Bitvise SSH Server: Secure file transfer and terminal shell access for Windows

Screenshots

Our SSH server supports all desktop and server versions of Windows, 32-bit and 64-bit, from Windows XP SP3 and Windows Server 2003, up to the most recent – Windows 11 and Windows Server 2022.

Bitvise SSH Server includes the following:

  • SFTP server: Secure file transfer using SFTP - compatible with a wide variety of clients
  • SCP server: Secure file transfer using SCP - compatible with command line and graphical clients
  • FTPS server: Secure file transfer using FTP over TLS/SSL - compatible with secure FTPS clients
  • SSH server: Secure remote access via console - vt100, xterm and bvterm are supported
  • Secure remote access via GUI - Remote Desktop or WinVNC required
  • Secure, effortless Git integration
  • Secure TCP/IP connection tunneling (port forwarding)

You can try out Bitvise SSH Server risk-free. To begin, simply download the installation executable - you will find the download links on our download page. After installing, you are free to evaluate Bitvise SSH Server for up to 30 days. If you then decide to continue using it, purchase a license.

When the personal edition is chosen during installation, Bitvise SSH Server can be used free of charge by non-commercial personal users.

Bitvise software does not contain ads, install product bundles or collect user data for sale. We are 100% supported by users who license our software. Thank you!

Professional SSH server

We continue to invest considerable effort to create the best SSH software we can. These are some of the features that make Bitvise SSH Server special:

  • Ease of use: Bitvise SSH Server is designed for Windows, so that it is easy to install and configure. In a regular Windows environment, it will work immediately upon installation with no configuring. (We do however recommend tightening down settings to restrict access only to those accounts and features that you use.)

  • Encryption and security: Provides state-of-the-art encryption and security measures suitable as part of a standards-compliant solution meeting the requirements of PCI, HIPAA, or FIPS 140-2 validation.

  • FTPS support: Can handle file transfer connections using FTP over TLS (SSL) in addition to SFTP and SCP over SSH. See compatible clients.

  • Unlimited connections: Bitvise SSH Server imposes no limits on the number of users you can configure, and gets no more expensive for larger servers. The number of simultaneous connections is limited only by system resources.

  • Two-factor authentication: Connections using SSH, SFTP and SCP clients can require an additional time-based one-time password. Compatible with RFC 6238 authenticator apps, including Microsoft Authenticator, Google Authenticator, LastPass, Authy, WinAuth, or FreeOTP.

  • Windows groups: Bitvise SSH Server natively supports configurability through Windows groups. No need to define account settings for each Windows account individually. The SSH server knows what groups a user is in and, if configured, will use appropriate Windows group settings. Virtual filesystem mount points can be inherited from multiple groups.

  • Quotas and statistics: The SSH Server can be configured with per-user and per-group quotas and bandwidth limits, and keeps a record of daily, monthly, and annual usage statistics.

  • Speed: SFTP transfer speed mostly depends on the client, but Bitvise SSH Server allows clients to obtain some of the fastest transfer speeds available. With Bitvise SSH Client, SFTP file transfer speeds in the tens or hundreds of MB/s can be obtained. SFTP v6 optimizations, including copy-file and check-file for remote file hashing and checksums, are supported.

  • Virtual filesystem: File transfer clients can be restricted to a single directory, or several directories in a complex layout. Terminal shell clients can be restricted to the same virtual filesystem by setting their Shell access type to BvShell.

  • Large files: The SSH Server supports files of any size that are supported by the filesystem you configure to store files and the client software you are using to connect. Windows filesystems have these maximum file sizes.

  • Windows session cache: Multiple connections for the same user, either concurrent or consecutive, can use the same Windows session. This can greatly improve reliability for clients that make frequent connections that access network shares.

  • Encrypted volumes: Clients can access files which are encrypted at rest by the SSH Server. Concurrent users can access virtual filesystem mount points backed by encrypted volumes. A volume is encrypted with a key configured in SSH Server settings.

  • SFTP jump server: Users can access virtual filesystem mount points backed by a remote SFTP server to which the SSH Server connects on the user's behalf.

  • Tasks: The SSH Server can run commands periodically, or triggered by configurable conditions based on recorded log events.

  • Email notifications: The SSH Server can send email notifications triggered by configurable conditions based on recorded log events.

  • Git integration: Set an account's shell access type to Git access only, and configure the path to your Git binaries and repositories. The account can now securely access Git, without being given unnecessary access to the system.

  • Obfuscated SSH with an optional keyword. When supported and enabled in both the client and server, obfuscation makes it more difficult for an observer to detect that the protocol being used is SSH. (Protocol; OpenSSH patches)

  • Single sign-on: Bitvise SSH Server supports Kerberos 5 user authentication and key exchange via GSSAPI. Using Bitvise SSH Client or other compatible client, any user in a trusted Windows domain can log into the SSH Server without having to re-enter their password, or verify the server's host key fingerprint. Use the SSH Server's Windows group settings to manage access without configuring accounts for each user.

  • Virtual accounts: want to set up an SFTP server with many users, but don't want to create and manage 1000 Windows accounts? No problem. Bitvise SSH Server supports virtual accounts, created in SSH server settings, backed by the identity of one or more Windows accounts. SSH server settings for these accounts are also configurable on a virtual group basis.

  • Bandwidth limits: Separate upload and download speed limits can be configured for each user and group.

  • Excellent terminal support: Bitvise SSH Server provides the best terminal support available on the Windows platform. Our terminal subsystem employs sophisticated techniques to render output accurately like no other Windows SSH server. When used with Bitvise SSH Client, our bvterm protocol supports the full spectrum of a Windows console's features: colors, Unicode characters, and large scrollable buffers.

  • BvShell: Users whose filesystem access should be restricted to specific directories can have their Shell access type configured to BvShell. Similar to chroot, this provides access to a limited terminal shell which can allow for more powerful access than a file transfer client, but still restricts the user to root directories configured for them.

  • Telnet forwarding: The SSH Server can be configured to forward terminal sessions to a legacy Telnet server, providing SSH security to existing Telnet applications.

  • Flexibility: most SSH server features can be configured individually on a per-account basis from the user-friendly Bitvise SSH Server Control Panel. Using Bitvise SSH Client, the SSH server's Control Panel can be accessed and configured through the same user-friendly interface from any remote location.

  • Server-side forwarding: with Bitvise SSH Server and Client, a server and multiple clients can be set up so that all port forwarding rules are configured centrally at the server, without requiring any client-side setting updates. The SSH clients only need to be configured once, and port forwarding rules can easily be changed when necessary.

  • Scriptable settings: Using the supplied BssCfg utility, or using PowerShell, all settings can be configured from a text file, from a script, or interactively from the command-line.

  • Multi-instance support: Bitvise SSH Server supports multiple simultaneous, independent installations on the same computer for customers needing completely separate instances for different groups of users. Multiple SSH server versions can run concurrently, as separate instances on the same server.

  • Master/follower configuration: In environments with multiple SSH server installations, one can be configured to run as master, and others can be configured to run as followers. Follower installations can be configured to synchronize their settings, host keys, and/or password cache with the master. This feature can be used both for cluster support, and to reproduce aspects of SSH server settings on a large number of similar installations.

  • Delegated administration: Users can be granted limited access to SSH Server settings, where they can add or edit virtual accounts using the remote administration interface in Bitvise SSH Client. Limited administration tasks can be delegated without requiring full administrative access.

Windows version compatibility

Bitvise SSH Server supports the following Windows versions:

  • Windows Server 2022
  • Windows 11
  • Windows Server 2019
  • Windows Server 2016
  • Windows 10
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows 8.1
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Vista SP1 or SP2
  • Windows Server 2003 R2
  • Windows Server 2003
  • Windows XP SP3

A recent Bitvise SSH Server version should be used on all platforms. The SSH Server is network-facing, security-sensitive software. Using a recent version is the only way to receive updates. Therefore, we do not recommend indefinite use of older versions.

Encryption and security features

SSH, SFTP and SCP:

  • Key exchange algorithms:

    • Curve25519
    • ECDH over elliptic curves secp256k1, nistp256, nistp384, nistp521 using SHA-512, SHA-384, or SHA-256
    • Diffie Hellman with group exchange using SHA-256
    • Diffie Hellman with fixed 4096, 3072, or 2048-bit group parameters using SHA-512 or SHA-256
    • Diffie Hellman with 1024-bit group parameters or using SHA-1 (legacy)
    • GSSAPI key exchange using Diffie Hellman and Kerberos authentication
  • Signature algorithms:

    • Ed25519
    • ECDSA over elliptic curves secp256k1, nistp256, nistp384, nistp521 using SHA-512, SHA-384, or SHA-256
    • RSA using 4096, 3072, or 2048-bit key sizes with SHA-512 or SHA-256
    • RSA using 1024-bit keys or with SHA-1 (legacy)
    • DSA using SHA-1 (legacy)
  • Encryption algorithms:

    • ChaCha20 with 512-bit keys with Poly1305
    • AES with 256, 128-bit keys in GCM mode
    • AES with 256, 192, 128-bit keys in CTR mode
    • AES with 256, 192, 128-bit keys in CBC mode (legacy)
    • 3DES in CTR or CBC mode (legacy)
  • Data integrity protection:

    • ChaCha20 with 512-bit keys with Poly1305
    • AES with 256, 128-bit keys in GCM mode
    • HMAC using SHA-256 or SHA-512, in encrypt-then-MAC mode
    • HMAC using SHA-256 or SHA-512 (classic)
    • HMAC using SHA-1 (legacy)
  • Server authentication:

    • Client verifies server identity using server host key fingerprint or public key
    • Automatic synchronization of new host keys to client supported
  • Client authentication:

    • Password authentication with Windows accounts - local or Active Directory
    • Password authentication with virtual accounts - configurable password policy
    • Password change during password authentication
    • Public key authentication
    • Kerberos single sign-on using GSSAPI
    • Two-factor authentication with a time-based one-time password

FTP over TLS (SSL):

  • TLS security:

    • Available TLS versions and cipher suites depend on the installed version of Windows
    • TLS versions 1.0, 1.1 and 1.2 can be enabled individually in Advanced settings
    • ECDHE, RSA and DHE cipher suite families can be enabled individually
  • Authentication:

    • Can use self-signed or CA-signed server certificate
    • Password authentication with Windows accounts - local or Active Directory
    • Password authentication with virtual accounts - configurable password policy
  • Requires secure clients:

    • Only secure FTPS is supported - plaintext FTP connections are not accepted
    • FTPS clients must support explicit TLS using the AUTH TLS command
    • FTPS clients must support passive mode and use the TLS resume feature for data connections

Additional security features:

  • Denial of service protection through throttling of incoming connections
  • Login attempt delay for concurrent logins for same user or from same IP address
  • Automatic temporary IP address blocking with IP whitelist
  • Username blacklist
  • Configurable client IP address, product version string restrictions
  • Account-specific IP address restrictions
  • IP-based access rules configurable by country

FIPS 140-2 validation

When FIPS is enabled in Windows, our software uses Windows built-in cryptography, validated by NIST to FIPS 140-2 under certificates #2937, #2606, #2357, and #1892. On Windows XP and 2003, our software uses the Crypto++ 5.3.0 FIPS DLL, originally validated by NIST under certificate #819 (historical). When FIPS mode is not enabled, additional non-FIPS algorithms are supported.

Cryptographic implementations and availability

Current Bitvise software versions (9.12 and higher) use the following cryptographic implementations for different algorithms, on different versions of Windows:


Algorithm
Windows XP,
Server 2003
Windows Vista to 8.1,
Server 2008 to 2012 R2
Windows 10, 11,
Server 2016 to 2022
Signature
RSA Crypto++ 5.3 Windows CNG Windows CNG
Ed25519 n/a DJB DJB
ECDSA (NIST curves) Crypto++ 5.3 Windows CNG Windows CNG
ECDSA/secp256k1 Crypto++ 5.3 OpenSSL Windows CNG
1024-bit DSA Crypto++ 5.3 Windows CNG Windows CNG
Non-standard DSA Crypto++ 5.3 Crypto++ 5.6 Crypto++ 5.6
Key exchange
Classic DH Crypto++ 5.3 Windows CNG Windows CNG
Curve25519 n/a DJB DJB
ECDH (NIST curves) Crypto++ 5.3 Windows CNG Windows CNG
ECDH/secp256k1 Crypto++ 5.3 OpenSSL Windows CNG
Encryption
AES Crypto++ 5.3 Windows CNG Windows CNG
ChaCha20 n/a OpenSSL OpenSSL
3DES Crypto++ 5.3 Windows CNG Windows CNG
Integrity
GCM n/a Windows CNG Windows CNG
Poly1305 n/a OpenSSL OpenSSL
HMAC-SHA2 Crypto++ 5.3 Windows CNG Windows CNG
HMAC-SHA1 Crypto++ 5.3 Windows CNG Windows CNG

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)

This product includes cryptographic software written by Eric Young ([email protected]).