Windows 2022
Sponsored Link

OpenSSH : SSH Key-Pair Authentication2021/12/01
 
Configure SSH Key-Pair Authentication.
[1] By default setting of OpenSSH on Windows, public-key file-name for common users is the same with Linux default (authorized_keys), however, [Administrators] group is configured another file name, so take care it for configuration. 
PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

# for common users, it's [authorized_keys]
PS C:\Users\Administrator> Get-Content C:\ProgramData\ssh\sshd_config | Select-String -Pattern "^AuthorizedKeysFile" 

AuthorizedKeysFile      .ssh/authorized_keys


# for [Administrators] group, it's [administrators_authorized_keys]
PS C:\Users\Administrator> Get-Content C:\ProgramData\ssh\sshd_config -Tail 3 

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
[2] Logon as a user you'd like to set SSH key-pair and run PowerShell to configure. 
PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

# create key-pair
PS C:\Users\serverworld> ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\serverworld/.ssh/id_rsa):   # Enter or input changes if you want
Created directory 'C:\Users\serverworld/.ssh'.
Enter passphrase (empty for no passphrase):   # set passphrase (if set no passphrase, Enter with empty)
Enter same passphrase again:
Your identification has been saved in C:\Users\serverworld/.ssh/id_rsa.
Your public key has been saved in C:\Users\serverworld/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:mOyrz2MfAghFfjgBsnPVhFR3rDC3rtWbrz6kNc/2/DQ serverworld@RX-7
The key's randomart image is:

PS C:\Users\serverworld> cd .ssh 
PS C:\Users\serverworld\.ssh> ls 

    Directory: C:\Users\serverworld\.ssh


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        11/29/2021  11:53 PM           2655 id_rsa
-a----        11/29/2021  11:53 PM            571 id_rsa.pub

# rename public-key
PS C:\Users\serverworld\.ssh> mv id_rsa.pub authorized_keys 
PS C:\Users\serverworld\.ssh> ls 

    Directory: C:\Users\serverworld\.ssh


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        11/29/2021  11:53 PM            571 authorized_keys
-a----        11/29/2021  11:53 PM           2655 id_rsa

# verify access permission of public-key
PS C:\Users\serverworld\.ssh> icacls authorized_keys 
authorized_keys BUILTIN\Administrators:(F)
                NT AUTHORITY\SYSTEM:(F)
                RX-7\Serverworld:(M)
                Everyone:(RX)

Successfully processed 1 files; Failed processing 0 files

# if [Everyone] is allowed on public-key, it prevents SSH key-pair authentication, so remove it
PS C:\Users\serverworld\.ssh> icacls authorized_keys /remove Everyone 
processed file: authorized_keys
Successfully processed 1 files; Failed processing 0 files

PS C:\Users\serverworld\.ssh> icacls authorized_keys 
authorized_keys BUILTIN\Administrators:(F)
                NT AUTHORITY\SYSTEM:(F)
                RX-7\Serverworld:(M)

Successfully processed 1 files; Failed processing 0 files
[3] Transfer the private key created on the Server to a Client, then it's possbile to login with Key-Pair authentication. 
PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

# create [.ssh] folder if it does not exist
PS C:\Users\serverworld> mkdir .ssh 
PS C:\Users\serverworld> cd .ssh 

# transfer the private key to the local ssh directory
PS C:\Users\serverworld\.ssh> scp Serverworld@10.0.0.101:'C:\Users\serverworld\.ssh\id_rsa' ./ 
The authenticity of host '10.0.0.101 (10.0.0.101)' can't be established.
ECDSA key fingerprint is SHA256:CVf0V+qRYgYcyqEcjMOCRNqpUsikvx/Pl5fLixYjMWY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.0.101' (ECDSA) to the list of known hosts.
Serverworld@10.0.0.101's password:
id_rsa                                                                                        100% 2655     2.6KB/s   00:00

PS C:\Users\serverworld\.ssh> ls 

    Directory: C:\Users\serverworld\.ssh


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        2021/11/30      2:07           2655 id_rsa
-a----        2021/11/30      2:07            173 known_hosts

# verify access
PS C:\Users\serverworld\.ssh> ssh Serverworld@10.0.0.101 hostname
Enter passphrase for key 'C:\Users\serverworld/.ssh/id_rsa':   # passphrase if you set
RX-7   # authenticated
[3] If you set [PasswordAuthentication no], it's more secure. 
PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

# change to [PasswordAuthentication no]
PS C:\Users\Administrator> (Get-Content C:\ProgramData\ssh\sshd_config).Replace("#PasswordAuthentication yes","PasswordAuthentication no") | Set-Content C:\ProgramData\ssh\sshd_config 

PS C:\Users\Administrator> Restart-Service -Name "sshd"
Matched Content