# [[Copying an ssh id pub key to a windows machine]]

```
# Make sure that the .ssh directory exists in your server's home folder
ssh user1@domain1@contoso.com mkdir C:\Users\user1\.ssh\

# Use scp to copy the public key file generated previously to authorized_keys on your server
scp C:\Users\user1\.ssh\id_ed25519.pub user1@domain1@contoso.com:C:\Users\user1\.ssh\authorized_keys

# Appropriately ACL the authorized_keys file on your server
ssh --% user1@domain1@contoso.com powershell -c $ConfirmPreference = 'None'; Repair-AuthorizedKeyPermission C:\Users\user1\.ssh\authorized_keys
```

The above doesn't work for any [user in the administrators group](https://superuser.com/questions/1445976/windows-ssh-server-refuses-key-based-authentication-from-client) and instead requires either a change to the `sshd` config or installing a system-wide `$Env:ProgramData\ssh\administrators_authorized_keys` file and updating its permissions.

```
$acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys
# Disable inheritance and drop the inherited ACEs
$acl.SetAccessRuleProtection($true, $false)
# Leave only Administrators and SYSTEM with (full) access
$administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule("Administrators","FullControl","Allow")
$systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
$acl.SetAccessRule($administratorsRule)
$acl.SetAccessRule($systemRule)
$acl | Set-Acl
```

The solution that ended up working for me was https://stackoverflow.com/a/64626986

- Disable the admin keys setting
- Add the id pub-key to `$env:USERPROFILE\.ssh\authorized_keys`
- Make sure `ssh-agent` is running, not just `sshd`. It seems like `sshd` delegates to `ssh-agent` similar to how `ssh` delegates to `ssh-agent` for key-pair auth negotiation.
- Restart both `ssh-agent` and `sshd`

```
PowerShell.exe -ExecutionPolicy Bypass -File "C:\bypass\prompt\standard.ps1" 2>&1>$null

# Install the server and open TCP/22 in the firewall
Add-WindowsCapability -Online -Name OpenSSH.Server
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 -Program "%WINDIR%\System32\OpenSSH\sshd.exe"

#Must Enable ssh-agent before starting
Set-Service -Name ssh-agent -StartupType Automatic
Set-Service -Name sshd -StartupType Automatic
Start-Service ssh-agent; Start-Service sshd

# Place the key material in the user's profile and load the private key into ssh-agent
# (the cat calls only echo the files back for verification)
$sshdir="$env:USERPROFILE\.ssh"
mkdir $sshdir
copy .\id_rsa $sshdir\
cat $sshdir\id_rsa
copy .\*.pub $sshdir\authorized_keys
cat $sshdir\authorized_keys
ssh-add $sshdir\id_rsa

# Enable pubkey auth and comment out the administrators Match block so the
# per-user authorized_keys file is used for admins too
$sshd_config="C:\ProgramData\ssh\sshd_config"
(Get-Content $sshd_config) -replace '#PubkeyAuthentication', 'PubkeyAuthentication' | Out-File -encoding ASCII $sshd_config
(Get-Content $sshd_config) -replace 'AuthorizedKeysFile __PROGRAMDATA__', '#AuthorizedKeysFile __PROGRAMDATA__' | Out-File -encoding ASCII $sshd_config
(Get-Content $sshd_config) -replace 'Match Group administrators', '#Match Group administrators' | Out-File -encoding ASCII $sshd_config
cat C:\ProgramData\ssh\sshd_config

Restart-Service ssh-agent; Restart-Service sshd
```

## References

- [OpenSSH key management: About key pairs (Microsoft Docs)](https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement#about-key-pairs)

---

- Links:
- Created at: [[2021-05-18]]
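A diagnostic for the administrators-group problem described in the note, added here as an example; it is not part of the original note or of the linked answers. It parses the server's `sshd_config`, reports which `authorized_keys` file `sshd` will actually consult for a given account (and whether the `Match Group administrators` block still applies, including the case where only the `Match` line was commented out and the `AuthorizedKeysFile` line under it became global), lists any ACEs on that file beyond SYSTEM, Administrators and the owner, and prints the `sshd`/`ssh-agent` service state. The config path and the `C:\Users\<name>` profile location are assumed defaults; `Get-LocalGroupMember` needs Windows 10 / Server 2016 or later. Run it in an elevated PowerShell on the server.

```powershell
# Added diagnostic (example code, not from the note above): shows which
# authorized_keys file Win32-OpenSSH sshd will consult for a user and why
# key auth may still fail for members of Administrators.
# Assumptions: default sshd_config location and default profile path.
param(
    [string]$User = $env:USERNAME,
    [string]$SshdConfig = "$env:ProgramData\ssh\sshd_config"
)

function Test-LocalAdmin {
    param([string]$Name)
    # Members are reported as MACHINE\user or DOMAIN\user
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.Name -like "*\$Name" -or $_.Name -ieq $Name })
}

function Get-SshdKeyPolicy {
    param([string]$ConfigPath, [bool]$IsAdmin)
    # Values sshd falls back to when a directive is absent or commented out
    $policy = @{
        PubkeyAuthentication = 'yes'
        AuthorizedKeysFile   = '.ssh/authorized_keys'
        AdminMatchApplies    = $false
    }
    $inMatch = $false; $inAdminMatch = $false
    foreach ($raw in Get-Content -Path $ConfigPath) {
        $line = ($raw -replace '#.*$', '').Trim()      # drop comments and blank lines
        if (-not $line) { continue }
        $key, $value = $line -split '\s+', 2
        if ($key -ieq 'Match') {
            # A Match line starts a conditional block that runs to the next Match
            $inMatch = $true
            $inAdminMatch = ("$value" -imatch '^Group\s+administrators$')
            continue
        }
        # Skip blocks we cannot evaluate, and the admin block for non-admins.
        # If only "Match Group administrators" was commented out, the
        # AuthorizedKeysFile line under it is now global and lands here.
        if ($inMatch -and -not ($inAdminMatch -and $IsAdmin)) { continue }
        if ($inAdminMatch) { $policy.AdminMatchApplies = $true }
        switch ($key) {
            'PubkeyAuthentication' { $policy.PubkeyAuthentication = $value }
            'AuthorizedKeysFile'   { $policy.AuthorizedKeysFile   = $value }
        }
    }
    return $policy
}

function Resolve-AuthorizedKeysPath {
    param([string]$Setting, [string]$Name)
    # sshd expands __PROGRAMDATA__, %h (home) and %u (user); relative paths sit under the home dir
    $homeDir = Join-Path "$env:SystemDrive\Users" $Name      # assumption: default profile location
    $p = $Setting -replace '__PROGRAMDATA__', $env:ProgramData
    $p = $p -replace '%u', $Name -replace '%h', $homeDir
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $homeDir $p }
    return ($p -replace '/', '\')
}

function Get-AuthorizedKeysAclFindings {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return @("missing: $Path") }
    $acl = Get-Acl -Path $Path
    $findings = @()
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'inheritance is still enabled (the Set-Acl block in the note disables it)'
    }
    # Only SYSTEM, Administrators and the file owner should appear in the ACL;
    # Repair-AuthorizedKeyPermission offers to strip anything else.
    $expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $acl.Owner)
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($expected -contains $id) { continue }
        $findings += "extra ACE: $id -> $($ace.FileSystemRights) ($($ace.AccessControlType))"
    }
    return $findings
}

function Get-SshServiceSummary {
    foreach ($name in 'sshd', 'ssh-agent') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { "$name : not installed" }
        else { "$name : $($svc.Status), startup type $($svc.StartType)" }
    }
}

$isAdmin = Test-LocalAdmin -Name $User
$policy  = Get-SshdKeyPolicy -ConfigPath $SshdConfig -IsAdmin $isAdmin
$keyFile = Resolve-AuthorizedKeysPath -Setting $policy.AuthorizedKeysFile -Name $User

"User '$User' is a local admin: $isAdmin"
"PubkeyAuthentication: $($policy.PubkeyAuthentication)"
"Match Group administrators block applies: $($policy.AdminMatchApplies)"
"sshd will read keys from: $keyFile"
$findings = Get-AuthorizedKeysAclFindings -Path $keyFile
if ($findings) { $findings | ForEach-Object { "  ACL: $_" } }
else { "  ACL: only owner/SYSTEM/Administrators, inheritance disabled" }
Get-SshServiceSummary
```

Run it as `.\Check-SshdKeyAuth.ps1 -User user1` (any file name works; this one is an assumption). If it reports that the admin Match block applies, `sshd` is reading `administrators_authorized_keys`, not the per-user file, which is the situation the note's first block runs into; if it reports extra ACEs or inheritance on the file, that is what `Repair-AuthorizedKeyPermission` or the `Set-Acl` block above corrects.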