Setting SSH keys on Windows 10 OpenSSH server
Solution 1
You seem to mix server host keys and your account public keys.
Server host keys are generated by Win32-OpenSSH in %PROGRAMDATA%/ssh on its first start. They are also given correct permissions, no need to modify them. These are the keys you see loaded as "private host key" in your log. That also indicates they have the correct permissions (otherwise they won't load).
Your account public keys go to %USERPROFILE%/.ssh/authorized_keys. That file must have write access only for the account to which they belong.
The authorized_keys file should contain the public key part of your account key pair. That's in no way related to the .pub files from %PROGRAMDATA%/ssh.
A comment in the authorized_keys file does not matter at all.
Keys from the authorized_keys file are not loaded when the server starts. They are loaded only when you try to log in.
See also my guides to:
Solution 2
Note that if you are setting up keys for an administrator user, putting the public key to %USERPROFILE%/.ssh/authorized_keys will not work. You must append the public key to %PROGRAMDATA%/ssh/administrators_authorized_keys instead.
And you have to set the permissions with this script, run in an elevated (admin) PowerShell:
# Read the current ACL of the administrators' key file
$acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys
# Disable inheritance and drop the inherited entries, so only the rules set below remain
$acl.SetAccessRuleProtection($true, $false)
# Only the Administrators group and SYSTEM may access the file
$administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule("Administrators","FullControl","Allow")
$systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
$acl.SetAccessRule($administratorsRule)
$acl.SetAccessRule($systemRule)
# Write the modified ACL back to the file
$acl | Set-Acl
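The check that goes with both answers, as an added example that is not part of either answer: it reads the ACL of an authorized_keys file and reports inheritance or write access for identities other than the ones the answers allow (Administrators and SYSTEM for the administrators file; additionally the owning account for a per-user file). It uses well-known SIDs rather than group names, so it also works on localized Windows; the function name and its parameters are this example's own.

```powershell
# Added example, not code from the answers above: audit the ACL of an OpenSSH
# authorized_keys file and report entries the answers say must not be present.
# Well-known SIDs are used instead of localized group names, because the
# display name of "Administrators" differs per Windows language.
function Test-AuthorizedKeysAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Set for %PROGRAMDATA%\ssh\administrators_authorized_keys: only
        # Administrators and SYSTEM may hold write access. For a per-user
        # file the owning account is allowed as well.
        [switch]$AdministratorsFile,
        [string]$Owner = "$env:USERDOMAIN\$env:USERNAME"
    )
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $expected = @('S-1-5-32-544', 'S-1-5-18')   # BUILTIN\Administrators, NT AUTHORITY\SYSTEM
    if (-not $AdministratorsFile) {
        $expected += ([System.Security.Principal.NTAccount]$Owner).Translate($sidType).Value
    }
    # Rights that let a principal alter the file or its ACL; read-only ACEs are tolerated.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

    $acl = Get-Acl -Path $Path
    $findings = @()
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'inheritance enabled: entries from the parent folder apply (SetAccessRuleProtection($true,$false) disables it)'
    }
    foreach ($rule in $acl.Access) {
        $sid      = $rule.IdentityReference.Translate($sidType).Value
        $canWrite = ([int]($rule.FileSystemRights -band $writeMask)) -ne 0
        if ($rule.AccessControlType -eq 'Allow' -and $canWrite -and $expected -notcontains $sid) {
            $findings += ('{0} has write access ({1})' -f $rule.IdentityReference, $rule.FileSystemRights)
        }
    }
    return $findings
}

# Usage: an empty result means the file matches what the answers describe.
Test-AuthorizedKeysAcl -Path (Join-Path $env:ProgramData 'ssh\administrators_authorized_keys') -AdministratorsFile
Test-AuthorizedKeysAcl -Path (Join-Path $env:USERPROFILE '.ssh\authorized_keys')
```

Run it in an elevated PowerShell after applying the script above; any line it prints names an entry that still has to be removed or, for a missing file, the usual Get-Acl error.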
shenk
Updated on September 18, 2022
Comments
-
shenk over 1 year
I've set up OpenSSH on various flavors of Linux tons of times. But I can't for the life of me get it functioning correctly on Windows.
There seem to be two sides to the issue: the permissions and the key used by sshd/ssh-agent.
Permissions
Every page I read has a different answer for the correct permissions. Some work, and sometimes the program complains about them.
From what I understand the keys should all be owned by SYSTEM, with read access for NT SERVICE\sshd and Full Control for Administrators and SYSTEM? (As I understand, SYSTEM and Administrators represent root in Windows). I read in the documentation that the read access is only necessary if not using ssh-add/ssh-agent. I also configured the same permissions for the %USERPROFILE%/.ssh/authorized_keys file and added the .pub of the Ed25519 key, which is the one I'm using to try and connect, though I've also tried it with my own generated RSA key. With the permissions set this way the program doesn't complain when adding keys to the agent or running the daemon. The only option I changed in sshd_config is the ListenAddress, which was binding to 0.0.0.0; I set it to the machine's local IP as SSH will only be used locally.
Keys
When I run sshd.exe with the -d option, I notice it importing the 4 default keys from %PROGRAMDATA%/ssh. When I added the ed25519.pub key to authorized_keys it was followed by HOSTNAME@workstation@HOSTNAME, HOSTNAME being my PC's hostname. Normally I would expect to see user@host. I tried creating my own key and adding it, but when I run sshd.exe -d it never seems to use anything other than the default keys. In the end, I'm unable to connect to the OpenSSH server, and the logs in %PROGRAMDATA%/ssh/Logs only seem to show the server starting.
To sum up my questions: What are the correct permissions for the key files and authorized_hosts? Does the annotation in authorized_keys being wrong make a difference? Should I be adding all of the default keys' .pub's into authorized_hosts? And last, what does sshd mean when it mentions those keys during startup (see log)? Shouldn't my own generated key just work as long as I add it to authorized_hosts?
debug1: sshd version OpenSSH_for_Windows_7.6, LibreSSL 2.6.4
debug1: private host key #0: ssh-rsa SHA256:and12LVkEqyXJ2gr0SxFEQObaSFF+Czlcnx2uFjZaJQ
debug1: private host key #1: ssh-dss SHA256:waeLdy4Sm3NT+zbwEMIhbfl8TLe6WeQ0MuZE07CzFQU
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:G8/7y/04cSE3EezTrcmpK4lRmJ5f5I/CDPcHaPzsv4o
debug1: private host key #3: ssh-ed25519 SHA256:Jvn9UjsbdzH54L/yvGYGfCzJQVIMiIWL5RETbaL2ACA
debug1: rexec_argv[0]='C:\\WINDOWS\\System32\\OpenSSH\\sshd.exe'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on 192.168.1.144.
Server listening on 192.168.1.144 port 22.
-
Kurtis Rader about 4 years
Note that you also have to set the ACLs correctly. See concurrency.com/blog/may-2019/….
-
tigertang about 4 years
Kurtis Rader's point is really crucial!
-
korona over 3 years
I can't stress enough how absolutely bonkers it is that changing file permissions is such a verbose operation on Windows.
-
JCQuintas almost 3 years
I had everything done but the PowerShell script... thanks!
-
cswilby over 2 years
This is chmod 600 ~/.ssh/authorized_keys on every other operating system... alas, this worked, thank you!
-
ivanlan over 2 years
Wow. I've been trying for several days (never mind exactly how many) to get this puppy to work, and ONLY this little script did the trick. Thank you SO MUCH!
-
Anthon over 2 years
The script gives
Exception lors de l'appel de «SetAccessRule» avec «1» argument(s): «Impossible de traduire certaines ou toutes les références d'identité.»
You'll have to change Administrators to the appropriate string on your language version of Windows.