9Rivers.BBS

    OpenSSH on Windows

    Category: tech talk (聊技术)
    4 Posts 1 Posters 238 Views
    ww9rivers (last edited by ww9rivers)

      SSH is a secure shell, a remote access tool that Linux/UNIX users have been using for years and years. Many projects have attempted to get SSH onto Windows over the years, with various levels of success. So I was thrilled when Microsoft finally seemed to embrace it and made it a feature of Windows 10 and then 11.

      Windows has been such a confused and confusing beast for so long! One has to marvel at its monstrosity!

      Back to OpenSSH on Windows. I recently got myself a Windows 11 mini PC. I normally just use Remote Desktop with it. But I want to use it for coding, so I would like to get SSH working with a key instead of a password.

      I thought that would be easy!

      And I would be wrong!

      Windows is dead set to deny connection using an SSH key!

      It accepts my password. But when I put this in sshd_config:

      PasswordAuthentication no
      

      It simply responds with Permission denied (publickey).

      I asked Microsoft Copilot about the error. It suggested that I should make sure that my public key is in the C:\Users\<target-username>\.ssh\authorized_keys file and make sure that it has the proper permissions:

      # PowerShell syntax; $( ) keeps the trailing ":F" out of the variable name
      icacls "$env:USERPROFILE\.ssh\authorized_keys" /inheritance:r
      icacls "$env:USERPROFILE\.ssh\authorized_keys" /grant "$($env:USERNAME):F"
      

      We went back and forth about icacls working differently in a PowerShell window vs. the Command Prompt, verifying that the permissions were right, stopping and restarting the sshd service numerous times, etc. Nothing worked! On the client (Linux) side, ssh -vvv showed that various keys were presented to the server; none were accepted.

      Copilot suggested creating a new key pair, using ssh-copy-id to copy the new public key to the remote host, and testing with that specifically. Didn't work!

      Copilot suggested debugging with an interactive sshd.exe -ddd run in Windows. That got me some complaints about UNPROTECTED PRIVATE KEY FILE! Now that seems to indicate that sshd may also have the same issue reading the private host keys when starting as a service.

      Copilot thought so, too. It said that this is the breakthrough we needed.

      It told me to open up the Command Prompt as Administrator and run these commands:

      cd C:\ProgramData\ssh
      
      :: Remove inheritance
      icacls ssh_host_rsa_key /inheritance:r
      icacls ssh_host_ecdsa_key /inheritance:r
      icacls ssh_host_ed25519_key /inheritance:r
      
      :: Remove all existing permissions
      icacls ssh_host_rsa_key /remove:g Everyone
      icacls ssh_host_ecdsa_key /remove:g Everyone
      icacls ssh_host_ed25519_key /remove:g Everyone
      
      :: Grant SYSTEM and Administrators full control
      icacls ssh_host_rsa_key /grant SYSTEM:F
      icacls ssh_host_rsa_key /grant Administrators:F
      
      icacls ssh_host_ecdsa_key /grant SYSTEM:F
      icacls ssh_host_ecdsa_key /grant Administrators:F
      
      icacls ssh_host_ed25519_key /grant SYSTEM:F
      icacls ssh_host_ed25519_key /grant Administrators:F
      

      But sshd still complained about UNPROTECTED PRIVATE KEY FILE!.

      Copilot gave more suggestions:

      cd C:\ProgramData\ssh
      
      :: Remove all existing permissions
      icacls ssh_host_rsa_key /reset
      icacls ssh_host_ecdsa_key /reset
      icacls ssh_host_ed25519_key /reset
      
      :: Remove inheritance
      icacls ssh_host_rsa_key /inheritance:r
      icacls ssh_host_ecdsa_key /inheritance:r
      icacls ssh_host_ed25519_key /inheritance:r
      
      :: Grant SYSTEM full control
      icacls ssh_host_rsa_key /grant SYSTEM:F
      icacls ssh_host_ecdsa_key /grant SYSTEM:F
      icacls ssh_host_ed25519_key /grant SYSTEM:F
      
      :: Grant Administrators full control
      icacls ssh_host_rsa_key /grant Administrators:F
      icacls ssh_host_ecdsa_key /grant Administrators:F
      icacls ssh_host_ed25519_key /grant Administrators:F
      

      We verified permissions:

      icacls ssh_host_rsa_key
      ssh_host_rsa_key BUILTIN\Administrators:(F)
                       NT AUTHORITY\SYSTEM:(F)
      
      Successfully processed 1 files; Failed processing 0 files
      

      At one point along the way, the icacls command complained that ssh_host_rsa_key: Access is denied.

      And we did more:

      takeown /F ssh_host_rsa_key
      takeown /F ssh_host_ecdsa_key
      takeown /F ssh_host_ed25519_key
      

      Reset permissions:

      icacls ssh_host_rsa_key /reset
      icacls ssh_host_ecdsa_key /reset
      icacls ssh_host_ed25519_key /reset
      

      Remove inheritance:

      icacls ssh_host_rsa_key /inheritance:r
      icacls ssh_host_ecdsa_key /inheritance:r
      icacls ssh_host_ed25519_key /inheritance:r
      

      Grant Only SYSTEM and Administrators Full Control:

      icacls ssh_host_rsa_key /grant "SYSTEM:F"
      icacls ssh_host_rsa_key /grant "Administrators:F"
      
      icacls ssh_host_ecdsa_key /grant "SYSTEM:F"
      icacls ssh_host_ecdsa_key /grant "Administrators:F"
      
      icacls ssh_host_ed25519_key /grant "SYSTEM:F"
      icacls ssh_host_ed25519_key /grant "Administrators:F"
      

      Now, sshd.exe -ddd no longer complained in Command Prompt. But the OpenSSH service would not start anymore.

      I was frustrated enough at that point. I removed the OpenSSH feature from Windows. I found an OpenSSH Preview package with version 9.8.3.0. I tried that.

      The OpenSSH Server service process would NOT start.

      Uninstalled that. Put the regular OpenSSH feature back in.

      The OpenSSH Server service process would NOT start.

      I gave up! Even Copilot is confused. I am going to try StackOverflow, SuperUser, or some other community.

      [EDIT] 2025-09-28 -- Posted it to Superuser.
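      The checks I would run before touching any more ACLs, as an added example that is not part of the original post and not Microsoft's or Copilot's code. It assumes the in-box OpenSSH layout (sshd_config and host keys under C:\ProgramData\ssh, profiles under C:\Users); the $TargetUser parameter is a placeholder for the account being logged in as. Two facts drive it: the stock Windows sshd_config ends with a "Match Group administrators" block that redirects every member of the local Administrators group to C:\ProgramData\ssh\administrators_authorized_keys, so a key in %USERPROFILE%\.ssh\authorized_keys is never consulted for such an account; and the Win32-OpenSSH file-permission check (the one behind the UNPROTECTED PRIVATE KEY FILE message, documented on the project wiki) looks at the file's owner as well as its ACL, tolerating only SYSTEM, the Administrators group and, for per-user files, the user.

```powershell
# Added diagnostic (not part of the original post). Run in an elevated
# PowerShell on the Windows host. Assumes the in-box OpenSSH layout:
# sshd_config and host keys under C:\ProgramData\ssh, user profiles under
# C:\Users. $TargetUser is a placeholder for the account you log in as.
param([string]$TargetUser = $env:USERNAME)

$sshRoot    = Join-Path $env:ProgramData 'ssh'
$sshdConfig = Join-Path $sshRoot 'sshd_config'
$system     = 'NT AUTHORITY\SYSTEM'
$admins     = 'BUILTIN\Administrators'
$userAcct   = "$env:COMPUTERNAME\$TargetUser"   # local account; a domain account reads DOMAIN\user
$hostKeys   = 'ssh_host_rsa_key', 'ssh_host_ecdsa_key', 'ssh_host_ed25519_key'

# 1. Which authorized_keys file does sshd consult for this account?
#    The stock Windows sshd_config ends with
#        Match Group administrators
#            AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
#    so for a member of the local Administrators group a key placed in
#    %USERPROFILE%\.ssh\authorized_keys is never read.
$config     = Get-Content -LiteralPath $sshdConfig -ErrorAction Stop
$adminMatch = [bool]($config | Select-String -Pattern '^\s*Match\s+Group\s+administrators' -Quiet)
$pubkeyOff  = [bool]($config | Select-String -Pattern '^\s*PubkeyAuthentication\s+no' -Quiet)
$members    = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
$isAdmin    = [bool]($members | Where-Object { $_.Name -eq $userAcct })

if ($pubkeyOff) { Write-Warning 'PubkeyAuthentication is explicitly disabled in sshd_config' }
Write-Host "Match Group administrators block present : $adminMatch"
Write-Host "$TargetUser is in local Administrators    : $isAdmin"

$keyFile = if ($adminMatch -and $isAdmin) {
    Join-Path $sshRoot 'administrators_authorized_keys'
} else {
    "$env:SystemDrive\Users\$TargetUser\.ssh\authorized_keys"
}
Write-Host "sshd will read keys from                 : $keyFile"

# 2. Win32-OpenSSH checks the owner and the ACL of each protected file and
#    rejects it if anyone outside the allowed set appears. Host keys: SYSTEM
#    and Administrators only. authorized_keys: those two plus the user.
function Show-SshFileAcl {
    param([string]$Path, [string[]]$Allowed)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "$Path does not exist"; return $false }
    $acl = Get-Acl -LiteralPath $Path
    $ok  = $Allowed -contains $acl.Owner
    Write-Host "`n$Path"
    Write-Host "  owner : $($acl.Owner)$(if (-not $ok) { '   <-- not an allowed owner' })"
    foreach ($ace in $acl.Access) {
        $id   = $ace.IdentityReference.Value
        $mark = if ($Allowed -contains $id) { '     ' } else { $ok = $false; '  !! ' }
        Write-Host ('{0}{1,-32} {2} {3}' -f $mark, $id, $ace.AccessControlType, $ace.FileSystemRights)
    }
    return $ok
}

$allGood = $true
foreach ($k in $hostKeys) {
    $allGood = (Show-SshFileAcl -Path (Join-Path $sshRoot $k) -Allowed @($system, $admins)) -and $allGood
}
$allGood = (Show-SshFileAcl -Path $keyFile -Allowed @($system, $admins, $userAcct)) -and $allGood

# 3. Repair, printed rather than executed. Inherited ACEs stripped, only the
#    allowed set granted: this is the ACL Microsoft documents for
#    administrators_authorized_keys. The owner is set explicitly to SYSTEM
#    because a plain "takeown /F" makes the invoking user the owner, which the
#    owner check above does not accept for host keys ("takeown /A" would assign
#    the Administrators group instead).
if (-not $allGood) {
    $extraGrant = if ($adminMatch -and $isAdmin) { '' } else { " /grant `"$($TargetUser):F`"" }
    Write-Host "`nSuggested repair (elevated):"
    Write-Host "  icacls.exe `"$keyFile`" /inheritance:r /grant `"Administrators:F`" /grant `"SYSTEM:F`"$extraGrant"
    foreach ($k in $hostKeys) {
        $p = Join-Path $sshRoot $k
        Write-Host "  icacls.exe `"$p`" /setowner `"$system`""
        Write-Host "  icacls.exe `"$p`" /inheritance:r /grant `"Administrators:F`" /grant `"SYSTEM:F`""
    }
    Write-Host '  Restart-Service sshd'
}
```

      Worth keeping in mind when comparing an interactive sshd.exe -ddd run with the service: the interactive process runs under the elevated user's token, the service runs as SYSTEM, and the owner check is evaluated against whoever is running. A host key whose owner is the interactive user can therefore pass in the console and still be refused by the service; the script flags that case on the owner line.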

    ww9rivers @ww9rivers

        One of the frustrating things about OpenSSH on Windows is that all the logs are in the Windows Event Log, and it does not log much about what is going on, even though Copilot had me change the log level in sshd_config:

        LogLevel DEBUG3
        

        Will try to get more out of the logs later.
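        Pulling the useful lines out of that event log, as an added example (not from the original post, not Microsoft's code). It reads sshd's own channel, OpenSSH/Operational, keeps only the messages that explain an authentication decision, and optionally narrows to one client address; the $Client and $MaxEvents parameters are assumptions for illustration.

```powershell
# Added example (not from the original post). Read sshd's channel in the
# Windows event log and keep the lines that explain an authentication
# decision. Run elevated on the Windows host; the channel exists once the
# OpenSSH Server capability is installed.
param(
    [int]$MaxEvents = 300,   # how far back to look (hypothetical default)
    [string]$Client = ''     # optional peer IP to filter on, e.g. '192.0.2.10'
)

# Messages worth reading when key auth is refused: the decision itself, the
# file sshd tried to read, and the permission complaint if it refused a file.
$decision = 'Accepted|Failed|publickey|authorized_keys|Permission denied|UNPROTECTED|Authentication|error|Match'

Get-WinEvent -LogName 'OpenSSH/Operational' -MaxEvents $MaxEvents -ErrorAction Stop |
    Where-Object {
        $_.Message -match $decision -and
        ($Client -eq '' -or $_.Message -match [regex]::Escape($Client))
    } |
    Sort-Object TimeCreated |
    ForEach-Object {
        '{0:yyyy-MM-dd HH:mm:ss} {1,-11} {2}' -f $_.TimeCreated, $_.LevelDisplayName, ($_.Message -replace '\s+', ' ')
    }

# For a full DEBUG3 trace it is easier to send sshd to a file instead of the
# event log. In C:\ProgramData\ssh\sshd_config set
#     SyslogFacility LOCAL0
#     LogLevel DEBUG3
# then Restart-Service sshd; the log is written under C:\ProgramData\ssh\logs\.
# Revert SyslogFacility to its default (AUTH) afterwards: DEBUG3 records every
# key the client offers and grows quickly.
```

        Run it right after a failed ssh attempt from the Linux box so the relevant events are at the end of the output; with the file logging enabled, the same DEBUG3 lines the interactive sshd.exe -ddd run prints show up in the log file for the service as well.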

    ww9rivers

          It seems that I cannot even add the OpenSSH Client feature using the Windows Settings app.

          It tries. Then it just says Couldn't add.

          Adding OpenSSH Server seems to work -- It says Added.

          Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
          
          Name  : OpenSSH.Client~~~~0.0.1.0
          State : NotPresent
          
          Name  : OpenSSH.Server~~~~0.0.1.0
          State : Installed
          

          However, there is no OpenSSH Server service in the Services app.

          Sigh!

    ww9rivers @ww9rivers

            Try again!

            Removing it first:

            > Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
            
            Path          :
            Online        : True
            RestartNeeded : False
            
            

            Checking:

            > Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
            
            Name  : OpenSSH.Client~~~~0.0.1.0
            State : NotPresent
            
            Name  : OpenSSH.Server~~~~0.0.1.0
            State : NotPresent
            

            Install again:

            > Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
            
            Add-WindowsCapability : The operation could not be completed due to pending operations.
            At line:1 char:1
            + Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
            + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                + CategoryInfo          : NotSpecified: (:) [Add-WindowsCapability], COMException
                + FullyQualifiedErrorId : Microsoft.Dism.Commands.AddWindowsCapabilityCommand
            

            Really?

            When in doubt, reboot!?

            Rebooted. Try again! Same message!!

            Trying to post a question in the Microsoft Windows Community, I got a stern warning:

            Violation of Code of Conduct
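            The check I would run on that "pending operations" error, as an added example (not from the original post). DISM refuses to add or remove a capability while a servicing operation is outstanding, and the markers below are the usual places that state is recorded; the function and its names are my own, not a Microsoft tool.

```powershell
# Added example (not from the original post). Look for the markers DISM and
# Windows Update leave behind when a servicing operation is still pending,
# then list the OpenSSH capabilities and the sshd service object. Run elevated.
function Test-PendingServicing {
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    [pscustomobject]@{
        CbsRebootPending   = Test-Path $cbs
        WuRebootRequired   = Test-Path $wu
        PendingFileRenames = [bool](Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue)
        PendingXml         = Test-Path (Join-Path $env:SystemRoot 'WinSxS\pending.xml')
    }
}

Test-PendingServicing | Format-List

# State of the two capabilities and whether the service object exists at all.
# The service is registered as "sshd" (display name "OpenSSH SSH Server").
Get-WindowsCapability -Online -Name 'OpenSSH*' | Select-Object Name, State
Get-Service -Name sshd -ErrorAction SilentlyContinue | Select-Object Name, DisplayName, Status, StartType

# If every marker is False and the error persists, the component store itself
# is the next suspect. Repair it, then retry the capability install:
#   DISM /Online /Cleanup-Image /RestoreHealth
#   sfc /scannow
#   Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
# The servicing logs explain a refusal in more detail than the COMException:
#   C:\Windows\Logs\DISM\dism.log
#   C:\Windows\Logs\CBS\CBS.log
```

            A capability that reports Installed while Get-Service finds no sshd is the combination to look for in CBS.log: the package was staged but the post-install step that registers the service did not run, which is the same condition a pending servicing operation produces.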
