This article describes how the server behaves when a client connects using an SSH client (e.g. PuTTY), and the related configuration options.
SSH shell modes
The server supports three modes of behavior for SSH shells.
No shell (except for a minimal shell when SCP is enabled) will be available. File system access will be restricted to the user's path mapping. This is the default option.
Shell process (e.g. cmd.exe, PowerShell) will be spawned.
none, with SSH aliases support. This corresponds to sshShell.enabled: true in earlier versions.
DEPRECATED: Legacy mode is marked as deprecated and will most likely be removed.
SSH terminal mode
Since version 2.5, clients may use SSH to connect to their favourite shell (cmd.exe, PowerShell, bash, etc.), with an experience similar to connecting to a Linux machine. The shell executable and home directory can be configured globally, with the possibility of a per-user override.
The shell process runs under the service's user account, unless the user has Windows impersonation enabled, in which case it runs under the associated Windows account.
Clients connected using SSH bypass path mappings and gain access to the whole file system, with restrictions imposed only by the operating system for the service (or impersonated) user.
This is especially dangerous when the service runs under a privileged account.
Use this mode only if you know what you are doing.
The server needs to run using a privileged account (e.g. SYSTEM) in order to spawn impersonated processes.
Terminal mode relies on Windows' ConPTY API, which is available only on newer platforms: Windows 10 version 1809 and newer, Windows Server 2019 and newer. Impersonation is available in the Pro edition only.
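The following pre-flight check is an added example, not part of the product's documentation: it reports whether the host supports ConPTY and which account terminal-mode shells would inherit. The service name is a placeholder you must replace, and build 17763 is the build number reported by both Windows 10 version 1809 and Windows Server 2019.

```powershell
# Added example: audit the host before enabling terminal mode.
param(
    # Placeholder (assumption): replace with the SSH server's Windows service name.
    [string]$ServiceName = 'ExampleSshServer'
)

# Windows 10 version 1809 and Windows Server 2019 both report build 17763.
$conPtyMinBuild = 17763
$findings = New-Object System.Collections.Generic.List[string]

# 1. ConPTY is required for terminal mode.
$build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
if ($build -lt $conPtyMinBuild) {
    $findings.Add("OS build $build is below $conPtyMinBuild, so ConPTY is not available.")
}

# 2. Which account does the service (and every non-impersonated shell) run as?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }
$account = $svc.StartName

if ($account -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')) {
    # SYSTEM is needed to spawn impersonated processes, but it is also the
    # identity of every shell started for a user without impersonation enabled.
    $findings.Add("Service runs as SYSTEM: users without impersonation get a SYSTEM shell.")
} else {
    # Direct membership in BUILTIN\Administrators (S-1-5-32-544);
    # nested group membership is not expanded here.
    $normalized = $account -replace '^\.\\', ($env:COMPUTERNAME + '\')
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    if ($admins.Name -contains $normalized) {
        $findings.Add("Service account '$account' is a local administrator.")
    }
}

# 3. Report. Path mappings do not apply in terminal mode, so the account
#    above defines what every SSH shell user can read and write.
Write-Output "Service '$ServiceName' runs as '$account' on OS build $build."
if ($findings.Count -eq 0) {
    Write-Output 'No findings. Shells are still limited only by OS permissions of this account.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```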
Clients may ask to execute a command directly, using the SSH 'exec' command (overriding the default shell), which is useful for executing commands that do not require a shell session.
PuTTY example configuration: