling
  • 30-day demo available
  • Simple to install
  • User-friendly management console

Getting and installing

Installing WinSSHD is as simple as any Windows application installation. There are two screens, however, that will need attention. Before you get to that point, you will first need to download the installer from the Bitvise Web site and double-click the saved file to begin the installation process.

As I mentioned, there are two "steps" in the installation process that will not be familiar. The first step (Figure A) will require you to agree to the license terms as well as determine what you want to install.

Figure A

Each WinSSHD installation is considered a "site."

You will also have to select what you are doing with this installation. The options are:

  • Replace existing WinSSHD site: This option will be available only if you already have a WinSSHD installation.
  • Install new WinSSHD site: If this is your first installation, this is what you want to select.
  • Install new default site: If you are going to have only one WinSSHD installation, select this option.
  • Install new named site: If you know you are going to have multiple instances of WinSSHD, select this option.
  • Run WinSSHD Control Panel when done: If you want to start working with WinSSHD immediately, check this option.

The next step in the installation (Figure B) requires you to choose one of the types of installations. The possibilities are:

  • Standard Edition: This is the 30-day demo you downloaded. With this installation you will have full functionality, but it will expire unless you purchase a license.
  • Personal Edition: Free, but with restrictions (see Figure B).

Figure B

If you need access to only one machine with one group and 10 accounts, the Personal edition is perfect.

The remainder of the installation is simple. Once you have completed the installation, the WinSSHD Control Panel will open and you can start working with WinSSHD.

Using WinSSHD

From the WinSSHD Control Panel you can manage all aspects of the application. The first tab in this control panel that you should visit is the Server tab (Figure C). From here you can activate your copy of WinSSHD, start/stop the server, manage your Host Keys, and configure WinSSHD.

Figure C

This tab will inform you how many days you have left on your evaluation.

Out of the box, WinSSHD works perfectly for a single-session SSH connection. If you decide the default settings won't work for you or if you know you have a network/setup that demands specific configurations, such as needing to open the Windows Firewall to your local network or configuring your proxy settings, click on the Settings link near the bottom. From within the Settings window (Figure D), there are a number of options you can configure.

Figure D

Although the default settings should work, WinSSHD allows you to get fairly granular with your configurations.

Any options you may need/want to configure within the settings will be determined by your particular network topology as well as your user needs.

When you have WinSSHD set up, you will want to make sure it works. The first test you will want to run is from localhost. So open an instance of your SSH client (such as PuTTY) on the machine with WinSSHD installed and attempt to log in. That should work without a problem.

Now move over to another machine on your network and attempt the same login. If this fails, most likely you will need to adjust some of the security parameters within WinSSHD. The first place to look is in the Server section of the Settings window. In that section you will want to click on the Firewall section and then make sure the Open Ports to Local Subnet option is selected from the dropdown.
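
The two login tests above can be backed by a quick reachability check that tells a stopped server apart from a blocked port. The script below is an added example, not part of the original post or of WinSSHD; the function names are illustrative, and port 22 is assumed as the listening port.

```python
import socket

def parse_ssh_banner(line: bytes):
    """Parse an SSH identification string: SSH-protoversion-softwareversion[ comments]."""
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    if not text.startswith("SSH-"):
        return None
    parts = text.split("-", 2)
    if len(parts) != 3:
        return None
    software, _, comments = parts[2].partition(" ")
    return {"proto": parts[1], "software": software, "comments": comments}

def probe_ssh(host, port=22, timeout=5.0):
    """Return (status, detail); status is open, refused, filtered or not-ssh."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # The host answered, but nothing is listening on the port.
        return "refused", "nothing listening: is the SSH server started?"
    except OSError as exc:
        # Timeouts and unreachable-network errors usually mean a firewall drop.
        return "filtered", f"no answer ({exc}): check the firewall setting"
    with sock, sock.makefile("rb") as reader:
        try:
            # A server may send other text lines before its SSH- line.
            for _ in range(20):
                line = reader.readline(256)
                if not line:
                    break
                banner = parse_ssh_banner(line)
                if banner:
                    return "open", banner
        except OSError:
            pass  # read timed out or the peer reset the connection
    return "not-ssh", "port answered but sent no SSH identification string"

if __name__ == "__main__":
    import sys
    # Default target is the local machine, matching the first test in the text.
    print(probe_ssh(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it once on the WinSSHD machine against 127.0.0.1 and once from a second machine against the server's address. A result of "open" locally but "filtered" remotely points at the firewall setting described above.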

Once you are able to log in from another machine on your network, you will want to do a bit of securing.

Securing WinSSHD

Once you have WinSSHD set up and working, it's time to secure your WinSSHD installation. Really there are only three items to secure:

  • What services are made available
  • What users can gain access
  • When to use strong authentication

Let's examine services first. There are three services to either enable or disable:

  • File transfer
  • Console
  • Routing TCP connections

You want to shut off the features you know you will not use. To do this, you have to edit the only existing group in the installation (you can add new groups for further control if needed). From within the Settings window, go to the Access Control section and click on the Windows Groups entry (Figure E).

Figure E

This is also the same window where you can add groups.

Select the Everyone group and click the Edit button. From this window, you will need to scroll down to the section where you can see Permit Terminal Shell (Figure F).

Figure F

Remember, this is the default group, so you might want to keep strong control over this group.

This section is where you will want to disable the services you do not need. Once you have deselected those features, click the OK button to save the settings and dismiss the window.

Now, let's say you want to limit access to only certain users on the machine. You will first need to disable login access to the Everyone group you were just working with. Once you do that, you can configure a user account for logging in. To do this, go back to the settings window and then click on the Windows Accounts section under Access Control. Here you want to add an account, so click the Add button. In this window, you will want to configure the options you need and, most importantly, add the actual user name associated with the account you want to enable (Figure G).

Figure G

I have labeled the section USERNAME_HERE where you need to add the actual user name.

Follow those same steps for all users you want to be able to log in to this machine.

The final piece of advice is to make sure all users are using strong passwords. Because WinSSHD is opening a Windows machine for remote access, you will want to ensure that the users all are using strong passwords so those accounts are harder to crack. Make sure your user passwords are at least 15 characters long and have a combination of alpha and numeric characters. If your users are using simple passwords, the likelihood of this machine being cracked becomes much greater.

Final thoughts

I can highly recommend WinSSHD to anyone needing SSH access to a Windows machine. And not only would I recommend this application to single users, but to small and large businesses as well. WinSSHD is very simple to use and allows you to configure your SSHD server to very specifically meet your needs.
