OpenSSH on Windows
-
SSH is a secure shell, a remote access tool that Linux/UNIX users have been using for years and years. Many projects have attempted to get SSH onto Windows over the years, with various level of success. So I was thrilled when Microsoft finally seems to embrace it and made it a feature of Windows 10 and then 11.
Windows is such a confused and confusing beast for so long! One has to marvel at its monstrosity!
Back to OpenSSH on Windows. I recently got myself a Windows 11 mini PC. I normally just use Remote Desktop with it. But I want to use it for coding so I would like to get SSH working with a key instead of using password.
I thought that would be easy!
And I would be wrong!
Windows is dead set to deny connection using an SSH key!
It accepts my password. But when I put this in
sshd_config:PasswordAuthentication noIt simply responds with
Permission denied (publickey).I asked Microsoft Copilot about the error. It suggested that I should make sure that my public key is in the
C:\Users\<target-username>\.ssh\authorized_keysfile and make sure that it has proper permissions:icacls "$env:USERPROFILE\.ssh\authorized_keys" /inheritance:r icacls "$env:USERPROFILE\.ssh\authorized_keys" /grant "$env:USERNAME:F"We went back and forth about
icaclsworking differently in a PowerShell window vs. Command, verifying that the permissions were right, stopping and restartingsshdservice numerous times, etc.. Nothing worked! On the client (Linux) side,ssh -vvvshowed that various keys were presented to the server, none were accepted.Copilot suggested creating a new pair of keys and
ssh-copy-idthe new public key to the remote host and test with that specifically. Didn't work!Copilot suggested to debug with an interactive
sshd.exe -dddrun in Windows. That got me some complaints about UNPROTECTED PRIVATE KEY FILE!. Now that seems to indicate thatsshdmay also have the same issue reading private host keys when starting as a service.Copilot thought so, too. It said that this is the breakthrough we needed.
It told me to open up the Command Prompt as Administrator and ran these commands:
cd C:\ProgramData\ssh :: Remove inheritance icacls ssh_host_rsa_key /inheritance:r icacls ssh_host_ecdsa_key /inheritance:r icacls ssh_host_ed25519_key /inheritance:r :: Remove all existing permissions icacls ssh_host_rsa_key /remove:g Everyone icacls ssh_host_ecdsa_key /remove:g Everyone icacls ssh_host_ed25519_key /remove:g Everyone :: Grant SYSTEM and Administrators full control icacls ssh_host_rsa_key /grant SYSTEM:F icacls ssh_host_rsa_key /grant Administrators:F icacls ssh_host_ecdsa_key /grant SYSTEM:F icacls ssh_host_ecdsa_key /grant Administrators:F icacls ssh_host_ed25519_key /grant SYSTEM:F icacls ssh_host_ed25519_key /grant Administrators:FBut
sshdstill complained about UNPROTECTED PRIVATE KEY FILE!.Copilot gave more suggestions:
cd C:\ProgramData\ssh :: Remove all existing permissions icacls ssh_host_rsa_key /reset icacls ssh_host_ecdsa_key /reset icacls ssh_host_ed25519_key /reset :: Remove inheritance icacls ssh_host_rsa_key /inheritance:r icacls ssh_host_ecdsa_key /inheritance:r icacls ssh_host_ed25519_key /inheritance:r :: Grant SYSTEM full control icacls ssh_host_rsa_key /grant SYSTEM:F icacls ssh_host_ecdsa_key /grant SYSTEM:F icacls ssh_host_ed25519_key /grant SYSTEM:F :: Grant Administrators full control icacls ssh_host_rsa_key /grant Administrators:F icacls ssh_host_ecdsa_key /grant Administrators:F icacls ssh_host_ed25519_key /grant Administrators:FWe verified permissions:
icacls ssh_host_rsa_key ssh_host_rsa_key BUILTIN\Administrators:(F) NT AUTHORITY\SYSTEM:(F) Successfully processed 1 files; Failed processing 0 filesAt one point along the way, the
icaclscommand complained thatssh_host_rsa_key: Access is denied.And we did more:
takeown /F ssh_host_rsa_key takeown /F ssh_host_ecdsa_key takeown /F ssh_host_ed25519_keyReset permissions:
icacls ssh_host_rsa_key /reset icacls ssh_host_ecdsa_key /reset icacls ssh_host_ed25519_key /resetRemove inheritance:
icacls ssh_host_rsa_key /inheritance:r icacls ssh_host_ecdsa_key /inheritance:r icacls ssh_host_ed25519_key /inheritance:rGrant Only SYSTEM and Administrators Full Control:
icacls ssh_host_rsa_key /grant "SYSTEM:F" icacls ssh_host_rsa_key /grant "Administrators:F" icacls ssh_host_ecdsa_key /grant "SYSTEM:F" icacls ssh_host_ecdsa_key /grant "Administrators:F" icacls ssh_host_ed25519_key /grant "SYSTEM:F" icacls ssh_host_ed25519_key /grant "Administrators:F"Now,
sshd.exe -dddno longer complained in Command Prompt. But the OpenSSH service would not start anymore.I was frustrated enough at that point. I removed the OpenSSH feature from Windows. I found an OpenSSH Preview package with version 9.8.3.0. I tried that.
The OpenSSH Server service process would NOT start.
Uninstalled that. Put the regular OpsnSSH feature back in.
The OpenSSH Server service process would NOT start.
I gave up! Even Copilot is confused. I am going to try StackOverflow, SuperUser, or some other community.
[EDIT] 2025-09-28 -- Posted it to Superuser.
-
SSH is a secure shell, a remote access tool that Linux/UNIX users have been using for years and years. Many projects have attempted to get SSH onto Windows over the years, with various level of success. So I was thrilled when Microsoft finally seems to embrace it and made it a feature of Windows 10 and then 11.
Windows is such a confused and confusing beast for so long! One has to marvel at its monstrosity!
Back to OpenSSH on Windows. I recently got myself a Windows 11 mini PC. I normally just use Remote Desktop with it. But I want to use it for coding so I would like to get SSH working with a key instead of using password.
I thought that would be easy!
And I would be wrong!
Windows is dead set to deny connection using an SSH key!
It accepts my password. But when I put this in
sshd_config:PasswordAuthentication noIt simply responds with
Permission denied (publickey).I asked Microsoft Copilot about the error. It suggested that I should make sure that my public key is in the
C:\Users\<target-username>\.ssh\authorized_keysfile and make sure that it has proper permissions:icacls "$env:USERPROFILE\.ssh\authorized_keys" /inheritance:r icacls "$env:USERPROFILE\.ssh\authorized_keys" /grant "$env:USERNAME:F"We went back and forth about
icaclsworking differently in a PowerShell window vs. Command, verifying that the permissions were right, stopping and restartingsshdservice numerous times, etc.. Nothing worked! On the client (Linux) side,ssh -vvvshowed that various keys were presented to the server, none were accepted.Copilot suggested creating a new pair of keys and
ssh-copy-idthe new public key to the remote host and test with that specifically. Didn't work!Copilot suggested to debug with an interactive
sshd.exe -dddrun in Windows. That got me some complaints about UNPROTECTED PRIVATE KEY FILE!. Now that seems to indicate thatsshdmay also have the same issue reading private host keys when starting as a service.Copilot thought so, too. It said that this is the breakthrough we needed.
It told me to open up the Command Prompt as Administrator and ran these commands:
cd C:\ProgramData\ssh :: Remove inheritance icacls ssh_host_rsa_key /inheritance:r icacls ssh_host_ecdsa_key /inheritance:r icacls ssh_host_ed25519_key /inheritance:r :: Remove all existing permissions icacls ssh_host_rsa_key /remove:g Everyone icacls ssh_host_ecdsa_key /remove:g Everyone icacls ssh_host_ed25519_key /remove:g Everyone :: Grant SYSTEM and Administrators full control icacls ssh_host_rsa_key /grant SYSTEM:F icacls ssh_host_rsa_key /grant Administrators:F icacls ssh_host_ecdsa_key /grant SYSTEM:F icacls ssh_host_ecdsa_key /grant Administrators:F icacls ssh_host_ed25519_key /grant SYSTEM:F icacls ssh_host_ed25519_key /grant Administrators:FBut
sshdstill complained about UNPROTECTED PRIVATE KEY FILE!.Copilot gave more suggestions:
cd C:\ProgramData\ssh :: Remove all existing permissions icacls ssh_host_rsa_key /reset icacls ssh_host_ecdsa_key /reset icacls ssh_host_ed25519_key /reset :: Remove inheritance icacls ssh_host_rsa_key /inheritance:r icacls ssh_host_ecdsa_key /inheritance:r icacls ssh_host_ed25519_key /inheritance:r :: Grant SYSTEM full control icacls ssh_host_rsa_key /grant SYSTEM:F icacls ssh_host_ecdsa_key /grant SYSTEM:F icacls ssh_host_ed25519_key /grant SYSTEM:F :: Grant Administrators full control icacls ssh_host_rsa_key /grant Administrators:F icacls ssh_host_ecdsa_key /grant Administrators:F icacls ssh_host_ed25519_key /grant Administrators:FWe verified permissions:
icacls ssh_host_rsa_key ssh_host_rsa_key BUILTIN\Administrators:(F) NT AUTHORITY\SYSTEM:(F) Successfully processed 1 files; Failed processing 0 filesAt one point along the way, the
icaclscommand complained thatssh_host_rsa_key: Access is denied.And we did more:
takeown /F ssh_host_rsa_key takeown /F ssh_host_ecdsa_key takeown /F ssh_host_ed25519_keyReset permissions:
icacls ssh_host_rsa_key /reset icacls ssh_host_ecdsa_key /reset icacls ssh_host_ed25519_key /resetRemove inheritance:
icacls ssh_host_rsa_key /inheritance:r icacls ssh_host_ecdsa_key /inheritance:r icacls ssh_host_ed25519_key /inheritance:rGrant Only SYSTEM and Administrators Full Control:
icacls ssh_host_rsa_key /grant "SYSTEM:F" icacls ssh_host_rsa_key /grant "Administrators:F" icacls ssh_host_ecdsa_key /grant "SYSTEM:F" icacls ssh_host_ecdsa_key /grant "Administrators:F" icacls ssh_host_ed25519_key /grant "SYSTEM:F" icacls ssh_host_ed25519_key /grant "Administrators:F"Now,
sshd.exe -dddno longer complained in Command Prompt. But the OpenSSH service would not start anymore.I was frustrated enough at that point. I removed the OpenSSH feature from Windows. I found an OpenSSH Preview package with version 9.8.3.0. I tried that.
The OpenSSH Server service process would NOT start.
Uninstalled that. Put the regular OpsnSSH feature back in.
The OpenSSH Server service process would NOT start.
I gave up! Even Copilot is confused. I am going to try StackOverflow, SuperUser, or some other community.
[EDIT] 2025-09-28 -- Posted it to Superuser.
One of the frustrating thing about OpenSSH on Windows is that all the logs are in Windows Event Logs, and there's not much it does log about what is going on, even though Copilot had me change the log level in
sshd_config:LogLevel DEBUG3Will try to get more out of the logs later.
-
It seems that I cannot even add the OpenSSH Client feature using the Windows Settings app.
It tries. Then it just says Couldn't add.
Adding OpenSSH Server seems to work -- It says Added.
Get-WindowsCapability -Online | ? Name -like 'OpenSSH*' Name : OpenSSH.Client~~~~0.0.1.0 State : NotPresent Name : OpenSSH.Server~~~~0.0.1.0 State : InstalledHowever, there is no OpenSSH Server service in the Services app.
Sigh!
-
It seems that I cannot even add the OpenSSH Client feature using the Windows Settings app.
It tries. Then it just says Couldn't add.
Adding OpenSSH Server seems to work -- It says Added.
Get-WindowsCapability -Online | ? Name -like 'OpenSSH*' Name : OpenSSH.Client~~~~0.0.1.0 State : NotPresent Name : OpenSSH.Server~~~~0.0.1.0 State : InstalledHowever, there is no OpenSSH Server service in the Services app.
Sigh!
Try again!
Removing it first:
> Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 Path : Online : True RestartNeeded : FalseChecking:
> Get-WindowsCapability -Online | ? Name -like 'OpenSSH*' Name : OpenSSH.Client~~~~0.0.1.0 State : NotPresent Name : OpenSSH.Server~~~~0.0.1.0 State : NotPresentInstall again:
> Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 Add-WindowsCapability : The operation could not be completed due to pending operations. At line:1 char:1 + Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Add-WindowsCapability], COMException + FullyQualifiedErrorId : Microsoft.Dism.Commands.AddWindowsCapabilityCommandReally?
When in doubt, reboot!?
Rebooted. Try again! Same message!!
Trying to post a question in Microsoft Windows Community. I got a stern warning:
