Copssh FAQs

Copssh stops to work after a Windows update

The problem can be related to address changes of Windows DLLs after a Windows update operation. That behaviour may create collisions for more static Cygwin DLLs, especially in a 32-bit environment. We suggest to reboot the system as a first measure. You may need to install Copssh again by using our recipe which allows to keep an existing configuration intact. Consider to install the 64-bit version (available only in the product edition) if the problem still persists.

How can I protect Copssh against brute force attacks ?

You can use our Win2ban which is a Fail2ban implementation for Windows with Elastic Winlogbeat as the eventlog shipper. Check the related Win2ban FAQ for details: How can I configure Win2ban for brute force attacks against Copssh ?

How can I activate syslog for ssh/sftp logging !


 By default, Copssh uses Windows event log for ssh logging. Sftp logging for isolated home sftp directories doesn't work as expected however. Follow steps below to activate a syslog based logging which works for both ssh and sftp logging:

  • Run the installer appropriate for your installation (x86/32-bit, x64/64-bit). It will automatically update your Copssh installation by installing a syslog service.
  • Start SyslogServer service (it will create the socket /dev/log for syslog operations)
  • Make sure that both ssh and sftp logging are set to eventlog via Copssh Control Panel
  • Restart the service via Copssh Control Panel
  • Default syslog configuration sends all log messages to /var/log/messages. Syslog configuration file is located at /etc.

Connection fails with "no matching cipher found" message


The problem may be related to the potentially incompatible changes introduced in OpenSSH 6.7  (included in Copssh 5 and higher) to remove unsafe algorithms.

If you run Copssh 5.8.1 or higher, you can update the configuration via GUI:

Copssh Control Panel - Configuration - Advanced - Ciphers

  • Alternatively, you can add following line to the section of the configuration file control/bin/copsshcp.config before starting Copssh Control Panel:


  • Restart the service via Copssh Control Panel

Connection fails with "Fatal: Unable to negotiate a key exchange method" message


The problem may be related to the potentially incompatible changes introduced in OpenSSH 6.7 (included in Copssh 5 and higher) to remove unsafe algorithms.

If you run Copssh 5.8.1 or higher, you can update the configuration via GUI:

Copssh Control Panel - Configuration - Advanced - KexAlgorithms

  • Alternatively, you can add following line to the section of the configuration file control/bin/copsshcp.config before starting Copssh Control Panel:


  • Restart the service via Copssh Control Panel

How can I make a clean install without losing the existing setup ?


 In some situations, it may be necessary to make a clean install to make an upgrade work. You can do it by following steps below:

  • Backup your host keys in etc directory (etc/ssh_host*)
  • Uninstall the existing version of Copssh
  • Remove remnants of the installation directory except home directories if they exist
  • Make sure that the service account and the sshd account are removed
  • Install new Copssh
  • Restore host keys back to etc directory
  • Start Copssh Control Panel and verify that the service is running
  • Activate your users again and specify their existing home directories as the home directory during the activation

Which user privileges are required by a Copssh service account ?

Copssh versions 7 and higher use local system account as the service account and no further adjustments are necessary. However, you may still prefer to use a dedicated service account (domain account for example). Make sure that the service account is member of local  Administrators group and have following user rights:





Tools to set user rights: Domain Group Policy Management for domain members, Local Security Policy (secpol.msc) for local computers

I can't login as an ordinary user !

**NB: This FAQ doesn't apply to Copssh 4.3.1 and up as they handle the problem automatically. You may still need to fix it on DCs for example.

By default, normal users are not allowed to log on locally on domain controllers. Same restrictions may also apply for other Windows systems . User right Allow log on locally needs to be delegated for proper login.

One-time procedure:

  1. Create a security group for COPSSH users.
  2. Add your group to the list of authorized credentials for the required user right:

Administrative Tools--> Domain Controller Security Policy for domain controllers or Local Security Policy for other Windows systems) --> Local Policies--> User Rights Assignment--> Allow Log on locally

For every ordinary copssh user:

  1. Make the user a member of the group mentioned above.
  2. Activate user in Copssh control panel

I want to use my own PKA key pair instead of the one generated by copssh!

  •  Activate a user via Copssh control panel
  • Import your public key via Control Panel (your public key must have three fields - key type, key itself and a comment):
  • Copssh Control Panel - User - Keys - Import

Copssh Control Panel - User - Keys - Import

  •  Your Copssh server is ready to accept PKA based on your keys.

How do I access files/drives/resources outside the Copssh root directory?

  1. Start a bash shell, locally or remotely
  2. Change to the user's home directory if it is not already done
  3. Link a directory or network share to a local name by using ln command


ln -s "/cygdrive/d/pub/" "pub"

 creates a link from D:\pub to pub in the user's home directory.

 ln -s "//myserver/netdata" "netdata"

 creates a link from \\myserver\netdata to netdata in the user's home directory.

Now, the user can use pub and netdata to access D:\pub and/or \\myserver\netdata respectively.

Can I change the location of home directories ?

Copssh Control Panel User activation wizard allows you to specify a home directory of your own choice:

 Copssh Control Panel - User Activation Wizard - Home directory


I want to set up ssh communication without passwords !!

 Activate a user and create a PKA key pair with empty passphrase via Copssh control panel:

Copssh Control Panel - User - Keys

 Copssh Control Panel - Users - Keys

  • You can take your private key with you and initiate passwordless connections from other machines. An example to start ssh shell:

ssh -i privatekey user@copssh_host


NB! Your private key is NOT protected by a passphrase and can be used by anyone. Keep it safe!

How can I limit users' access to their home directories only ?

  • Activate a user and select access type Sftp via Copssh control panel. Access type Sftp instructs Control Panel to make required arrangements for a chrooted environment.
  • Activation of a new user with access type SFTP:

Copssh Control Panel - User Activation Wizard - Access Type - Sftp

  • Change access type of an already activated user to SFTP (You may need to restart the service in some occasions)

 User Activation Wizard - Users -Access Type - SFTP

I can't install copssh on a localized version of windows !

**UPDATED** Copssh Control Panel introduced in version 4 has solved that problem. Previous Copssh versions and copsshadm command line tool still have that problem.

This is a known error related to the localized names of the groups administrators and users. There is no solution yet. However, You can use the workaround below:

  •  Rename localized equivalents of the groups administrators and users to something readable in latin (can be done via Administrative Tools->Computer Management->Local Users and Groups for example)
  • Run copssh installer
  • Rename the groups above back to their original values.

How can I run Openssh daemon in debug mode ?

Sometimes it may be necessary to see directly how the openssh daemon reacts to startup or connection requests, to be able to locate daemon-related problems. 


  • Stop Openssh SSHD (system name:OpenSSHServer) service
  • Right click Start a Unix Bash Shell from Copssh start menu (assuming that you have admin privileges)
  • Enter the following command from the bash prompt:

/bin/sshd -p <listening port> -D -d -e

This will start openssh daemon in standalone debug mode and messages will be displayed on the screen. You may specify up to three -d for increased output verbosity.

  • Try to initate a putty session and watch messages at the server side.

How to make copssh service dependent on other services ?

 Dependent on software or configuration issues on your PC, copssh service may sometimes not start properly. The problem can be a service, a device helper, anti virus, firewall and so on, interferencing operations of the copssh service.

 A possible solution is to delay the service startup until the problem services are started successfully. You can use the procedure below to make copssh service dependent on MyService:


  • Create the following REG_MULTI_SZ value in the registry if it doesn't exist before:


  • Add MyService to the registry value created above. It is possible to specify multiple entries separated by space.
  • Restart your PC.

How do I improve the security of Copssh ?

Some recommendations (not all of them can be applicable in your case, no sorting by importance):


Recommendation Benefits/Side effects How
Change port 22 to something non-standard Reduces your vulnerability surface dramatically by taking a well-known parameter out of equation, not applicable if you have a general purpose server. Security by obscurity ? Yes. However, there are many script kiddies out there bombing port 22 wherever they find. Conf.file etc\sshd_config: port
Reduce the maximum number of concurrent unauthenticated con-
Reduces your vulnerability surface by allowing a smaller number of potentialy dangerous attacks simultaneously. Conf.file etc\sshd_config: MaxStartups (default 10)
Turn off authentication by password. Use public key authentication instead. Eliminates the most widely used technique of potential attacks: cracking passwords.

Conf.file etc\sshd_config: PasswordAuthentication no

(default yes)

Restrict access by host Use your firewall setting to limit hosts authorized for access


Restrict access by user/group  

Conf.file etc\sshd_config:


Why is it called copssh?

I am fond of fancy and short names :-))


Cygwin + OPENSSH is a qualified guess !!


Hi, I've misplaced my license key for CopSSH 7.1. How can I get a new key?