# Set Up Public-key SSH on Windows

Setting up public-key SSH on Windows is much more tricky than on Linux (see here).

### Install OpenSSH for Windows

In the following instructions, the example machine hostname (SSH server) is frak16, with username oqa in the domain OBJY. Sometimes, another machine (client) is used to connect to this frak16 machine to test connection settings.

(1) Install OpenSSH for Windows to the SSH server, e.g., frak16, at the following location SSH_DIR=C:\space\oqa\OpenSSH. Use OpenSSH installer from here. Do NOT use OpenSSH for Windows from Sourceforge, which is outdated, even though many top links from Google search “OpenSSH windows” point to it. Select “Configure as Domain User” when installing.

(2) In the PATH environment variable, make sure that $(SSH_DIR)\bin folder comes before MKS and Cygwin’s bins folder, if applicable. We need to use OpenSSH version of chmod and chown. (3) Edit the file etc/passwd inside SSH_DIR (defined above). Make sure that the home directory for your username is present and in Cygwin notation, e.g., “/cygdrive/c/space/oqa” for user oqa. Make sure there is only one oqa user, like U-OBJY\oqa (domain user) for OBJY domain. Delete other oqa users such as local users if needed. (4) Edit $(SSH_DIR)\etc\banner.txt to include welcome message that you prefer, to make it less verbose and more informative. I would change it to include the current host name to indicate which host is currently connected.

(5a) (Optional but recommended) Run SSH server is debug mode to verify that settings are correct. Run the following command for a test run:

(5b) Use ssh from another host (as client) to test connection. You will have to enter username and password to connect to frak16 from this client.

If the client is Windows and using OpenSSH, make sure the client’s etc/ssh_config file in its OpenSSH installation folder is as follows:

(6) After making sure the SSH is installed and working properly on frak16, run the following in a Command prompt with Admin power to start SSH as a service:

Now, you can connect to this Windows machine frak16 using password authentication.

### Set up public-key SSH

(1) If the client is already set up, it should have its public key file. Copy content of that file to $(HOME_DIR)\.ssh\authorized_keys file on the SSH server (e.g., frak16). If you don’t have the public key file for the client, run ssh-keygen -t rsa on the client machine. The client machine’s public key file has the name like “id_rsa.pub”. (2) On the SSH server (e.g., frak16), edit $(SSH_DIR)\etc\sshd_config to enable PubkeyAuthentication. The following lines must be enabled:

(3) Recursively from $(HOME_DIR), use chown to set ownership to oqa and chmod to set all folders and files in $(HOME_DIR)\.ssh to read-only.

(4) Run SSH server in debug mode again to verify that public-key SSH settings are correct. Run this command “ssh oqa@frak16 ‘ipconfig’” from the client machine and verify that no password is required.

(5) Start SSH server permanently by running, in an elevated Command Prompt. As of 2015 Feb, I tried running SSH as a Windows service but it does not work reliably.

### Troubleshooting

Some of the most frequently encountered problems are discussed in this section.

#### Ownership of .ssh folder

You might encounter this problem when configuring public-key authentication. If you try to run the server in debug mode, you might see the following messages:

In this case, it’s an ownership problem on the SSH server. You can try another location for .ssh folder on the SSH server to see if it resolves the problem. In most cases, you can manually fix the above problem by using the following commands:

Note that chmod from OpenSSH must be used, instead of chmod from MKS or Cygwin. In addition, if there is a Local User oqa, remove that user so that chown will assign ownership to Domain User oqa.

#### Outdated SSH installer

If you see errors like this, you probably used OpenSSH installer from Sourceforge. That installer is outdated and buggy. Use the latest installer from here instead.

You might find the following error message when connecting to an SSH server running in debug mode.

If you installed Cygwin and/or MKS on your Windows SSH server, their SSH services (sshd for Cygwin and secshd for MKS) are probably using the port 22. Verify that by using the following command in Windows:

You can turn off SSH services from Cygwin and MKS by going to Computer > Manage > Go to Services > Stop the relevant service (Windows 7).

#### File transfer

If you installed putty on Windows, note that you CANNOT simply use pscp (that is included with putty installation) to transfer file to another Windows machine with OpenSSH.

You have to convert the OpenSSH’s generated private key to a Putty private key, as detailed here.

An alternative is to use scp that is included with the OpenSSH installation. Note that this might not work (you still have to enter your password):

Since OpenSSH for Windows is extracted from Cygwin, trying Cygwin-style command turns out to be a good idea. This command allows password-less file transfer:

Note that files transferred over scp may not be readable (mode 000), regardless of file mode on the sending host. Therefore, remember to chmod a+r on the receiving host after file transfer, especially in an automation script, or you’ll get errors related to file access/file not found.

#### Other troubleshooting tips

• You may miss adding/setting some environment variables, e.g., PATH. After editing environment variables, you may need to restart your SSHD on a new Command Prompt windows to have those new environment variables in effect.
• Remember to disable firewall on Windows machines.