
Windows Server 2019 Includes OpenSSH - taspeotis
https://blogs.windows.com/buildingapps/2018/12/11/windows-server-2019-includes-openssh/
======
mscasts
That is really something. Before, as a dev coming from Linux, when I first was
about to log in on a Windows Server I didn't understand how to do it, since
there was no SSH.

Administrating the server via a GUI always felt backwards somehow. Why waste
CPU cycles on rendering a UI when the CLI is so great (on linux)?

~~~
ocdtrekkie
Microsoft has come a really long way recently towards moving to CLI-based
management. Starting with Server 2016, the default installation method of
Windows Server no longer includes most of the GUI (called the Desktop
Experience), leaving you with a command prompt window in the middle of the
screen instead. An even thinner version of Windows Server, Nano Server, is
also available, and includes even less GUI, being much more like a Linux
terminal UI, though it is a bit less intuitive to get started with, as you
can't even install it; you have to image it to deploy.

Most Windows admins still prefer a lot of GUI management (I've gotten some
groans in response to my statement new servers would tend not to have it), but
remote desktop to the server is no longer the preferred way to do that: Remote
Server Administration Tools effectively installs all of the server GUI on your
desktop PC.

Due to the number of legacy applications Windows Server folks tend to support,
it's unlikely server GUIs are going away entirely anytime soon, but for a lot
of basic server functions supported directly by Microsoft, it's doable. And in
addition to not wasting processor and memory pushing pixels, Windows Servers
without the GUI are susceptible to fewer attacks, require fewer changes during
Windows updates, and reboot faster, all on account of just having "less"
onboard.

~~~
slededit
They started on this in the late 2000s when I was an intern there. But there
was a lot to untangle. It’s the biggest refactoring job you can imagine. A
decade long effort.

Back then they didn’t really understand the point of ssh though. They had a
vision of remote management via .net RPC and powershell.

~~~
donavanm
I don't know if that means they didn't understand it. It reads like they were
trying to solve the underlying problems with a different approach.

SSH is an awesome tool & capability as a relatively high level network
channel. The de facto "shell" approach leads to a lot of problems when used as
a management device. It encourages ad hoc, unstructured, and opaque changes.
Managing your hosts via Secure Shell simply leads to bespoke, unrepeatable,
outcomes and crushing debt.

Moving to a well structured, repeatable, management paradigm is the only way
to survive large or long term deployments. I see "systems configuration" and
"orchestration" as the most common ways to achieve that. Personally I've been
trying to move linux/bsd host management off of SSH for 10 years now. I will
be very very happy when SSH shell instantiations approach zero per day.

~~~
slededit
They already had group policy for structured administration. What Windows was
missing specifically was a non-GUI way for that unstructured "get in there and
fix the problem" work flow. Structured workflows may well be better for you,
but quick and dirty has a lot of appeal.

Sometimes you just have to give people the candy they want - even if it's not
good for them.

~~~
mycall
> "get in there and fix the problem" work flow

Isn't this an anti-pattern considering the cloud tenets of treating machines
as cattle not pets?

~~~
slededit
Windows had this problem much earlier with every employee getting a PC on
their desk. They solved it with Group Policy and domains. That still works
well.

SSH and Remote Desktop solve a different problem. It may not be the one you
have - but some of us just need to log into the machine because we have needs
that don’t fit into some predefined workflow. Or we have so few boxes it’s not
worth it.

Consider SSHing into a large build machine for compiling as an example.

------
ericseppanen
It's interesting that their ssh-agent runs as a service under an Administrator
account. I'd guess this is an attempt to better protect the private key
against theft during a local compromise (i.e. unlocked computer left running
on your desk).

I haven't seen this done on Linux. Has this trick been implemented on other
systems?

~~~
ericseppanen
Useful reading:

[https://blog.netspi.com/stealing-unencrypted-ssh-agent-keys-from-memory/](https://blog.netspi.com/stealing-unencrypted-ssh-agent-keys-from-memory/)

[https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/](https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/)
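
Added example for the two comments above (not code from the post, from Microsoft or from Win32-OpenSSH): a PowerShell check, meant to be run in an elevated session on a Windows 10 / Server 2019 host with the OpenSSH client installed. It reports which account the ssh-agent service runs under and whether it autostarts, lists the names of keys the service has persisted under the registry path the ropnop post describes (the `HKLM:\SOFTWARE\OpenSSH\Agent\Keys` layout is an assumption taken from that post; reading it needs an elevated token, which is the protection being relied on), and flags private key files under `~/.ssh` whose ACL grants access to anyone besides the owner, SYSTEM and Administrators.

```powershell
# Added example, not from the original post or the Win32-OpenSSH project.
# Run in an elevated PowerShell session on Windows 10 / Server 2019.

function Get-SshAgentServiceInfo {
    # Which account hosts the agent process, and whether it starts at boot.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='ssh-agent'"
    if (-not $svc) { Write-Warning 'ssh-agent service is not installed'; return $null }
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode   # 'Disabled' until you enable it
        Account   = $svc.StartName   # expect 'LocalSystem', i.e. not your own user account
    }
}

function Get-PersistedAgentKeyNames {
    # Assumption: keys added with ssh-add are kept by the service under this
    # registry key (the layout the ropnop post describes). A non-elevated token
    # cannot read it, which is what protects the keys from a same-user process.
    $path = 'HKLM:\SOFTWARE\OpenSSH\Agent\Keys'
    try {
        Get-ChildItem -Path $path -ErrorAction Stop | ForEach-Object { $_.PSChildName }
    } catch {
        Write-Warning "Cannot read ${path}: $($_.Exception.Message)"
        @()
    }
}

function Test-PrivateKeyAcl {
    param([string]$SshDir = (Join-Path $HOME '.ssh'))
    # Identities that may legitimately hold access on a private key file.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $allowed = @($me, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    Get-ChildItem -Path $SshDir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notlike '*.pub' -and $_.Name -notin 'config', 'known_hosts', 'authorized_keys' } |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName
            $extra = @($acl.Access |
                Where-Object { $_.IdentityReference.Value -notin $allowed } |
                ForEach-Object { $_.IdentityReference.Value })
            [pscustomobject]@{
                Key         = $_.FullName
                Inherited   = (@($acl.Access | Where-Object IsInherited).Count -gt 0)
                ExtraAccess = ($extra -join ', ')
                Ok          = ($extra.Count -eq 0)
            }
        }
}

Get-SshAgentServiceInfo | Format-List
Get-PersistedAgentKeyNames
Test-PrivateKeyAcl | Format-Table -AutoSize
```

A key reported with `Ok = False` can be fixed the same way the Windows port's own tooling does it, by removing inheritance and leaving only the owner: `icacls.exe <keyfile> /inheritance:r /grant:r "$env:USERNAME:F"`.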

------
ratsbane
That's really nice that they've finally decided to add something that a lot of
people needed in 2005.

~~~
baroffoos
They also got notepad to not blow everything up when opening a file with
normal line endings. It still fucks everything up when creating new files
though.

~~~
guardian5x
I guess, with "normal" line endings, you mean <LF> instead of <CR><LF>.

~~~
aerique
He means the de facto standard, yes.

~~~
boomlinde
Not the de facto standard, but plain POSIX. Carriage return + line feed to
enter a new line starting at the left margin makes perfect sense mechanically,
though, and a lot of systems with ASCII/ASCII-like encodings use some
variation of this sequence (e.g. <cr><lf> or <lf><cr>) for "newlines". Of
course, in the interest of compatibility I'd prefer if it was one way or
another, but I don't think it's fair to say that POSIX is the de facto
standard. Lines in network protocols, for example, typically use <cr><lf> as
well.

------
nojvek
OpenSSH with powershell is such a great combo. I was very skeptical about
powershell, but after writing many scripts I’m a convert. Powershell does so
many things nicer than bash. It feels like a real programming language but
still not losing its scripting roots.

For running tests for a GUI application which requires us to spin thousands of
Machines in parallel, manage job queues, interact with Windows UI automation,
do some html result dumping, shell buffer streaming, and a whole bunch of
crazy things, powershell interfaces with things really nicely.

I absolutely love that powershell pipes streams of objects rather than just
streams of bytes. So much more expressive.

~~~
nailer
Yep. I've been using bash since the 90s, and really got into Powershell a
couple of years ago (I now run it on macOS too).

The number of people who try and explain bash basics to me when I say I use
Powershell is staggering. I'm _quite good_ at regexes thanks, I just like my
scripts picking keys 'select' and 'where' rather than scraping with grep / awk
etc. The number of (poor) pwsh clones on Linux is a good testament to the
solidness of this approach.
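
Added example illustrating the two comments above about piping objects rather than bytes (my code, not from either commenter): a small sshd auth-log triage written the way the comments describe, where the text is turned into objects once and every later stage uses `Where-Object`, `Group-Object` and `Select-Object` on named properties instead of `grep`/`awk` field positions. The six log lines are constructed samples in OpenSSH's auth log format, not real data; on a Windows host the same messages would come from the event log that Win32-OpenSSH writes to (assumed to be `OpenSSH/Operational`; check with `Get-WinEvent -ListLog 'OpenSSH*'`).

```powershell
# Added example, not from the original comments. Constructed sample log lines,
# not real data.
$sampleLines = @(
    'Dec 11 09:14:02 sshd[1204]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2',
    'Dec 11 09:14:05 sshd[1204]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2',
    'Dec 11 09:14:09 sshd[1210]: Failed password for root from 203.0.113.7 port 51030 ssh2',
    'Dec 11 09:15:41 sshd[1233]: Accepted publickey for alice from 198.51.100.20 port 40110 ssh2: ED25519 SHA256:abcd',
    'Dec 11 09:16:03 sshd[1240]: Failed password for alice from 198.51.100.20 port 40115 ssh2',
    'Dec 11 09:16:10 sshd[1240]: Accepted password for alice from 198.51.100.20 port 40115 ssh2'
)

function ConvertFrom-SshdAuthLine {
    # Parse each text line into an object with typed fields, once, up front.
    # Nothing downstream of this function needs a regex.
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match '^(?<ts>\w{3}\s+\d+ [\d:]+) sshd\[(?<pid>\d+)\]: (?<result>Accepted|Failed) (?<method>\w+) for (?<invalid>invalid user )?(?<user>\S+) from (?<ip>\S+) port (?<port>\d+)') {
            [pscustomobject]@{
                Time        = $Matches.ts
                Result      = $Matches.result
                Method      = $Matches.method
                User        = $Matches.user
                InvalidUser = [bool]$Matches.invalid   # group absent -> $null -> $false
                SourceIp    = $Matches.ip
                Port        = [int]$Matches.port
            }
        }
    }
}

function Get-FailedLoginSummary {
    param([string[]]$Lines, [int]$Threshold = 2)
    # Roughly `grep 'Failed password' | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn`,
    # except each stage filters and groups on a named property, so a change in
    # the line format only touches the parser above.
    $Lines | ConvertFrom-SshdAuthLine |
        Where-Object Result -eq 'Failed' |
        Group-Object SourceIp |
        Where-Object Count -ge $Threshold |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count,
                      @{ n = 'Users';    e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
}

# Sources with at least two failed authentications, most active first.
Get-FailedLoginSummary -Lines $sampleLines | Format-Table -AutoSize
```

The point to notice is that `Get-FailedLoginSummary` never looks at the text again: swapping the sample array for `(Get-WinEvent -LogName 'OpenSSH/Operational').Message` is the only change needed to run it against a live host.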

~~~
mixmastamyk
Scripts over say, 10 lines or so shouldn't be written in bash. That's when
moving up to Python or Ruby makes sense.

------
adzm
Even right now, you can install sshd and/or use the client by adding them as a
feature, or by installing manually.

[https://github.com/PowerShell/Win32-OpenSSH](https://github.com/PowerShell/Win32-OpenSSH)

and

[https://github.com/PowerShell/openssh-portable](https://github.com/PowerShell/openssh-portable)

------
sys_64738
Microsoft is becoming the de facto leader in open source.

~~~
nwah1
This is almost undeniable. Seems like everyone and their mother are using
vscode, typescript is huge, .NET Core is FOSS, PowerShell is now open source,
etc etc.

The Language Server Protocol has revolutionized IDEs in general.

And now that they own GitHub (and their projects like Atom), it seems like the
entire FOSS developer workflow is likely to be from MS-derived projects. Which
I'm sure they are hoping will translate into more cloud service revenue and
online software subscriptions.

If you are starting a new company, BizSpark is a really attractive offering.
Could run a whole business on it, and yet none of your devs need to be running
windows on their machines.

~~~
conanthe
They can browse your private projects though, so nobody in their right mind would
use them to run cutting edge business.

~~~
IAmLiterallyAB
Github Enterprise is self hosted which eliminates that issue

~~~
techntoke
GitLab can be self-hosted for free and provides a complete DevOps platform.

~~~
dsumenkovic
Thanks for writing about GitLab.

If you are wondering what's the Auto DevOps - GitLab Auto DevOps eliminates
the complexities of getting going with automated software delivery by
automatically setting up the pipeline and necessary integrations. You can find
out more info at the landing page [1] and the documentation [2].

[1] [https://about.gitlab.com/product/auto-devops/](https://about.gitlab.com/product/auto-devops/)

[2] [https://docs.gitlab.com/ee/topics/autodevops/](https://docs.gitlab.com/ee/topics/autodevops/)

------
emit_time
As someone who just started working as a developer and is using windows for
the first time in 4.5 years, I can't believe how much I miss ssh and command
line tools for everything...

ssh keys would solve so much trouble with scripting and credentials...

Also sudo...

~~~
com2kid
From a developer perspective, Windows does SSH keys just fine. You can't SSH
into Windows boxes (yet apparently!) but you can SSH out of them a-ok.

Windows key, type "optional features" and install the OpenSSH client.

~~~
emit_time
Yeah... that's the thing.

We're a windows shop 100%. So it's non trivial controlling other machines from
a command line.

I miss it so much.

------
sashavingardt2
Party like it's 1999!

~~~
hk__2
I know it’s a joke, but OpenSSH is not that old: its initial release was in
December, 1999.

~~~
flukus
Looks like it was forked from some predecessors (
[https://en.wikipedia.org/wiki/Secure_Shell#OSSH](https://en.wikipedia.org/wiki/Secure_Shell#OSSH))
but doesn't go into the history much more than that. I remember telnet; were
there any encrypted predecessors before the ssh family?

~~~
jamieson-becker
OpenSSH was forked from the original SSH (version 1) code by Tatu Ylönen after
it went closed source in the mid-1990's IIRC.

[https://www.openssh.com/history.html](https://www.openssh.com/history.html)

------
andrewmackrodt
If it's similar to SSH in Windows 10 (developer feature) it behaves quite
strangely with user account privileges. I tried to `vagrant up` a project
configured to use VirtualBox but it was not successful and caused a whole load
of file system permission errors in the project directory mixed between SYSTEM
and Andrew (my user account). Additionally, VirtualBox had trouble deleting
the VM until a reboot.

This is the Vagrantfile:
[https://github.com/andrewmackrodt/boot2lxd/blob/develop/Vagr...](https://github.com/andrewmackrodt/boot2lxd/blob/develop/Vagrantfile.dist#L32)
\- it creates and attaches an extra virtualdisk in the project directory which
was owned by SYSTEM IIRC.

TL;DR the VM which should have worked did not work, my FS had weird
permissions and a reboot was required to clean up VirtualBox.

------
dfabulich
It's available out of the box in Windows 10 April 2018 Update, as well. Just
pop open a Command Prompt and type "ssh."

~~~
ocdtrekkie
Actually, note that Windows 10 has the OpenSSH _client_ , "ssh", but to my
knowledge, does not include the ability to be an OpenSSH _server_.

EDIT: 1803 build apparently _can_ get OpenSSH Server running, but it's "a bit
of work": [https://www.bleepingcomputer.com/news/microsoft/how-to-install-the-built-in-windows-10-openssh-server/](https://www.bleepingcomputer.com/news/microsoft/how-to-install-the-built-in-windows-10-openssh-server/)
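
Added example (mine, not the linked article's or Microsoft's code) of the "bit of work" referred to above, which also covers the "optional features" client install mentioned further down the thread: the `Add-WindowsCapability` route for enabling the built-in OpenSSH client and server on Windows 10 1803+ / Server 2019, plus the sshd/ssh-agent service state, the inbound firewall rule, and the registry value that makes a login land in PowerShell rather than cmd.exe. It assumes an elevated PowerShell session on the host and that the installer's own firewall rule, when it creates one, is named `OpenSSH-Server-In-TCP`.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session
# on Windows 10 1803+ or Windows Server 2019.

# 1. See which OpenSSH components are installed or available as capabilities.
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*' |
    Select-Object Name, State

# 2. Install the client (ssh, scp, sftp, ssh-keygen, ssh-agent) and the server (sshd).
Add-WindowsCapability -Online -Name 'OpenSSH.Client~~~~0.0.1.0'
Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0'

# 3. Start sshd and the agent now, and have both start at boot (the agent ships Disabled).
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd
Set-Service -Name ssh-agent -StartupType Automatic
Start-Service -Name ssh-agent

# 4. Allow inbound TCP/22 only if the capability install did not already add its rule.
#    (Assumption: the installer's rule is named OpenSSH-Server-In-TCP.)
if (-not (Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
}

# 5. Optional: make PowerShell the shell an SSH login drops into instead of cmd.exe.
#    sshd reads this registry value for each new session.
New-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell `
    -Value "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -PropertyType String -Force | Out-Null

# 6. Check the result; then `ssh user@host` from another machine should prompt for
#    the host key and open a PowerShell prompt.
Get-Service -Name sshd, ssh-agent | Select-Object Name, Status, StartType
```

Step 5 is the part that is easy to miss: without it, `ssh host` gives you cmd.exe, and you end up typing `powershell` as the first command of every session.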

~~~
mgamache
I am running this on AWS. It was a 30 minute exercise and it's only available
on the 'core' AMI. This means there is no GUI even if you wanted one. I do
like the ability to run regular CMD _or_ PowerShell. I am experimenting with
using SSH to automate deployments to Windows Server.

~~~
alexeldeib
TIL there's an AWS Windows AMI that comes without a GUI. Another user in the
thread was talking about the "default install" of Windows not containing a
GUI; wonder if this is what they meant.

~~~
vetinari
If you install Windows 2016 RTM without changing a single option, you will end
up without GUI. You have to choose "desktop experience" during install to get
the traditional desktop installed.

------
tachion
The only thing that’s now left for them to do is to donate to the OpenSSH
project :)

~~~
_rs
Actually Microsoft has donated every year since 2015 to the OpenBSD
Foundation, with 2018 listed as $25-50k
([https://www.openbsdfoundation.org/contributors.html](https://www.openbsdfoundation.org/contributors.html)).

------
scurvy
Back when I was a sysadmin at Microsoft, we installed F-Secure's SSH server on
every server we built (Messenger/Hotmail). The Windows team thought we were
nuts. Well, what do you expect if you ask a bunch of Solaris admins to run
Windows?

There were no real alternatives. I remember when they got all excited about
showing off remote Powershell to us circa 2004, and we collectively rolled our
eyes.

~~~
znpy
Could you write more stories about that job you had?

I always wondered what messenger/hotmail was run on, and such stories would be
really really interesting imho.

~~~
scurvy
Hotmail was FreeBSD on the front end until it switched to Windows IIS in an
ISAPI filter. The back end was Sun E4500 with T3 purple storage. Then they
switched to HP with some terrible RAID crap.

Messenger was born from the Net Meeting team in an informal weekend hackathon
(before that was a thing). Backend stored the buddy lists and was 3 Hotmail
ustores (Sun E4500 with EMC clariion storage). Front ends started out as Sun
420R then switched to Windows bit by bit (DP, SB, and then CS and PS). The
Messenger HTTP gateway always ran in IIS.

~~~
scurvy
Hotmail and Messenger used a lot of rdist in the early days. Until one of the
managers rdisted /dev/null to /etc/passwd. Just one of many lolz in the day.

~~~
znpy
Glorious stories. You should write your memories about that somewhere in a
blog or something.

Thank you for sharing that!

------
qaq
So windows at some point will be a bunch of services running on top of Linux
:0

------
morpheuskafka
I really like the idea, but if you're going to administer production Windows
servers, it seems like you may as well learn PowerShell which already has a
nice remoting framework.

~~~
ulzeraj
> nice remoting framework

Hell no. I’ve tried to use that thing on Windows 2012 and it was awful compared
to what OpenSSH brings to the table.

------
tylerapplebaum
It would be great if openssh integrated into Windows properly. I can't ssh in
as a user with any real permissions.

[https://github.com/PowerShell/Win32-OpenSSH/issues/139](https://github.com/PowerShell/Win32-OpenSSH/issues/139)

------
jamieson-becker
This is pretty awesome news.. for the last few months, we've been working on
porting the Userify shim (but not currently the server) to Windows.

This will work exactly as it does on Linux (and the shim will continue to be
open source): local admin (or user) accounts will be created and keys
deployed, and the user will be able to choose PowerShell as their shell of
choice.

(FWIW, Userify is both a cloud/SaaS and on-premise/self-hosted SSH key
management solution designed for modern clouds like AWS and Azure that creates
local accounts, deploys keys, and then keeps everything in sync using just
outbound HTTPS connections.)

------
xedarius
Yes! More than two users connected to a server at any one time.

------
switch007
Does anyone know — sorry if I forget the correct terms — whether you can SSH
with pub key auth and perform operations that require elevated permissions,
such as disk resizing?

I have some vague memory of limitations in earlier versions, with distinct
differences between password auth and key auth.

~~~
mams
If logging in as one of the administrators, you will be in an elevated session
- so yes, you can do things like disk resizing.

The difference between password auth and key auth is that using password auth
you can access network shares that need authentication from within the remote
session. With key auth, you won't be able to.
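
Added example for the question and answer above, and for the earlier complaint about not being able to ssh in as a user with real permissions (my code, not from any commenter or from Win32-OpenSSH). It assumes the sshd_config that ships with Windows Server 2019's OpenSSH Server, whose `Match Group administrators` block makes sshd read the machine-wide `%ProgramData%\ssh\administrators_authorized_keys` for members of Administrators instead of their `~/.ssh/authorized_keys`, and refuse that file unless only Administrators and SYSTEM can access it. The first part, run elevated on the server, installs a public key correctly; the two functions, run inside the resulting SSH session, confirm that the token is elevated and show the network-credential limitation of key auth. The public key string and the UNC path are placeholders.

```powershell
# Added example, not from the original post or Win32-OpenSSH.
# Part 1: run elevated on the server.
$adminKeys = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'

# Placeholder public key; replace with the contents of your id_ed25519.pub.
$pubKey = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD alice@example'

# Append the key, then strip inherited ACEs so only Administrators and SYSTEM remain.
# A key that "doesn't work" for an admin after a plain copy is usually this ACL check.
Add-Content -Path $adminKeys -Value $pubKey -Encoding ascii
icacls.exe $adminKeys /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null
Restart-Service -Name sshd

# Part 2: run these from inside the SSH session once logged in.
function Test-ElevatedSession {
    # True when the session token carries the full Administrators membership,
    # which is what an sshd login for an Administrators member gets; disk
    # resizing and similar operations need this.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    ([System.Security.Principal.WindowsPrincipal]$id).IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-NetworkCredentials {
    param([string]$Share = '\\fileserver.example\share')   # placeholder UNC path
    # Key auth logs you in without your password, so the session holds no
    # Kerberos/NTLM credentials to present to other hosts: this returns $false
    # for an authenticated share until you supply credentials explicitly, for
    # example with New-PSDrive -Credential. A password-auth session has them.
    Test-Path -Path $Share
}

"Elevated session:                 $(Test-ElevatedSession)"
"Share reachable with session creds: $(Test-NetworkCredentials)"
```

If `Test-ElevatedSession` returns `$false` for an account that is in Administrators, the key was most likely picked up from the user's `~/.ssh/authorized_keys` by an sshd_config without the `Match Group administrators` block, and the session is a filtered (non-elevated) one.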

------
lukeh
Does it support SSPI (GSS) authentication?

~~~
harmath
just saw this pull req [https://github.com/PowerShell/openssh-portable/pull/360](https://github.com/PowerShell/openssh-portable/pull/360)

~~~
mams
it's in the making....

------
taf2
So now I’m just waiting to hear Microsoft is switching its kernel to Linux.
Especially after the switch to chromium.

~~~
lotyrin
From what I understand NT already abstracts Win 32/64 APIs roughly the same
way it abstracts the POSIX ones -- if they switched to Linux kernel + an
abstraction layer for Win 64 (Official Microsoft Wine, basically) that's one
less kernel and one less abstraction to maintain (WSL replaced by the kernel's
native interface). I would happily pay for and operate such a product --
especially if I could install such a "Windows" as a subsystem upon some
otherwise unmodified Linux distribution.

~~~
mey
Primary issue with this would be driver support. Also there is value in the NT
kernel itself in my opinion.

~~~
acct1771
Because?

What advantages does it offer?

~~~
nxc18
Read Windows Internals. It's a very different design from Linux. Worth
learning about another approach to operating systems if you're at all
interested.

WNT evolved (spiritually) from VMS and has a lot of unique things in its
structure.

Note also that Windows already kind of is a perfectly serviceable Linux kernel
through WSL. That's one of the unique things about NT - it was designed for
binary compatibility for programs written for several distinct systems.

~~~
rkeene2
This compatibility layer approach is quite common. Solaris Linux Branded Zones
and FreeBSD Linux Emulation Layer (now defunct?) also did the same thing.

------
conanthe
I would be more interested about spying. Does it spy? Call home? How safe is
corporate data on that system? Can I audit the source code?

~~~
morpheuskafka
[https://github.com/PowerShell/openssh-portable](https://github.com/PowerShell/openssh-portable)

~~~
conanthe
I was referring to this Windows in general.

------
riffic
This reminds me of that old quotation: "Those who don't understand Unix are
condemned to reinvent it, poorly."

~~~
oblio
Well, if you're going to trot out quotes from the 80s (more precisely, 1987,
Henry Spencer), you should be aware that Microsoft made and sold one of the
first commercial Unixes: Xenix. And they made it in 1980, long before your
quote.

[https://en.wikipedia.org/wiki/Xenix](https://en.wikipedia.org/wiki/Xenix) ->

"In the mid-to-late 1980s, Xenix was the most common Unix variant, measured
according to the number of machines on which it was installed.[1][2] Microsoft
chairman Bill Gates said in 1996 that for a long time that company had the
highest-volume AT&T Unix license"

Microsoft definitely understood Unix and figured out there was no market for
it for close to 2 decades.

~~~
Fnoord
Apple successfully leveraged UNIX to develop macOS (officially UNIX) from
which they developed iOS. Google successfully managed to leverage the Linux
kernel (Unix-like) and Java to develop Android. Windows Phone, on the other
hand, flopped.

~~~
oblio
My original comment said: "there was no market for Unix for close to 2
decades". That was hyperbole, but:

1. 1980 to 1998 for Google, 18 years -> that's awfully close to 2 decades.

2. 1980 to 2001 for Apple, 21 years -> that's more than 2 decades.

So your counter examples confirm what I said.

3. Windows Phone and family failed because of marketing blunders, not because
of tech. MS-DOS and Windows succeeded because of marketing prowess, not
because of tech.

4. The mainstream market just wasn't ready for Unix for a long time. The
biggest Unix success was Sun, for a long time, and Microsoft absolutely
dwarfed Sun for most of their existence. Further proof that my statement was
right.

~~~
Fnoord
> Regarding Windows Phone: for technical reasons? Not really...

Not alone, it was also the network effect, and Microsoft's _terrible_
reputation they gained in the end of '90s and '00s.

> 1980 to 2000

Yes, I noticed, but that isn't a representative range. If anything, what's
relevant is their recent history:

1) Less proprietary software, more FOSS.

2) Data gathering is more important.

3) As the old cash cows dwindle (Windows and Office) new ones are attempted.

~~~
oblio
I'm not sure I understand your comment, are those supposed to be criticisms of
Microsoft?

~~~
Fnoord
Observations, both compliments and criticisms alike. Doesn't have to be one
extreme or the other.

------
eshizhan
Microsoft changed more and more!

------
nwrk
Oh no, now we need to train all winIT how to use command line instead of
mouse.

Always, laughed while configuring/managing MS products.

Great news anyway. Congrats on launch (2018)

~~~
h1d
Now we need to train UNIX admins how to do it without bash.

SSH alone doesn't seem any good without all the UNIX tools.

~~~
nwrk
Agree. Sorry for the flame fueled post. Still, old but vivid MS memories. The key
point (for me), i.e. 8 years ago, was that it was really hard to do most of the
tasks _efficiently_ and without errors on the MS platform. Hope the UNIX tools
will be ported soon too.

------
npmaile
Now all they have to do is switch their kernel to linux, their gui to kde and
get their office suite to LibreOffice, and Windows will be the perfect
computer.

~~~
emilfihlman
Windows ux is better out of the box than on any Linux so far, it's really
polished.

The office suite is also much better than alternatives.

So just switching the kernel to Linux would be enough and super winrar.

~~~
curt15
Does Linux have the equivalent of WinNT's i/o completion ports to prevent
heavy I/O from freezing the user interface?

~~~
pkaye
What about asynchronous I/O calls? Or using separate threads for I/O vs UI?

~~~
gruez
>What about asynchronous I/O calls?

random google result:
[https://news.ycombinator.com/item?id=11866076](https://news.ycombinator.com/item?id=11866076)

>Or using separate threads for I/O vs UI?

not the target use for completion ports, which is handling thousands of
outstanding IO requests with a few threads.

~~~
grumpydba
You mean an IO scheduler, eventually with a plugable architecture ?

[https://lwn.net/Articles/720675/](https://lwn.net/Articles/720675/)

