(Friday) November 18, 2022

Setup OpenSSH Server on Windows 11 with Key-based Authencation

This article shares to setup the OpenSSH server on Windows 11. By installing the OpenSSH, it enables us to remote access our computer by using SSH command and transfer file using SFTP.

Install OpenSSH Server

Open the Start Menu and type Optional Features in the search bar.

Optional Features

Open the Optional Features and click on the View Features button and type OpenSSH in the search bar.

View Features

Check the checkbox beside the OpenSSH Server and click on Next button and wait for the installing to complete.

OpenSSH Server Feature

Once the installation has completed, open the PowerShell and type Get-Service sshd to ensure the service is available. The service status should display as Stopped at this time.

OpenSSH Service Stopped

Start the Service on Startup

We need to startup the service automatically whenever Windows starts after installing the SSH service. Otherwise, we have to go to Service to toggle the service everytime the computer starts.

We can do this by entering the following command on PowerShell. Get-Service -Name sshd | Set-Service -StartupType Automatic.

Next we have to start the service by running Start-Service sshd.

Once we run the Get-Service sshd again, the status should be changed to Running.

Create Public and Private Keys

The next step we need to do is to generate a pair of keys.

You can run the following command to generate a new key pair.

ssh-keygen -t ed25519

You should received the prompt like the following.

You can press Enter by default unless you want to store your keys on different location.

Generating public/private ed25519 key pair.
Enter file in which to save the key (C:\Users\username/.ssh/id_ed25519):

Lastly, it will prompt you for password to secure your private key.

We aren't using any password in this guide, so we can press Enter to proceed

> Enter passphrase (empty for no passphrase): [Type a passphrase]
> Enter same passphrase again: [Type passphrase again]

Most of the information can be found at Microsoft documentation.

Add Public Key to Authorized_Keys

We need to add the content of the public key into the authorized_keys text file before otherwise the server will reject the private key.

$key = Get-Content -Path $env:USERPROFILE\.ssh\<your-public-key>.pub

New-Item -Force -ItemType Directory -Path $env:USERPROFILE\.ssh; Add-Content -Force -Path $env:USERPROFILE\.ssh\authorized_keys -Value $key

If you're administrator user, the content of the public key needs to be placed into a text file called administrators_authorized_keys in C:\ProgramData\ssh (by default).


Access to the SSH Server

Let's try to access the SSH server by using the following command.

ssh -i <path-to-your-private-key> username@ip-address

Finding Username

You can obtain your username by running $env:hostname from your PowerShell.

Finding Local IP Address

Running the following command helps to obtain the IP address, otherwise try to use ipconfig /all to check.

Get-NetIPAddress -AddressFamily IPv4 -InterfaceIndex $(Get-NetConnectionProfile | Select-Object -ExpandProperty InterfaceIndex) | Select-Object -ExpandProperty IPAddress

Once you have everything ready, just replace the placeholder with your information and you're done.

Note: If the SSH is prompting for password after providing the private key, please read the following step

Setup sshd_config

If you're the Administrator user, you might encounter the terminal keep prompting for password input even private key provided.

Removing the following line of code from ssh_config file to resolve it.

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Optional: Set the path directory

This step allows user to access to the default directory when accessing the SFTP. You should able to find this line of code from the file. #ChrootDirectory none and uncomment it by removing the # then change the none to your preferred directory. For my case, I change it to D:\Downloads.

Restart the SSH server by typing Restart-Service sshd.

Reference: https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview


Please don't hesitate to submit a PR there is any misinformation, or adding information.