Authorized Keys in Windows 10 OpenSSH

With Windows now supporting OpenSSH, I figured I could setup password-less login from my Linux server and pull my home backups automatically. Currently I push backups to my server using Windows Scheduler and it’s far from ideal as any adjustment to process requires my login to each machine separately.

First attempt to get it working relied on Microsoft’s documentation and, while it did allow for password login, got me nowhere when it comes to authentication keys. There are many comments at GitHub repository dealing with the same issue but it was impossible to tell what is working and what not – especially since quite a few advises were contradictory. Mind you, recommended commands might have been working at one time or another but my Windows 10 November update was resistant to everything I found there.

So I decided to go harder route and actually check logs as I try commands. I wanted procedure that will bring the least amount of changes (ideally none) to files already installed so I can deal with upgrades and I wanted to have all those steps scriptable so I can setup everything by simply running the file.

The issue with authorized keys lied in “Authenticated Users” being allowed access to administators_authorized_keys. Once that was removed from ACL, my passwordless login started working beautifully.

My final script looked something like this:

PowerShell Script
# Start as admin
If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
$arguments = "& '" + $myinvocation.mycommand.definition + "'"
Start-Process powershell -Verb runAs -ArgumentList $arguments
Break
}

# Preferences
Set-ExecutionPolicy RemoteSigned
$ConfirmPreference = 'None'

# OpenSSH: Install
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Set-Service -Name sshd -Computer localhost -StartupType Automatic
Start-Service sshd

# OpenSSH: Setup
New-Item -Path $Env:ALLUSERSPROFILE\ssh -Name "administrators_authorized_keys" -ItemType "file" `
-Value "key"
icacls "$Env:ALLUSERSPROFILE\ssh\administrators_authorized_keys" /inheritance:d
icacls "$Env:ALLUSERSPROFILE\ssh\administrators_authorized_keys" /remove `
"NT AUTHORITY\Authenticated Users"
Restart-Service -Name sshd

3 thoughts to “Authorized Keys in Windows 10 OpenSSH”

  1. A thousand thank yous for distilling the conflicting information into the version that *works*

  2. it’s working now
    ¯\_(ツ)_/¯
    here’s what I got:
    ssh-copy-id does not somehow write the key to administrators_authorized_keys (based on using Administrator account on W10 20H2, tpb)
    Simply grab notepad++ in Admin mode and paste the id_rsa.pub from the device from where you want to connect to Windows OpenSSH Server.

    As a side note on top of all above, the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH\DefaultShell is set to C:\Windows\System32\wsl.exe
    Windows Firewall allows incoming connections from Port 22

    And finally:
    icacls “$Env:ALLUSERSPROFILE\ssh\administrators_authorized_keys” /remove `
    “NT AUTHORITY\Authenticated Users”

    Would only execute when removing the backtick after /remove ie
    icacls “$Env:ALLUSERSPROFILE\ssh\administrators_authorized_keys” /remove “NT AUTHORITY\Authenticated Users”

    Thank you though for putting your knowledge in this public place and best of luck for any visitor in making use of the instructions here to get this working!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.