Configuring SSH Key-Based Authentication on Windows 10/Server 2019

In this article we are going to configure SSH authentication with RSA keys on Windows to securely access remote servers/computers. We'll show how to generate RSA keys (certificates) on Windows and configure the built-in OpenSSH server on Windows 10/Windows Server 2019 for key-based authentication (which allows you to authenticate on remote hosts without passwords).

SSH key-based authentication is widely used in the Linux world, but in Windows it has appeared quite recently. The idea is that the client's public key is added on the SSH server, and when a client tries to connect to it, the server checks if the client has the corresponding private key.

Generating SSH (RSA) Keys on Windows

You must generate two RSA keys (a public and a private one) on the client computer you will use to connect to the remote Windows server running OpenSSH. The private key is stored on the client side (don't pass it to anyone!), and the public key is added to the authorized_keys file on the SSH server. To generate RSA keys on a Windows client, you must install the OpenSSH client.

In Windows 10 1809 (and newer) and Windows Server 2019, the OpenSSH client is installed as a separate feature:

Add-WindowsCapability -Online -Name

Run a regular (non-privileged) PowerShell session and generate a pair of RSA 2048 keys using the command:


You will be prompted to enter a password to protect the private key. If you specify the password, you will have to enter it each time you use this key for SSH authentication. I've not entered any passphrase (not recommended).


Ssh-keygen will create the .ssh directory in the profile of the current Windows user (C:\Users\your_username) and place 2 files in it:

  • id_rsa – a private key
  • – a public key

After you have created the RSA keys, you can add the private key to the SSH Agent service, which lets you conveniently manage private keys and use them for authentication. SSH Agent stores private keys and provides them in the security context of the current user. Start the ssh-agent service and configure it to start automatically:

Set-Service ssh-agent -StartupType Automatic
Start-Service ssh-agent

Add your private key to the ssh-agent database:

ssh-add "C:\Users\youruser\.ssh\id_rsa"

Or as follows:

ssh-add.exe $ENV:UserProfile\.ssh\id_rsa

Configuring OpenSSH Server on Windows to Authenticate Using SSH Keys

Then copy the public key you have generated on the client to your SSH server (in this example it is a remote computer running Windows 10 1903 with OpenSSH configured).

Copy the file to the .ssh directory in the profile of the user you will use to connect to the SSH server. For example, I have an admin user in my Windows 10, so I have to copy the key to C:\Users\admin\.ssh\authorized_keys.


You can copy the public key to the SSH server using SCP:

scp [email protected]:c:\users\admin\.ssh\authorized_keys

Now you can connect to your Windows SSH server without a password. If you haven't set a password (passphrase) for the private key, you will automatically connect to your remote Windows host.

To connect to a remote host using SSH, you will need the following command:

ssh (username)@(SSH server name or IP address)

For instance:

ssh [email protected]

It means that you want to connect to a remote SSH server with the specified IP address under the admin account. SSH Agent will automatically try to use the private key saved earlier to authenticate.

If you do not want to use the ssh-agent service to manage SSH keys, you can specify the path to the private key file to be used for the SSH authentication:

ssh [email protected] -i "C:\Users\youruser\.ssh\id_rsa"

If you weren't able to connect to your SSH server using the RSA key and you are still prompted to enter a password, it is likely that the user account you are trying to connect to is a member of the local server administrators group (the group SID is S-1-5-32-544). We will discuss it later.


How to Log In to Windows Using an SSH Key Under a Local Admin?

OpenSSH uses special key-based access settings for users with Windows local administrator privileges.

First of all, use the key file C:\ProgramData\ssh\administrators_authorized_keys instead of the authorized_keys file in the user profile. You must add your SSH key to this text file (for security purposes, only the Administrators group and SYSTEM should have permissions to read this file).

In order to use the authorized_keys file from a user profile and not to move the public key data to the administrators_authorized_keys file, you can comment out the related lines in the OpenSSH configuration file (C:\ProgramData\ssh\sshd_config).

Comment out these lines:
#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys


Allow access to Windows using RSA keys in the sshd_config file:

PubkeyAuthentication yes

And disable SSH password login:

PasswordAuthentication no

Don't forget to restart the sshd service after saving changes in sshd_config.

restart-service sshd
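
To confirm which of these settings are actually in force after editing, here is an added example (not from the original article) that reads sshd_config text and reports the authentication directives discussed above. The function name Get-SshdAuthSettings and the sample configuration are constructed for illustration; the parser relies on sshd using the first value it reads for a keyword and does not handle trailing comments on a directive line.

```powershell
# Added example, not from the article. Get-SshdAuthSettings is a hypothetical helper.
function Get-SshdAuthSettings {
    param([Parameter(Mandatory)] [string[]] $Lines)

    $tracked = 'PubkeyAuthentication', 'PasswordAuthentication', 'StrictModes'
    # OpenSSH defaults, used when a keyword is absent or commented out
    $result = [ordered]@{
        PubkeyAuthentication   = 'yes'
        PasswordAuthentication = 'yes'
        StrictModes            = 'yes'
        AdminKeysFile          = $null   # set by an active "Match Group administrators" block
    }
    $seen = @{}
    $section = 'global'
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith('#')) { continue }   # blank or commented out
        $keyword, $value = $line -split '\s+', 2
        if ($keyword -ieq 'Match') {
            # Everything after a Match line belongs to that block, not to the global section
            $section = if ($value -match '^Group\s+administrators$') { 'admins' } else { 'other' }
            continue
        }
        $name = $tracked | Where-Object { $_ -ieq $keyword }
        if ($section -eq 'global' -and $name -and -not $seen[$name]) {
            $result[$name] = "$value".ToLower()   # sshd keeps the first value it reads
            $seen[$name] = $true
        }
        elseif ($section -eq 'admins' -and $keyword -ieq 'AuthorizedKeysFile') {
            $result['AdminKeysFile'] = $value
        }
    }
    [pscustomobject]$result
}

# Constructed sample: key-only login, Match block for administrators still active
$sample = @'
PubkeyAuthentication yes
PasswordAuthentication no
#StrictModes yes
Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
'@ -split '\r?\n'
Get-SshdAuthSettings -Lines $sample

# Real file: Get-SshdAuthSettings -Lines (Get-Content "$env:ProgramData\ssh\sshd_config")
```

A non-empty AdminKeysFile in the output means members of the local Administrators group are still authenticated against the shared key file rather than the authorized_keys file in their profile.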

Here is another important thing. In earlier OpenSSH versions you had to grant NT Service\sshd the read permissions on the authorized_keys file.

To do it, you have to do one of the following:

  • Install the OpenSSHUtils module: Install-Module -Force OpenSSHUtils -Scope AllUsers . To change file permissions, run this command: Repair-AuthorizedKeyPermission -FilePath C:\Users\admin\.ssh\authorized_keys
  • Change the NTFS permissions for the file using module or ;
  • Or you can disable StrictModes in the sshd_config file. By default, this mode is enabled and prevents key-based authentication if the private and public keys are not protected well. Uncomment the line #StrictModes yes, and change it to StrictModes no.

So you have configured SSH authentication on Windows using a public RSA key (certificate). Now you can use this authentication method to securely access remote servers, automatically , run scripts and do other automation-related tasks.
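
The permission requirements above (only Administrators and SYSTEM on administrators_authorized_keys, and a properly protected authorized_keys in the user profile) can be checked without turning StrictModes off. This is an added example, not from the original article: Test-KeyFileAcl is a hypothetical helper name, and allowing the owning account on the per-user file is an assumption of the example.

```powershell
# Added example, not from the article. Test-KeyFileAcl is a hypothetical helper name.
function Test-KeyFileAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Well-known SIDs: S-1-5-18 = SYSTEM, S-1-5-32-544 = BUILTIN\Administrators
        [string[]] $AllowedSids = @('S-1-5-18', 'S-1-5-32-544')
    )
    if (-not (Test-Path -LiteralPath $Path)) { return }   # nothing to audit
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Compare by SID so the check works on localized Windows builds
        try   { $sid = $ace.IdentityReference.Translate($sidType).Value }
        catch { $sid = $ace.IdentityReference.Value }   # unresolvable trustee
        if ($sid -notin $AllowedSids) {
            # Emit one finding per ACE that grants access outside the allowed set
            [pscustomobject]@{
                Path      = $Path
                Trustee   = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Shared key file for local administrators: only SYSTEM and Administrators expected
$adminKeys = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
Test-KeyFileAcl -Path $adminKeys | Format-Table -AutoSize

# Per-user file (assumption: the owning account is also allowed, here the article's "admin" user)
$account = New-Object System.Security.Principal.NTAccount('admin')
$userSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
Test-KeyFileAcl -Path 'C:\Users\admin\.ssh\authorized_keys' `
    -AllowedSids 'S-1-5-18', 'S-1-5-32-544', $userSid | Format-Table -AutoSize

# Repair for the shared file: remove inherited ACEs and grant the two SIDs full control.
# Explicit ACEs for other trustees are not touched and must be removed separately.
# icacls.exe $adminKeys /inheritance:r /grant '*S-1-5-32-544:F' /grant '*S-1-5-18:F'
```

An empty result means no account outside the allowed set has an Allow entry on the file.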
