In this post I will configure SSH authentication with RSA keys on Windows to securely access remote servers/computers. I’ll show how to generate RSA keys (certificates) on Windows and configure a built-in OpenSSH server on Windows 10/Windows Server 2019 for key-based authentication (allows you to authenticate on remote hosts without passwords).
SSH key-based authentication is widely used in the Linux world, but in Windows it has appeared more recently. The idea is that the client’s public key is added on the SSH server, and when a client tries to connect to it, the server checks if the client has the corresponding private key.
Generating SSH (RSA) on Windows
You must generate two RSA keys (public and private ones) on a client computer you will use to connect to the remote Windows server that is running OpenSSH. A private key is stored on a client side (do not share it with anyone), and a public key is added to the authorized_keys file on the SSH server. To generate RSA keys on a Windows client, you must install the OpenSSH client.
In Windows 10 1809 (and newer) and Windows Server 2019, the OpenSSH client is installed as a separate feature:
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
In previous Windows versions you can install the Win32-OpenSSH port from GitHub (see the example in the post setting up an SFTP (SSH FTP) server on Windows).
Run a standard (non-privileged) PowerShell session and generate a pair of RSA 2048 keys using the command:
ssh-keygen
You will be prompted to enter a password to protect the private key. If you specify the password, you will have to enter it each time you use this key for SSH authentication. I have not entered any passphrase (not recommended).
Ssh-keygen will create the .ssh directory in the profile of a current Windows user (C:\Users\your_username) and place 2 files in it:
- id_rsa – a private key
- id_rsa.pub – a public key
After you have created the RSA keys, you can add the private key to the SSH Agent service, that allows to conveniently manage private keys and use them for authentication. SSH Agent stores private keys and provides them in the security context of the current user. Run the ssh-agent service and configure it to startup automatic using the PowerShell service management commands:
set-service ssh-agent StartupType ‘Automatic’
Start-Service ssh-agent
Add your private key to the ssh-agent database:
ssh-add "C:\Users\youruser\.ssh\id_rsa"
Or as follows:
ssh-add.exe $ENV:UserProfile\.ssh\id_rsa
Configuring OpenSSH Server on Windows to Authenticate Using SSH Keys
Then copy the public key you have generated on the client to your SSH server (in this example it is a remote computer running Windows 10 1903 and having OpenSSH configured). I have already discussed how to configure an OpenSSH server in Windows in more detail.
Copy the id_rsa.pub file to the .ssh directory in the profile of the user you will use to connect to the SSH server. For example, I have an admin user in my Windows 10, so I must copy the key to C:\Users\admin\.ssh\authorized_keys.
You can copy the public key to the SSH server using SCP:
scp C:\Users\youruser\.ssh\id_rsa.pub [email protected]:c:\users\admin\.ssh\authorized_keys
Now you can connect to your Windows SSH server without a password. If you have not set a password (passphrase) for the private key, you will automatically connect to your remote Windows host.
To connect to a remote host using native SSH client, you will need the following command:
ssh (username)@(SSH server name or IP address)
For example:
It means that you want to connect to a remote SSH server with the IP address 192.168.1.15 under the admin account. SSH Agent will automatically try to use the private key saved before to authenticate. If you do not want to use the ssh-agent service to manage SSH keys, you can specify the path to the private key file to be used for the SSH authentication:
ssh [email protected] -i "C:\Users\youruser\.ssh\id_rsa"
If you were not able to connect to your SSH server using the RSA key and you are still prompted to enter a password, it is likely that the user account you are trying to connect to is a member of local server administrators group (the group SID is S-1-5-32-544). I will discuss it later.
How to Login Windows Using SSH Key Under Local Admin?
OpenSSH uses special key-based access settings for the users with Windows local administrator privileges.
First of all, use a key file C:\ProgramData\ssh\administrators_authorized_keys instead of the authorized_keys file in the user profile. You must add your SSH key to this text file (for security purposes, only the Administrators group and SYSTEM should have permissions to read this file).
In order to use the authorized_keys file from a user profile and not to move the public key data to the administrators_authorized_keys file, you can comment the related line in the OpenSSH configuration file (C:\ProgramData\ssh\sshd_config).
Comment these lines:#Match Group administrators
# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
Allow access Windows using RSA keys in the sshd_config file:
PubkeyAuthentication yes
And disable ssh password login:
PasswordAuthentication no
Don’t forget to restart the sshd service after saving changes in sshd_config.
restart-service sshd
Here is another important thing. In earlier OpenSSH versions you had to grant NT Service\sshd the read permissions on the authorized_keys file.
To do it, you have to do one of the following:
- Install the OpenSSHUtils module:
Install-Module -Force OpenSSHUtils -Scope AllUsers. To change file permissions, run this command: Repair-AuthorizedKeyPermission -FilePath C:\Users\admin\.ssh\authorized_keys
- Change the NTFS permissions for the file using NTFSSecurity module or icacls;
- Or you can disable StrictModes in the sshd_config file. By default, this mode is enabled and prevents key-based authentication, if a public and private keys are not protected well. Uncomment the line
#StrictModes yes, and change it toStrictModes no.
So you have configured the SSH authentication on Windows using a public RSA key (certificate). Now you can use this authentication method to safely access remote servers, automatically forward ports in the SSH tunnel, run scripts and do any other automation-related tasks.
