valorad/openssh-setup.md

Last active August 27, 2023 18:06

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/valorad/833666b8aa211c6f35d15e50ac8afd31.js"></script>
Save valorad/833666b8aa211c6f35d15e50ac8afd31 to your computer and use it in GitHub Desktop.

Download ZIP

SSH Private key set-ups on Linux and on Windows

Raw

openssh-setup.md

Linux

ssh-keygen -t ed25519

cat ~/.ssh/id_ed25519.pub > ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 400 ~/.ssh/authorized_keys
chmod 400 ~/.ssh/id_ed25519

Note: for better security, consider removing your private key on server once done.

Windows

With GUI

Go to Settings -> Apps -> Optional Features, install OpenSSH Server
Open Services, find and open the entry OpenSSH SSH Server

Change Startup Type to "Automatic"
Start service, then stop it right after

Generate and configure ed25519 pairs

ssh-keygen -t ed25519
cp ~/.ssh/id_ed25519.pub C:\ProgramData\ssh\administrators_authorized_keys

Fix Permission for administrators_authorized_keys:

Disable inheritance
Only system full control and admin full control, delete the rest.

Restart OpenSSH Service

Server Core (No GUI):

Run the following command in Admin Powershell to check if server is installed

Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'

If not, make sure Windows Update is enabled, then install by:
```
Add-WindowsCapability -Online -Name OpenSSH.Server
```

Start the sshd service

Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'

Configure firewall

Get-NetFirewallRule -Name *ssh*

If the firewall does not exist, create one

New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

Generate ssh key pair

ssh-keygen -t ed25519
cp ~/.ssh/id_ed25519.pub C:\ProgramData\ssh\administrators_authorized_keys

Fix Permission for administrators_authorized_keys

Check current permissions

$path = 'C:\ProgramData\ssh\administrators_authorized_keys'
$acl = Get-ACL -Path $path
$acl | fl

Disable folder inheritance

# the first $True shows if the folder is protected, the second $True specifies if the current NTFS permissions have to be copied
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $path -AclObject $acl

Remove the NTFS permission to access a folder for a user

$acl = Get-Acl $path
$rules = $acl.Access | where IsInherited -eq $false
$targetrule = $rules | where IdentityReference -eq "NT AUTHORITY\Authenticated Users"
$acl.RemoveAccessRule($targetrule)
$acl | Set-Acl -Path $path

Check result
```
Get-ACL -Path $path | fl
```

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment