Bitvise SSH Server: Secure file transfer and terminal shell access for Windows
Our SSH server supports all desktop and server versions of Windows, 32-bit and 64-bit, from Windows XP SP3 and Windows Server 2003, up to the most recent – Windows 10 and Windows Server 2016.
Bitvise SSH Server supports the following SSH services:
- Secure remote access via console (vt100, xterm and bvterm supported)
- Secure remote access via GUI (Remote Desktop or WinVNC required)
- Secure file transfer using SFTP and SCP (compatible with all major clients)
- Secure, effortless Git integration
- Secure TCP/IP connection tunneling (port forwarding)
You can try out Bitvise SSH Server risk-free. To begin, simply download the installation executable - you will find the download links on our download page. After installing, you are free to evaluate Bitvise SSH Server for up to 30 days. If you then decide to continue using it, purchase a license.
When the personal edition is chosen during installation, Bitvise SSH Server can be used free of charge by non-commercial personal users.
Professional SSH server
We continue to invest considerable effort to create the best SSH software we can. These are some of the features that make Bitvise SSH Server special:
Ease of use: Bitvise SSH Server is designed for Windows, so that it is easy to install and configure. In a regular Windows environment, it will work immediately upon installation with no configuration. (We do however recommend tightening settings to restrict access to only those accounts and features that you use.)
Encryption and security: Provides state-of-the-art encryption and security measures suitable as part of a standards-compliant solution meeting the requirements of PCI, HIPAA, or FIPS 140-2 validation.
Unlimited connections: Bitvise SSH Server imposes no limits on the number of users who can connect, and gets no more expensive for a larger number of connections. The number of simultaneous connections is limited only by system resources!
Windows groups: Bitvise SSH Server natively supports configurability through Windows groups. No need to define account settings for each Windows account individually. The SSH server knows what groups a user is in and, if configured, will use appropriate Windows group settings. Virtual filesystem mount points can be inherited from multiple groups.
Quotas and statistics: The SSH Server can be configured with per-user and per-group quotas and bandwidth limits, and keeps a record of daily, monthly, and annual usage statistics.
Speed: SFTP transfer speed mostly depends on the client, but Bitvise SSH Server allows clients to obtain some of the fastest transfer speeds available. With Bitvise SSH Client, SFTP file transfer speeds in the tens or hundreds of MB/s can be obtained. SFTP v6 optimizations, including copy-file and check-file for remote file hashing and checksums, are supported.
Virtual filesystem: Users connecting with file transfer clients can be restricted to a single directory, or several directories in a complex layout. Users connecting with terminal shell clients can also be restricted in the same way if their Shell access type is set to BvShell.
Git integration: Set an account's shell access type to Git access only, and configure the path to your Git binaries and repositories. The account can now securely access Git, without being given unnecessary access to the system.
Obfuscated SSH with an optional keyword: When supported and enabled in both the client and server, obfuscation makes it more difficult for an observer to detect that the protocol being used is SSH.
Single sign-on: Bitvise SSH Server supports GSSAPI-enabled Kerberos 5 key exchange, as well as NTLM and Kerberos 5 user authentication. This means that, using Bitvise SSH Client or another compatible GSSAPI-enabled client, any user in the same Windows domain, or a trusted one, can log into the SSH server without having to verify the server's host key fingerprint, and without even having to supply a password! Using Windows group-based settings, the user's account doesn't even have to be configured in the SSH server.
Virtual accounts: Want to set up an SFTP server with many users, but don't want to create and manage 1000 Windows accounts? No problem. Bitvise SSH Server supports virtual accounts, created in SSH server settings, backed by the identity of one or more Windows accounts. SSH server settings for these accounts are also configurable on a virtual group basis.
Bandwidth limits: Separate upload and download speed limits can be configured for each user and group.
Excellent terminal support: Bitvise SSH Server provides the best terminal support available on the Windows platform. Our terminal subsystem employs sophisticated techniques to render output accurately like no other Windows SSH server. And when used with Bitvise SSH Client, our bvterm protocol supports the full spectrum of a Windows console's features: colors, Unicode characters, and large scrollable buffers.
BvShell: Users whose filesystem access should be restricted to specific directories can have their Shell access type configured to BvShell. Similar to chroot, this provides access to a limited terminal shell which can allow for more powerful access than a file transfer client, but still restricts the user to root directories configured for them.
Telnet forwarding: The SSH Server can be configured to forward terminal sessions to a legacy Telnet server, providing SSH security to existing Telnet applications.
Flexibility: Most SSH server features can be configured individually on a per-account basis from the user-friendly Bitvise SSH Server Control Panel. Using Bitvise SSH Client, the SSH server's Control Panel can be accessed and configured through the same user-friendly interface from any remote location.
Server-side forwarding: With Bitvise SSH Server and Client, a server and multiple clients can be set up so that all port forwarding rules are configured centrally at the server, without requiring any client-side setting updates. The SSH clients only need to be configured once, and port forwarding rules can easily be changed when necessary.
Scriptable settings: Using the supplied BssCfg utility, or using PowerShell, all settings can be configured from a text file, from a script, or interactively from the command-line.
Multi-instance support: Bitvise SSH Server supports multiple simultaneous, independent installations on the same computer for customers needing completely separate instances for different groups of users. Multiple SSH server versions can run concurrently, as separate instances on the same server.
Master/slave configuration: In environments with multiple SSH server installations, one can be configured to run as master, and others can be configured to run as slaves. Slave installations can be configured to synchronize their settings, host keys, and/or password cache with the master. This feature can be used both for cluster support, and to reproduce aspects of SSH server settings on a large number of similar installations.
Delegated administration: Users of the SSH Server who do not have full administrative rights can be granted limited access to SSH Server settings, where they can add or edit virtual accounts using the remote administration interface in Bitvise SSH Client. Limited administration tasks can be delegated without requiring full administrative access.
Encryption and security features
Key exchange algorithms:
- ECDH over elliptic curves secp256k1, nistp256, nistp384, nistp521 using SHA-512, SHA-384, or SHA-256
- Diffie Hellman with group exchange using SHA-256 or SHA-1
- Diffie Hellman with fixed 4096, 3072, 2048, or 1024-bit group parameters using SHA-512, SHA-256, or SHA-1
- GSSAPI key exchange using Diffie Hellman and Kerberos authentication
Signature algorithms:
- ECDSA over elliptic curves secp256k1, nistp256, nistp384, nistp521 using SHA-512, SHA-384, or SHA-256
- RSA using 4096, 3072, 2048, 1024-bit key sizes with SHA-512, SHA-256, or SHA-1
- DSA using SHA-1 (legacy)
Encryption algorithms:
- AES with 256, 128-bit keys in GCM mode
- AES with 256, 192, 128-bit keys in CTR mode
- AES with 256, 192, 128-bit keys in CBC mode (legacy)
- 3DES in CTR or CBC mode (legacy)
Data integrity protection:
- AES with 256, 128-bit keys in GCM mode
- HMAC using SHA-256, SHA-1
Client authentication:
- Password authentication with Windows accounts - local or Active Directory
- Password authentication with virtual accounts - configurable password policy
- Public key authentication
- Kerberos single sign-on using GSSAPI
- Time-based one-time password (SSH Server versions 8.xx and newer)
Additional security features:
- Denial of service protection through throttling of incoming connections
- Login attempt delay for concurrent logins for same user or from same IP address
- Automatic temporary IP address blocking with IP whitelist
- Username blacklist
- Configurable client IP address, product version string restrictions
- Account-specific IP address restrictions
FIPS 140-2 validation
When FIPS is enabled in Windows, our software uses Windows built-in cryptography, validated by NIST to FIPS 140-2 under certificates #2937, #2606, #2357, and #1892. On Windows XP and 2003, our software uses the Crypto++ 5.3.0 FIPS DLL, originally validated by NIST under certificate #819 (historical). When FIPS mode is not enabled, additional non-FIPS algorithms are supported.