In this article we are going to configure SSH authentication with RSA keys on Windows to securely access remote servers and workstations. We'll show how to generate an RSA key pair on Windows and configure the built-in OpenSSH server on Windows 10/Windows Server 2019 for key-based authentication (which lets you log in to remote hosts without typing a password).
SSH key-based authentication is widely used in the Linux world, but on Windows it appeared only recently. The idea is that the user's public key is added on the SSH server; when a client tries to connect, the server challenges it to prove possession of the corresponding private key (the client signs the challenge, so the private key itself never leaves the client machine).
Generating SSH (RSA) Keys on Windows
You need to generate two RSA keys (a private and a public one) on the client computer you will use to connect to the remote Windows server running OpenSSH. The private key stays on the client side (never hand it to anyone!), and the public key is added to the authorized_keys file on the SSH server. To generate RSA keys on a Windows client, you must first install the OpenSSH client.
In Windows 10 1809 (and newer) and Windows Server 2019, the OpenSSH client is installed as a separate feature (capability) from an elevated PowerShell session:
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
Run a regular (non-privileged) PowerShell session and generate an RSA key pair using the command:
ssh-keygen
Without parameters ssh-keygen creates an RSA key (2048 bits on the OpenSSH build shipped with Windows 10 1809; OpenSSH 8.0 and later default to 3072 bits). You will be prompted for a passphrase to protect the private key. If you set one, you will have to enter it every time the key is used for SSH authentication. In this example no passphrase was entered (not recommended).
ssh-keygen creates the .ssh directory in the profile of the current Windows user (C:\Users\your_username) and places two files in it:
- id_rsa – the private key
- id_rsa.pub – the public key
Once you have created the RSA keys, you can add the private key to the SSH Agent service, which lets you conveniently manage private keys and use them for authentication. SSH Agent stores private keys and makes them available in the security context of the current user. The ssh-agent service is disabled by default on Windows, so configure it to start automatically with the following command (this needs an elevated session), then start it with Start-Service:
Set-Service ssh-agent -StartupType 'Automatic'
Add your private key to the ssh-agent database with ssh-add. Run without arguments it loads the default key files from your .ssh directory; you can also pass the path to a specific private key file.
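The client-side steps above (install the client, generate the key pair, enable the agent and load the key), put together as one script. This is an added example and not code from the original article: the capability name is the one used in the text, the key path and comment string are illustrative, and steps 1 and 3 need an elevated session while the key itself should be generated as the regular user who will use it.

```powershell
# Added example, not code from the original article. Assumptions: Windows 10 1809+ or
# Server 2019; the key path and comment are illustrative.

# 1. Install the OpenSSH client if it is not present (elevated session required).
$cap = Get-WindowsCapability -Online -Name 'OpenSSH.Client*'
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $cap.Name | Out-Null
}

# 2. Generate the key pair. ssh-keygen needs the .ssh directory to exist when -f is given.
#    -b 2048 matches the article; -b 4096 (or -t ed25519) is the stronger choice today.
#    No -N is passed, so ssh-keygen prompts for a passphrase (Enter = none, not recommended).
$sshDir  = Join-Path $env:USERPROFILE '.ssh'
$keyPath = Join-Path $sshDir 'id_rsa'
New-Item -ItemType Directory -Path $sshDir -Force | Out-Null
if (-not (Test-Path $keyPath)) {
    ssh-keygen -t rsa -b 2048 -f $keyPath -C "$($env:USERNAME)@$($env:COMPUTERNAME)"
}

# 3. The ssh-agent service is Disabled by default on Windows: enable it and start it.
Set-Service -Name ssh-agent -StartupType Automatic
Start-Service -Name ssh-agent

# 4. Load the private key into the agent and list what the agent now holds
#    (ssh-add -l prints fingerprints only, never key material).
ssh-add $keyPath
ssh-add -l

# 5. Print the public key: this single line is what goes into authorized_keys on the server.
Get-Content "$keyPath.pub"
```

If ssh-add reports that it cannot connect to the agent, the service did not start; check Get-Service ssh-agent before retrying.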
Configuring OpenSSH Server on Windows to Authenticate Using SSH Keys
Next, copy the public key you generated on the client to your SSH server (in this example it is a remote computer running Windows 10 1903 with OpenSSH already configured).
Copy the id_rsa.pub file to the .ssh directory in the profile of the user you will connect as, naming it authorized_keys. For example, the Windows 10 host has a user named admin, so the key goes to C:\Users\admin\.ssh\authorized_keys. The .ssh directory must exist in that profile first, and the file may contain several public keys, one per line.
You can copy the public key to the SSH server using SCP (it will ask for the account password, since key authentication is not set up yet):
scp C:\Users\youruser\.ssh\id_rsa.pub admin@192.168.1.15:c:\users\admin\.ssh\authorized_keys
Now you can connect to your Windows SSH server without a password. If you have not set a passphrase for the private key, you will be logged in to the remote Windows host automatically.
To connect to a remote host using SSH, use the following command:
ssh (username)@(SSH server name or IP address)
For example, ssh admin@192.168.1.15 connects to the remote SSH server with the IP address 192.168.1.15 under the admin account. SSH Agent will automatically offer the private key you loaded earlier for authentication. If you want to point ssh at a specific private key instead of relying on the agent, pass it with the -i option:
ssh admin@192.168.1.15 -i "C:\Users\youruser\.ssh\id_rsa"
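The copy-and-connect procedure above, with the check a practitioner wants at the end: a connection attempt that cannot fall back to a password, so its exit code tells you whether key authentication really works. This is an added example, not code from the original article; it assumes the server 192.168.1.15 and the non-administrator user admin from the text, and that the server's default shell is cmd.exe (as on a stock Windows OpenSSH install).

```powershell
# Added example, not code from the original article. Assumes the host, user and key
# locations used in the text. The first ssh/scp calls prompt for the account password.
$server = '192.168.1.15'
$user   = 'admin'
$pubKey = Join-Path $env:USERPROFILE '.ssh\id_rsa.pub'

# The .ssh directory must exist in the remote profile before scp can write into it.
# The remote command runs under cmd.exe, so %USERPROFILE% is expanded on the server.
ssh "$user@$server" 'if not exist "%USERPROFILE%\.ssh" mkdir "%USERPROFILE%\.ssh"'

# Copy the public key. This overwrites authorized_keys; to add a second key, append
# the line to the existing file instead of copying over it.
scp $pubKey "${user}@${server}:C:\Users\$user\.ssh\authorized_keys"

# Verify key authentication. BatchMode=yes makes ssh fail instead of silently falling
# back to an interactive password prompt, so $LASTEXITCODE is meaningful.
ssh -o BatchMode=yes -o PasswordAuthentication=no "$user@$server" 'whoami'
if ($LASTEXITCODE -eq 0) {
    'Key-based authentication works.'
} else {
    'Key authentication failed; re-run with ssh -v to see which keys were offered and why they were rejected.'
}
```

The BatchMode check is the one to keep around: a plain ssh that "works" may simply have accepted your password, which is exactly the situation described next.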
If you could not connect to your SSH server using the RSA key and are still prompted for a password, it is most likely that the account you are connecting with is a member of the local Administrators group on the server (SID S-1-5-32-544). We discuss this case below.
How to Log in to Windows Using an SSH Key as a Local Admin?
OpenSSH uses separate key-based access settings for users with Windows local administrator privileges.
First of all, for these users it reads the key file C:\ProgramData\ssh\administrators_authorized_keys instead of the authorized_keys file in the user profile. You have to add your SSH public key to this text file. For security reasons, only the Administrators group and SYSTEM may have access to this file; sshd refuses to use it if any other account has permissions on it.
If you would rather use the authorized_keys file from the user profile and not move the public key to administrators_authorized_keys, you can comment out the related lines in the OpenSSH server configuration file (C:\ProgramData\ssh\sshd_config).
Comment out these lines:
#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
Allow key-based access to Windows in the sshd_config file by setting the PubkeyAuthentication directive to yes, and disable SSH password login by setting PasswordAuthentication to no. Disable password login only after you have confirmed that key login works, otherwise you lock yourself out of the host. Note that any directive placed after a Match block in sshd_config applies only inside that block, so keep these global settings above the Match Group administrators block.
Don't forget to restart the sshd service after saving changes to sshd_config.
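The administrator-login procedure above in script form: add the key to administrators_authorized_keys, set the ACL that sshd demands on that file, set the two authentication directives in sshd_config (inserted before the first Match block, so they stay global), validate the configuration and restart sshd. This is an added example and not code from the original article. It assumes the default file locations under C:\ProgramData\ssh; the public key string is a constructed placeholder to be replaced with the contents of your own id_rsa.pub.

```powershell
# Added example, not code from the original article. Run in an elevated PowerShell on the
# SSH server. $pubKey is a constructed placeholder: paste the single line from id_rsa.pub.
$pubKey     = 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexamplekeyREPLACEME youruser@client'
$adminKeys  = 'C:\ProgramData\ssh\administrators_authorized_keys'
$sshdConfig = 'C:\ProgramData\ssh\sshd_config'

function Find-Line([string[]] $Lines, [string] $Regex) {
    # Index of the first line matching $Regex, or -1 if none does.
    for ($i = 0; $i -lt $Lines.Count; $i++) { if ($Lines[$i] -match $Regex) { return $i } }
    return -1
}

# 1. Append the key (one key per line) unless the file already contains it.
if (-not (Test-Path $adminKeys) -or
    -not (Select-String -Path $adminKeys -Pattern $pubKey -SimpleMatch -Quiet)) {
    Add-Content -Path $adminKeys -Value $pubKey -Encoding ascii
}

# 2. sshd only accepts this file when Administrators and SYSTEM are the sole principals on
#    its ACL: drop inherited entries and grant exactly those two.
icacls.exe $adminKeys /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null

# 3. Set the global authentication directives. An existing (possibly commented-out) line
#    is replaced in place; a missing one is inserted before the first 'Match' block,
#    because anything after a Match line applies only inside that block.
$config   = [System.Collections.Generic.List[string]](Get-Content $sshdConfig)
$settings = [ordered]@{ PubkeyAuthentication = 'yes'; PasswordAuthentication = 'no' }
foreach ($name in $settings.Keys) {
    $line = "$name $($settings[$name])"
    $idx  = Find-Line $config "^\s*#?\s*$name\b"
    if ($idx -ge 0) {
        $config[$idx] = $line
    } else {
        $matchIdx = Find-Line $config '^\s*Match\s'
        if ($matchIdx -ge 0) { $config.Insert($matchIdx, $line) } else { $config.Add($line) }
    }
}
Set-Content -Path $sshdConfig -Value $config.ToArray() -Encoding ascii

# 4. Validate the configuration before restarting, so a typo cannot leave sshd down.
sshd.exe -t
if ($LASTEXITCODE -ne 0) { throw 'sshd_config failed the syntax check; sshd was not restarted.' }
Restart-Service -Name sshd
```

Keep a second session open while you do this: with PasswordAuthentication set to no, a mistake in the key file is no longer recoverable over SSH.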
Here is another important point. In earlier OpenSSH versions you had to grant NT Service\sshd read permissions on the authorized_keys file, and in all versions sshd checks that the file is not writable by anyone other than its owner, SYSTEM and Administrators.
To fix the permissions, do one of the following:
- Install the OpenSSHUtils module (Install-Module -Force OpenSSHUtils -Scope AllUsers) and repair the file permissions with the command: Repair-AuthorizedKeyPermission -FilePath C:\Users\admin\.ssh\authorized_keys
- Change the NTFS permissions on the file yourself;
- Or disable StrictModes in the sshd_config file. By default this mode is enabled and blocks key-based authentication if the authorized_keys file (or the directories above it) can be modified by other users. Uncomment the line #StrictModes yes and change it to StrictModes no. This weakens the check for every account on the host, so prefer fixing the permissions.
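For the second option (fixing the NTFS permissions yourself), here is an added example, not code from the original article or the OpenSSHUtils module, that audits the ACL on a user's authorized_keys the way the StrictModes check does and, with -Repair, resets it so that only the file owner, SYSTEM and Administrators keep access. It assumes the admin profile path from the text; the set of rights it treats as "write" is this example's own approximation of sshd's check, and it covers the file only, not the parent directories.

```powershell
# Added example, not code from the original article. Audits (and with -Repair resets) the
# NTFS ACL on an authorized_keys file. Default path is the 'admin' profile from the text.
function Test-AuthorizedKeysAcl {
    param(
        [string] $Path = 'C:\Users\admin\.ssh\authorized_keys',
        [switch] $Repair
    )
    $trusted   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    # Rights that let a principal alter the file or its ACL (approximation of sshd's check).
    $writeMask = [System.Security.AccessControl.FileSystemRights] 'Write, Delete, ChangePermissions, TakeOwnership'

    $acl     = Get-Acl -Path $Path
    $owner   = $acl.Owner
    $writers = @()
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $writeMask) -ne 0 -and
            $id -ne $owner -and $trusted -notcontains $id) {
            $writers += $id
        }
    }

    if ($Repair -and $writers.Count -gt 0) {
        # Drop inherited ACEs (the usual source of stray entries) and grant full control
        # only to the owner, SYSTEM and Administrators. Older OpenSSH builds additionally
        # needed a read grant for 'NT Service\sshd'; current builds do not.
        icacls.exe $Path /inheritance:r /grant "${owner}:F" /grant 'SYSTEM:F' /grant 'Administrators:F' | Out-Null
        return Test-AuthorizedKeysAcl -Path $Path
    }

    [pscustomobject]@{
        Path              = $Path
        Owner             = $owner
        UnexpectedWriters = $writers
        Secure            = ($writers.Count -eq 0)
    }
}

# Usage: report first, repair only when something is wrong.
$report = Test-AuthorizedKeysAcl
if (-not $report.Secure) { Test-AuthorizedKeysAcl -Repair }
```

Inherited entries such as Authenticated Users or a second local account with Modify rights are what typically trips StrictModes; the report names them, which is more useful than the bare "Permission denied (publickey)" the client shows.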
So you have configured SSH authentication on Windows using an RSA key pair. You can now use this authentication method to safely access remote servers without typing passwords, run scripts and handle other automation-related tasks.