Windows 10

OpenSSH Server Windows 10 Install with Public Key authentication

OpenSSH Server Windows 10 Install with Public Key authentication. How to install OpenSSH, generate SSH key pair, and connect with Putty

Remote connectivity to your Windows Servers is a prime capability that is required by administrators to be able to control, manage, and administer their environments. With Windows environments, I feel like most of us that remote command-line access is much more difficult than it needs to be, especially with the bane of our existence WinRM to have to deal with and configure for remote PowerShell access. Recently, in the lab, I have begun the process of OpenSSH Server Windows 10 Install with Public Key authentication. What does that process look like? Let’s look at how you can get OpenSSH server up and running with Windows Server 2019.

OpenSSH Server Windows 10, Windows 11 and Windows Server 2019 & 2022

Thankfully, Microsoft has included the ability in Windows Server 2019 and Windows 10 to install both the SSH client and SSH server natively in Windows. This can help administrators to standardize on the connection technology they are using between both Linux and Windows for remote administration and security.

One of the great things that I like about SSH is its ability to use PublicKey authentication which is a secure way to connect to remote systems as is demonstrated by its use with AWS EC2 systems and other cloud environments. Also, many of the native automation technologies that were built for Linux environments initially such as Ansible makes standardizing your automation tools on a single connection protocol, even though Ansible now works well with WinRM.

Install OpenSSH Server Windows 10 and 2019

Before looking at the configuration instructions ย and setup to get PublicKey authentication to work on your system, let’s look at the process steps to install OpenSSH Server in aย Windows Server 2019ย host. Since this is now a native component of Windows Server 2019 and Windows 10, there are no external packages or install files that you have to download to get started. The installation of OpenSSH can be initiated by using the following command.

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Install openssh server windows server 2019
Install openssh server windows server 2019

After a few moments, the OpenSSH server component should install successfully.

The openssh server installation completes
The openssh server installation completes

Some installation documentation for installing OpenSSH in Windows Server 2019 depending on how old the documentation is notes that you should install the package:

Install-Module -Force OpenSSHUtils -Scope AllUsers

However, this is an outdated package that is no longer installable as you will receive the following error. However, you will find that this isnโ€™t a hindrance in getting OpenSSH installed on your computer or generating SSH keys for use in connectivity.

The installation of opensshutils fails with unable to validate the authenticode signature
The installation of opensshutils fails with unable to validate the authenticode signature

After installing the OpenSSH component in Windows Server 2019, you can check the version of OpenSSH as needed using the command:

ssh -V
Validating the openssh version installing in windows server 2019
Validating the openssh version installing in windows server 2019

After you install OpenSSH in Windows Server 2019, the service is not automatically configured as theย Startup type: Automatic. You can set the startuptype as Automatic and then start the service. You can also use theย set-service PowerShell cmdletย to set the startup type.

Starting the windows openssh service
Starting the windows openssh service

You will want to start both theย OpenSSH Authentication Agentย and theย OpenSSH SSH Server. Starting the authentication agent creates theย authorized_keysย file among other things in the Programdata\ssh directory.

Starting the openssh services including the server and authentication agent
Starting the openssh services including the server and authentication agent

Allow OpenSSH Server Firewall Exception

You will need to allow OpenSSH Server firewall exceptions for OpenSSH connectivity in Windows 10 or Windows Server 2019. SSH connectivity is on TCP port 22. You can easily do this with the following commands from the command line with the netsh command for adding the firewall rule.

netsh advfirewall firewall add rule name="SSH PORT 22" dir=in action=allow protocol=TCP localport=22

At this point, you should be able to connect to the OpenSSH server hostname using a Putty session or terminal tool of your choice. You should even be able to use something like WinSCP to SSH into your Windows box for file management. By default, password authentication is allowed. Enter the user account for authentication and password. Below, I am using a domain account to login to the IP address or hostname of the endpoint.

Password authntication to openssh server in windows server 2019
Password authentication to openssh server in windows server 2019

Successfully authenticated and changing to a PowerShell prompt over SSH. Cool stuff.

After connecting to openssh changing to powershell prompt
After connecting to openssh changing to powershell prompt

OpenSSH Server Public Key authentication

Public key authentication is a much more secure means of authenticating to SSH than using a password. With public key authentication with OpenSSH, you have to possess the private key component of an SSH key pair. It is a pair since the OpenSSH server must have a copy of your public key. When you authenticate, you are proving you have the matching private key component of the pair so authentication can be successful. You can even protect your SSH key with a password for another factor of authentication.

Enabling OpenSSH Public Key authentication

To enable OpenSSH public key authentication, there are a couple of settings and permissions you need to change in theย sshd_configย file. Where is this filename location?

C:\programdata\ssh\sshd_config

Edit the sshd_config configuration file and change the following configuration values as shown in the example:

PubkeyAuthentication yes
PasswordAuthentication no

Below shows the file with the settings changed.

Editing the sshd config file for public key authentication
Editing the sshd config file for public key authentication

How do you generate the SSH key pair in Windows? This is easy to do. From a PowerShell prompt, type in the command:

ssh-keygen

From a PowerShell prompt, type in the command and you will be asked to create the key pair and if you want to use a password (passphrase) for the key pair identification. By default, in Windows, this is saved in the user profile under a hidden directory as noted below. The .pub key of course is the public key.

c:\users\<username>\.ssh\id_rsa
c:\users\<username>\.ssh\id_rsa.pub
Generating a client side key pair for ssh connectivity
Generating a client side key pair for ssh connectivity

If you want to use Putty to connect to your OpenSSH server running in Windows Server 2019, you need to generate a .ppk file that is the Putty-formatted version of the private key. Openย Putty Key Generatorย and open your current private key (id_rsa) and then choose toย Save private key. This will save the private key fingerprint.

Generating a putty friendly key for connecting via ssh
Generating a putty friendly key for connecting via ssh

Now you should have aย .ppkย file that can be used in theย Authย properties of the SSH session to authenticate with public key authentication.

Configuring putty ssh connection with public key authentication
Configuring putty ssh connection with public key authentication

An important part of public key authentication is the actual public key that the OpenSSH Server has possession of. How do you get the public key to the OpenSSH server? Remember the files created with theย ssh-keygenย command? The .pubย file that is created and the contents within, are the contents you need to copy to the OpenSSH Server. Where are these copied?

There are two files that are used with public key authentication:

administrators_authorized_keys
authorized_keys

If the user you are trying to authenticate with is an administrator on the Windows 10 or Server 2019 OpenSSH server, you place the contents of the public key of the user in theย administrators_authorized_keysย file. If they are a standard user, you place the public key in theย authorized_keysย file. Then when creating the Putty connection, you use the private key .ppk file in the Auth configuration the session in Putty.

The authorized key files for use with public key authentication
The authorized key files for use with public key authentication

Change the default shell to PowerShell

You can change the default shell of an OpenSSH connection to Windows 10 or Windows Server 2019 by using the following command:

New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force

AllowGroups, AllowUsers, DenyGroups, DenyUsers

You can control the users and groups allowed to connect to the server. This is done using the DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. They are processed in the order just listed. It is important that all account names are specified in lower case.

Examples for domain users and groups

DenyUsers domain\[email protected] : blocks contoso\admin from 10.1.1.37
DenyUsers domain\* : blocks all users from "domain" domain
AllowGroups domain\sshusers : only allow users from domain\sshusers group

Examples for local users and groupsCopy

AllowUsers [email protected]
AllowGroups sshusers

Wrapping Up

OpenSSH Server Windows 10 Install with Public Key authentication is a great way to connect to your Windows 10 or Windows Server 2019 hosts. It helps to standardize connectivity protocols for both Windows and Linux hosts alike. This includes not having to deal with the frustrations of WinRM and configuring this for connectivity. Hopefully, this guide will help any who are wondering how OpenSSH is configured with Windows 10 or Windows Server 2019. Let me know in the comments if you have any questions or create a forum post in the VHT forums if you would like more detailed help or troubleshooting from myself and those in the community.ย 

Subscribe to VirtualizationHowto via Email ๐Ÿ””

Enter your email address to subscribe to this blog and receive notifications of new posts by email.



Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com, and a 7-time VMware vExpert, with over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, He has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family. Also, he goes through the effort of testing and troubleshooting issues, so you don't have to.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.