@valorad
Last active August 27, 2023 18:06
SSH Private key set-ups on Linux and on Windows

Linux

ssh-keygen -t ed25519

cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 400 ~/.ssh/authorized_keys
chmod 400 ~/.ssh/id_ed25519

Use >> (append) rather than > when writing authorized_keys: a single > wipes every key already authorized for the account. sshd with StrictModes (the default) refuses to read authorized_keys if ~/.ssh or the file itself is writable by anyone other than the owner, which is what the chmod lines guarantee.

Note: these steps generate the key pair on the server, so the private key (~/.ssh/id_ed25519) ends up on the machine you are trying to protect. The safer order is to run ssh-keygen on the client and copy only the .pub file to the server. If you do generate on the server, move the private key to the client and delete the server copy once you have confirmed that key-based login works.
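The Linux steps above as one idempotent script, added here as an example and not part of the gist. It assumes the public key was generated on the client and copied to the server as a file whose path is the first argument (the target .ssh directory is the second argument; both names are this example's own choice), refuses anything that does not look like an OpenSSH public key (so you cannot accidentally paste a private key), appends the key only if it is not already present, and sets the modes sshd's StrictModes expects.

```bash
#!/usr/bin/env bash
# Added example (not from the gist): install one OpenSSH public key into a user's
# authorized_keys idempotently and set the permissions sshd's StrictModes requires.
set -euo pipefail

# has_key <authorized_keys> <keytype> <keyblob>: 0 if that key (comment ignored) is already present
has_key() {
  [ -f "$1" ] && awk -v k="$2 $3" '($1 " " $2) == k { found = 1 } END { exit !found }' "$1"
}

# mode_of <path>: octal permission bits (GNU stat, with a BSD/macOS fallback)
mode_of() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# perms_ok <ssh-dir>: 0 if the directory is 700 and authorized_keys is 600
perms_ok() {
  [ "$(mode_of "$1")" = 700 ] && [ "$(mode_of "$1/authorized_keys")" = 600 ]
}

# install_authorized_key <pubkey-file> <ssh-dir>
install_authorized_key() {
  local pubkey_file="$1" ssh_dir="$2"
  local auth="$ssh_dir/authorized_keys"
  local line keytype keyblob

  # First line of an OpenSSH public key file: "<type> <base64 blob> [comment]".
  IFS= read -r line < "$pubkey_file" || true
  keytype=${line%% *}
  keyblob=${line#* }; keyblob=${keyblob%% *}
  case "$keytype" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp*|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
    *) echo "refusing: $pubkey_file does not look like an OpenSSH public key" >&2; return 1 ;;
  esac

  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"
  touch "$auth"
  # Append only when missing: "cat key.pub > authorized_keys" would wipe every other key.
  if ! has_key "$auth" "$keytype" "$keyblob"; then
    printf '%s\n' "$line" >> "$auth"
  fi
  # sshd only needs read access; 600 (rather than 400) lets you append more keys later.
  chmod 600 "$auth"
}

# Usage: ./install_authorized_key.sh id_ed25519.pub [~/.ssh]
if [ "$#" -ge 1 ]; then
  install_authorized_key "$1" "${2:-$HOME/.ssh}"
fi
```

Running it twice with the same key leaves exactly one line in authorized_keys, and a file beginning with `-----BEGIN OPENSSH PRIVATE KEY-----` is rejected before anything is written.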

Windows

With GUI

  1. Go to Settings -> Apps -> Optional Features and install "OpenSSH Server".
  2. Open Services, find the entry "OpenSSH SSH Server" and open it:
  • Change Startup Type to "Automatic".
  • Start the service, then stop it right after. The first start creates C:\ProgramData\ssh\ with the default sshd_config and host keys; the following steps write into that directory.
  3. Generate an ed25519 key pair and install the public half (run in PowerShell):
ssh-keygen -t ed25519
cp ~/.ssh/id_ed25519.pub C:\ProgramData\ssh\administrators_authorized_keys
     The default sshd_config contains a "Match Group administrators" block that points members of the Administrators group at this shared file instead of their own ~\.ssh\authorized_keys; a non-admin account's key goes into C:\Users\<user>\.ssh\authorized_keys instead. cp overwrites the file, so any key already in it is lost.
  4. Fix the permissions on administrators_authorized_keys (Properties -> Security -> Advanced):
  • Disable inheritance.
  • Leave only SYSTEM (Full control) and Administrators (Full control); delete every other entry. sshd refuses to use the file if any other principal can read it.
  5. Restart the OpenSSH SSH Server service.

Server Core (No GUI):

  1. In an elevated PowerShell, check whether OpenSSH Server is installed:
Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
  • If State is not "Installed", make sure Windows Update is reachable (the capability is downloaded on demand), then install it:
    Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
  2. Start the sshd service and make it start at boot:
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'
  3. Configure the firewall. Check for an existing rule:
Get-NetFirewallRule -Name *ssh*
  • If no rule exists, create one allowing inbound TCP port 22:
    New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
  4. Generate an ssh key pair and install the public half. As in the GUI steps, this file applies only to members of the Administrators group, and cp overwrites whatever is already in it:
ssh-keygen -t ed25519
cp ~/.ssh/id_ed25519.pub C:\ProgramData\ssh\administrators_authorized_keys
  5. Fix the permissions on administrators_authorized_keys
  • Check current permissions

    $path = 'C:\ProgramData\ssh\administrators_authorized_keys'
    $acl = Get-ACL -Path $path
    $acl | fl
  • Disable inheritance on the file

    # first $True: stop inheriting ACEs from C:\ProgramData\ssh
    # second $True: copy the currently inherited ACEs onto the file as explicit ones, so they can be removed one by one below
    $acl.SetAccessRuleProtection($True, $True)
    Set-Acl -Path $path -AclObject $acl
  • Remove the explicit ACE of every principal other than SYSTEM and Administrators. The identity to remove depends on what was inherited; "BUILTIN\Users" is the usual one under C:\ProgramData, so take the names from the previous step's output and repeat for each. RemoveAccessRule throws if the where filter matched nothing.

    $acl = Get-Acl $path
    $rules = $acl.Access | where IsInherited -eq $false
    $targetrule = $rules | where IdentityReference -eq "NT AUTHORITY\Authenticated Users"
    $acl.RemoveAccessRule($targetrule)
    $acl | Set-Acl -Path $path
  • Check the result: only NT AUTHORITY\SYSTEM and BUILTIN\Administrators should remain, each with FullControl. If anyone else keeps read access, sshd logs a bad-permissions error and ignores the file.

    Get-ACL -Path $path | fl
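The Server Core steps above, combined into one idempotent script. This is an added example, not the gist's own code. It assumes an elevated PowerShell, that the client's public key has already been copied to the box at the path given by $ClientPubKey (a hypothetical parameter of this example), and that sshd_config still contains the default "Match Group administrators" block so administrators authenticate against administrators_authorized_keys. Unlike the manual steps, it appends the key instead of overwriting the file, rejects input that does not look like an OpenSSH public key, and rebuilds the ACL from scratch (SYSTEM and Administrators only) rather than removing one named principal, so it does not depend on which ACEs were inherited.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the gist): OpenSSH Server setup on Windows Server Core, end to end.
param(
    # Hypothetical path: copy your client's .pub file here first.
    [string]$ClientPubKey = "$HOME\id_client.pub"
)
$ErrorActionPreference = 'Stop'

# 1. Install the OpenSSH Server capability if it is missing.
$cap = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
if (-not $cap -or $cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0'
}

# 2. Start at boot, and start once now so C:\ProgramData\ssh (sshd_config, host keys) exists.
Set-Service -Name sshd -StartupType Automatic
Start-Service sshd

# 3. Firewall: allow inbound TCP/22 only if the rule is not already there.
if (-not (Get-NetFirewallRule -Name 'sshd' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'sshd' -DisplayName 'OpenSSH Server (sshd)' -Enabled True `
        -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
}

# 4. Install the public key. Append rather than overwrite so other admins' keys survive.
$authKeys = 'C:\ProgramData\ssh\administrators_authorized_keys'
$pub = (Get-Content -Path $ClientPubKey -Raw).Trim()
if ($pub -notmatch '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+|sk-ssh-ed25519@openssh\.com)\s+[A-Za-z0-9+/=]+') {
    throw "Refusing to install: $ClientPubKey does not look like an OpenSSH public key (private key by mistake?)"
}
$existing = if (Test-Path $authKeys) { @(Get-Content $authKeys) } else { @() }
if ($existing -notcontains $pub) {
    Add-Content -Path $authKeys -Value $pub -Encoding ascii
}

# 5. ACL: stop inheritance WITHOUT copying inherited ACEs, drop any explicit ones,
#    then grant FullControl to SYSTEM and BUILTIN\Administrators only.
#    sshd rejects the file if any other principal can read it.
$acl = Get-Acl -Path $authKeys
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
}
Set-Acl -Path $authKeys -AclObject $acl

# 6. Verify the result before trusting it: nothing but SYSTEM and Administrators may remain.
$left = (Get-Acl -Path $authKeys).Access | ForEach-Object { $_.IdentityReference.Value }
$unexpected = $left | Where-Object { $_ -notin 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators' }
if ($unexpected) { throw "Unexpected ACEs remain on ${authKeys}: $($unexpected -join ', ')" }

Restart-Service sshd
Write-Host "sshd is running; $authKeys is readable by SYSTEM and Administrators only."
```

The ACL step is equivalent to the icacls one-liner Microsoft documents for this file (`/inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"`); the PowerShell form is used here so the verification in step 6 can inspect the same objects it just wrote.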