Step 1 — User key generation
To use key-based authentication, you first need to generate some public/private key pairs for your client. From PowerShell or cmd, use ssh-keygen to generate some key files.
cd ~\.ssh\
ssh-keygen
This should display something like the following (where “username” is replaced by your user name)
Generating public/private ed25519 key pair.
Enter file in which to save the key (C:\Users\<username>\.ssh\id_ed25519):
You can hit Enter to accept the default, or specify a path where you'd like your keys to be generated. At this point, you'll be prompted for a passphrase to encrypt your private key file. The passphrase works with the key file to provide 2-factor authentication: someone who copies the file still needs the passphrase to use it. For this example, we are leaving the passphrase empty, which means possession of the file alone is enough to authenticate, so the protections in the ssh-agent section below matter all the more.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\username\.ssh\id_ed25519.
Your public key has been saved in C:\Users\username\.ssh\id_ed25519.pub.
The key fingerprint is:
SHA256:OIzc1yE7joL2Bzy8!gS0j8eGK7bYaH1FmF3sDuMeSj8 username@server@LOCAL-HOSTNAME
The key's randomart image is:
+--[ED25519 256]--+
| . |
| o |
| . + + . |
| o B * = . |
| o= B S . |
| .=B O o |
| + =+% o |
| *oo.O.E |
|+.o+=o. . |
+----[SHA256]-----+
Now you have a public/private ED25519 key pair (the .pub files are public keys and the rest are private keys):
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/28/2018  11:09 AM           1679 id_ed25519
-a----        9/28/2018  11:09 AM            414 id_ed25519.pub
Remember that private key files are the equivalent of a password and should be protected the same way you protect your password. To help with that, use ssh-agent to securely store the private keys within a Windows security context, associated with your Windows login. To do that, start the ssh-agent service as Administrator and use ssh-add to store the private key. If Start-Service fails because the service is disabled (the default on a fresh install), set its startup type to Manual or Automatic first, then start it.
# Make sure you're running as an Administrator
Start-Service ssh-agent
# This should return a status of Running
Get-Service ssh-agent
# Now load your key files into ssh-agent
ssh-add ~\.ssh\id_ed25519
After completing these steps, whenever a private key is needed for authentication from this client, ssh-agent will automatically retrieve the local private key and pass it to your SSH client.
Note: It is strongly recommended that you back up your private key to a secure location, then delete it from the local system, after adding it to ssh-agent. The private key cannot be retrieved from the agent. If you lose access to the private key, you would have to create a new key pair and update the public key on all systems you interact with.
Step 2 — Deploying the public key
To use the user key that was created above, the public key needs to be placed on the server in a text file called authorized_keys under users\username\.ssh\. The OpenSSH tools include scp, a secure file-transfer utility, to help with this. Note that if the account is a member of the local Administrators group, the default sshd_config on Windows reads keys from %ProgramData%\ssh\administrators_authorized_keys instead of the per-user file.
The commands below copy the contents of your public key (~\.ssh\id_ed25519.pub) into a text file called authorized_keys in ~\.ssh\ on your server/host. Because scp overwrites the destination, this replaces any keys already in authorized_keys; append to the file instead if other keys must be kept.
This example uses the Repair-AuthorizedKeyPermission function in the OpenSSHUtils module, which was previously installed on the host in the instructions above. sshd refuses an authorized_keys file that other users can modify, so this ACL step is not optional.
# Make sure that the .ssh directory exists in your server's home folder
ssh user1@domain1@contoso.com mkdir C:\users\user1\.ssh\
# Use scp to copy the public key file generated previously to authorized_keys on your server
scp C:\Users\user1\.ssh\id_ed25519.pub user1@domain1@contoso.com:C:\Users\user1\.ssh\authorized_keys
# Appropriately ACL the authorized_keys file on your server
ssh --% user1@domain1@contoso.com powershell -c $ConfirmPreference = 'None'; Repair-AuthorizedKeyPermission C:\Users\user1\.ssh\authorized_keys
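The following is an added example, not code from the original page, that performs the same deployment from the client side without OpenSSHUtils and without overwriting an existing authorized_keys. It appends the key only if it is not already present, restricts the file ACL with icacls to the owner, SYSTEM and Administrators (the permissions sshd requires), and finishes with a check that forces public-key authentication so a silent fallback to password auth cannot mask a broken deployment. The server name contoso.com, the account user1 in domain1, and the key path from Step 1 are assumptions; the remote script is shipped as an -EncodedCommand so that its newlines and quotes survive the remote cmd.exe shell.

```powershell
# Added example (not from the original page): append a public key to authorized_keys
# on a Windows OpenSSH server, fix its ACL, and verify that key authentication works.
# Assumptions: server 'contoso.com', account 'user1' in domain 'domain1', key pair from
# Step 1 stored in the local ~\.ssh\ folder.
$Server = 'contoso.com'
$User   = 'user1@domain1'            # domain accounts are written user@domain
$Target = "$User@$Server"
$PubKey = (Get-Content -Path "$HOME\.ssh\id_ed25519.pub" -Raw).Trim()

# Show the fingerprint of the key being deployed so it can be compared with the
# server-side log later (ssh-keygen -lf prints SHA256:... for a .pub file).
ssh-keygen -lf "$HOME\.ssh\id_ed25519.pub"

# Script that runs on the server. Single-quoted here-string: $ is literal here and
# only expanded remotely; the key is substituted in below via a placeholder.
$RemoteTemplate = @'
$path = Join-Path $env:USERPROFILE '.ssh\authorized_keys'
New-Item -ItemType Directory -Path (Split-Path $path) -Force | Out-Null
$key = '__PUBKEY__'
# Append only if this exact key line is not already present (idempotent).
if (-not (Test-Path $path) -or -not (Select-String -Path $path -SimpleMatch -Pattern $key -Quiet)) {
    Add-Content -Path $path -Value $key
}
# sshd rejects an authorized_keys file that other users can write to: drop
# inherited ACEs and grant only the owning user, SYSTEM and Administrators.
icacls $path /inheritance:r /grant "$($env:USERNAME):F" /grant 'SYSTEM:F' /grant 'Administrators:F'
'@
$Remote = $RemoteTemplate.Replace('__PUBKEY__', $PubKey)

# -EncodedCommand takes Base64 of UTF-16LE; Base64 contains no characters that the
# remote cmd.exe shell would re-interpret, so multi-line script travels intact.
$Encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Remote))
ssh $Target powershell -NoProfile -EncodedCommand $Encoded

# Verification: BatchMode=yes disables interactive prompts and PasswordAuthentication=no
# disables the password fallback, so success proves the key was accepted. A
# 'Permission denied (publickey,...)' here means the key was not picked up; for an
# account in the Administrators group, check administrators_authorized_keys instead.
ssh -o BatchMode=yes -o PasswordAuthentication=no $Target whoami
```

Run this from the same client where Step 1 was performed and where the key was loaded into ssh-agent; if the agent is not running, ssh will fall back to reading ~\.ssh\id_ed25519 directly, which works only while the private key file is still on disk.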
These steps complete the configuration required to use key-based authentication with SSH on Windows. After this, you can continue on to Enabling SSH Key Authentication.