Windows 10 Anniversary Update now officially includes Windows Subsystem for Linux (WSL). When you enable and install WSL, you can open a Bash shell and directly use native command-line tools from Ubuntu Linux.

However, WSL can only be used from its dedicated console window; you cannot use other terminal emulators such as Token2Shell/MD for interactively using the Bash shell.

The following describes a workaround for using WSL from Token2Shell/MD. However, once you have finished setting up WSL as described below, you can in fact use any terminal emulator (ex. PuTTY) with WSL.

0 Overview

This workaround uses the OpenSSH server executable (/usr/sbin/sshd) already installed with WSL. We’ll be configuring it to accept incoming connections only from the loopback network address "" or "localhost".

OpenSSH server running on WSL cannot be connected from other devices even if you configure it to accept any connection (such usage is never intended for WSL thus probably won’t be supported any time soon). However, the following procedure explicitly limits incoming connections and improves the security.

1 Start WSL

Tap "Bash on Ubuntu on Windows" app shortcut.

2 Generate OpenSSH server host keys

WSL already includes an OpenSSH server package. However, you first need to generate its host keys before you can run the server. For generating new host keys, use the following command:

sudo dpkg-reconfigure openssh-server

Host keys are used for identifying the server to the connected client and setting up a secure encrypted connection between the two. OpenSSH supports and prepares various types of host keys (RSA, ECDSA and etc.) but only one will be selected and used for the connection according to client’s preference settings.

3 Edit /etc/ssh/sshd_config

When OpenSSH server starts, it reads /etc/ssh/sshd_config file and configures its settings. You need to make the following changes to the file:

Port 22 Port 2222
22 is the default port number for SSH servers, however, your computer may already have an SSH server running. In order to avoid any conflict, we’re using 2222 in this workaround. But a port number can be any number from 1 to 65535 (
(not present in the default sshd_config file) AddressFamily inet
A reference to this option is not found in the default sshd_config file. But adding this option with "inet" configures OpenSSH to use only IPv4 addresses; further ensures that the server can only be connected by using the loopback network address "". This option must appear before the "ListenAddress" option.
#ListenAddress ListenAddress
The default setting allows any incoming connection. Changing this to "" only accepts connections targeted for "".
UsePrivilegeSeparation yes UsePrivilegeSeparation no
When "UsePrivilegeSeparation" is set to "yes", OpenSSH uses a different user account while authenticating the connected user and then change back to the real user account once verified. However, WSL currently doesn’t support the API’s need for such additional security measures. Also, since only the loopback network address is used for this workaround, this option can be safely ignored.
PasswordAuthentication no PasswordAuthentication yes
Only "public-key" user authentication method is enabled initially. Although Token2Shell/MD supports the "public-key" method, enabling and using the "password" authentication method is simpler. Since our setup only allows "localhost" connections, using this method doesn’t really have any impact on security either.

4 Start OpenSSH server

Once you’ve finished changing the sshd_config file, start the server:

sudo /usr/sbin/sshd

• Auto starting OpenSSH server

Although OpenSSH server is automatically terminated when you close the last instance of the Bash shell window, it isn’t automatically started when the first Bash shell window is opened. Opening a Bash shell window works more like opening a terminal window rather than starting a server OS. Thus you cannot use the traditional way of adding the OpenSSH server path to an Ubuntu OS startup file. We recommend modifying the ".bashrc" file in the home folder of your login account.

The following shows an example of a script snippet that can be added to the start of your .bashrc file:

# Check if "/usr/sbin/sshd" isn't already running
if [ -z "$(pgrep -fu root /usr/sbin/sshd)" ]; then
    echo "Starting SSH server:"
    ssh –V                 # Displays the currently installed version of SSH
    sudo /usr/sbin/sshd    # Starts sshd server
    ps -ef                 # /usr/sbin/sshd should be in the snapshot of the current processes

Please note that WSL isn’t intended for running Linux "server" executables as Windows services. Hence, although there are workarounds for forcing the OpenSSH server to run as a Windows background service, we don’t recommend running it as such. It may cause various security and/or stability issues.

5 Connect from Token2Shell/MD

Before you can connect to localhost from Token2Shell/MD, you first need to use Windows 10 built-in command line tool "CheckNetIsolation.exe" and allow Token2Shell/MD for accessing the loopback network interface.

CheckNetIsolation LoopbackExempt -a -n=58486choungnetworks.token2shellmd_wdbh2zj61pq3j

For your information, when you first install any Windows Store app, it cannot connect to loopback network interface (ex. localhost). It must be explicitly added to the Windows loopback exempt list by using the "CheckNetIsolation.exe" command.

You can now connect to your WSL Bash shell from Token2Shell/MD. You just need to open a new terminal window and connect to "localhost" at the port number 2222 in SSH using the user ID and the password you’ve already setup for WSL Bash shell. For example, if your user ID for WSL Bash shell is "luca", enter "ssh://luca@localhost:2222" in "Quick Connect" popup window and tap "Connect".

Token2Shell/MD has "Login Agent" feature that can remember the password you used for SSH login. So once you logged into WSL Bash shell and entered your password, you don’t have to enter it again for additional terminal windows.

If you want to skip the password entering step all together, you can create an address book entry for your WSL Bash shell. Token2Shell/MD supports the "public-key" user authentication as well as storing your password for auto login.

If you’re using "ssh-agent" for automatic user authentication with private keys, you don’t have to setup anything on WSL Bash shell. You simply need to import your private keys to Token2Shell/MD and enable its "Login Agent" » "SSH Agent Forwarding" option before connecting to WSL Bash shell.