
Can we SSH to Windows EC2 instance in AWS? [closed]

I am new to AWS and I have created a new Windows EC2 instance. I see ways to SSH to different instances like Amazon Linux, Ubuntu using PuTTY. But not for Windows instance. Can we not connect to Windows instance using PuTTY? Any help would be appreciated. Thanks.

Aym asked Mar 23 '26 05:03


2 Answers

Late here, but the answer is yes: you can SSH into a Windows EC2 instance from Windows/Linux and Mac (haven't tried). The upshot is that you need an SSH server in order to receive SSH requests from clients.

  1. Make sure your Windows instance is running

  2. RDP into the instance (one-time only)

  3. Type powershell in command line to toggle out of cmd

  4. Run the following command to determine if you have OpenSSH.Server installed

    Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'

  5. Install the service

    Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

  6. After a minute or two it installs (be patient)

  7. Set service to start service automatically in case you stop instance

    Set-Service -Name sshd -StartupType 'Automatic'

  8. Run the OpenSSH.Server service, called sshd

    Start-Service sshd

  9. Exit the instance shell and RDP session

  10. Go back to your shell on your computer

  11. Run your customary ssh command to get into the EC2 instance. You'll be prompted for a password. There are ways to get around that.

Charles Owen answered Mar 25 '26 20:03


Yes, recent releases of Windows (10 build 1809, Server 2019, and later) offer official support for a native OpenSSH daemon. See https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell for details about OpenSSH on Windows.

When wanting to use SSH to connect to an EC2 instance specifically, I have found that the easiest approach is to build a new AMI with the OpenSSH package preinstalled and the relevant services preconfigured. The full process that is currently working for me:

  1. Build a Windows AMI based on Server 2019 or later (e.g. use Windows_Server-2019-English-Full-ECS_Optimized-2022.12.14 as the base AMI). As part of that AMI:

    1. Install OpenSSH and configure the sshd and ssh-agent services as described in the above link:

      $ErrorActionPreference = 'Stop'
      
      Write-Host 'Installing and starting sshd'
      Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
      Set-Service -Name sshd -StartupType Automatic
      Start-Service sshd
      
      Write-Host 'Installing and starting ssh-agent'
      Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
      Set-Service -Name ssh-agent -StartupType Automatic
      Start-Service ssh-agent
      
      Write-Host 'Set PowerShell as the default SSH shell'
      New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value (Get-Command powershell.exe).Path -PropertyType String -Force
      
    2. Configure PowerShell as the default SSH shell:

      New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value (Get-Command powershell.exe).Path -PropertyType String -Force
      
  2. Launch an EC2 instance using the new AMI:

    1. Provide a valid, existing SSH keypair.

    2. Select IMDSv2.

    3. Provide the following PowerShell script as the userdata script. This script will ensure the SSH keypair specified when launching will be added to the Administrator user's authorized keys file. Note that the <powershell> and </powershell> tags are part of the userdata; they are parsed and extracted by AWS prior to the script being executed.

      <powershell>
      
      # Userdata script to enable SSH access as user Administrator via SSH keypair.
      # This assumes that
      # 1. the SSH service (sshd) has already been installed, configured, and started during AMI creation;
      # 2. a valid SSH key is selected when the EC2 instance is being launched; and
      # 3. IMDSv2 is selected when launching the EC2 instance.
      
      # Save the public key of the launch keypair from instance metadata.
      $ImdsToken = (Invoke-WebRequest -Uri 'http://169.254.169.254/latest/api/token' -Method 'PUT' -Headers @{'X-aws-ec2-metadata-token-ttl-seconds' = 2160} -UseBasicParsing).Content
      $ImdsHeaders = @{'X-aws-ec2-metadata-token' = $ImdsToken}
      $AuthorizedKey = (Invoke-WebRequest -Uri 'http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key' -Headers $ImdsHeaders -UseBasicParsing).Content
      $AuthorizedKeysPath = 'C:\ProgramData\ssh\administrators_authorized_keys'
      New-Item -Path $AuthorizedKeysPath -ItemType File -Value $AuthorizedKey -Force
      
      # Set appropriate permissions on administrators_authorized_keys by copying them from an existing key.
      Get-ACL C:\ProgramData\ssh\ssh_host_dsa_key | Set-ACL $AuthorizedKeysPath
      
      # Ensure the SSH agent pulls in the new key.
      Set-Service -Name ssh-agent -StartupType "Automatic"
      Restart-Service -Name ssh-agent
      
      </powershell>
      
  3. Connect to the instance via SSH like normal. Provide the SSH keypair you specified when launching and user Administrator. For example:

    ssh -i ~/.ssh/my-keypair Administrator@<instance-public-dns-or-ip>
    
lafrenierejm answered Mar 25 '26 22:03
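
A check to run on the instance after either answer's setup, as an added example that is not part of the original answers: it reports whether sshd still accepts password logins (the first answer's setup prompts for one) and whether administrators_authorized_keys grants access only to SYSTEM and Administrators, which is what copying the host key ACL in the second answer is meant to achieve. The function names and the sample config are constructed for illustration; the paths are the ones used in the answers and by the default Windows OpenSSH install.

```powershell
# Added example: audit the SSH setup described in the answers above.
# Function names are hypothetical; $SampleConfig is constructed for illustration.

function Get-SshdSetting {
    # Effective global value of an sshd_config keyword: the first occurrence wins,
    # and the global section ends at the first Match block.
    param([string[]]$Lines, [string]$Keyword, [string]$Default)
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }
        $parts = $t -split '[\s=]+', 2
        if ($parts[0] -ieq 'Match') { break }
        if ($parts.Count -lt 2) { continue }
        if ($parts[0] -ieq $Keyword) { return $parts[1].Trim() }
    }
    return $Default   # keyword absent or commented out: sshd's built-in default applies
}

function Test-KeyFileAcl {
    # True only if every Allow rule on the file belongs to SYSTEM or Administrators.
    param([string]$Path)
    $allowed = 'S-1-5-18', 'S-1-5-32-544'   # SYSTEM, BUILTIN\Administrators
    $rules = (Get-Acl -Path $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $allowed -notcontains $rule.IdentityReference.Value) { return $false }
    }
    return $true
}

$ConfigPath = 'C:\ProgramData\ssh\sshd_config'
$KeysPath   = 'C:\ProgramData\ssh\administrators_authorized_keys'

# Constructed sample, used only when the script is run off the instance.
$SampleConfig = @'
#PasswordAuthentication yes
PubkeyAuthentication yes
Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
'@ -split "`r?`n"

$lines = if (Test-Path $ConfigPath) { Get-Content $ConfigPath } else { $SampleConfig }

[pscustomobject]@{
    PasswordAuthentication = Get-SshdSetting $lines 'PasswordAuthentication' 'yes'
    PubkeyAuthentication   = Get-SshdSetting $lines 'PubkeyAuthentication' 'yes'
    KeyFileAclRestricted   = if (Test-Path $KeysPath) { Test-KeyFileAcl $KeysPath } else { $null }
}
```

A `PasswordAuthentication` result of `yes` means password logins are still accepted alongside the key; setting `PasswordAuthentication no` in sshd_config and restarting sshd leaves only key-based logins.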


