Generating SSH Keys on Windows Systems

Step 1 — User key generation

To use key-based authentication, you first need to generate some public/private key pairs for your client. From PowerShell or cmd, use ssh-keygen to generate some key files.

cd ~\.ssh\
ssh-keygen

This should display something like the following (where "username" is replaced by your user name).

Generating public/private ed25519 key pair.
Enter file in which to save the key (C:\Users\<username>\.ssh\id_ed25519):

You can hit Enter to accept the default, or specify a path where you’d like your keys to be generated. At this point, you’ll be prompted to use a passphrase to encrypt your private key files. The passphrase works with the key file to provide 2-factor authentication. For this example, we are leaving the passphrase empty.

Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\username\.ssh\id_ed25519.
Your public key has been saved in C:\Users\username\.ssh\id_ed25519.pub.
The key fingerprint is:
SHA256:OIzc1yE7joL2Bzy8!gS0j8eGK7bYaH1FmF3sDuMeSj8 username@server@LOCAL-HOSTNAME

The key's randomart image is:
+--[ED25519 256]--+
| . |
| o |
| . + + . |
| o B * = . |
| o= B S . |
| .=B O o |
| + =+% o |
| *oo.O.E |
|+.o+=o. . |
+----[SHA256]-----+

Now you have a public/private ED25519 key pair (the .pub files are public keys and the rest are private keys):

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/28/2018  11:09 AM           1679 id_ed25519
-a----        9/28/2018  11:09 AM            414 id_ed25519.pub

Remember that private key files are the equivalent of a password and should be protected the same way you protect your password. To help with that, use ssh-agent to securely store the private keys within a Windows security context, associated with your Windows login. To do that, start the ssh-agent service as Administrator and use ssh-add to store the private key.

# Make sure you're running as an Administrator
Start-Service ssh-agent

# This should return a status of Running
Get-Service ssh-agent

# Now load your key files into ssh-agent
ssh-add ~\.ssh\id_ed25519

After completing these steps, whenever a private key is needed for authentication from this client, ssh-agent will automatically retrieve the local private key and pass it to your SSH client.

Note: It is strongly recommended that you back up your private key to a secure location, then delete it from the local system, after adding it to ssh-agent. The private key cannot be retrieved from the agent. If you lose access to the private key, you would have to create a new key pair and update the public key on all systems you interact with.
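The walkthrough above, collected into one script with the checks a practitioner would want after each step: that ssh-keygen and ssh-add actually succeeded, that the fingerprint ssh-agent holds matches the .pub file, and what the private key's ACL looks like. This is an added example, not code from the original page; it assumes the Windows OpenSSH client is installed and that it is run from an elevated PowerShell, since Set-Service and Start-Service on ssh-agent need Administrator.

```powershell
# Added example, not from the original page: generate an ed25519 client key,
# make the ssh-agent service persistent, load the key, and verify the load.
# Assumptions: Windows OpenSSH client installed; run from an elevated
# PowerShell (Set-Service/Start-Service on ssh-agent need Administrator).

$SshDir  = Join-Path $env:USERPROFILE '.ssh'
$KeyPath = Join-Path $SshDir 'id_ed25519'
$Comment = "$env:USERNAME@$env:COMPUTERNAME"     # stored in the .pub file only

if (-not (Test-Path $SshDir)) { New-Item -ItemType Directory -Path $SshDir | Out-Null }

# Generate only if no key exists; ssh-keygen still prompts for a passphrase
# (the walkthrough above leaves it empty; setting one protects the file at rest).
if (-not (Test-Path $KeyPath)) {
    ssh-keygen -t ed25519 -C $Comment -f $KeyPath
    if ($LASTEXITCODE -ne 0) { throw "ssh-keygen failed with exit code $LASTEXITCODE" }
}

# The service ships Disabled; Automatic start keeps the agent (and the keys it
# holds, per the note above) available after a reboot.
Set-Service -Name ssh-agent -StartupType Automatic
Start-Service -Name ssh-agent
$svc = Get-Service -Name ssh-agent
if ($svc.Status -ne 'Running') { throw "ssh-agent is $($svc.Status), expected Running" }

ssh-add $KeyPath
if ($LASTEXITCODE -ne 0) { throw "ssh-add failed with exit code $LASTEXITCODE" }

# Cross-check: the fingerprint of the .pub file must appear in the agent's list.
# Both tools print "<bits> SHA256:<fingerprint> <comment> (<type>)".
$fileFp = ((ssh-keygen -lf "$KeyPath.pub") -split '\s+')[1]
$loaded = ssh-add -l | Where-Object { $_ -like "*$fileFp*" }
if (-not $loaded) { throw "Key $fileFp was not loaded into ssh-agent" }
Write-Host "Loaded in ssh-agent: $loaded"

# The private key must not be readable by other users; the Windows ssh client
# refuses an over-permissive key file. List the ACL so stray entries
# (Users, Everyone) are visible before the file is backed up and removed.
(Get-Acl -Path $KeyPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

The fingerprint comparison is the useful part: ssh-add prints "Identity added" even when you pointed it at the wrong file, so matching the agent's list against the .pub file you are about to deploy is the check that catches that. Setting the service to Automatic matters because the note above tells you to delete the private key after adding it; if the service stays Disabled, the agent is not running after a reboot and the key it holds is unusable until you re-enable it.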

Step 2 — Deploying the public key

To use the user key that was created above, the public key needs to be placed on the server into a text file called authorized_keys under users\username\.ssh\. The OpenSSH tools include scp, which is a secure file-transfer utility, to help with this.

The following steps move the contents of your public key (~\.ssh\id_ed25519.pub) into a text file called authorized_keys in ~\.ssh\ on your server/host.

This example uses the Repair-AuthorizedKeyPermission function in the OpenSSHUtils module, which was previously installed on the host in the instructions above.

# Make sure that the .ssh directory exists in your server's home folder
ssh user1@domain1@contoso.com mkdir C:\users\user1\.ssh\

# Use scp to copy the public key file generated previously to authorized_keys on your server
scp C:\Users\user1\.ssh\id_ed25519.pub user1@domain1@contoso.com:C:\Users\user1\.ssh\authorized_keys

# Appropriately ACL the authorized_keys file on your server
ssh --% user1@domain1@contoso.com powershell -c $ConfirmPreference = 'None'; Repair-AuthorizedKeyPermission C:\Users\user1\.ssh\authorized_keys
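The scp command above overwrites authorized_keys, so any keys already authorized for that account are lost, and nothing in the steps confirms that the server actually accepts the key. The script below is an added example, not code from the original page: it merges the new key into the existing file, fixes the ACL with the same Repair-AuthorizedKeyPermission call, and then attempts a key-only login. It reuses the page's placeholder account user1@domain1@contoso.com and assumes that account's profile is C:\Users\user1, that OpenSSHUtils is installed on the server as stated above, and that the server's default shell for ssh commands is cmd.exe (the Windows OpenSSH default).

```powershell
# Added example, not from the original page: publish the local public key to a
# Windows OpenSSH server without clobbering keys already in authorized_keys,
# fix the file's ACL, and prove that key-only login works.
# Assumptions (placeholders, replace): account user1@domain1@contoso.com whose
# profile is C:\Users\user1; OpenSSHUtils installed on the server; the remote
# default shell for ssh commands is cmd.exe.

$Target     = 'user1@domain1@contoso.com'
$RemoteSsh  = 'C:\Users\user1\.ssh'
$RemoteAuth = "$RemoteSsh\authorized_keys"
$PubKeyPath = Join-Path $env:USERPROFILE '.ssh\id_ed25519.pub'

if (-not (Test-Path $PubKeyPath)) { throw "No public key at $PubKeyPath" }
$pub = (Get-Content -Path $PubKeyPath -Raw).Trim()

# 1. Make sure the remote .ssh directory exists (cmd.exe syntax, see assumptions).
ssh $Target "if not exist $RemoteSsh mkdir $RemoteSsh"
if ($LASTEXITCODE -ne 0) { throw "Could not create $RemoteSsh on $Target" }

# 2. Pull the current authorized_keys (if any) so we merge instead of overwrite;
#    scp exits non-zero when the file does not exist yet, which is fine here.
$work = New-TemporaryFile
scp "${Target}:$RemoteAuth" $work.FullName 2>$null
$existing = if ($LASTEXITCODE -eq 0) {
    Get-Content -Path $work.FullName | ForEach-Object { $_.Trim() } | Where-Object { $_ }
} else { @() }

if ($existing -contains $pub) {
    Write-Host 'Public key already authorized; nothing to upload.'
} else {
    # LF line endings and no BOM: the file is parsed by sshd, not by Windows tools.
    $merged = (@($existing) + $pub) -join "`n"
    [IO.File]::WriteAllText($work.FullName, "$merged`n")
    scp $work.FullName "${Target}:$RemoteAuth"
    if ($LASTEXITCODE -ne 0) { throw "scp upload to $RemoteAuth failed" }
}
Remove-Item -Path $work.FullName -Force

# 3. Restrict the ACL, same call as the --% form above. The backtick keeps
#    $ConfirmPreference from being expanded locally so the server's PowerShell sees it.
ssh $Target "powershell -c `$ConfirmPreference='None'; Repair-AuthorizedKeyPermission $RemoteAuth"
if ($LASTEXITCODE -ne 0) { throw "Repair-AuthorizedKeyPermission failed on $Target" }

# 4. Verify: BatchMode disables all prompts and PasswordAuthentication=no removes
#    the password fallback, so success here means the key alone was accepted.
ssh -o BatchMode=yes -o PasswordAuthentication=no $Target whoami
if ($LASTEXITCODE -ne 0) { throw "Key-based login to $Target failed" }
Write-Host "Key-based login to $Target succeeded."
```

Step 4 is the one to keep even if you do the rest by hand: without PasswordAuthentication=no, a successful ssh session may simply mean the password prompt was answered, not that the key was used. If that step fails although the upload and ACL repair succeeded, the usual cause is that the remote account is a member of the local Administrators group: the default Windows sshd_config contains a Match Group administrators block that reads keys from C:\ProgramData\ssh\administrators_authorized_keys rather than the per-user file, so the key must be placed there instead (with the equally restrictive ACL), or that block must be removed from sshd_config.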

These steps complete the configuration required to use key-based authentication with SSH on Windows. After this, you can continue on to Enabling SSH Key Authentication.