How to Set Up SFTP Server on Windows

Olorunfemi Akinlua Feb 15, 2024

Python Python Server

Set Up SFTP Server for Older Windows
Set Up SFTP Server for Newer Windows
Use WinSCP to Set Up and Configure SFTP Client

SFTP servers allow us access to their files and content via the SSH File Transfer Protocol, a secure network protocol. Within our OS environments, we can set up SFTP servers to allow us to retrieve and send resources to and from it.

This article will discuss setting up SFTP servers on Windows using the WinSCP software.

Set Up SFTP Server for Older Windows

To setup an SFTP server on Windows, you will need to install OpenSSH, which you can download from the PowerShell GitHub. You can check this installation guide for Linux environments.

You can download the msi or zip file, but we will only use the msi file in this article.

Install the msi file. Afterward, go to Services, and check for the status of OpenSSH server and OpenSSH Authentication Agent.
If the Status and Startup Type are not running and Automatic, right-click on both services and select Properties.
Change the Startup type to Automatic, click Start, and select OK.
Do the same for OpenSSH Authentication Agent; now, both services should be Running and Automatic.

Set Up SFTP Server for Newer Windows

For newer Windows, you can go to Settings > Apps > Optional Features to get OpenSSH.
Select View Features and search for OpenSSH server in the Add an optional feature dialog box.
Select the OpenSSH server checkbox option and click Install.

Afterwards, configure the SSH server using the PowerShell command below to allow incoming connections to the server.

New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 -Program "C:\\Windows\\System32\\OpenSSH\\sshd.exe"

After configuration, let’s start the OpenSSH server service. To set up that, you need to search for Services within the search bar.
Find OpenSSH server within the list of Windows services.
Right-click on the service, and select Properties.
Change the Startup type to Automatic, click Start, and select OK.
Do the same for OpenSSH Authentication Agent; now, both services should be Running and Automatic.

Use WinSCP to Set Up and Configure SFTP Client

WinSCP is a GPL-3.0-only software that’s free to use and modify. It allows us to carry out secure file transfers across different protocols, including SSH File Transfer and Amazon S3.

It’s available only on Windows and can be downloaded from their download page.

Upon download, run the installer file, and select the Install Mode preferred.
Accept the License Agreement and select the Typical Installion option.
Select your preferred user interface style, but we will use the Commander in this article.
Afterwards, click Install and launch the WinSCP application.
Upon launch, you should see a screen similar to the one below.
Fill in the hostname; use localhost. Use the default port number 22, and fill in your computer’s name and password. After that, click on the Login button.
The screen dialog below will appear, and you must select Yes.
If successful, you should see the below screen.
If not successful, you might see a dialog like the one below because your OpenSSH service isn’t running, and you need to start the two OpenSSH services stated earlier.

Now, we can set up a public key-based authentication using the `ssh-keygen` command.

ssh-keygen

The output of the command is below.

Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\akinl/.ssh/id_rsa):
Created directory 'C:\Users\akinl/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\akinl/.ssh/id_rsa.
Your public key has been saved in C:\Users\akinl/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Ryrpy5HHTT1NK2OFzT3NjoIwORbzNV7/BfBfPLhHCEk akinl@Olorunfemi-PC
The key's randomart image is:
+---[RSA 3072]----+
|        o .E=.o  |
|         = +.Bo*.|
|        * o oo*+O|
|       o * o +o=*|
|      o S + B.+.+|
|     . + + . =.  |
|      + o .      |
|     . +         |
|      o          |
+----[SHA256]-----+

When the ssh-keygen tool requests a passphrase, you can enter one, but we don’t use one for this article. The ssh-keygen created a hidden directory named .ssh and saved the key pair within the id_rsa.pub file under the .ssh.

The public key full path is C:\Users\akinl/.ssh/id_rsa.pub.

id_rsa

The public key is the id_rsa.pub file, and the private key is the id_rsa.

To link the private and public keys to the WinSCP, we need to create a file named authorized_keys within the .ssh folder. Copy the public key contents, id_rsa.pub, into the authorized_keys file and save the changes; you can use a text editor like Notepad.
There should be at least three files (authorized_keys, id_rsa, and id_rsa.pub) within your .ssh directory.
To keep the authorized_keys file safe and only accessible to the administrators or core users, you have to configure the Access Control List (ACL). Use the below command to configure the access control.
```
icacls.exe "C:\Users\<username>\.ssh\authorized_keys" /inheritance:r /grant "Adminstrators:F" /grant "SYSTEM:F"
```

Change the `<username>` to your username.

icacls.exe "C:\Users\akinl\.ssh\authorized_keys" /inheritance:r /grant "Adminstrators:F" /grant "SYSTEM:F"

The output of the command:

processed file: C:\Users\akinl\.ssh\authorized_keys
Successfully processed 1 file; Failed processing 0 files

Therefore, if you now open the same authorized_keys file, you should see the below dialog.
To fully configure the SFTP server, we need to edit the sshd_config file to set up the public key-based authentication; the sshd_config file is available in the ProgramData directory. Copy the full path below to Windows Explorer and open the sshd_config file
```
C:\ProgramData\ssh
```
The sshd_config file is the last file within the directory.

Modify by uncommenting or changing the lines containing the config information in your `sshd_config` file. Also, open the `sshd_config` file as an `Administrator`.

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
Subsystem sftp internal-sftp

Match User <username>
	X11Forwarding no
	AllowTcpForwarding no
	PermitTTY no
	ForceCommand internal-sftp
	PasswordAuthentication no

In addition, make sure to change the <username> to your username. Furthermore, you can comment on the following configuration information within the file.

Match Group administrators
	   AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

The changes to your ssh_config file should look like the image below:
Now, let’s open WinSCP using the previous username and password login method.

It’s no longer supported because we have changed the configuration file to support only public key authentication. To log in now, we need to use our public key.
Instead of using the Password, click on the Advanced button.
Go to the Authentication tab under SSH.
Under the Authentication parameters area, browse for the private key file and go to the .ssh directory (C:\Users\akinl\.ssh), and change the file options to All Files
Select the id_rsa file, which should prompt the dialog below. Do select OK.

After, the below dialog should show.
Then, click OK.
Now, click Login.

And now, you have access to the SFTP server using public key authentication.

Author: Olorunfemi Akinlua

Olorunfemi is a lover of technology and computers. In addition, I write technology and coding content for developers and hobbyists. When not working, I learn to design, among other things.

How to Set Up SFTP Server on Windows

Set Up SFTP Server for Older Windows

Install the `msi` file. Afterward, go to `Services`, and check for the status of `OpenSSH server` and `OpenSSH Authentication Agent`.

If the `Status` and `Startup Type` are not `running` and `Automatic`, right-click on both services and select `Properties`.

Change the `Startup type` to `Automatic`, click `Start`, and select `OK`.

Do the same for `OpenSSH Authentication Agent`; now, both services should be `Running` and `Automatic`.

Set Up SFTP Server for Newer Windows

For newer Windows, you can go to `Settings > Apps > Optional Features` to get OpenSSH.

Select `View Features` and search for `OpenSSH server` in the `Add an optional feature` dialog box.

Select the `OpenSSH server` checkbox option and click `Install`.

Afterwards, configure the SSH server using the PowerShell command below to allow incoming connections to the server.

After configuration, let’s start the `OpenSSH server` service. To set up that, you need to search for `Services` within the search bar.

Find `OpenSSH server` within the list of Windows services.

Right-click on the service, and select `Properties`.

Change the `Startup type` to `Automatic`, click `Start`, and select `OK`.

Do the same for `OpenSSH Authentication Agent`; now, both services should be `Running` and `Automatic`.

Use WinSCP to Set Up and Configure SFTP Client

Upon download, run the installer file, and select the `Install Mode` preferred.

Accept the License Agreement and select the `Typical Installion` option.

Select your preferred user interface style, but we will use the `Commander` in this article.

Afterwards, click `Install` and launch the `WinSCP` application.

Upon launch, you should see a screen similar to the one below.

The screen dialog below will appear, and you must select `Yes`.

If successful, you should see the below screen.

If not successful, you might see a dialog like the one below because your `OpenSSH` service isn’t running, and you need to start the two `OpenSSH` services stated earlier.

Now, we can set up a public key-based authentication using the `ssh-keygen` command.

To link the private and public keys to the WinSCP, we need to create a file named `authorized_keys` within the `.ssh` folder. Copy the public key contents, `id_rsa.pub`, into the `authorized_keys` file and save the changes; you can use a text editor like Notepad.

There should be at least three files (`authorized_keys`, `id_rsa`, and `id_rsa.pub`) within your `.ssh` directory.

To keep the `authorized_keys` file safe and only accessible to the administrators or core users, you have to configure the `Access Control List (ACL)`. Use the below command to configure the access control.

Change the `<username>` to your username.

Therefore, if you now open the same `authorized_keys` file, you should see the below dialog.

To fully configure the SFTP server, we need to edit the `sshd_config` file to set up the public key-based authentication; the `sshd_config` file is available in the `ProgramData` directory. Copy the full path below to Windows Explorer and open the `sshd_config` file

Modify by uncommenting or changing the lines containing the config information in your `sshd_config` file. Also, open the `sshd_config` file as an `Administrator`.

The changes to your `ssh_config` file should look like the image below:

Instead of using the `Password`, click on the `Advanced` button.

Go to the `Authentication` tab under `SSH`.

Under the `Authentication parameters` area, browse for the private key file and go to the `.ssh` directory (`C:\Users\akinl\.ssh`), and change the file options to `All Files`

Select the `id_rsa` file, which should prompt the dialog below. Do select `OK`.

Then, click `OK`.

Related Article - Python Server

Set Up SFTP Server for Older Windows

Install the msi file. Afterward, go to Services, and check for the status of OpenSSH server and OpenSSH Authentication Agent.

If the Status and Startup Type are not running and Automatic, right-click on both services and select Properties.

Change the Startup type to Automatic, click Start, and select OK.

Do the same for OpenSSH Authentication Agent; now, both services should be Running and Automatic.

Set Up SFTP Server for Newer Windows

For newer Windows, you can go to Settings > Apps > Optional Features to get OpenSSH.

Select View Features and search for OpenSSH server in the Add an optional feature dialog box.

Select the OpenSSH server checkbox option and click Install.

Afterwards, configure the SSH server using the PowerShell command below to allow incoming connections to the server.

After configuration, let’s start the OpenSSH server service. To set up that, you need to search for Services within the search bar.

Find OpenSSH server within the list of Windows services.

Right-click on the service, and select Properties.

Change the Startup type to Automatic, click Start, and select OK.

Do the same for OpenSSH Authentication Agent; now, both services should be Running and Automatic.

Use WinSCP to Set Up and Configure SFTP Client

Upon download, run the installer file, and select the Install Mode preferred.

Accept the License Agreement and select the Typical Installion option.

Select your preferred user interface style, but we will use the Commander in this article.

Afterwards, click Install and launch the WinSCP application.

Upon launch, you should see a screen similar to the one below.

Fill in the hostname; use localhost. Use the default port number 22, and fill in your computer’s name and password. After that, click on the Login button.

The screen dialog below will appear, and you must select Yes.

If successful, you should see the below screen.

If not successful, you might see a dialog like the one below because your OpenSSH service isn’t running, and you need to start the two OpenSSH services stated earlier.

Now, we can set up a public key-based authentication using the ssh-keygen command.

To link the private and public keys to the WinSCP, we need to create a file named authorized_keys within the .ssh folder. Copy the public key contents, id_rsa.pub, into the authorized_keys file and save the changes; you can use a text editor like Notepad.

There should be at least three files (authorized_keys, id_rsa, and id_rsa.pub) within your .ssh directory.

To keep the authorized_keys file safe and only accessible to the administrators or core users, you have to configure the Access Control List (ACL). Use the below command to configure the access control.

Change the <username> to your username.

Therefore, if you now open the same authorized_keys file, you should see the below dialog.

To fully configure the SFTP server, we need to edit the sshd_config file to set up the public key-based authentication; the sshd_config file is available in the ProgramData directory. Copy the full path below to Windows Explorer and open the sshd_config file

Modify by uncommenting or changing the lines containing the config information in your sshd_config file. Also, open the sshd_config file as an Administrator.

The changes to your ssh_config file should look like the image below:

Now, let’s open WinSCP using the previous username and password login method.

Instead of using the Password, click on the Advanced button.

Go to the Authentication tab under SSH.

Under the Authentication parameters area, browse for the private key file and go to the .ssh directory (C:\Users\akinl\.ssh), and change the file options to All Files

Select the id_rsa file, which should prompt the dialog below. Do select OK.

Then, click OK.

Now, click Login.

Related Article - Python Server

Install the `msi` file. Afterward, go to `Services`, and check for the status of `OpenSSH server` and `OpenSSH Authentication Agent`.

If the `Status` and `Startup Type` are not `running` and `Automatic`, right-click on both services and select `Properties`.

Change the `Startup type` to `Automatic`, click `Start`, and select `OK`.

Do the same for `OpenSSH Authentication Agent`; now, both services should be `Running` and `Automatic`.

For newer Windows, you can go to `Settings > Apps > Optional Features` to get OpenSSH.

Select `View Features` and search for `OpenSSH server` in the `Add an optional feature` dialog box.

Select the `OpenSSH server` checkbox option and click `Install`.

After configuration, let’s start the `OpenSSH server` service. To set up that, you need to search for `Services` within the search bar.

Find `OpenSSH server` within the list of Windows services.

Right-click on the service, and select `Properties`.

Change the `Startup type` to `Automatic`, click `Start`, and select `OK`.

Do the same for `OpenSSH Authentication Agent`; now, both services should be `Running` and `Automatic`.

Upon download, run the installer file, and select the `Install Mode` preferred.

Accept the License Agreement and select the `Typical Installion` option.

Select your preferred user interface style, but we will use the `Commander` in this article.

Afterwards, click `Install` and launch the `WinSCP` application.

Fill in the hostname; use `localhost`. Use the default port number `22`, and fill in your computer’s name and password. After that, click on the `Login` button.

The screen dialog below will appear, and you must select `Yes`.

If not successful, you might see a dialog like the one below because your `OpenSSH` service isn’t running, and you need to start the two `OpenSSH` services stated earlier.

Now, we can set up a public key-based authentication using the `ssh-keygen` command.

To link the private and public keys to the WinSCP, we need to create a file named `authorized_keys` within the `.ssh` folder. Copy the public key contents, `id_rsa.pub`, into the `authorized_keys` file and save the changes; you can use a text editor like Notepad.

There should be at least three files (`authorized_keys`, `id_rsa`, and `id_rsa.pub`) within your `.ssh` directory.

To keep the `authorized_keys` file safe and only accessible to the administrators or core users, you have to configure the `Access Control List (ACL)`. Use the below command to configure the access control.

Change the `<username>` to your username.

Therefore, if you now open the same `authorized_keys` file, you should see the below dialog.

To fully configure the SFTP server, we need to edit the `sshd_config` file to set up the public key-based authentication; the `sshd_config` file is available in the `ProgramData` directory. Copy the full path below to Windows Explorer and open the `sshd_config` file

Modify by uncommenting or changing the lines containing the config information in your `sshd_config` file. Also, open the `sshd_config` file as an `Administrator`.

The changes to your `ssh_config` file should look like the image below:

Instead of using the `Password`, click on the `Advanced` button.

Go to the `Authentication` tab under `SSH`.

Under the `Authentication parameters` area, browse for the private key file and go to the `.ssh` directory (`C:\Users\akinl\.ssh`), and change the file options to `All Files`

Select the `id_rsa` file, which should prompt the dialog below. Do select `OK`.

Then, click `OK`.

Now, click `Login`.