Certificate Authentication - billdinger/Win32-OpenSSH GitHub Wiki

Setup SSHD server for certificate based user authentication

Note: This method will not work for users who are administrators of the machine. See below for how to set up administrator authentication.

  • Generate CA keys (just like any other keys)
    • ssh-keygen -t rsa -f ca_userkeys
  • Register the key above as a trusted CA for sshd by adding the following entry to sshd_config
    • TrustedUserCAKeys ca_userkeys.pub
    • The path above is relative to the sshd binaries directory. An absolute path is recommended to avoid confusion.
  • Prior to v7.7.0.0, check out #1055 for considerations while working with domain accounts.

At this point the server accepts any user certificate signed with ca_userkeys, and there is no need to map user keys explicitly in authorized_keys.

Signing user keys

  • Sign user keys using ssh-keygen
    • ssh-keygen.exe -s ca_userkeys -I cert_identity -V -1w:+54w5d -n username id_rsa.pub
    • The username given with -n (the certificate principal) must match the user to be authenticated.
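The two sections above as one end-to-end script, an added example that is not part of the Win32-OpenSSH wiki. It is meant to be run from an elevated PowerShell window on the sshd host and assumes the OpenSSH binaries are on PATH, that sshd_config lives at $env:ProgramData\ssh\sshd_config (the Win32-OpenSSH default), that the user's public key is .\id_rsa.pub, and that the login name is "alice" (a placeholder). The last step checks that the issued certificate really carries the intended principal and was signed by the CA that sshd trusts, which is the check to run before handing a certificate out.

```powershell
# Added example, not from the Win32-OpenSSH wiki. Elevated PowerShell on the sshd host.
# Assumptions: ssh-keygen on PATH; sshd_config at $env:ProgramData\ssh\sshd_config;
# user public key at .\id_rsa.pub; login name 'alice' is a placeholder.
$ErrorActionPreference = 'Stop'

$sshDir   = Join-Path $env:ProgramData 'ssh'
$caKey    = Join-Path $sshDir 'ca_userkeys'      # private CA key
$caPub    = "$caKey.pub"                          # public CA key registered with sshd
$sshdConf = Join-Path $sshDir 'sshd_config'
$user     = 'alice'                               # placeholder principal / login name

# 1. Generate the CA key pair. ssh-keygen prompts for a passphrase; give the CA key one,
#    because anyone holding it can mint a certificate for any principal.
if (-not (Test-Path $caKey)) {
    ssh-keygen -t rsa -b 4096 -f $caKey -C 'user-ca'
}

# 2. Register the CA public key in sshd_config using an absolute path (the wiki's
#    recommendation); skip if a TrustedUserCAKeys line is already present.
if (-not (Select-String -Path $sshdConf -Pattern '^\s*TrustedUserCAKeys\s' -Quiet)) {
    Add-Content -Path $sshdConf -Value "TrustedUserCAKeys $caPub" -Encoding ascii
}

# 3. Sign the user's public key. Output is written next to it as id_rsa-cert.pub.
#    -I  identity string that sshd logs on each login with this certificate
#    -n  principal; must equal the Windows login name the user will authenticate as
#    -V  validity window: from one week ago to 54 weeks and 5 days from now
ssh-keygen -s $caKey -I "$user-$(Get-Date -Format yyyyMMdd)" -n $user -V '-1w:+54w5d' .\id_rsa.pub

# 4. Verify the certificate before distributing it: principal present, and the
#    "Signing CA" fingerprint equals the fingerprint of the CA key sshd trusts.
$certInfo = ssh-keygen -L -f .\id_rsa-cert.pub
$caFp     = (ssh-keygen -lf $caPub).Split(' ')[1]    # e.g. SHA256:...
if (-not ($certInfo -match [regex]::Escape($caFp))) {
    throw "id_rsa-cert.pub was not signed by $caPub"
}
if (-not ($certInfo -match "^\s+$([regex]::Escape($user))\s*$")) {
    throw "id_rsa-cert.pub does not list principal '$user'"
}
$certInfo   # show identity, principals, validity and CA to the operator

# 5. Restart sshd so the new TrustedUserCAKeys setting takes effect.
Restart-Service -Name sshd -Force
```

The principal check matters more than it looks: sshd only grants access when a principal in the certificate equals the requested login name (or an entry in AuthorizedPrincipalsFile), so a certificate signed with the wrong -n value fails silently from the user's point of view and shows up only in the sshd log.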

Set up the SSHD server for administrator certificate-based authentication

If you need to set up certificate-based authentication for a user with admin privileges, you will need to follow the procedure below, as administrators have extra security built into the login process. Specifically, the sshd_config file has a setting that forces the server to look for administrators' certificates in a particular file located in %ProgramData%\ssh\. This is designed to prevent other users from adding their own certificates to a file and gaining administrator access to the machine. You can change the location of this file, or its name, by updating the sshd_config file and restarting the SSH service.

  • Generate yourself a user key using ssh-keygen. The command below creates an RSA key file called user_key in the current working directory with a key size of 4096 bits.
    • ssh-keygen -t rsa -b 4096 -f user_key
  • On the remote server, create a file called %ProgramData%\ssh\administrators_authorized_keys. For example, using PowerShell you can run New-Item -Path $env:programdata\ssh\administrators_authorized_keys inside an elevated PowerShell window.
  • Copy and paste the public key generated above into that file on the remote server. In the example above that would be user_key.pub.
    • Note: If you have multiple users or keys, add them to the file one per line.
  • After all keys have been added, you need to save the file with UTF-8 encoding. You can do this either by opening the file in Notepad and choosing File -> Save As, then selecting UTF-8 under Encoding, or by running the following PowerShell commands inside an elevated PowerShell window.
    copy-item .\administrators_authorized_keys .\administrators_authorized_keys_utf8
    $content = Get-Content .\administrators_authorized_keys_utf8
    $content | Set-Content -Encoding utf8 -path administrators_authorized_keys
    rm .\administrators_authorized_keys_utf8
  • Set the permissions of the administrators_authorized_keys file. For security purposes, only SYSTEM and Administrators should have access to this file. Run the following commands from an elevated command prompt.
    icacls %ProgramData%\ssh\administrators_authorized_keys /remove "NT AUTHORITY\Authenticated Users"
    icacls %ProgramData%\ssh\administrators_authorized_keys /inheritance:r
  • Restart the sshd server from an elevated PowerShell window
    Restart-Service -Name sshd -Force
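The whole administrator procedure above as a single script, an added example that is not part of the Win32-OpenSSH wiki. It assumes an elevated PowerShell window on the sshd host and that the public keys to install are the *.pub files in .\keys (a placeholder path). Instead of the copy/Set-Content sequence it writes the file through .NET as UTF-8 without a byte-order mark, which satisfies the wiki's UTF-8 requirement identically on Windows PowerShell 5.1 and PowerShell 7 (their Set-Content -Encoding utf8 behave differently regarding the BOM), and it finishes with the check a defender wants: the file's ACL contains no principal other than SYSTEM and Administrators.

```powershell
# Added example, not from the Win32-OpenSSH wiki. Elevated PowerShell on the sshd host.
# Assumption: the public keys to install are .\keys\*.pub (placeholder path).
$ErrorActionPreference = 'Stop'

$authFile = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'

# 1. Collect the public keys, one per line, ignoring blank lines (multiple keys are
#    simply concatenated one after another, as the wiki describes).
$keys = Get-ChildItem .\keys -Filter *.pub | Get-Content | Where-Object { $_.Trim() -ne '' }
if (-not $keys) { throw 'no public keys found in .\keys' }

# 2. Write the file as UTF-8 without a BOM. Public keys are pure ASCII, so this is a
#    valid UTF-8 file on every PowerShell version. The .NET call needs an absolute path,
#    which $authFile already is.
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)
[System.IO.File]::WriteAllLines($authFile, [string[]]$keys, $utf8NoBom)

# 3. Lock the ACL down: grant SYSTEM and Administrators explicitly first, then strip
#    inherited entries (which is where "Authenticated Users" comes from on a fresh file).
icacls $authFile /grant 'SYSTEM:F' 'BUILTIN\Administrators:F' | Out-Null
icacls $authFile /inheritance:r | Out-Null

# 4. Verify the result: exactly the expected number of key lines, and no ACE for any
#    identity other than the two permitted ones. sshd rejects the file otherwise.
$written = Get-Content $authFile
if ($written.Count -ne @($keys).Count) {
    throw "expected $(@($keys).Count) key lines, found $($written.Count)"
}
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$extra = (Get-Acl $authFile).Access |
    Where-Object { $allowed -notcontains $_.IdentityReference.Value }
if ($extra) {
    throw "unexpected ACE(s) on ${authFile}: $(($extra.IdentityReference.Value | Sort-Object -Unique) -join ', ')"
}
icacls $authFile   # print the final ACL for the operator's records

# 5. Restart sshd so the new administrator keys are read.
Restart-Service -Name sshd -Force
```

Step 4 is worth keeping in any automation around this file: a later tool or a careless Explorer edit that re-enables inheritance silently adds "Authenticated Users" back, and sshd then refuses to use the file, so administrator logins fail with the key rejected and no obvious cause on the client side.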