Setting up OpenSSH for Windows using public key authentication

Backend · unresolved · 8 answers · 943 views
忘掉有多难 2020-12-07 09:06

I am having issues setting up OpenSSH for Windows, using public key authentication.

I have this working on my local desktop and can ssh with a key from Unix machines

8 answers
  • 2020-12-07 09:22

    I've thoroughly tested n0rd's solution on multiple Windows Pro 1809 and 2004 computers. I concur with most of his steps.

    Server setup (elevated PowerShell): Agree with all.

    Client setup (non-elevated PowerShell): Agree with all.

    Server setup continued (non-elevated PowerShell): Steps 1,2,3: Agree

    Server setup continued (non-elevated PowerShell): Step 4: Do NOT perform anything in step 4.

    Server setup continued (non-elevated PowerShell): Step 5: Agree

    Server setup continued (non-elevated PowerShell): Step 6: (added) Uncomment (remove #) from C:\ProgramData\ssh\sshd_config: #PasswordAuthentication yes

    Server setup continued (non-elevated PowerShell): Step 7: (added) In Services, restart OpenSSH SSH Server.

    I did not find any issues, with any file, regarding security, permissions or Unicode. They were all correct out of the box.

    0 Discussion (0)
  • 2020-12-07 09:25

    One more tip, if you are stuck, is to run sshd in debug mode. I did this:

    1. Stop the sshd service
    2. Open a PowerShell console with administrator privileges
    3. Type 'sshd -d'
    4. Log in from my client machine

    It turns out the key needs to be in e.g. C:\ProgramData\ssh\administrators_authorized_keys instead of C:\Users\yourUser\.ssh\authorized_keys.

    0 Discussion (0)
  • 2020-12-07 09:26

    Use this sequence of commands in PowerShell to correct permission of administrators_authorized_keys

    # Read the current ACL of the administrators key file
    $acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys
    # Stop inheriting from C:\ProgramData\ssh and drop the inherited entries (do not convert them)
    $acl.SetAccessRuleProtection($true, $false)
    # The only two principals sshd accepts on this file
    $administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule("Administrators","FullControl","Allow")
    $systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
    # SetAccessRule replaces any existing entry for the same identity
    $acl.SetAccessRule($administratorsRule)
    $acl.SetAccessRule($systemRule)
    # Write the modified ACL back to the file
    $acl | Set-Acl

    Only SYSTEM and the Administrators group must have permission on the file, with no inherited entries.

    0 Discussion (0)
  • 2020-12-07 09:29

    Following are setup steps for OpenSSH shipped with Windows 10 v.1803 (April 2018 update. See comments to this post, it might not work with 1809).

    Server setup (elevated powershell):

    1. Install OpenSSH server: Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0.

    2. Start agent and sshd services: Start-Service ssh-agent; Start-Service sshd (this will generate host keys and default configuration automatically in $env:ProgramData\ssh).

    3. [Optional] Install OpenSSHUtils powershell module: Install-Module -Force OpenSSHUtils

    Client setup (non-elevated powershell):

    1. Generate user key: cd $env:USERPROFILE\.ssh; ssh-keygen.exe, follow prompts, agree to the default suggested file location. This will create 2 files: id_rsa and id_rsa.pub;

    2. [Optional] add key to authentication agent, so you don't have to enter password each time you use it: ssh-add .\id_rsa (or whatever file was generated);

    Server setup continued (non-elevated powershell):

    1. Log in as a user, for which public key auth to be used
    2. cd $env:USERPROFILE; mkdir .ssh; cd .ssh; New-Item authorized_keys;
    3. Paste the contents of the id_rsa.pub file from the client to the .ssh\authorized_keys file from the previous step.
    4. Setup permissions properly (important!!!):
      1. Run start . to open explorer with the current folder ($env:USERPROFILE\.ssh);
      2. Right click authorized_keys, go to Properties -> Security -> Advanced
      3. Click "Disable inheritance";
      4. Choose "Convert inherited permissions into explicit permissions on this object" when prompted;
      5. (really, really important) Remove all permissions on file except for the SYSTEM and yourself. There must be exactly two permission entries on the file. (Some guides suggest running Repair-AuthorizedKeyPermission $env:USERPROFILE\.ssh\authorized_keys - this will try to add the sshd user to the permission list and it will break the authentication, so don't do that, or at least do not agree to adding the sshd user.) Both SYSTEM and yourself should have full control over the file.
    5. If your Windows build is 1809 or later, it is required to comment out the following lines in C:\ProgramData\ssh\sshd_config file. Then restart the sshd service.
      # Match Group administrators
      #       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

    Client:

    1. Run ssh <serverusername>@<serverhostname>. It should work at this point.

    Tried that with Windows 10 as server and both itself and a Debian Linux as a client.

    0 Discussion (0)
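    The scripted equivalent of n0rd's step 4 above (SYSTEM plus the user, nothing else, inheritance off) and of the administrators_authorized_keys permission fix in the earlier answer, followed by a check that reports any entry sshd would not accept. This is an added example and not code from any answer in this thread or from OpenSSH; the function names Set-AuthorizedKeysAcl and Test-AuthorizedKeysAcl and their parameters are my own, and it assumes the in-box Windows OpenSSH server and PowerShell 5.1 or later (the administrators file requires an elevated shell).

```powershell
# Added example, not from the thread: script the "permissions properly" step for
# authorized_keys and administrators_authorized_keys and verify the result.
# Function and parameter names are hypothetical (not OpenSSH or OpenSSHUtils).

function Set-AuthorizedKeysAcl {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # Principals that keep an entry; every other entry is removed.
        [Parameter(Mandatory)] [string[]] $AllowedPrincipals
    )
    $acl = Get-Acl -Path $Path
    # Disable inheritance and discard the inherited entries rather than converting them
    $acl.SetAccessRuleProtection($true, $false)
    # Remove whatever explicit entries remain so the file ends up with exactly the allowed set
    foreach ($rule in @($acl.Access)) {
        [void] $acl.RemoveAccessRule($rule)
    }
    foreach ($principal in $AllowedPrincipals) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $principal, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-AuthorizedKeysAcl {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedPrincipals
    )
    $acl = Get-Acl -Path $Path
    $problems = @()
    if (-not $acl.AreAccessRulesProtected) {
        $problems += 'inheritance is still enabled'
    }
    # Compare by SID so "Administrators" and "BUILTIN\Administrators" match
    $allowedSids = foreach ($p in $AllowedPrincipals) {
        ([System.Security.Principal.NTAccount]$p).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    }
    foreach ($rule in $acl.Access) {
        $sid = $rule.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($allowedSids -notcontains $sid) {
            $problems += "unexpected entry: $($rule.IdentityReference) ($($rule.FileSystemRights))"
        }
    }
    [pscustomobject]@{ Path = $Path; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Per-user file (n0rd's step 4): SYSTEM and the account itself only.
# DOMAIN\user works for both local accounts (domain = computer name) and domain accounts.
$me       = "$env:USERDOMAIN\$env:USERNAME"
$userKeys = Join-Path $env:USERPROFILE '.ssh\authorized_keys'
Set-AuthorizedKeysAcl  -Path $userKeys -AllowedPrincipals 'SYSTEM', $me
Test-AuthorizedKeysAcl -Path $userKeys -AllowedPrincipals 'SYSTEM', $me

# Administrators file used on 1809 and later (elevated shell): SYSTEM and Administrators only.
$adminKeys = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
if (Test-Path $adminKeys) {
    Set-AuthorizedKeysAcl  -Path $adminKeys -AllowedPrincipals 'SYSTEM', 'Administrators'
    Test-AuthorizedKeysAcl -Path $adminKeys -AllowedPrincipals 'SYSTEM', 'Administrators'
}
```

    Run Test-AuthorizedKeysAcl on its own before changing anything if you only want to see why sshd rejects the file; a non-empty Problems list (an inherited ACE, or an entry for Authenticated Users or the sshd account) is the usual cause of "permission denied" on an otherwise correct key.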
  • 2020-12-07 09:30

    If you are using mls-software.com's version of OpenSSH here is another note.

    If you install using the SSHD_SERVER account and privilege separation you will be able to use public key authentication (per http://www.mls-software.com/opensshd-pki.html). However, if UAC is enabled you will not be successful with the install. The user(s) will not be created properly and the service will not be created. Manually trying to get these items up after the fact is very difficult. Simply disabling UAC before installation will allow the installation process to properly create the user(s) and the service. After installation you can re-enable UAC.

    When I created the SSHD_SERVER account manually, authentication succeeded when using password authentication but the client terminated the connection with "/bin/bash: Operation not permitted". Authentication with public keys was closed by the server (original error posted by Cambolie).

    0 Discussion (0)
  • 2020-12-07 09:32

    I have solved the issue...

    It is related to the account that started the service - it was using the Local System account - this was stopping it accessing the public key and authorized_keys file.

    Once I stopped the service and started as the user I was trying to connect into, it worked!

    So basically, you need to start with a service account and then external users connect in as that user.

    0 Discussion (0)