sshShell

Controls what happens when a client opens an SSH shell session. The shell type determines whether the user gets a minimal shell restricted to their virtual path mappings, or a full terminal (e.g. cmd.exe or PowerShell) with unrestricted file system access. Most of these settings can be overridden per user.

These settings only apply to SSH endpoints with the Shell/SCP subsystem enabled.

See SSH Access for background on shell types and their security implications, and Configure SSH Access for step-by-step setup.

sshShell:
  allowSystemAccount: false
  defaultShellType: terminal
  defaultShellPath: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
  defaultHomeDirectory: 'C:\'

sshShell.allowSystemAccount

boolean = false

Allow the SYSTEM account to spawn terminal and other processes. Disabled by default because the SYSTEM account has access to virtually everything on the local filesystem.

Enabling this in combination with terminal shell type gives SSH users full shell access under SYSTEM privileges. Consider using a dedicated service account with limited NTFS permissions instead. See File Access and Permissions for details.

sshShell.defaultShellType

"none" | "legacy" | "terminal" = "none"

Shell type | Description
none | Minimal shell restricted to the user’s path mappings. SCP is available.
legacy | Minimal shell restricted to the user’s path mappings. SCP and SSH aliases are available.
terminal | Full terminal shell (e.g. cmd.exe, PowerShell). The user is not restricted to their path mappings. Requires Windows 10 version 1809+ or Windows Server 2019+.

When terminal is selected, SCP becomes unavailable on the endpoint. See bindings[].scp for details.

sshShell.defaultShellPath

string = "cmd.exe"

Path to the default shell executable. Only applies when defaultShellType is terminal.

sshShell.defaultHomeDirectory

string = <installation directory>

Path to the default home directory. Only applies when defaultShellType is terminal.

Enclose Windows paths containing colons (:) or spaces in single quotes to avoid YAML parsing errors, for example: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'.
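The following audit script is an added example, not part of the product or its documentation. It checks an sshShell block for the SYSTEM-plus-terminal combination and the unquoted-path problem described above. The parser is deliberately minimal and assumes the flat key/value layout shown on this page; the function names and the sample config are constructed for illustration.

```python
# Defaults as documented on this page (defaultHomeDirectory varies per install).
DEFAULTS = {"allowSystemAccount": "false", "defaultShellType": "none",
            "defaultShellPath": "cmd.exe"}

def parse_ssh_shell(text):
    """Return (settings, unquoted_keys) for keys indented under 'sshShell:'."""
    settings, unquoted, inside = dict(DEFAULTS), set(), False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # a top-level key opens or closes the block
            inside = line.strip() == "sshShell:"
            continue
        if inside and ":" in line:
            key, _, raw = line.strip().partition(":")
            raw = raw.strip()
            if len(raw) >= 2 and raw[0] == raw[-1] == "'":
                raw = raw[1:-1]            # single-quoted scalar: strip the quotes
            else:
                unquoted.add(key)
            settings[key] = raw
    return settings, unquoted

def audit(text):
    """Return findings for the risky settings this page calls out."""
    s, unquoted = parse_ssh_shell(text)
    findings = []
    terminal = s["defaultShellType"] == "terminal"
    system = s["allowSystemAccount"].lower() == "true"
    if terminal and system:
        findings.append("CRITICAL: terminal shell plus allowSystemAccount gives SSH users a full shell as SYSTEM")
    elif system:
        findings.append("WARN: allowSystemAccount lets the SYSTEM account spawn processes")
    if terminal:
        findings.append("WARN: terminal shell is not restricted to path mappings; SCP is unavailable")
    for key in ("defaultShellPath", "defaultHomeDirectory"):
        value = s.get(key, "")
        if key in unquoted and (":" in value or " " in value):
            findings.append(f"WARN: {key} contains ':' or spaces and should be single-quoted")
    return findings

# Constructed sample: SYSTEM enabled, terminal shell, unquoted Windows path.
RISKY = r"""sshShell:
  allowSystemAccount: true
  defaultShellType: terminal
  defaultShellPath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""

if __name__ == "__main__":
    print("\n".join(audit(RISKY)))
```

Per-user overrides are not covered; the script only evaluates the endpoint-wide defaults.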
