Setting up OpenSSH for Windows using public key authentication

n0rd's solution is on the money but there's an added complication for users that are also in the administrator's group. If you're looking for a solution to a situation involving the following conditions:

The issue I ran across is that when I tried n0rd's solution it didn't work for users under the conditions above. After some tinkering, I found a solution that works consistently for me. Follow n0rd's solution and just change the following

In the ssh_config make sure the following settings are set:

AuthorizedKeysFile  .ssh/authorized_keys 
PasswordAuthentication no
PubkeyAuthentication yes

Also, make sure to comment out the Match Group Administrators setting:

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Make sure to include the client's public key in the server's C:\Users\username\.ssh\authorized_keys file.

Finally, to help match the user to the account I found it helpful to be more specific with the user data on the client. Instead of using the plain username, I used the username along with the domain of the user on the server. In my case, my client's C:\Users\UserName\.ssh\config file looked like this:

Host my_short_name
  HostName my.serveraddress.net
  User serversname\username
  IdentityFile .ssh\id_rsa

In this case, my Windows 10 server would be called serversname (under device name). By specifying the user in this way I could avoid password authentication.

As an added bonus, this worked very well with a default shell of PowerShell 7. Even my default PowerShell profile worked over ssh and I got full support for posh-git and oh-my-posh. However, I found that the default method suggested for making PowerShell the default shell environment (by editing the ssh_conf to include 'Subsystem powershell c:/progra~1/powershell/7/pwsh.exe -sshs -NoLogo') did not work for me. Instead, on the server use the command in an elevated PowerShell window:

New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "c:/progra~1/powershell/7/pwsh.exe" -PropertyType String -Force

This just creates a registry entry. You can always pop in the registry to remove it later if you want.
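
A check to run on the server after making the changes described above, added here as an example and not part of the original answer. With the Match block commented out, an administrator's keys are read from the profile's authorized_keys file, so the script reports the global sshd settings and any active Match blocks, then lists ACL entries on that file beyond SYSTEM, Administrators and the current user. The function names, the default %ProgramData%\ssh\sshd_config location and the English account names are assumptions.

```powershell
# Added example, not from the original answer. Paths are the Win32-OpenSSH
# defaults and the account names are the English ones; both are assumptions.

function Get-SshdGlobalSetting {
    # Returns global (pre-Match) keywords; sshd keeps the first value it reads.
    param([string[]]$ConfigLines)
    $settings = [ordered]@{ ActiveMatchBlocks = @() }
    $inMatch = $false
    foreach ($line in $ConfigLines) {
        $text = $line.Trim()
        if (-not $text -or $text.StartsWith('#')) { continue }
        $key, $value = $text -split '\s+', 2
        if ($key -ieq 'Match') {
            $inMatch = $true
            $settings['ActiveMatchBlocks'] += $value
        } elseif (-not $inMatch -and -not $settings.Contains($key)) {
            $settings[$key] = $value
        }
    }
    [pscustomobject]$settings
}

function Get-UnexpectedKeyFileAccess {
    # Lists ACL entries on an authorized_keys file other than the expected ones.
    param([string]$Path, [string[]]$Expected)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $Expected -notcontains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Constructed sample matching the settings shown in the answer.
$sample = @(
    'AuthorizedKeysFile  .ssh/authorized_keys'
    'PasswordAuthentication no'
    'PubkeyAuthentication yes'
    '#Match Group administrators'
    '#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys'
)
Get-SshdGlobalSetting -ConfigLines $sample | Format-List

# On a real server (assumed default locations):
$config = "$env:ProgramData\ssh\sshd_config"
if (Test-Path $config) { Get-SshdGlobalSetting (Get-Content $config) | Format-List }
$keys = "$env:USERPROFILE\.ssh\authorized_keys"
if (Test-Path $keys) {
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Get-UnexpectedKeyFileAccess $keys @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $me)
}
```

An empty ActiveMatchBlocks list together with PasswordAuthentication no and PubkeyAuthentication yes matches the configuration described in the answer; any rows returned by the ACL check are entries to review.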