Skip to content

Instantly share code, notes, and snippets.

@valorad
Last active August 27, 2023 18:06
Show Gist options
  • Save valorad/833666b8aa211c6f35d15e50ac8afd31 to your computer and use it in GitHub Desktop.
Save valorad/833666b8aa211c6f35d15e50ac8afd31 to your computer and use it in GitHub Desktop.
SSH Private key set-ups on Linux and on Windows

Linux

ssh-keygen -t ed25519

cat ~/.ssh/id_ed25519.pub > ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 400 ~/.ssh/authorized_keys
chmod 400 ~/.ssh/id_ed25519

Note: for better security, consider removing your private key on server once done.

Windows

With GUI

  1. Go to Settings -> Apps -> Optional Features, install OpenSSH Server
  2. Open Services, find and open the entry OpenSSH SSH Server
  • Change Startup Type to "Automatic"
  • Start service, then stop it right after
  1. Generate and configure ed25519 pairs
ssh-keygen -t ed25519
cp ~/.ssh/id_ed25519.pub C:\ProgramData\ssh\administrators_authorized_keys
  1. Fix Permission for administrators_authorized_keys:
  • Disable inheritance
  • Only system full control and admin full control, delete the rest.
  1. Restart OpenSSH Service

Server Core (No GUI):

  1. Run the following command in Admin Powershell to check if server is installed
Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
  • If not, make sure Windows Update is enabled, then install by:
    Add-WindowsCapability -Online -Name OpenSSH.Server
  1. Start the sshd service
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'
  1. Configure firewall
Get-NetFirewallRule -Name *ssh*
  • If the firewall does not exist, create one
    New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
  1. Generate ssh key pair
ssh-keygen -t ed25519
cp ~/.ssh/id_ed25519.pub C:\ProgramData\ssh\administrators_authorized_keys
  1. Fix Permission for administrators_authorized_keys
  • Check current permissions

    $path = 'C:\ProgramData\ssh\administrators_authorized_keys'
    $acl = Get-ACL -Path $path
    $acl | fl
  • Disable folder inheritance

    # the first $True shows if the folder is protected, the second $True specifies if the current NTFS permissions have to be copied
    $acl.SetAccessRuleProtection($True, $True)
    Set-Acl -Path $path -AclObject $acl
  • Remove the NTFS permission to access a folder for a user

    $acl = Get-Acl $path
    $rules = $acl.Access | where IsInherited -eq $false
    $targetrule = $rules | where IdentityReference -eq "NT AUTHORITY\Authenticated Users"
    $acl.RemoveAccessRule($targetrule)
    $acl | Set-Acl -Path $path
  • Check result

    Get-ACL -Path $path | fl
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment