Remotely shutting down a Windows 10 PC with SSH

Intro

In this, I’ll show you how to remotely shut down (or really do anything with) a Windows 10 PC with Microsoft’s implementation of an OpenSSH server. This helps with controlling HTPCs or living room gaming PCs without installing anything third-party.

I’ll be making the assumption that you have physical or RDP access to the Windows computer that you want to control, and that you’re the Administrator of the computer. I’m also assuming you have a basic understanding of PowerShell. I’m also assuming that you’re running Hassio with an SSH addon or something equivalent, or otherwise have a Linux installation of Home Assistant and know how to operate SSH.

I basically combined a couple of different guides and suggestions to get to this, but this way you don’t need to figure as much out. Alright! Here we go.

Configuration

First and foremost, you’re going to want to install OpenSSH Client and Server on your Windows PC. Open PowerShell with administrative access and run these two commands to install OpenSSH:

# Install OpenSSH Client and Server
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Now, we’re going to start the SSH server service and make sure it always starts the service on boot:

Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'

At this point, try connecting with another computer, or even your Hassio install. Your username will be whatever your local account name is. Not your Microsoft account. You can figure this out just by looking in C:\Users\[one of these is your account]

Can you connect? Sweet! Now on to setting up key pairs so you don’t need those pesky passwords. Following GitHub’s guide to this is the easiest way of figuring this out, but I’ll copy the relevant steps here if you just wanna power through it.

After connecting to your Hassio machine, do the following:

# Generate the public and private key pairs on Hass.io
# Just press enter through everything, you don't need to enter a passphrase
ssh-keygen

# Start ssh-agent in the background
eval "$(ssh-agent -s)"

# Add your keys
ssh-add ~/.ssh/id_rsa

# Next, copy your generated files to /config (or equivalent) so Home Assistant can access it
cp ~/.ssh /config

Check that you now have a .ssh folder in your /config directory, containing at least id_rsa and id_rsa.pub

Now let’s add those keys to Windows! Copy the contents of id_rsa.pub somewhere where you can access it on your Windows computer. The file should be one line, starting with ssh-rsa AAgoosFI%3gh$rf...(etc)

After logging into your account on Windows, open Explorer and go to:
C:\Users\[username]\.ssh
If this folder doesn’t exist, create it. Create a new file called authorized_keys with no file extension, open it in Notepad, and paste in the contents of the id_rsa.pub file from earlier. Now we need to set permissions on the file.

  1. Right click authorized_keys
  2. Go to Properties\Security\Advanced
  3. Click “Disable Inheritance”, then choose “Convert inherited permissions into explicit permissions on this object”
  4. Remove all permissions on the file except for SYSTEM and your user. There should only be two entries in the list, both with “Full Control”

Now’s the most important step. After SSHing into your Hassio install, attempt to connect again to your Windows machine with
ssh [local windows username]@[windows computer]
If it worked, and didn’t ask for a password, we’re in the home stretch. If it did, double check the instructions and check the sources for more details.

Setting up the wake_on_lan component

If you didn’t already have a wake_on_lan switch, here’s the syntax

switch:
  - platform: wake_on_lan
    mac_address: "PC-MA-CA-DD-RE-SS"
    name: "Friendly name"
    host: "Computer's IP address to determine state"
    turn_off:
      service: shell_command.turn_off_yourpc

# The shell_command is where the actual shutdown command takes place
shell_command:
  turn_off_yourpc: 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /config/.ssh/id_rsa [user]@[windows ip] shutdown /h /f'
# You can also use a different shutdown command, but shutdown -h -f forces a hibernation

Passing a normal 'ssh [user]@[windows box] shutdown /h /f' resulted in error 255, but this solution found by @keith-michael worked.

Let me know if you need anything else! This was probably a convoluted method but it worked for me.

3 Likes

Sources:
Solution to shell_command error 255, courtesy @keith-michael

Installation of OpenSSH For Windows Server 2019 and Windows 10
Setting up OpenSSH for Windows using public key authentication (Stack Overflow)
Generating a new SSH key and adding it to the ssh-agent
switch.wake_on_lan Component

This worked perfectly for my computer! I can now put it to sleep and wake it up on demand via a switch in my hassio. What if I wanted to add a second pc?

What would the process be? Do I need a separate set of SSH keys to be re-created or I can use the same?

Kind regards,
-G

No you do not need to create a new SSH key, all you have to do is to add another switch and point it to the second pc’s ip like so

switch:
  - platform: wake_on_lan
    mac_address: "PC-MA-CA-DD-RE-SS"
    name: "Friendly name"
    host: "Computer's IP address to determine state"
    turn_off:
      service: shell_command.turn_off_yourpc
  # The platform name is always wake_on_lan; only the per-PC values below change
  - platform: wake_on_lan
    mac_address: "2N-D-MC-AD-RE-SS"
    name: "Second Friendly name"
    host: "Second Computer's IP address to determine state"
    turn_off:
      service: shell_command.turn_off_yoursecondpc

# The shell_command is where the actual shutdown command takes place
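shell_command:
  # Both switches above reference a shell_command, so both must be defined
  turn_off_yourpc: 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /config/.ssh/id_rsa [user]@[windows ip] shutdown /h /f'
  turn_off_yoursecondpc: 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /config/.ssh/id_rsa [user]@[second ip] shutdown /h /f'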
# You can also use a different shutdown command, but shutdown -h -f forces a hibernation

@anilet is more or less correct. Just re-follow the guide from the point where you add the keys to the Windows machine. You could generate unique SSH keys for each computer, but that kinda defeats the purpose of them.

You can add those to your personal machine as well, so if you want to remote into one of your computers you won’t need a password. For Linux, just use the command ssh-copy-id. Windows is the above, although there are other, better supported ways to remote in.

Is there any chance that I need to have signed in (via SSH) to the hassio machine at least once with password from the Windows machine in order for the without password process to work thereafter? Because, although I was able to do this for my Windows machine, now trying to replicate the process (with the same SSH keys) on another Windows machine it will not work.

The only difference I spotted is that the second windows machine has never SSH-ed to hassio with password.

Regards

Sorry for the late reply.

The SSH key should work on multiple machines, or at least it did when I tried it out to test that. Your Hassio box is SSHing into Windows, not the other way around, so make sure you did it in that direction. Are you getting some specific error when you try to SSH in to the Windows machine from your Hassio box?

It’s also possible with upcoming changes to WSL and Linux on Windows that this may be nearly identical to doing this on a Linux box, but I haven’t messed with it too much. Worth looking out for.

Thanks for all your instructions and comments. I also managed to get it working with them.

However, I didn’t like the thought of a password-less ssh key existing, that could login to my computers and could execute arbitrary commands.

Therefore, I prefixed the public key I copied in authorized_keys with a command:

command="shutdown /h /f" <ssh-key>

This means, that only that specific command is executed once the specified key connects to my computer. The command, that is given in your Home Assistant shell command, is then ignored and you can safely replace it with something like cd . for example.

1 Like
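
A helper for building the restricted entry described in the post above, written as an added example and not code from anyone in this thread: it checks that the public key is one well-formed line, then prefixes it with the forced command plus the standard OpenSSH no-forwarding and no-pty options. The function name `restrict_pubkey` and the sample key are made up for illustration, and it is an assumption that the Windows OpenSSH build honors each of these options the way upstream sshd does.

```shell
#!/bin/sh
# Added example; restrict_pubkey is a hypothetical helper name, not an OpenSSH tool.

# Constructed sample public key (placeholder blob, not a real key).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExample0 root@hassio'

# Usage: restrict_pubkey "<contents of id_rsa.pub>" "<forced command>"
# Prints the line to paste into authorized_keys; returns 1 on malformed input.
restrict_pubkey() {
    key_line=$1
    forced_cmd=$2
    nl='
'
    # A public key is exactly one line; so is the forced command.
    case $key_line$forced_cmd in
        *"$nl"*) echo "error: input spans multiple lines" >&2; return 1 ;;
    esac

    # Split into key type, base64 blob and optional free-text comment.
    read -r key_type blob comment <<EOF
$key_line
EOF

    # The first field must be a key type. Anything else means the line is
    # damaged or already carries options that would be silently doubled up.
    case $key_type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "error: unexpected first field: $key_type" >&2; return 1 ;;
    esac

    # The blob must be non-empty base64 (catches truncated or mangled pastes).
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "error: key blob is not base64" >&2; return 1 ;;
    esac

    # Refuse an empty command or one containing a double quote, which
    # would end the command="..." option early.
    case $forced_cmd in
        ''|*'"'*) echo "error: unusable forced command" >&2; return 1 ;;
    esac

    printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s %s%s\n' \
        "$forced_cmd" "$key_type" "$blob" "${comment:+ $comment}"
}

# Demonstration with the constructed key.
restrict_pubkey "$SAMPLE_PUBKEY" 'shutdown /h /f'
```

With an entry like this, a stolen copy of the passphrase-less private key can only trigger the hibernate command; it cannot open a shell or tunnel traffic through the PC.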

No matter what I do, ssh from HA to PC always requests password. I’ve followed the walkthrough several times to a T, triple checked that the keys match but no dice. Is there any other way to connect? Just simply passing the password in the command? Thanks.

It’s still working for me, although I’ve switched over to IOTlink for general control. Are you able to test with anything else? Generally, once you get the SSH connection working on one machine, it’s easy to migrate to HASS.

Another option would be to just install WSL, and use that SSH server instead of the Windows server. That one works like any other Linux box, and can still pass shutdown commands and such for whatever you wanna do.

Yeah I have WSL2 installed. Didn’t occur to me, thanks!

This doesn’t work if the local Windows user is part of the Administrators group; in this case you need to create C:\ProgramData\ssh\administrators_authorized_keys

I’ve followed: https://www.concurrency.com/blog/may-2019/key-based-authentication-for-openssh-on-windows

2 Likes
cp ~/.ssh /config

This line gives error :

cp: omitting directory ‘/root/.ssh’

After googling I used -r, which ran without error, but the .ssh folder is missing from the config folder. Any suggestions?

put -r in front of CP ex:

cp -r ~/.ssh /config