SSH server on Windows 10 out of nowhere?

13

I was playing around with nmap and discovered my fully up to date windows 10 (1607 pro - not insider) box had port 22 open (ssh). I $ssh <ip> to it and find that yes, there's an ssh server running on my machine. I've learned not to be surprised by anything when it comes to windows. I tried my password (both my local account pw and my windows "unix password" which was required when installing the new "Windows subsystem for Linux") and both failed.

I went on to the windows 10 machine and ran c:\>bash and made sure ssh server was not set to start at any runlevel and then restarted (I have no idea how the linux in windows feature works other than it seems to work). After restarting I still showed port 22 open. I looked in windows firewall and found entries for the "ssh server proxy service"; I looked in services.msc and found "ssh server broker" and "ssh server proxy"; I looked on google and found absolutely nothing about ssh on windows other than promises of it happening at some point and people asking when?

What's going on? Why do I have an ssh server running I knew nothing about? How do I configure it? How do I kill it? Will killing it actually kill it? Or is it like the other options in Windows 10 which seem to occasionally switch back to what (presumably) Microsoft thinks I should have chosen (or wishes I had).

Ian

Posted 2016-09-01T23:36:55.377

Reputation: 131

netstat -anp should tell you which process is listening on port 22. – heavyd – 2016-09-02T00:10:00.473

Use services.msc or another method to find out what executable is used. You should be able to do that for any service. Once you know the command line, you could use TASKKILL. – TOOGAM – 2016-09-02T04:15:59.787

I guess you could disable the 2 SSH services in services.msc. I would actually prefer it to be a real SSH server which I can use, instead of this weird useless service... – mivk – 2017-02-24T18:25:50.110

+1 Especially for "I've learned not to be surprised by anything when it comes to windows". – Kamil Maciorowski – 2017-09-28T07:20:48.313

There is no way to answer "Why" questions - who knows what evil goes on in the minds of programmers? ;-) – SDsolar – 2017-09-30T17:35:24.317

Answers

6

Yes, Windows 10 has an SSH server since version 14352.

That article states you can't do much with it:

  1. it has obviously a very special purpose and it’s clearly not intended for an ordinary user
  2. the configuration options are very limited and most of them are inaccessible (you need to modify ownership and permissions on the registry keys). Obviously, you can have a list of possible login options, so you don’t have to allow password login.

No mention about killing it, though.

Reddit thread

Jan Doggen

Posted 2016-09-01T23:36:55.377

Reputation: 3 591

Great, a method to log in to my system which is turned on, usable, and I'm not allowed to use it. I wonder who is. – Ian – 2016-09-02T19:55:58.793

1

Apparently, this is used to deploy UWP apps to the local system for development purposes. I would assume the SSHBroker and SSHProxy services can simply be disabled if you turn on developer mode and want them off.

– Dave Andersen – 2017-05-24T18:33:53.747

2

Yes, (Sep 2017) - it has it and after Creator's Update it is only enabled when the computer is put into Developer Mode.

Note that this is NOT the same as Microsoft Win32-OpenSSH for PowerShell.

Here's a decent article on how to control it:

How-to enable, login to, or disable Microsoft SSH Server in Windows 10

Excerpt:

Windows 10 comes with a built-in secure shell (SSH) server for remote login and command line access to your files and programs.

A word of caution: To use the Microsoft SSH Server for Windows, which is the full formal name of the service, your Windows device must be put in Developer mode. Changing your device’s security level from regular user to developer mode will have implications for how Windows enforces security policies. Be sure to read up on and understand how this change will affect your device before proceeding.

You can use any standard SSH client to log into your device. The login name and password are authenticated using regular Windows credentials.

This server is not meant to withstand brute-force login attacks (no rate limiting, for instance), so long, strong passwords are important. Not suggested that it be used out in the wild all by itself.

This runs as a pair of services, SSH Server Proxy and SSH Server Broker, which can be controlled from the normal Services control screen. To stop them entirely you can set them to Disabled.

SDsolar

Posted 2016-09-01T23:36:55.377

Reputation: 1 206
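
One way to run the checks suggested in the comments and answers from an elevated PowerShell prompt, as an added example that is not part of the original posts: it maps the port 22 listener to its process and hosting services, then stops and disables the two services. The function names are hypothetical, and the service names SSHBroker and SSHProxy are taken from the answer above; confirm them with Get-Service on your build.

```powershell
# Added example: find what owns a listening TCP port, then optionally
# stop and disable the two SSH services named on this page.
function Get-PortOwner {
    param([int]$Port = 22)
    # One entry per listening socket (IPv4 and IPv6 are listed separately).
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $procId = $l.OwningProcess
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        # Services hosted in that process (several can share one svchost.exe).
        $svcs   = Get-CimInstance Win32_Service -Filter "ProcessId = $procId"
        [pscustomobject]@{
            LocalAddress = $l.LocalAddress
            Port         = $l.LocalPort
            PID          = $procId
            Process      = $proc.ProcessName
            Services     = ($svcs.Name -join ', ')
        }
    }
}

function Disable-DevModeSsh {
    [CmdletBinding(SupportsShouldProcess)]
    # Assumption: service names as given in the answer above.
    param([string[]]$Name = @('SSHBroker', 'SSHProxy'))
    foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "Service $n not found"; continue }
        if ($PSCmdlet.ShouldProcess($n, 'Stop and set startup type to Disabled')) {
            Stop-Service -Name $n -Force
            Set-Service  -Name $n -StartupType Disabled
        }
    }
}

# 1. Who is listening on port 22?
Get-PortOwner -Port 22 | Format-Table -AutoSize
# 2. Current state of the two services.
Get-Service -Name SSHBroker, SSHProxy -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status, StartType
# 3. Dry run; remove -WhatIf to actually stop and disable them.
Disable-DevModeSsh -WhatIf
```

Re-run Get-PortOwner after a reboot or a feature update to confirm the listener has not come back.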