Setting SSH keys on Windows 10 OpenSSH server



























I've set up OpenSSH on various flavors of Linux tons of times. But I can't for the life of me get it functioning correctly on Windows.

There seem to be two sides to the issue. The permissions and the key used by sshd/ssh-agent.

Permissions

Every page I read has a different answer for the correct permissions. Some work, and sometimes the program complains about them.

From what I understand the keys should all be owned by SYSTEM, with read access for NT SERVICE\sshd and Full Control for Administrators and SYSTEM? (As I understand SYSTEM and Administrators represent root in Windows). I read in the documentation that the read access is only necessary if not using ssh-add/ssh-agent. I also configured the same permissions for the %USERPROFILE%/.ssh/authorized_keys file and added the .pub of the Ed25519 key, which is the one I'm using to try and connect, though I've also tried it with my own generated RSA key.

With the permissions set this way the program doesn't complain when adding keys to the agent or running the daemon. The only option I changed in sshd_config is the ListenAddress, which was binding to 0.0.0.0; I set it to the machine's local IP as SSH will only be used locally.

Keys

When I run sshd.exe with the -d option, I notice it importing the 4 default keys from %PROGRAMDATA%/ssh. When I added the ed25519.pub key to authorized_keys it was followed by HOSTNAME@workstation@HOSTNAME, HOSTNAME being my PC's hostname. Normally I would expect to see user@host. I tried creating my own key and adding it but when I run sshd.exe -d it never seems to use anything other than the default keys.

In the end, I'm unable to connect to the OpenSSH server, and the logs in %PROGRAMDATA%/ssh/Logs only seem to show the server starting. To sum up my questions: What are the correct permissions for the key files and authorized_hosts? Does the annotation in authorized_keys being wrong make a difference? Should I be adding all of the default keys .pub's into authorized_hosts? And last, what does sshd mean when it mentions those keys during startup (see log)? Shouldn't my own generated key just work as long as I add it to authorized_hosts?

debug1: sshd version OpenSSH_for_Windows_7.6, LibreSSL 2.6.4
debug1: private host key #0: ssh-rsa SHA256:and12LVkEqyXJ2gr0SxFEQObaSFF+Czlcnx2uFjZaJQ
debug1: private host key #1: ssh-dss SHA256:waeLdy4Sm3NT+zbwEMIhbfl8TLe6WeQ0MuZE07CzFQU
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:G8/7y/04cSE3EezTrcmpK4lRmJ5f5I/CDPcHaPzsv4o
debug1: private host key #3: ssh-ed25519 SHA256:Jvn9UjsbdzH54L/yvGYGfCzJQVIMiIWL5RETbaL2ACA
debug1: rexec_argv[0]='C:\WINDOWS\System32\OpenSSH\sshd.exe'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on 192.168.1.144.
Server listening on 192.168.1.144 port 22.









      windows windows-10 ssh permissions openssh






edited Oct 15 '18 at 13:49 by Martin Prikryl
asked Jul 23 '18 at 0:13 by shenk






















          1 Answer














You seem to mix server host keys and your account public keys.

Server host keys are generated by Win32-OpenSSH in %PROGRAMDATA%/ssh on its first start. They are also given correct permissions, no need to modify them. These are the keys you see loaded as "private host key" in your log. That also indicates they have the correct permissions (otherwise they won't load).

Your account public keys go to %USERPROFILE%/.ssh/authorized_keys. That file must have write access only to the account to which they belong.

The authorized_keys file should contain the public key part of your account key pair. That's in no way related to .pub files from %PROGRAMDATA%/ssh.

A comment in the authorized_keys file does not matter at all.

Keys from the authorized_keys file are not loaded when the server starts. They are loaded only when you try to log in.

See also my guide to Setting up SSH public key authentication on Win32-OpenSSH.











Incredible! Thanks man worked like charm. – Elad Weiss, Jan 6 at 10:41











answered Jul 23 '18 at 7:49, edited Jan 6 at 13:02
Martin Prikryl
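The distinction the answer draws can be checked mechanically. The following is an added example, not part of the original answer and not Win32-OpenSSH code: it computes the SHA256 fingerprint of each authorized_keys entry (the comment takes no part in it) and flags any entry whose fingerprint matches a "private host key" line from `sshd -d` output, which means a host key `.pub` was pasted in by mistake. Function names and the sample keys and log are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
HOST_KEY_RE = re.compile(r"private host key #\d+: (\S+) (SHA256:\S+)")


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form sshd and ssh-keygen -l print it."""
    blob = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (keytype, fingerprint, comment) for each valid key line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok not in KEY_TYPES:
                continue  # leading options such as no-pty precede the type
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except (binascii.Error, ValueError):
                continue
            if len(blob) < 4:
                continue
            # The blob starts with its own length-prefixed type string.
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n].decode("ascii", "replace") != tok:
                continue
            yield tok, fingerprint(tokens[i + 1]), " ".join(tokens[i + 2:])
            break


def audit(authorized_keys_text, sshd_debug_log):
    """List entries, marking those that are really the server's host keys."""
    host_fps = {fp for _type, fp in HOST_KEY_RE.findall(sshd_debug_log)}
    return [{"type": t, "fingerprint": fp, "comment": c,
             "is_host_key": fp in host_fps}
            for t, fp, c in parse_authorized_keys(authorized_keys_text)]


def _ed25519_blob(raw32):
    body = b"ssh-ed25519"
    return base64.b64encode(struct.pack(">I", len(body)) + body +
                            struct.pack(">I", 32) + raw32).decode()


# Constructed sample data: neither key belongs to a real machine.
HOST_BLOB = _ed25519_blob(bytes(range(32)))
USER_BLOB = _ed25519_blob(bytes(range(32, 64)))
SAMPLE_LOG = ("debug1: sshd version OpenSSH_for_Windows_7.6, LibreSSL 2.6.4\n"
              "debug1: private host key #0: ssh-ed25519 "
              + fingerprint(HOST_BLOB) + "\n")
SAMPLE_AUTHORIZED_KEYS = (
    "# host key .pub pasted by mistake\n"
    "ssh-ed25519 " + HOST_BLOB + " HOSTNAME@workstation@HOSTNAME\n"
    "no-pty ssh-ed25519 " + USER_BLOB + " any comment at all\n")

if __name__ == "__main__":
    for entry in audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_LOG):
        print(entry)
```

An entry reported with `is_host_key` set authorizes nobody useful: the matching private key lives on the server, not with the connecting client.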







