In this guide, you will learn how to configure OpenSSH on Windows with Public Key Authentication.
Let’s get started.
Step 1: Install OpenSSH Server on Windows
You can install OpenSSH Server on any Windows OS. In this example I’m using a Windows 2020 server.
To install OpenSSH, run the below PowerShell command. I had to give the server internet access in order for the command to work.
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Screenshot below is from my local computer.
Next, you will need to start the sshd service. Setting the service to start automatically is optional, but I recommend it; otherwise you will need to start it manually each time the computer reboots.
# Start the sshd service
Start-Service sshd

# OPTIONAL but recommended: start sshd automatically at boot
Set-Service -Name sshd -StartupType 'Automatic'
That completes the installation of OpenSSH server on Windows. At this point, you should be able to connect to the server from a client machine using password authentication. You will need to have the OpenSSH client installed on a remote computer in order to connect.
You can connect using the hostname or IP address. Below I tested the connection to my server IP address “192.168.40.4” with the account name “jojo”.
When connected you can type “hostname” to verify you are connected to the remote server.
To uninstall openssh server run the below command.
# Uninstall the OpenSSH Server
Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
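Here is an added PowerShell example (not part of the original guide) that performs Step 1 idempotently and then verifies the result: capability installed, service running and set to automatic, firewall rule present, and sshd listening on TCP 22. It assumes an elevated PowerShell on the server and the firewall rule name "OpenSSH-Server-In-TCP", which the capability installer normally creates.

```powershell
# Added example, not from the original guide. Run as Administrator on the server.
$capName = 'OpenSSH.Server~~~~0.0.1.0'

function Install-SshServer {
    # Skip the (internet-dependent) download if the capability is already present
    $cap = Get-WindowsCapability -Online -Name $capName
    if ($cap.State -ne 'Installed') {
        Add-WindowsCapability -Online -Name $capName | Out-Null
    }
    # Automatic start so a reboot does not silently drop SSH access
    Set-Service -Name sshd -StartupType Automatic
    Start-Service sshd
}

function Test-SshServer {
    $svc  = Get-Service sshd
    # Rule name assumed from the standard installer; adjust if yours differs
    $rule = Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue
    # Most "cannot connect" reports come down to sshd not listening or the rule being absent
    $listen = Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceStatus = $svc.Status
        StartType     = $svc.StartType
        FirewallRule  = if ($rule) { $rule.Enabled } else { 'missing' }
        ListeningOn22 = [bool]$listen
    }
}

Install-SshServer
Test-SshServer
```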
Step 2: Generate and Install SSH Key Pairs
Now you need to generate the SSH keys (private and public keys) on your local computer that will be used to connect to the remote OpenSSH server. A private key will be stored on your local computer and the public key will be copied to the OpenSSH server.
Open PowerShell 7 and run the below command:
ssh-keygen -t ed25519
You should get a message that says “Enter file in which to save the key”. The key will be saved to your profile path by default. You can leave the default or change the path; I will keep the default path.
You will then be prompted to enter a passphrase to encrypt your private key. This can be empty but it is not recommended.
You should now have a public and private key pair in the location specified. Screenshot below of the steps on my local computer.
You can view the keys in Windows Explorer by browsing to the location you saved them. In my case, I saved them to the default path (c:\users\YOURPROFILE\.ssh).
- id_ed25519 – This is your private key.
- id_ed25519.pub – This is the public key that will get copied to the server.
Next, you need to copy the public key to the server. This is where it gets a little weird.
If your account is not a member of the local Administrators group, follow the steps below. If it is a member of the local Administrators group, jump to the “Administrator User” section below.
First, you need to create the .ssh folder in your profile path on the server. My standard user account is “jojo” so I would create the .ssh folder at c:\Users\jojo\.ssh.
Next, run this command to copy the public key to a text file called “authorized_keys” on the server. Replace “username” with your profile name.
scp C:\Users\username\.ssh\id_ed25519.pub username@servername:C:\Users\username\.ssh\authorized_keys
Here is a screenshot of this command from my local computer.
If you go to the server and look in your profile there should now be an “authorized_keys” file.
At this point, you should be able to authenticate with your key. The problem is that password authentication is still allowed. I’ll show you how to disable it in the server config section.
If your account is a member of the local Administrators group, the public key needs to be placed into a text file called “administrators_authorized_keys” in the “c:\ProgramData\ssh\” folder. Pretty strange I know, I’m not sure why Microsoft did this.
Use the below command to copy the public key for an administrator.
scp C:\Users\username\.ssh\id_ed25519.pub username@servername:C:\ProgramData\ssh\administrators_authorized_keys
Here is a screenshot from my local computer.
Now check the “c:\ProgramData\ssh” folder on the server.
Test authentication; if you set a passphrase, you will be prompted for it.
If you get the below error then you need to modify the permissions on the administrators_authorized_keys file.
“Permission denied (publickey,password,keyboard-interactive).”
On the server open PowerShell and run these commands to fix the permissions.
icacls C:\ProgramData\ssh\administrators_authorized_keys /inheritance:r
icacls C:\ProgramData\ssh\administrators_authorized_keys /grant SYSTEM:`(F`)
icacls C:\ProgramData\ssh\administrators_authorized_keys /grant BUILTIN\Administrators:`(F`)
Tip: You can also use the private key with other SSH tools such as PuTTY when connecting to the server. You will need to configure whatever client you’re using with the private key.
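The following added PowerShell example (not from the original guide) does the server-side half of Step 2 in one function: it checks whether the account is in the local Administrators group, appends the key to the file sshd actually reads for that account (administrators_authorized_keys or the user's own authorized_keys), and sets the ACL that sshd requires, so the “Permission denied (publickey,...)” case is handled up front. It assumes an elevated PowerShell on the server and that the public key line is passed in as text; the key shown at the bottom is a constructed placeholder.

```powershell
# Added example, not from the original guide. Run as Administrator on the server.
function Install-AuthorizedKey {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $PublicKey   # one line from id_ed25519.pub
    )
    if ($PublicKey -notmatch '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-\S+) \S+') {
        throw 'Not a valid OpenSSH public key line'
    }
    $isAdmin = Get-LocalGroupMember -Group Administrators |
        Where-Object { $_.Name -like "*\$UserName" }
    if ($isAdmin) {
        # Administrators are matched against the shared file, not their profile
        $path = 'C:\ProgramData\ssh\administrators_authorized_keys'
        $acl  = @('SYSTEM:(F)', 'BUILTIN\Administrators:(F)')
    } else {
        $path = "C:\Users\$UserName\.ssh\authorized_keys"
        $acl  = @('SYSTEM:(F)', 'BUILTIN\Administrators:(F)', "${UserName}:(F)")
    }
    New-Item -ItemType Directory -Path (Split-Path $path) -Force | Out-Null
    # Append only if this exact key is not already authorized
    $existing = if (Test-Path $path) { Get-Content $path } else { @() }
    if ($existing -notcontains $PublicKey) {
        Add-Content -Path $path -Value $PublicKey
    }
    # sshd rejects a keys file that other accounts can write to; strip inherited
    # ACEs and grant only the principals sshd expects (parentheses are quoted, so
    # no backtick escaping is needed here)
    icacls $path /inheritance:r | Out-Null
    foreach ($grant in $acl) { icacls $path /grant $grant | Out-Null }
    icacls $path   # show the resulting ACL for review
}

# Constructed placeholder key for illustration only; paste the real id_ed25519.pub contents
Install-AuthorizedKey -UserName 'jojo' -PublicKey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnly jojo@laptop'
```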
Step 3: Configure OpenSSH Server with Key Authentication
If you completed steps 1 and 2, you should be able to use key authentication now instead of a password. The only remaining problem is that the server still allows password authentication, so it is recommended to disable it.
To disable password authentication, go to the server and open the “sshd_config” file with Notepad. This file is located in the “c:\ProgramData\ssh” folder.
Make sure to test that authentication works with your private key before disabling password authentication.
Uncomment and change these two values.
PubkeyAuthentication yes
PasswordAuthentication no
Here is a screenshot from my local computer.
Save the file.
Now open PowerShell and restart the sshd service so the change takes effect.
This will disable password authentication and only allow connections with a private and public key pair.
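As an added example (not from the original guide), here is Step 3 done from an elevated PowerShell instead of Notepad: it backs up sshd_config, sets the two directives whether they are active or still commented out, lets sshd validate the file with its test mode, and restarts the service only if validation passes, so a typo cannot leave you with a service that will not start. It assumes the default config path and the default sshd.exe location, C:\Windows\System32\OpenSSH\sshd.exe.

```powershell
# Added example, not from the original guide. Run as Administrator on the server.
function Set-SshdKeyOnlyAuth {
    $config = 'C:\ProgramData\ssh\sshd_config'
    $sshd   = 'C:\Windows\System32\OpenSSH\sshd.exe'   # assumed default location
    $wanted = @{ PubkeyAuthentication = 'yes'; PasswordAuthentication = 'no' }

    Copy-Item $config "$config.bak" -Force
    $lines = Get-Content $config
    foreach ($key in $wanted.Keys) {
        # Match the directive whether it is active or commented out ("#PasswordAuthentication yes")
        $pattern = "^\s*#?\s*$key\b.*$"
        if ($lines -match $pattern) {
            $lines = $lines -replace $pattern, "$key $($wanted[$key])"
        } else {
            $lines += "$key $($wanted[$key])"
        }
    }
    Set-Content -Path $config -Value $lines

    # 'sshd -t' parses the config and exits non-zero on an error; restore the
    # backup in that case rather than restarting into a broken service
    & $sshd -t -f $config
    if ($LASTEXITCODE -ne 0) {
        Copy-Item "$config.bak" $config -Force
        throw 'sshd_config failed validation; original restored'
    }
    Restart-Service sshd
    # Show the effective values sshd will use after the restart
    & $sshd -T -f $config | Select-String 'pubkeyauthentication|passwordauthentication'
}

Set-SshdKeyOnlyAuth
```

Keep an existing key-authenticated session open while you run this, and confirm a fresh key login works before closing it.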
Secure the Private Key (optional)
This is an optional step. Microsoft recommends using the ssh-add command to securely store the private keys within a Windows security context. The private key acts like a password so you probably don’t want it sitting on your computer, because if someone copies it, they could use it to authenticate to the ssh server.
Here are the commands to store the private key.
# By default the ssh-agent service is disabled. Allow it to be manually started for the next step to work.
# Make sure you're running as an Administrator.
Get-Service ssh-agent | Set-Service -StartupType Manual

# Start the service
Start-Service ssh-agent

# This should return a status of Running
Get-Service ssh-agent

# Now load your key files into ssh-agent
ssh-add ~\.ssh\id_ed25519
When completed, test ssh authentication.
If it works it is recommended to back up your private key to a secure location and delete it from your local computer.
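Here is an added PowerShell example (not from the original guide) for the ssh-agent step that also proves the key was loaded: it compares the fingerprint of the on-disk key with what ssh-agent reports, which is the check worth doing before you back up and delete the private key file. It assumes the default key path from the guide and an elevated PowerShell for the service change.

```powershell
# Added example, not from the original guide. Run as Administrator on the client.
function Add-KeyToAgentAndVerify {
    param([string] $KeyPath = "$env:USERPROFILE\.ssh\id_ed25519")

    if ((Get-Service ssh-agent).StartType -eq 'Disabled') {
        Set-Service ssh-agent -StartupType Manual
    }
    Start-Service ssh-agent

    # Prompts for the passphrase if the key has one
    ssh-add $KeyPath
    if ($LASTEXITCODE -ne 0) { throw "ssh-add failed for $KeyPath" }

    # Both commands print "<bits> SHA256:<hash> <comment> (<type>)"; field 2 is the fingerprint
    $want   = (ssh-keygen -lf "$KeyPath.pub").Split(' ')[1]
    $loaded = ssh-add -l | ForEach-Object { $_.Split(' ')[1] }

    [pscustomobject]@{
        Fingerprint   = $want
        LoadedInAgent = ($loaded -contains $want)   # $true means the agent holds this key
    }
}

Add-KeyToAgentAndVerify
```

Only remove the on-disk private key after LoadedInAgent is true and a real login to the server has succeeded; the agent does not survive a reboot unless its service is set to automatic, so keep the secure backup.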
That completes the tutorial. When testing and researching this guide, every article on the internet had different instructions, maybe because the Windows implementation has changed over time. I’m not sure. If you have issues with the installation, post a comment below.