Windows SSH Server – Disable Shell / Cmd access


A server stack is the collection of software that forms the operational infrastructure on a given machine. In a computing context, a stack is an ordered pile. A server stack is one type of solution stack: an ordered selection of software that makes it possible to complete a particular task. This post, Windows SSH Server – Disable Shell / Cmd access, covers one such server-stack problem that needs a solution. Below are some tips for managing your Windows server when you run into problems involving windows, ssh, and tunnel.

I have enabled the SSH Server on Windows using the built-in feature.
Since this server is only being used as a tunnel, I would like to disable any commands from being executed.

On Linux, it appears to be possible to set the shell to /sbin/nologin. What would be the equivalent on a Windows machine?

You can specify the shell executable to use in the Windows version via registry (documentation). E.g. you can set powershell as default shell as follows:

New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force

However I am not aware of any nologin shell alternative in Windows. As for a quick and dirty workaround, I have set a windows32 executable (sfc.exe) as “shell” using the method above.

New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\sfc.exe" -PropertyType String -Force

In this way, clients can connect only with the -N switch, or else the connection closes immediately. Note that the ssh user must not be an administrator, so it cannot actually run sfc.exe. (Maybe there is a better choice for dummy shell than sfc.exe :P)
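
An audit of the setup described in the answer above, as an added example that is not part of the original post: it checks the machine-wide DefaultShell registry value and that the tunnel account is not a direct member of Administrators. The account name tunneluser, the function name Test-TunnelOnlySsh and its parameters are assumptions made for illustration.

```powershell
# Added example: audit the tunnel-only setup described in the answer.
# 'tunneluser' and Test-TunnelOnlySsh are hypothetical names chosen for illustration.
function Test-TunnelOnlySsh {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$ExpectedShell = 'C:\Windows\System32\sfc.exe'
    )

    $findings = @()

    # 1. DefaultShell lives under HKLM, so it applies to every account that logs in over SSH.
    $key   = 'HKLM:\SOFTWARE\OpenSSH'
    $shell = (Get-ItemProperty -Path $key -Name DefaultShell -ErrorAction SilentlyContinue).DefaultShell
    if (-not $shell) {
        $findings += 'DefaultShell is not set; sshd falls back to its default shell (cmd.exe).'
    } elseif ($shell -ne $ExpectedShell) {
        $findings += "DefaultShell is '$shell', expected '$ExpectedShell'."
    } elseif (-not (Test-Path -LiteralPath $shell -PathType Leaf)) {
        $findings += "DefaultShell '$shell' does not exist on disk."
    }

    # 2. The answer requires a non-administrator account.
    #    S-1-5-32-544 is BUILTIN\Administrators; using the SID avoids localized group names.
    #    Only direct membership is checked, not membership through nested groups.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    $isAdmin = $admins | Where-Object { ($_.Name -split '\\')[-1] -eq $UserName }
    if ($isAdmin) {
        $findings += "'$UserName' is a direct member of Administrators."
    }

    # Summary object: TunnelOnly is true only when no finding was recorded.
    [pscustomobject]@{
        User         = $UserName
        DefaultShell = $shell
        TunnelOnly   = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-TunnelOnlySsh -UserName 'tunneluser' | Format-List
```

Run it from an elevated PowerShell session on the SSH server; any entry under Findings means the configuration differs from what the answer describes.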
