SSH remotely into Bash on Ubuntu on Windows



This answer worked for me to be able to ssh into the Linux subsystem from localhost, but it wasn't sufficient to let me log in remotely.

I have:

  1. Run the Bash Start Menu item as administrator;
  2. Made all the /etc/ssh/sshd_config modifications recommended in the linked answer above;
  3. Changed from port 22 to port 2222 to try to avoid any security issues with using system ports;
  4. Verified that doing ssh trey@localhost -p 2222 works as expected.

However, that doesn't allow me to log in from other hosts on my LAN. If I stop the service (sudo service ssh stop) and run in debug mode (sudo /usr/sbin/sshd -d), I get the following output:

sudo: unable to resolve host SYCORAX
debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type ECDSA
debug1: private host key: #2 type 3 ECDSA
debug1: private host key: #3 type 4 ED25519
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
Set /proc/self/oom_adj from 0 to -17
debug1: Bind to port 2222 on
Server listening on port 2222.
debug1: Bind to port 2222 on ::.
Bind to port 2222 on :: failed: Address already in use.

It holds there and does not change if I try to ssh from another host using the Ethernet's IP address (which is pingable). If I try to ssh from the localhost, though, it continues:

debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from port 60453 on port 2222
debug1: Client protocol version 2.0; client software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr none
debug1: kex: server->client aes128-ctr none
debug1: expecting SSH2_MSG_KEX_ECDH_INIT
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user trey service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "trey"
debug1: PAM: setting PAM_RHOST to "localhost"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for trey from port 60453 ssh2
debug1: userauth-request for user trey service ssh-connection method password
debug1: attempt 1 failures 0
debug1: PAM: password authentication accepted for trey
Accepted password for trey from port 60453 ssh2
debug1: do_pam_account: called
debug1: PAM: establishing credentials
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype want_reply 0
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/0
debug1: SELinux support disabled
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
Starting session: shell on pts/0 for trey from port 60453
debug1: Setting controlling tty using TIOCSCTTY.

And I get logged in successfully from the local SSH client, which prints the following debug messages:

trey@localhost's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.4.0+ x86_64)

 * Documentation:

Last login: Sat Aug 27 14:51:29 2016 from localhost
debug1: PAM: reinitializing credentials
debug1: permanently_set_uid: 1000/1000
debug1: Unable to open session: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory
  SSH_CLIENT= 60453 2222
  SSH_CONNECTION= 60453 2222

Once I logout from that local ssh, I get the following from the sshd process before exiting:

debug1: Received SIGCHLD.
debug1: session_by_pid: pid 677
debug1: session_exit_message: session 0 channel 0 pid 677
debug1: session_exit_message: release channel 0
debug1: session_pty_cleanup: session 0 release /dev/pts/0
syslogin_perform_logout: logout() returned an error
debug1: session_by_channel: session 0 channel 0
debug1: session_close_by_channel: channel 0 child 0
debug1: session_close: session 0 pid 0
debug1: channel 0: free: server-session, nchannels 1
Received disconnect from 11: disconnected by user
debug1: do_cleanup
debug1: PAM: cleanup
debug1: PAM: closing session
debug1: PAM: deleting credentials
debug1: audit_event: unhandled event 12

Interestingly, I have no trouble whatsoever ssh'ing (either locally or remotely) into a Hyper-V virtual running Ubuntu 16 on the same host with the sshd running on port 22. (Of course, the Hyper-V VM guest is at a different IP address than the Windows host.)

Telnet to port 2222 is unsuccessful as well.

I suspect the inability of sshd to bind to the IPv6 port is key to understanding what's going on, but the tools I know of (both from the Windows and the Linux sides) don't show anything bound to port 2222 in TCP v4 or v6.


Posted 2016-08-27T19:29:57.133

Reputation: 260



You probably have to poke a hole in your Windows Firewall. I had this problem and verified it by turning off WF briefly, and confirmed I could access from an external machine.

I then added a rule to allow the port I set up, for you that would be 2222.

I re-enabled WF and everything was fine then.


Posted 2016-08-27T19:29:57.133

Reputation: 76

Could you please be more specific about the WF setting? – Qinsi – 2019-03-19T09:51:43.657

Are you asking specifically about how to add a rule to Windows Firewall? If so, then access WF through the control panel, click on Advanced settings, and then select Inbound or Outbound rules. Typically, you are going to want to add an inbound rule and, for ssh specifically, you'd want to add a rule to open (allow) the port for TCP; adding one for UDP isn't necessary.

From there, there are a number of variables up to you to determine what to choose for your situation; the wizard will prompt you with options. – shadowzen – 2019-03-21T08:12:19.010

That's very helpful, thanks – Qinsi – 2019-03-21T09:27:45.913


debug1: Bind to port 2222 on
Server listening on port 2222.
debug1: Bind to port 2222 on ::.
Bind to port 2222 on :: failed: Address already in use.

You do the bind to the port 2222 twice somehow in your sshd_config. What does the file look like?

Not sure if there is some other problem hidden among the lines, if so, please clarify.


Posted 2016-08-27T19:29:57.133

Reputation: 7 981

I don't follow.... I'm not running the sshd -d server with a -p 2222, I'm running the ssh client that way. (While conceivably the local ssh could read the /etc/ssh/sshd_config file looking for the port number, the remote ssh obviously can't.) One bind is to the IPv4 port, the other is to the IPv6 port. That's normal behavior, though the inability to bind to the IPv6 port is not. – Trey – 2016-08-27T19:44:52.557

And to answer your question directly: $ grep -i port /etc/ssh/sshd_config <NL> # What ports, IPs and protocols we listen for <NL> Port 2222 <NL> – Trey – 2016-08-27T19:46:02.753

Sorry, that was a bug in the post, already fixed. There might be the Port and ListenAddress. But I am not sure how well it is supported by Windows now. Does it work for you if you set up IPv4 only (AddressFamily inet)? – Jakuje – 2016-08-27T19:48:23.620


From your elevated PowerShell console on Win 10, issue the following command:

New-NetFirewallRule -DisplayName "Allow Inbound Port 2222" -Direction Inbound -LocalPort 2222 -Protocol TCP -Action Allow

With the above PS command, you will open inbound port 2222 on Windows Firewall. That will enable your other LAN hosts to log in to your WSL instance on your current Win 10 host.


The Bahree

Posted 2016-08-27T19:29:57.133

Reputation: 161
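A narrower variant of the firewall rule from the answers above, as an added example that is not part of the original posts: it limits the allow rule for port 2222 to the Private profile and to hosts on the local subnet, and lists what is already listening and already allowed on that port. The rule display name is a hypothetical choice; run it from an elevated PowerShell console.

```powershell
# Added example (not from the original answers): scope the inbound rule for the
# WSL sshd port to the LAN instead of allowing it on every profile and address.
$Port     = 2222                                 # port used in the question
$RuleName = 'WSL sshd inbound 2222 (LAN only)'   # hypothetical display name

# 1. Show what Windows sees listening on the port. If nothing is listed,
#    a firewall rule alone will not make remote logins work.
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    $listeners | Select-Object LocalAddress, LocalPort, OwningProcess
} else {
    Write-Warning "No TCP listener reported on port $Port; check that sshd is running."
}

# 2. List inbound allow rules that already cover this port, so a broader rule
#    (for example Profile = Any) is noticed before another one is added.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq $Port } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Enabled, Profile

# 3. Create the scoped rule once: TCP only, Private profile only,
#    and only from addresses on the local subnet.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow `
        -Profile Private -RemoteAddress LocalSubnet
}

# 4. The rule only applies while the active network is categorised as Private.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# 5. From another Windows host on the LAN, confirm reachability
#    (replace the placeholder with the Windows host's LAN address):
#    Test-NetConnection -ComputerName <windows-host-ip> -Port 2222
```

If the network shows as Public in step 4, the scoped rule does not match and remote connections stay blocked until the network category or the rule's profile is changed.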