Windows 10: Trouble Setting Up SSH Key-Based Authentication from Windows to Linux Server

Hello, I am attempting to set up SSH key-based authentication to log into a Linux server from my Windows 10 machine. While I am able to login using a password, my goal is to enable public key login to avoid using a password each time.Linux SideThe public key has been added to the ~/.ssh/authorized_keys file on the server.Permissions and ownership:chmod 700 ~/.sshchmod 600 ~/.ssh/authorized_keyscat /etc/ssh/sshd_config : # This is the sshd server system-wide configuration file. See # sshd_config5 for more information.

:)

 

Win10XPE : How to enable SSH Server with Public Key Authentication

Since this is the thread that got me started on OpenSSH in Win10XPE I thought it appropriate to post here, thanks for the push. I have a working OpenSSH_XPE.Script and I need some testers. Please PM me.

 

Win10XPE : How to enable SSH Server with Public Key Authentication

Hello TenForums Friends, I've been thinking about enabling SSH Server on WinPE for quite some time. I was pleasently surprised to see a thriving community for Win10XPE on this forum. So I took this opportunity to explore further. Normally for a full fledged modern Windows 10, I would just enable the SSH Server feature. However, I could not do so for Win10XPE. Nor I could find any plugin. Maybe I didn't search hard enough. So I decided to give it a try myself. Let me see how far I can go, that was my approach. I am pleased to say that I could enable the SSH Server and successfully connect from a remote client using public key authentication. I would like to share my experience and detailed instructions. If you are a developer or a hobbyist who likes tinkering around, this one is definitely for you. Of course, this is a funtime code and shouldn't be viewed as a professional production software. For brevity, I call SSH Server feature as sshd. I used XPE version 2022-01-07 with Win10 Pro 20H2 x64 source for installing sshd. My host is Win10 Enterprise 22H2 x64. So, here it goes : 0. Prerequisites and convention :0.1 sshd runs on the top of an existing and functioning Win10XPE. I assume you are already familier with building and using it. Preferably use WinBuilder version released on 2022-01-07 and sourced in 64-bit Windows10 version 20H2. 0.2 I also assume you are familier with SSH and public key authentication technique. You will need a pair of public and private keys generated. Type ed25519 is supported. The command on ssh-client windows is : ssh-keygen.exe -t ed25519 -f id_ed25519_win10xpe This will create two files id_ed25519_win10xpe.pub : This is the public key file. We will need it in step 3.2 below. id_ed25519_win10xpe : This is the private key file. Keep it with you. Do not share this file. We use this file in step 7 below. 0.3 Convention : %basedir% : This is the directory on building host where Win10XPE.exe is located. This is a buildtime host variable. %WinDir% : This is a runtime Win10XPE Environment Variable. Usually it is 'X:\Windows'. %programdata% : This is a runtime Win10XPE Environment Variable. Usually it is 'X:\ProgramData'. 1. Registry additions :1.1 Create firewall rules file : Create a text file fw-rules-ssh.script. Paste from the source below : // fw rules sshd RegHiveLoad,Tmp_System,%RegSystem% RegWrite,HKLM,0x1,Tmp_System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules,sshd-udpm,"v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=22|App=#$pWinDir#$p\system32\OpenSSH\sshd.exe|Name=OpenSSH Server (sshd) udp|Desc=Inbound UDP rule for OpenSSH SSH Server (sshd) over port 22.|EmbedCtxt=OpenSSH Server|" RegWrite,HKLM,0x1,Tmp_System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules,sshd-tcpm,"v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=22|App=#$pWinDir#$p\system32\OpenSSH\sshd.exe|Name=OpenSSH Server (sshd) tcp|Desc=Inbound TCP rule for OpenSSH SSH Server (sshd) over port 22.|EmbedCtxt=OpenSSH Server|" RegHiveUnLoad,Tmp_System 1.2 Add the created file : Now go to WinBuilder, open " Win10XPE --> Additions " panel and tick the 'run this script after' option and choose the above created file fw-rules-ssh.script. Press the little blue arrow button next to the select dialogue button so as to play the selected script. Please see the pic below :

2. Resources gathering :2.1 OpenSSH package : Download OpenSSH zip file from : https://github.com/PowerShell/Win32-...nSSH-Win64.zip The webpage is : GitHub - PowerShell/Win32-OpenSSH: Win32 port of OpenSSH The zip file has only 1 top level folder named : OpenSSH-Win64. Extract this folder alongwith its contents to %basedir%\Custom\x64\AdditionalFiles\Windows\System32 . Rename the folder to OpenSSH. 2.2 Pecmd files : Create a folder pecmd-files in %basedir%\Custom\x64\AdditionalFiles\Windows\System32\OpenSSH. Create two files in the newly created folder. Paste the files's contents from : file 1 : acl-ssh-tree.txt source below : ssh D(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU) ssh\administrators_authorized_keys DAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;FR;;;LS) ssh\sshd.pid DA;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;AU) ssh\sshd_config DA;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;AU) ssh\ssh_host_dsa_key D(A;;FA;;;BA)(A;;FA;;;SY) ssh\ssh_host_dsa_key.pub D(A;;FA;;;BA)(A;;FA;;;SY) ssh\ssh_host_ecdsa_key D(A;;FA;;;BA)(A;;FA;;;SY) ssh\ssh_host_ecdsa_key.pub D(A;;FA;;;BA)(A;;FA;;;SY) ssh\ssh_host_ed25519_key D(A;;FA;;;BA)(A;;FA;;;SY) ssh\ssh_host_ed25519_key.pub D(A;;FA;;;BA)(A;;FA;;;SY) ssh\ssh_host_rsa_key D(A;;FA;;;BA)(A;;FA;;;SY) ssh\ssh_host_rsa_key.pub D(A;;FA;;;BA)(A;;FA;;;SY) file 2 : pecmd-sshd.bat source below : @Echo off mkdir.exe %programdata%\ssh\logs\ ( %WinDir%\system32\sc.exe create sshd binPath= "%WinDir%\system32\OpenSSH\sshd.exe" start= auto DisplayName= "OpenSSH Server for WinPE" obj= .\administrator password= "" %WinDir%\system32\ntrights.exe -u administrator +r SeServiceLogonRight %WinDir%\system32\OpenSSH\ssh-keygen.exe -A %WinDir%\system32\icacls.exe %programdata% /restore %WinDir%\system32\OpenSSH\pecmd-files\acl-ssh-tree.txt /c %WinDir%\system32\net.exe start sshd ) 1>> %programdata%\ssh\logs\pecmd-sshd.log 2>&1 2.3 ntrights : Download ntrights.zip from here : https://www.tenforums.com/attachment...a-ntrights.zip Extract ntrights.exe from above zip file and save it to : %basedir%\Custom\x64\AdditionalFiles\Windows\System32 3. Configure OpenSSH files and folders :3.1 Open %basedir%\Custom\x64\AdditionalFiles\Windows\System32\OpenSSH\sshd_config_default in a text editor such as notepad and save it as %basedir%\Custom\x64\AdditionalFiles\ProgramData\ssh\sshd_config . After saving continue editing the same file. Please note that any line starting with # is a comment. Locate the Logging section and add these two lines : SyslogFacility LOCAL0 LogLevel DEBUG3 These log options will generate a verbose log useful for debugging ( if needed ). You may leave the old lines commented. Similarly add this line to Authentication section : AuthorizedKeysFile %programdata%\ssh\authorized_keys You need to comment out the old line. Now save and close the sshd_config file editing. 3.2 Now in a text editor (such as notepad ) open a new blank file named : %basedir%\Custom\x64\AdditionalFiles\ProgramData\ssh\administrators_authorized_keys Paste the public key file id_ed25519_win10xpe.pub contents ( from step 0.2 ) into the new file, save it and close the editor. 4. Amend pecmd.ini : Please open file %basedir%\Custom\Pecmdini\pecmd.ini in a text editor such as notepad. Please locate the line : CALL NetInit After this add the following line : %WinDir%\system32\OpenSSH\pecmd-files\pecmd-sshd.bat Save and close the file. 5. Now all resources are in place. You may build the Win10XPE_x64.ISO by clicking the BigBlueButton. 6. When the build is complete, you may run the Win10XPE. Use a virtual machine or deploy it to a real machine. Boot the Win10XPE. Do not switch to administrator account. During the logon processes sshd will start automatically. You can check that in next step below. 7. Grab a remote ssh-client. Make sure you have the private key created in step 0.2 above available over there. Open a command prompt and type : ssh.exe administrator@<ip address or hostname of the Win10XPE> -i id_ed25519_win10xpe Now you are in Win10XPE's shell at X:\Windows Enjoy ! Disclaimers : 1. This is a funcode exercise. Please do not use it as a production software. 2. ntrights.exe is an obsolete tool. But it works. 3. Security implications : There could be some. I do not know. Please use this facility at your risk. Credits : 1. www.tenforums.com : I owe a ton of thanks to TenForums website for obvious reasons. I am using their forum to write this article. 2. Theoven.org : That's how I became interested in building WinPEs. 3. ChrisR : a.k.a. The Legend. His colossal efforts and acute insights made Win10XPE project live and running. The 'Quick Start Guide' he wrote is an extremely useful resource. 4. Kyhi : He is enthusiastically maintaining the project here : Win10XPE - Build Your Own Rescue Media [2] His tips are indispensible. 5. I am thankful to Win10XPE community members such as APT38, Megahertz, SIW2, doudiii and many more for building a thriving community. That really triggered my sustained interest. 6. Last but not the least, it's me. Yes, I take all the credit for putting all the credits together ! ;-) Hope you enjoyed my ride. Let me know your views. Thank you! -Gamma

 

How to : use scp to append public key from linux(client) to windows (server with openssh running) in C:\PROGRAMDATA\ssh\administrators_authorized_keys OR $USERPROFILE:\.ssh\authorized_keys

I am trying to copy a client key from Linux(Ubuntu) to Windows server as an administrator user.
so far i am able to achieve this by using following steps(1-4):
> Note: I am using bash in linux and powershell 7.3.4 in windows as an administrator.
1. Copy the public key from linux client to windows server:
`scp ~/.ssh/public_key.pub windowsUser@windowsMachine:__PROGRAMDATA__/ssh/`
2. ssh into windows server and check if there is `administrators_authorized_keys` file present in `C:\PROGRAMDATA\SSH\`
If not, Create:
`New-Item -Force -Path c:\PROGRAMDATA\ssh\administrators_authorized_keys`
3. Set Permissions for administrators_authorized_keys file:
`icacls C:\PROGRAMDATA\ssh\administrators_authorized_keys /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"`
4. Append public_key.pub content into administrator_authorized_keys.
`Get-Content C:\ProgramData\ssh\public_key.pub | Add-Content C:\ProgramData\ssh\administrators_authorized_keys`

Now that the `administrators_authorized_keys` file has been created and configured, i am trying to have a different linux client to append its public key to this windows server (with `administrators_authorized_keys` configured) using `scp` in ONE-LINE.
I have tried something like this:
`scp Linux2Win_key.pub Admin@WindowsServer:__ProgramData__/ssh/ ; Get-Content C:\ProgramData\ssh\Linux2Win_key.pub | Add-Content C:\ProgramData\ssh\administrators_authorized_keys`
Public key file is copied but NOT appended to the `administrator_authorized_keys` file. Got an Error:
`-bash: Add-Content: command not found`
`-bash: Get-Content: command not found`
Then i tried this :
`scp Linux2Win_key.pub Admin@WindowsServer:__ProgramData__/ssh/ ; cat __ProgramData__/ssh/Linux2Win_key.pub >> __ProgramData__/ssh/administrators_authorized_keys`
Similar result, Public key file is copied but NOT appended to the `administrator_authorized_keys` file. Got an Error:
`-bash: __ProgramData__/ssh/administrators_authorized_keys: No such file or directory`

Thoughts:
It looks like scp can only copy files and ssh-copy-id don't work in windows despite openssh can be enable and ssh can be used in windows.

If you know any better way (rather than doing manually) to append public key to `authorized_keys` or `administrators_authorized_keys` in windows, please share. Thanks