PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

Provide guidance public guidance on "SSH Server Broker" and "SSH Server Proxy" in Win10 #318

Closed DarwinJS closed 4 years ago

DarwinJS commented 7 years ago

I discovered this while packaging 0.0.0.9 on Windows 10 Anniversary Update.

Is there anything that a Win32-OpenSSH install should do to account for this?

Should it:

  1. Just ignore this and install anyway?
  2. Do something to integrate with built-in SSH services?
  3. Refuse to install, but have an override switch to disable built-in SSH so that those doing the install can decide which way they want it.

I am especially interested in the release cycles of both initiatives - if Win32-OpenSSH will be released more frequently than the built-in, I would think many people would want to use it instead - even if these code bases are on a "to be merged" course.

jdunn0 commented 7 years ago

I noticed those services too but it wasn't right after the Anniversary Update. It was after I enabled "Developer Mode" in the Settings App to let me install the Bash on Windows feature that the SSH Server was installed. I googled it and found the page at https://noise.paulos.cz/post/windows10-14352-ssh-server/ which seems to indicate that the builtin SSH Server is something used for development tools somehow and is not designed or intended for use by normal users.

DarwinJS commented 7 years ago

@jdunn0 - you have a better root cause than I - the entire reason I grabbed the Anniversary update was to enable bash - so I guess this is part of the "Windows Subsystem for Linux" feature then?

jdunn0 commented 7 years ago

From what I can tell, the "Microsoft SSH Server" is just something installed when developer mode is turned on and is not related to the "Windows Subsystem for Linux" feature, but I don't know for sure. I would need to do some testing to see when the service appears and such. Besides the pages I linked above, I couldn't find much on what this "Microsoft SSH Server" is. There are, however, many pages talking about the "Windows Subsystem for Linux" so I would imagine that if they were related, it would be more well known.

joeyaiello commented 7 years ago

Sorry for the confusion, everyone. The "Microsoft SSH Server" is installed when you enable developer mode but is unrelated to the Windows Subsystem for Linux. As @jdunn0 said, it's used for the very specific scenario of deploying and testing UWP apps. You can read more about the server and scenario here: https://msdn.microsoft.com/en-us/windows/uwp/get-started/enable-your-device-for-development#ssh

@DarwinJS: the OpenSSH releases from this repo install fine side-by-side with the "Microsoft SSH Server". If you want to run both of them at the same time, you do have to run the OpenSSH sshd on a port other than 22. You can do this by changing the `Port 22` line in your `sshd_config`. Quoting from the official OpenSSH docs:

> Port: Specifies the port number that sshd(8) listens on. The default is 22. Multiple options of this type are permitted. See also ListenAddress.

Personally, I just disable both the "SSH Server Broker" and "SSH Server Proxy" services as soon as I enable developer mode, and everything OpenSSH runs perfectly fine.

I do want to be very clear: for what you'd consider "traditional" SSH scenarios (basically everything except UWP scenarios), we are going with OpenSSH. Right now, the "Microsoft SSH Server" doesn't support interactive scenarios, tunneling, SFTP/SCP, etc., and there are currently no plans to extend the "Microsoft SSH Server" to support anything except UWP deployment. We're also working with the team that owns the "Microsoft SSH Server" to understand how we can avoid forcing everyone with developer mode enabled to use a non-standard SSH port. As soon as we have something to share there, we'll let you guys know.

DarwinJS commented 7 years ago

I can then also detect developer mode SSH and error out, telling the user that they need to either [a] specify the switch for an alternate SSH port or [b] specify the switch to disable developer mode SSH.

FYI - in the chocolatey package I can provide a switch to [a] provide an alternate port, [b] disable developer mode SSH if it exists.

Unfortunately it seems like this could be a relatively common conflict since those interested in SSH are probably also interested in bash.

joeyaiello commented 7 years ago

Yeah, I think we'd probably prefer for that functionality not to exist in OpenSSH itself, so a runtime switch on the Chocolatey install sounds like a totally reasonable approach to me.

> Unfortunately it seems like this could be a relatively common conflict since those interested in SSH are probably also interested in bash.

Yeah, you're absolutely right. That's why we really are looking to solve this in a way that doesn't restrict OpenSSH or force users to look around for a solution (like you had to).

DarwinJS commented 7 years ago

@joeyaiello - can you tell me the best way to disable the feature. My first thought is to be the least destructive possible - just shutdown the two services and mark them disabled. Then if the individual discovers they actually need it more than Win32 OpenSSH, they have a relatively easy path to reenable.

What I don't have a feel for is whether simply disabling the services will be sufficient disablement to prevent conflicts with Win32 OpenSSH.

Are you able to ask the authors of the Developer Mode SSH?

manojampalam commented 7 years ago

@DarwinJS AFAIK, stopping the services and setting them to manual mode should be sufficient. Port should be the only conflict between the two. They can work independently if they run on different ports. (They don't share binaries and configuration.)

DarwinJS commented 7 years ago

Cool - I'll proceed with that assumption. If the Developer Mode SSH is found AND IF the package has not been asked to use another port for SSH - it will error out. It will also note that they have the Developer Mode SSH and they can either disable the two services and try again or use the new /SSHServerPort parameter to specify that Win32-OpenSSH Server run on another port.

I also dramatically improved conflict checking for whatever port is used for /SSHServerPort (and the default is 22 if not specified).

clarity99 commented 7 years ago

Manual mode is not enough; on my machine the service somehow gets started even when set to manual.

DarwinJS commented 7 years ago

@clarity99 - if you use the chocolatey package you can change the port that OpenSSH uses.

clarity99 commented 7 years ago

@DarwinJS I know of this, but it's not a good solution, as then I have to specify a different port for each command, unnecessary and annoying. In any case, just wanted to point out that one needs to actually disable the services, not just set them to manual, as they will be started in that case.

FKasa commented 7 years ago

> "Microsoft SSH Server" doesn't support interactive scenarios, tunneling, SFTP/SCP, etc., and there are currently no plans to extend the "Microsoft SSH Server" to support anything except UWP deployment.

It would have been very helpful if I had read that instead of:

> Part of Microsoft SSH Server for Windows

on the service description. I was troubleshooting tunneling from both WSL and Git Bash for a few hours. I could get an interactive shell and successfully created some text files remotely so I just thought maybe I had the tunneling commands wrong.

ylluminate commented 7 years ago

The Microsoft SSH Server definitely needs to be running on another port instead of default 22 at first. That's pretty insane to be frank as it gives entirely wrong impressions. It may also want to be renamed Microsoft UWP Conduit Server Broker and Microsoft UWP Conduit Server Proxy. ESPECIALLY since these are just entirely irrelevant for anyone actually interested in SSH. Big mistake on Microsoft's part in keeping SSH in the name.

ylluminate commented 7 years ago

So for those of us who are refugees of this misnomer battle field, can you please instruct us as to the "proper" way to install OpenSSH SSHD on Windows 10 that will be preserved going forward with the upcoming integration?

Would very much like to use OpenSSH properly now and to avoid issues coming up soon.

joeyaiello commented 7 years ago

@ylluminate preaching to the choir, my friend. 😄

Expect a blog in the next week or two as our bits here make their way into Windows Insiders builds as an optional Feature on Demand. I'll be detailing exactly what you should do to avoid running into issues with the "Microsoft SSH Server".

DarwinJS commented 7 years ago

@joeyaiello - I am hoping the article covers how to disable or reconfigure the port of the Microsoft SSH Server? (Versus putting OpenSSH on a different port?)

Also - will it give code rather than GUI walkthroughs for making the changes?

Thanks.

joeyaiello commented 7 years ago

@DarwinJS I should caveat I've written nothing yet. I'm just holding off until the aforementioned FOD is in a stable state. But I'll try to have some helper scripts within the post.

The solution will likely be to disable that server altogether with the warning that it will break UWP app deploy/debug scenarios. Unfortunately, that server cannot be reconfigured to use another port (but I'd rather that our OpenSSH users stay with port 22).

ylluminate commented 7 years ago

@DarwinJS disabling it is just a matter of going into services.msc and disabling two aforementioned services... I do wish there was a way to change the port, but it seems that MS has baked this punk in as far as testing requirements and I've not yet found a config file for this.
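A scripted version of the check-and-disable steps discussed in this thread, as an added example that is not part of any participant's comment and is not code from the Win32-OpenSSH project or the Chocolatey package. The parameter names `-SshServerPort` and `-DisableDevModeSsh` are hypothetical; the two service display names are the ones quoted in the thread. It sets the services to Disabled rather than Manual, following the report above that Manual services still get started.

```powershell
# Added example. Run from an elevated PowerShell prompt on Windows 10.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$SshServerPort = 22,      # port intended for OpenSSH sshd (hypothetical parameter)
    [switch]$DisableDevModeSsh     # hypothetical switch: stop and disable the Developer Mode services
)

# Display names as given in the thread; nothing is returned unless Developer Mode installed them.
$devSsh = @(Get-Service -DisplayName 'SSH Server Broker', 'SSH Server Proxy' -ErrorAction SilentlyContinue)

foreach ($svc in $devSsh) {
    Write-Host ("{0} ({1}): Status={2}, StartType={3}" -f $svc.DisplayName, $svc.Name, $svc.Status, $svc.StartType)
    if ($DisableDevModeSsh -and $PSCmdlet.ShouldProcess($svc.DisplayName, 'Stop and disable')) {
        # Disabled, not Manual: Manual still allows the service to be started on demand.
        Stop-Service -InputObject $svc -Force
        Set-Service -Name $svc.Name -StartupType Disabled
    }
}
if ($DisableDevModeSsh -and $devSsh.Count -gt 0) {
    Write-Warning 'Developer Mode SSH is disabled: UWP app deploy/debug will not work until it is re-enabled.'
}

# Report every listener on the chosen port, with the owning process, for the install log.
$listeners = @(Get-NetTCPConnection -LocalPort $SshServerPort -State Listen -ErrorAction SilentlyContinue)
$foreign = @()
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Host ("Port {0} bound on {1} by PID {2} ({3})" -f $l.LocalPort, $l.LocalAddress, $l.OwningProcess, $proc.ProcessName)
    if ($proc.ProcessName -ne 'sshd') { $foreign += $l }
}

# Re-read the start type so the result reflects any change made above.
$stillEnabled = @($devSsh | Where-Object { (Get-Service -Name $_.Name).StartType -ne 'Disabled' })

if ($SshServerPort -eq 22 -and $stillEnabled.Count -gt 0) {
    throw "Developer Mode SSH services are not disabled and would contend for port 22. Re-run with -DisableDevModeSsh or choose another -SshServerPort."
}
if ($foreign.Count -gt 0) {
    throw "Port $SshServerPort is already bound by a process other than sshd."
}
Write-Host "No conflict found for OpenSSH sshd on port $SshServerPort."
```

Running it with `-WhatIf` lists what would be stopped and disabled without changing anything.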

joeyaiello commented 7 years ago

I will say that even if you could change the port, the scenario that it supports would not be able to consume the new port...

joeyaiello commented 7 years ago

Renaming the issue to make sure I eventually address this. 😄

maertendMSFT commented 4 years ago

This is no longer applicable