Releases: PowerShell/Win32-OpenSSH

v0.0.4.0

29 Nov 22:56

_This is a pre-release (non-production ready)_

This release integrates all the latest changes in OpenSSH-Portable V7.3 into the Win32 port. As detailed in Project Status, all development is being done in https://github.com/PowerShell/openssh-portable. For any contributions, please submit pull requests to PowerShell/openssh-portable.

See other improvements here

v0.0.3.0

06 Nov 23:16

_This is a pre-release (non-production ready)_

This release adds Unicode support in interactive shell, scp and sftp.

  • Interactive TTY ssh session now accurately transmits and renders Unicode characters (cmd.exe code page may need to be changed for the appropriate locale)
  • sftp and scp now support Unicode directories and file names.

See other improvements here

v0.0.2.0

23 Oct 19:49

_This is a pre-release (non-production ready)_

This release adds Unicode support improvements in Windows. The problem with Unicode differences between Unix (UTF-8) and Windows (UTF-16) is tackled by:

  • Defining a Unicode entry point for each executable. The entry point (wmain) is implemented in a common Windows compat library. This takes in UTF-16 arguments/parameters and converts them to UTF-8 before feeding them to OpenSSH original code.
  • Making all POSIX structure calls in our wrapper UTF-8 compliant, overriding calls whose Unicode behavior differs (like fopen) with UTF-8 compliant ones.
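
The argument conversion described for the wmain entry point can be sketched as follows. This is an added example, not code from Win32-OpenSSH: the function names utf16_to_utf8 and wargv_to_utf8 are hypothetical, uint16_t stands in for the Windows wchar_t so the code builds on any platform, and rejecting unpaired surrogates (instead of passing ill-formed bytes on to the UTF-8 based code) is a choice made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* NUL-terminated UTF-16 -> malloc'd UTF-8; NULL on OOM or an unpaired surrogate. */
char *utf16_to_utf8(const uint16_t *in)
{
    size_t n = 0;
    while (in[n]) n++;
    unsigned char *out = malloc(n * 3 + 1), *p = out;  /* <= 3 bytes per 16-bit unit */
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        uint32_t cp = in[i], lo = in[i + 1];           /* in[i + 1] is at worst the NUL */
        if (cp >= 0xD800 && cp <= 0xDBFF && lo >= 0xDC00 && lo <= 0xDFFF) {
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);  /* valid pair */
            i++;
        } else if (cp >= 0xD800 && cp <= 0xDFFF) {
            free(out); return NULL;                    /* unpaired surrogate: reject */
        }
        if (cp >= 0x10000) *p++ = 0xF0 | (cp >> 18);
        else if (cp >= 0x800) *p++ = 0xE0 | (cp >> 12);
        else if (cp >= 0x80) *p++ = 0xC0 | (cp >> 6);
        else { *p++ = (unsigned char)cp; continue; }   /* ASCII: one byte */
        if (cp >= 0x10000) *p++ = 0x80 | ((cp >> 12) & 0x3F);
        if (cp >= 0x800) *p++ = 0x80 | ((cp >> 6) & 0x3F);
        *p++ = 0x80 | (cp & 0x3F);
    }
    *p = 0;
    return (char *)out;
}

/* What a wmain()-style shim does before calling the unmodified UTF-8 main(). */
char **wargv_to_utf8(int argc, const uint16_t *const *wargv)
{
    char **argv = calloc((size_t)argc + 1, sizeof *argv);  /* argv[argc] == NULL */
    for (int i = 0; argv && i < argc; i++)
        if (!(argv[i] = utf16_to_utf8(wargv[i]))) {
            while (i--) free(argv[i]);
            free(argv); return NULL;
        }
    return argv;
}

int main(void)
{
    const uint16_t a0[] = {'s','s','h',0}, a1[] = {'j','o','s',0x00E9,'@','h',0};
    const uint16_t *const wargv[] = {a0, a1};          /* constructed sample arguments */
    char **argv = wargv_to_utf8(2, wargv);
    return argv && strlen(argv[1]) == 7 ? 0 : 1;       /* 6 characters, 7 UTF-8 bytes */
}
```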

The changes

  • Kept the internals of OpenSSH code intact (UTF-8 based) including original "main" routines.
  • Got rid of Windows specific UTF-16 based code around configuration and user profile structures.

With these changes, following are supported:

  • Addressing Unicode targets
  • Generating and consuming Unicode configuration and key files (UTF-8 files on Windows can include BOM)
  • Using Unicode directories and file paths and user names
  • Unicode console prompts and input

TBD:

  • SFTP and SCP are not Unicode ported yet. This is current work in progress.

This release also includes the following fixes:

  • removed previous restrictions on scp and sftp around running them from their root directory.
  • support on Nano. Nano does not support server side PTY changes. A remote session to Nano can be opened without a TTY/PTY as follows:
    • ssh user@nano cmd
    • ssh user@nano powershell -File -
  • relative sub-system paths. Relative sub-system executables can now be picked up from the installation root. For example, the following in sshd_config would work for sftp:
    • Subsystem sftp sftp-server.exe (sftp-server.exe will be picked up from the sshd.exe installation path)

v0.0.1.0

01 Oct 06:10

_This is a pre-release (non-production ready)_

This release improves on the terminal experience by including a rewritten ANSI client side parser and an ANSI compliant server side PTY for Windows console applications. Direction keys, Tab (auto completion) and Ctrl+C should now be enabled. This means that many server side console applications will now work seamlessly over remote ssh sessions. Powershell has so far been launched as "Powershell -File -". These std io redirecting arguments are no longer required. You may launch Powershell.exe directly and should see its rich native experience.

When talking to a Unix target from Windows 10, use "Legacy Mode" in console to work around "vi" and "top" issues.

NOTE: The server side changes do not work on Nano yet.

See features/improvements here

v0.0.0.9

18 Sep 06:19

_This is a pre-release (non-production ready)_

See features/improvements here

5_30_2016

30 May 22:25

_This is a pre-release (non-production ready)_

See release notes of 5_15_2016. Following issues are fixed in this release:

  • ssh and sftp now log into user's profile folder (if user's profile exists) 209
  • fix to issue 229
  • fixes to issue 218

5_15_2016

15 May 20:28

_This is a pre-release (non-production ready)_

The release adds the following security enhancements:

  • sshd now runs in the context of a restricted service account. This account (visible in task manager as "sshd") only has SeAssignPrimaryTokenPrivilege, which is required to spawn off session processes under client context.
  • ssh-agent is implemented for Windows as a service running as "SYSTEM". This will execute key related privileged operations on sshd's behalf. It differs from the UNIX version of ssh-agent as follows: it provides persistent storage of ssh private keys (both user and host). The keys are locked using the user's password (using Data Protection APIs). The storage is ACLed system only. As long as the system is root-trusted, this ensures that the private keys are protected from malware. This also provides a single sign-on experience for Windows. Additional details:
    • ssh-agent service can be started by any user but can only be stopped by admin
    • keys can be added to ssh-agent using ssh-add. Following flags are supported - lLdD
    • see wiki for details on how to register and secure host-keys.
  • ssh-agent also implements key-based authentication for Windows - this includes verification of signature, authorizing the public key and generating client token. support for domain accounts is now added.
    • ssh-lsa from previous versions needs to be uninstalled and replaced with the latest version. See wiki for details on how to do this.

Known REGRESSIONS in this release:

  • Secure loading of user profile is currently being worked on. Logging in using ssh and sftp will take you to %Windir%. If you are blocked on this, work around is to run sshd as Local System instead. This is being tracked as this issue

4_5_2016

06 Apr 05:49

_This is a pre-release (non-production ready)_

This release has the following in addition to 3_19_2016

  • SIGALRM support added. This enables the following
    • SFTP progress bar
    • ConnectTimeout for ssh client
    • Login grace timeout in sshd
  • SIGCHLD support added. This helped in converging Unix and Windows code around child process management
  • Misc code refactoring to remove redundant code
  • Fixing the artifact around misbehaving "ENTER" on most clients - work around added in server to minimize impact.

Note: "sshd -install" is no longer supported. Service can be installed using the provided PS script. See updated wiki for instructions

3_19_2016

20 Mar 06:35

_This is a pre-release (non-production ready)_

_Note: Thanks to folks testing this release - we have identified an issue on 2012 R2 (and possibly Win8) with read() routine of underlying transport. This manifests as a failure while starting sshd. Try using 1.1 versions if you see this issue_

What's in this release:

  • Completely rewritten underlying transport that adapts POSIX calls to Win32 overlapped APIs.
  • Transport is now truly single threaded with no synchronization overhead. Stream throughput over loopback has improved ~15%.
  • Transport has been stress tested with 10 tunnelled TCP (port forwarded) full duplex full throughput streams multiplexed over a single connection/session (ssh and sshd running with AppVerifier enabled). It held well, compared to the previous transport that froze after 5 streams. Hopefully, connection reliability issues reported so far will be resolved with this update.
  • PW auth will now result in network logon so admins will end up with sessions capable of performing admin tasks.
  • SCP is taken offline as it needs significant changes to get it on board the new transport and I'm still working on it.
  • ssh-add and ssh-agent are taken offline as we are working on the right security model and user experience for Windows.
  • there are no changes to ssh-lsa.dll (for key based auth). So you may continue to use the previous version if it's already installed.

I haven't yet fixed ssh-lsa installation script issue on Windows 7. Please continue to use the work around for now
reg add HKLM\System\CurrentControlSet\Control\Lsa /v "Authentication Packages" /t REG_MULTI_SZ /d msv1_0\0ssh-lsa.dll -f

There will be some regressions in terminal experience as I refactored related code that was coupled with protocol code. That said, it's understood that current terminal experience is very primitive. Focus over the next couple of months will be on enriching this experience along with security enhancements.

2_25_2016

26 Feb 03:27

_This is a pre-release (non-production ready)_

64-bit and 32-bit payload from Master on 2/25/2016. Slight modification in how ssh-lsa.dll is installed. See deployment instructions in wiki

NOTE: It has been reported that ssh-lsa installation script is not working on Windows 7. Please use this work around for now
reg add HKLM\System\CurrentControlSet\Control\Lsa /v "Authentication Packages" /t REG_MULTI_SZ /d msv1_0\0ssh-lsa.dll -f