Windows SSH server refuses key based authentication from client

As of Windows 10 v1809, the default config (found in %ProgramData%/ssh/sshd_config) defines a separate AuthorizedKeysFile for administrator users:

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

This means any user who is in the special Windows Administrators group (SID S-1-5-32-544) will not look at the %UserProfile%/.ssh/authorized_keys file but will rather look at %ProgramData%/ssh/administrators_authorized_keys.

You have a few options:

• Use a non-administrator user, or
• Comment out those two lines from the bottom of sshd_config, which will then revert back to the default per-user AuthorizedKeysFile, or
• Add your keys to the (global!) administrators_authorized_keys file

My recommendation is to use a non-admin user if possible, or modify the config otherwise. A global key that is accepted for any account in the Administrators group sounds like unnecessary complexity.¹

---

¹ In a default config it is always possible to impersonate any other user from an admin user, since an admin user generally implies full root-level control in Windows. That might be their rationale for this default. But of course it makes configuration of a multi-user system rather confusing, where some (non-admin) users have their own authorized keys in a standard location while other (admin) users must share a single nonstandard authorized key list.

I believe there are no security benefits to such a configuration, apart from making it obvious that all admins can impersonate each other.

A future release may create user-specific folders under %ProgramData/ssh.

This is somewhat explored here: https://github.com/PowerShell/Win32-OpenSSH/issues/1324

Try to put more details here, if anyone has installed a built-in openssh server in Windows 10 (build 1809 or later, or Server 2016), whether or not following Microsoft's documents: Installation, Configuration and Key management. Seems they're pretty old or sort of incomplete and need updating.

After installation of this service, start it, you should connect it from your localhost via ssh username@localhost, assuming your Windows login name is username. But we want key based authentications and we must fail only according to Microsoft documents listed above:

1. We can't rely on Repair-AuthorizedKeyPermission to fix authorized_keys's permission, since we can't install OpenSSHUtils module for now. Reason here, seems the signature is outdated.
2. As @Bob indicated, we have to comment something in sshd_config if we don't setup key pair for Administrators.

If you just want use a single user's key based authentication, we just have to do as follows (Administrator privilege is required, all based on default built-in openssh server installation):

1. Since we can't install OpenSSHUtils module, we set the permissions manually. Check authorized_keys's ownership and permissions:

PS C:\>(get-acl .\users\username\.ssh\authorized_keys).owner
username
PS C:\>icacls .\users\username\.ssh\authorized_keys
ssh_host_dsa_key   BUILTIN\Administrators:(F)
                   username:(F) 
                   otheruser1:(IR)
                   otheruser2:(R)

2. Set correct ownership and permissions for authorized_keys:

PS C:\>icacls .\users\username\.ssh\authorized_keys /inheritance:r
PS C:\>icacls .\users\username\.ssh\authorized_keys /remove otheruser2

3. Search for and comment group matching policy in sshd_config:

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

4. (Optional) Enable key based authentication. Search for and change the text to:

PubkeyAuthentication yes

5. (Optional) Disable password based authentication. Search for and change the text to:

PasswordAuthentication no

6. Copy and paste the user's public key into authorized_keys who you want to connect as.
7. Restart sshd service. Now you should connect to this host with key authentications.

Consult following links for more detailed contents (this answer comes from):

• Installing and Configuring OpenSSH on Windows Server 2019

• Security protection of various files in Win32 OpenSSH

OpenSSH on Windows 10 requires additional configuration to recognize authorized_keys:

1. Save your authorized_keys into the file C:\ProgramData\ssh\administrators_authorized_keys with no extension
2. Use the below PowerShell script to set the correct permissions on the file

    $acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys
    $acl.SetAccessRuleProtection($true, $false)
    $administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule("Administrators","FullControl","Allow")
    $systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
    $acl.SetAccessRule($administratorsRule)
    $acl.SetAccessRule($systemRule)
    $acl | Set-Acl

If you don't do this, and instead only place the file in the .ssh folder for the user, you'll either get prompted for your password (instead of using the key file), or your connection will fail with "Too many authentication attempts".

References:

• https://www.concurrency.com/blog/may-2019/key-based-authentication-for-openssh-on-windows