OpenSSH : SSH Key-Pair Authentication2021/12/01 |
Configure SSH Key-Pair Authentication.
|
|
[1] | By default setting of OpenSSH on Windows, public-key file-name for common users is the same with Linux default (authorized_keys), however, [Administrators] group is configured another file name, so take care it for configuration. |
PowerShell Copyright (C) Microsoft Corporation. All rights reserved. # for common users, it's [authorized_keys] PS C:\Users\Administrator> Get-Content C:\ProgramData\ssh\sshd_config | Select-String -Pattern "^AuthorizedKeysFile" AuthorizedKeysFile .ssh/authorized_keys # for [Administrators] group, it's [administrators_authorized_keys] PS C:\Users\Administrator> Get-Content C:\ProgramData\ssh\sshd_config -Tail 3 Match Group administrators AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys |
[2] | Logon as a user you'd like to set SSH key-pair and run PowerShell to configure. |
PowerShell Copyright (C) Microsoft Corporation. All rights reserved. # create key-pair PS C:\Users\serverworld> ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (C:\Users\serverworld/.ssh/id_rsa): # Enter or input changes if you want Created directory 'C:\Users\serverworld/.ssh'. Enter passphrase (empty for no passphrase): # set passphrase (if set no passphrase, Enter with empty) Enter same passphrase again: Your identification has been saved in C:\Users\serverworld/.ssh/id_rsa. Your public key has been saved in C:\Users\serverworld/.ssh/id_rsa.pub. The key fingerprint is: SHA256:mOyrz2MfAghFfjgBsnPVhFR3rDC3rtWbrz6kNc/2/DQ serverworld@RX-7 The key's randomart image is: PS C:\Users\serverworld> cd .ssh PS C:\Users\serverworld\.ssh> ls Directory: C:\Users\serverworld\.ssh Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 11/29/2021 11:53 PM 2655 id_rsa -a---- 11/29/2021 11:53 PM 571 id_rsa.pub # rename public-key PS C:\Users\serverworld\.ssh> mv id_rsa.pub authorized_keys PS C:\Users\serverworld\.ssh> ls Directory: C:\Users\serverworld\.ssh Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 11/29/2021 11:53 PM 571 authorized_keys -a---- 11/29/2021 11:53 PM 2655 id_rsa # verify access permission of public-key PS C:\Users\serverworld\.ssh> icacls authorized_keys authorized_keys BUILTIN\Administrators:(F) NT AUTHORITY\SYSTEM:(F) RX-7\Serverworld:(M) Everyone:(RX) Successfully processed 1 files; Failed processing 0 files # if [Everyone] is allowed on public-key, it prevents SSH key-pair authentication, so remove it PS C:\Users\serverworld\.ssh> icacls authorized_keys /remove Everyone processed file: authorized_keys Successfully processed 1 files; Failed processing 0 files PS C:\Users\serverworld\.ssh> icacls authorized_keys authorized_keys BUILTIN\Administrators:(F) NT AUTHORITY\SYSTEM:(F) RX-7\Serverworld:(M) Successfully processed 1 files; Failed processing 0 files |
[3] | Transfer the private key created on the Server to a Client, then it's possbile to login with Key-Pair authentication. |
PowerShell Copyright (C) Microsoft Corporation. All rights reserved. # create [.ssh] folder if it does not exist PS C:\Users\serverworld> mkdir .ssh PS C:\Users\serverworld> cd .ssh # transfer the private key to the local ssh directory PS C:\Users\serverworld\.ssh> scp Serverworld@10.0.0.101:'C:\Users\serverworld\.ssh\id_rsa' ./ The authenticity of host '10.0.0.101 (10.0.0.101)' can't be established. ECDSA key fingerprint is SHA256:CVf0V+qRYgYcyqEcjMOCRNqpUsikvx/Pl5fLixYjMWY. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.0.0.101' (ECDSA) to the list of known hosts. Serverworld@10.0.0.101's password: id_rsa 100% 2655 2.6KB/s 00:00 PS C:\Users\serverworld\.ssh> ls Directory: C:\Users\serverworld\.ssh Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 2021/11/30 2:07 2655 id_rsa -a---- 2021/11/30 2:07 173 known_hosts # verify access PS C:\Users\serverworld\.ssh> ssh Serverworld@10.0.0.101 hostname Enter passphrase for key 'C:\Users\serverworld/.ssh/id_rsa': # passphrase if you set RX-7 # authenticated |
[3] | If you set [PasswordAuthentication no], it's more secure. |
PowerShell Copyright (C) Microsoft Corporation. All rights reserved. # change to [PasswordAuthentication no] PS C:\Users\Administrator> (Get-Content C:\ProgramData\ssh\sshd_config).Replace("#PasswordAuthentication yes","PasswordAuthentication no") | Set-Content C:\ProgramData\ssh\sshd_config PS C:\Users\Administrator> Restart-Service -Name "sshd" |
Sponsored Link |
|