Updating OpenSSH client and server on Windows
Daniel Nashed – 20 November 2021 10:00:20
I ran into this when working on a project integrating Domino and Veeam.
The restore operation needs to issue a mount command from the Domino server OS to the Veeam server invoking a PowerShell script.
In error situations the PowerShell commands could not write their error messages to STDERR -- no matter how much I tried to redirect the output via 2>&1 or similar methods.
STDERR output worked well on my Win2022 machine, but failed on Win2019.
The limitation is fixed in newer OpenSSH versions.
It turned out that Microsoft is not updating the OpenSSH server installed with Windows to later versions automatically.
You have to download and install/update it manually to get a current version of SSH and the OpenSSH server.
By the way, a newer version will also allow you to use more modern key types like ED25519.
And it is really advisable to use current OpenSSH and OpenSSL versions in general -- also for other security fixes and new features improving your security.
Here are the versions installed by default in Windows (with a current patch level).
And I have a link for you to update those versions with a PowerShell-based installer shipped with it.
The installer would also install the OpenSSH Service automatically if not yet installed.
Both the SSH client and server are included in one package. In contrast, Windows splits it into client and server, and the SSH client is installed by default.
Windows 2019
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5 (05.04.2018)
Windows 10 / Windows 11 / Windows 2022
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2 (18.12.2019)
Current Version
OpenSSH_for_Windows_8.6p1, LibreSSL 3.3.3 (26.05.2021)
You can see that, besides Windows 2019, all other Windows versions have a newer OpenSSH and SSL version.
And there is a more up to date version provided by Microsoft in their PowerShell/Win32-OpenSSH project.
The download page has all the information and details:
https://github.com/PowerShell/Win32-OpenSSH/releases
LibreSSL
By the way Microsoft's OpenSSH implementation is not based on OpenSSL.
They are using a project, which has been forked a while ago --> https://www.libressl.org/.
Download of a more current version
The download comes with an install PowerShell script which can create the OpenSSH server service.
But it only works if no OpenSSH is installed.
The version shipping with more current Windows versions is perfectly OK to use and on a level most other Linux distributions are using.
You can see below that CentOS 7 ships even an older version than Windows 2019 with a quite old OpenSSL version.
On Linux switching to a later OpenSSL version isn't that simple. The distributions update their OpenSSL major releases only with major releases of their OS.
So CentOS Stream 9 and RHEL 9 are the first Linux distributions I have seen make the switch to OpenSSL 3.0.
And even though Linux versions like CentOS 7 are still supported and maintained, you cannot expect the latest packages for important security packages like OpenSSL and OpenSSH.
Those older versions are still security patched, but they don't provide all features you might want like using more modern key types etc.
-- Daniel
Linux version list OpenSSH
CentOS 7
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
CentOS Stream 8
OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021
SUSE Leap 15.2
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
SUSE Leap 15.3
OpenSSH_8.4p1, OpenSSL 1.1.1d 10 Sep 2019
CentOS Stream 9
OpenSSH_8.7p1, OpenSSL 3.0.0 7 sep 2021
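An added example (not from the original post or the Win32-OpenSSH project): a PowerShell check that parses `ssh -V` banners, here the ones from the version lists above plus the local host, and flags anything older than a baseline. The function names and the default baseline of 8.6 (the "Current Version" listed above) are assumptions for illustration.

```powershell
# Added example: parse "ssh -V" banners and flag builds older than a baseline.
function ConvertFrom-SshBanner {
    param([Parameter(Mandatory)][string]$Banner)
    # Handles "OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2" and "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips ..."
    $pattern = '^OpenSSH(?:_for_Windows)?_(\d+)\.(\d+)(?:p\d+)?,\s+(\w+)\s+(\S+)'
    if (-not ($Banner -match $pattern)) { throw "Unrecognized banner: $Banner" }
    [pscustomobject]@{
        OpenSsh       = [version]"$($Matches[1]).$($Matches[2])"
        CryptoLibrary = $Matches[3]
        CryptoVersion = $Matches[4]
    }
}

function Test-SshBaseline {
    param(
        [Parameter(Mandatory)][string]$Banner,
        [version]$Minimum = '8.6'   # assumption: the "Current Version" from this page
    )
    $info = ConvertFrom-SshBanner -Banner $Banner
    [pscustomobject]@{
        OpenSsh       = $info.OpenSsh
        Crypto        = "$($info.CryptoLibrary) $($info.CryptoVersion)"
        MeetsBaseline = $info.OpenSsh -ge $Minimum
    }
}

# Banners copied from the version lists on this page.
$banners = [ordered]@{
    'Windows 2019'  = 'OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5'
    'Windows 2022'  = 'OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2'
    'Win32-OpenSSH' = 'OpenSSH_for_Windows_8.6p1, LibreSSL 3.3.3'
    'CentOS 7'      = 'OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017'
}

# "ssh -V" prints to STDERR; cmd.exe merges it into STDOUT so PowerShell receives a plain string.
if (Get-Command ssh.exe -ErrorAction SilentlyContinue) {
    $banners['This machine'] = (cmd /c 'ssh -V 2>&1' | Select-Object -First 1)
}

foreach ($name in $banners.Keys) {
    Test-SshBaseline -Banner $banners[$name] |
        Select-Object @{ n = 'System'; e = { $name } }, OpenSsh, Crypto, MeetsBaseline
}
```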
References:
Official Microsoft documentation
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview
Official Microsoft project
https://github.com/PowerShell/openssh-portable
Project documentation
https://github.com/PowerShell/Win32-OpenSSH