How to install ssh on windows

SSH-server based on the OpenSSH package is part of the operating system in all modern versions of Windows. In this article, we’ll show you how to install and configure the OpenSSH server on Windows 10/11 and Windows Server 2022/2019 and connect to it remotely via a secure SSH connection (just like in Linux 🙂).

How to Install OpenSSH Server on Windows?

The OpenSSH Server package is a part of all modern versions of Windows 10 (starting with 1803), Windows 11, and Windows Server 2022/2019 as a Feature on Demand (FoD). To install the OpenSSH server, open the elevated PowerShell prompt and run the command:

Get-WindowsCapability -Online | Where-Object Name -like ‘OpenSSH.Server*’ | Add-WindowsCapability –Online

Or using DISM:

dism /Online /Add-Capability /CapabilityName:OpenSSH.Server~~~~0.0.1.0

If your computer is directly connected to the Internet, the OpenSSH.Server package will be downloaded and installed on Windows.

You can also install OpenSSH on Windows 10/11 through the modern Settings panel (Settings -> Apps and features -> Optional features -> Add a feature). Find Open SSH Server in the list and click Install.

On computers in disconnected (offline) environments, you can install the OpenSSH Server from the Feature on Demand ISO image (available in your account on the Microsoft websites: MSDN or my.visualstudio.com). Download the ISO and extract its contents to the E:FOD folder (you can only extract the file OpenSSH-Server-Package~31bf3856ad364e35~amd64~~.cab) and install the Windows feature from the local repository:

Add-WindowsCapability -Name OpenSSH.Server~~~~0.0.1.0 -Online -Source E:FOD

An MSI installer for OpenSSH for Windows is also available in the official Microsoft repository on GitHub (https://github.com/PowerShell/Win32-OpenSSH/releases/). For example, for Windows 10 x64, you need to download and install the OpenSSH-Win64-v8.9.1.0.msi package. The following PowerShell command will download the MSI file and install the OpenSSH client and server on your computer:

Invoke-WebRequest https://github.com/PowerShell/Win32-OpenSSH/releases/download/v8.9.1.0p1-Beta/OpenSSH-Win64-v8.9.1.0.msi -OutFile $HOMEDownloadsOpenSSH-Win64-v8.9.1.0.msi -UseBasicParsing
msiexec /i $HOMEDownloadsOpenSSH-Win64-v8.9.1.0.msi

You can install an OpenSSH server in previous Windows versions as well (Windows 8.1, Windows Server 2016/2012R2/2012). Check the example on how to install and configure Win32-OpenSSH in the article “How to Configure SFTP Server (SSH FTP) on Windows?”.

To make sure the OpenSSH server has been installed, run the command:

Get-WindowsCapability -Online | ? Name -like 'OpenSSH.Ser*'

State : Installed

Configuring SSH Server on Windows

After installing the OpenSSH server on Windows, two services are added:

• ssh-agent (OpenSSH Authentication Agent) – can be used to manage private keys if you have configured SSH key authentication;
• sshd (OpenSSH SSH Server).

You need to change the startup type of the sshd service to automatic and start the service using PowerShell:

Set-Service -Name sshd -StartupType 'Automatic'
Start-Service sshd

Use the netstat command to make sure that the SSH server is running and waiting for the connections on TCP port 22:
netstat -na| find ":22"

Make sure that Windows Defender Firewall allows inbound connections to Windows through TCP port 22:
Get-NetFirewallRule -Name *OpenSSH-Server* |select Name, DisplayName, Description, Enabled

Name DisplayName Description Enabled
---- ----------- ----------- -------
OpenSSH-Server-In-TCP OpenSSH SSH Server (sshd) Inbound rule for OpenSSH SSH Server (sshd) True

If the rule is disabled (Enabled=False) or missing, you can create a new inbound rule using the New-NetFirewallRule cmdlet:

New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

By default, key OpenSSH components are located in these folders:

• OpenSSH Server executables: C:WindowsSystem32OpenSSH(sshd.exe, ssh.exe, ssh-keygen.exe, sftp.exe, etc.)
• The sshd_config file (created after the first service start of the service): C:ProgramDatassh
• The authorized_keys file and keys can be stored in the user profile folder: %USERPROFILE%.ssh

Sshd_config: OpenSSH Server Configuration File

You can change your OpenSSH server settings in the config file: %programdata%sshsshd_config. This is a plain text file with a set of directives. You can use any text editor for editing:

start-process notepad C:Programdatasshsshd_config

For example, to deny SSH connection for a specific domain user account (or all users in the specified domain), add these directives to the end of the file:

DenyUsers woshubadmin@192.168.1.10
DenyUsers corp*

To allow SSH connection to the specific domain security group only:

AllowGroups woshubsshadmins

You can allow access to a local user group:

AllowGroups sshadmins

By default, all Windows users can connect to OpenSSH. Directives in the sshd_config files are processed in the following order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.

You can deny SSH login for the accounts with administrator privileges. In this case, if you need to perform any privileged actions in your SSH session, you will have to use runas.

DenyGroups Administrators

The following directives allow you to access Windows using SSH private keys or a password.

PubkeyAuthentication yes
PasswordAuthentication yes

You can change the default TCP/22 port on which OpenSSH Server connections are accepted in the sshd_config configuration file using the Port directive.

How to Connect to a Remote Windows Computer via SSH?

Now you can try to connect to your Windows 10 computer using the SSH client (I’m using putty in this example).

GSSAPIAuthentication yes

The first time you connect, you will be prompted to add the host to the list of known SSH hosts (C:Usersyour_user.sshknown_hosts).

Click Yes, and login under your Windows user account.

If the SSH connection is successful, you will see the cmd.exe shell prompt.

admin@win10pc C:Usersadmin>

You can run different commands, scripts, and apps in the SSH command prompt.

I prefer working in the PowerShell console. To start it, run:

powershell.exe

In order to change the default cmd.exe shell in OpenSSH to PowerShell, make changes to the registry using the following PowerShell command:

New-ItemProperty -Path "HKLM:SOFTWAREOpenSSH" -Name DefaultShell -Value "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" -PropertyType String –Force

Restart your SSH connection and make sure that PowerShell is now used as a default SSH shell (this is indicated by the prompt PS C:Usersadmin>).

The PowerShell prompt has been started in my SSH session, where the usual functions work: tab autocomplete, PSReadLine syntax highlighting, command history, etc. If the current user is a member of the local administrators’ group, all session commands are executed elevated even if UAC is enabled.

OpenSSH server on Windows can be used in various SSH tunneling scenarios.

Checking SSH Connection Logs in Windows

By default in Windows SSH server connection logs are written not to text files, but to a separate event log via Event Tracing for Windows (ETW). Open the Event Viewer console (eventvwr.msc ) and navigate to Application and services logs -> OpenSSH -> Operational.

If you successfully connect to the SSH server using a password, an event will appear in the log:

EventID: 4
sshd: Accepted password for root from 192.168.1.53 port 65749 ssh2

If SSH key authentication was performed, you will see the following event:

sshd: Accepted publickey for locadm from 192.168.1.53 port 61426 
ssh2: ED25519 SHA256:FEHDEC/G42FS23209C2KMb4335923pigN31s3qMK322lGibD

If you want the SSH connection logs to be written to a local text file, you need to enable the following parameters in the sshd_config file:

SyslogFacility LOCAL0
LogLevel INFO

Restart the sshd service and make sure that the SSH server logs are now written to a plain text file C:ProgramDatasshlogssshd.log

— Advertisement —

Hello, how are you? In the previous article, we saw how to enable Telnet in Windows Server. This protocol is very useful, but it has a serious security breach. For that reason, we recommend using the SSH connection. It is a remote administration protocol that allows users to control and modify their remote servers over the Internet. To do this, it uses an authentication mechanism. The protocol works by authenticating a remote user and transferring inputs from the client to the host. It then retransmits the output back to the client. But most importantly, the communication is delivered encrypted so the security is much higher than Telnet. In view of the above, let’s see how to install an SSH client and server in Windows 10.

Prerequisite

In order to enjoy all the benefits of this protocol, it is necessary to have a Windows version equal to or greater than 1803.

Installing the SSH client

First, let’s verify the SSH client installation. With this intention, enter in Windows Settings pressing the combination Win+I. Once there, select Apps

Then click on Optional features.

In the next window, you will see all the optional functions. Then scroll down to find the OpenSSH Client. In this case, the client is already installed, so there is nothing else to do. In case it is not, just click on the install button.

Add SSH server in Windows 10

From the previous screen please click on Add a feature:

Now scroll down and select OpenSSH Server. Press install and wait a few seconds while the function is installed. Once the action is executed, please restart the computer to confirm the changes.

Configure OpenSSH Server to start with Windows.

From now on the client and the SSH server are installed. For the SSH server to be activated every time we start Windows we will have to do the following. Press the Win+R combination and run services.msc

Then scroll down and select OpenSSH SSH Server and OpenSSH Authentication Agent:

Now what we are going to do is to activate them so that they start every time you start Windows. With that intention double-click on OpenSSH Authentication Agent and in the startup type select Automatic. Then press Apply and finally accept.

We will repeat this procedure with the OpenSHH SSH Server Service

As we did in the previous step, restart the computer to set the changes. With these steps, we will be able to install the server and the SSH client in Windows 10.

Testing the SSH client and server

After restarting the computer, it is necessary to verify if the SSH services are active. To do this, open a PowerShell as administrator by pressing the Win+X combination.

Then execute the following command:

 Get-Service -Name *ssh* 

If all goes well, you will see the next result in the PowerShell, showing the two services running:

Configuring the Windows firewall

In order to have access to our computer through SSH we have to configure the Windows Firewall. To do this we open a PowerShell as administrator and execute the following command:

.netsh advfirewall firewall add rule name="SSHD Port" dir=in action=allow protocol=TCP localport=22 

It then tests whether the SSH server is listening on port 22. For this purpose, from a PowerShell with administrator privileges runs the following command:

.netstat -bano | .more.com

Connect to an SSH server from Windows.

From now on we can connect remotely to an SSH server. To execute it, it is necessary to know 3 parameters:

• User name
• Server IP Address
• Know the port where the SSH server is listening. In this case, the port is 22.
• User password

Once this data is known, open a PowerShell and run the following command:

 ssh -p 22 [email protected]

Then add the password to access the remote computer. And you will have access via PowerShell to the SSH server.

Conclusion

Finally, we have seen how to install an SSH client and server in Windows 10. This way we will be able to remotely manage any device that uses this protocol. Additionally, security is increased because the communication between host and client is encrypted. In this way, our data remains safe from possible attackers. This is all for the moments, before saying goodbye I want to invite you to see our post about Telnet in Windows Server.

Using SSH on Windows 10 used to be a pain that required third-party software such as PuTTy. In 2018, though, Microsoft enabled native SSH commands via an OpenSSH Windows integration.

If you’re unfamiliar with SSH, it stands for Secure Shell, a protocol typically used for connecting to Linux servers. The command-line SSH tool lets you log into your server and run commands remotely to perform any required task.

The Integrated OpenSSH for Windows Client

The OpenSSH client for Windows is installed by default on Windows Server 2019 and Windows 10 build 1809 and later. However, if SSH commands aren’t working for you, it’s because you need to enable them in your Windows features. We’re going to walk you through enabling SSH on Windows 10 via this method, then show you how to use it. Let’s get started:

How to Install the SSH Client on Windows 10

How to Open a Port in Firewall or Enable the Telnet Client

Now you know how to install SSH on Windows. However, if you’re still having issues, you may need to follow our tutorial on how to open or close a port in Windows 10 Firewall to add an exception for your SSH port.

Finally, if your server uses the older Telnet protocol, you may want to follow our tutorial on how to enable the Telnet client in Windows 10 instead.

The Secure Shell (SSH) protocol and the OpenSSH project have been around for decades on Linux. But OpenSSH on Windows hasn’t been embraced in the Windows world until recently. As such, a Windows Server doesn’t typically come pre-built and ready to go and requires some setup.

Not a reader? Watch this related video tutorial!

Not seeing the video? Make sure your ad blocker is disabled.

In this tutorial, you’re going to learn how to SSH into your Windows Server just as easily as Linux. You’ll learn how to get OpenSSH installed (or updated) on Windows, add appropriate firewall rules, and configure public key, password, and certificate-based authentication.

Prerequisites

To effectively follow the examples and demos in this article, you’ll need to meet these requirements below.

• A Windows Server machine – This article will use Windows Server 2019 Datacenter. The server this tutorial will use will have a user account called june and will connect to the server at the IP address of 40.117.77.227 with a hostname of ataWindows.
• A local computer with PowerShell 7.1 installed. PowerShell 7.1 is available in Windows, Linux, and macOS. The examples in this article use PowerShell 7.1 in Windows 10.

Downloading OpenSSH

Unlike Linux servers, Windows servers do not have an out-of-the-box SSH server running. But Microsoft has released an open-source port of OpenSSH for Windows. With this release, you can now set up an SSH server on a Windows machine.

To get started, you’ll first need to download OpenSSH. To do so, follow the steps below:

1. Connect to the desktop on a Windows Server using Remote Desktop (RDP) or your preferred desktop manager client.

2. On your Windows Server desktop, open an elevated Windows PowerShell console.

3. Next, copy the code below, paste it in the PowerShell window, and press Enter. This script will download the latest OpenSSH release, which as of this writing, is v8.1.0.0p1-Beta to the current working directory.

If you like to save the PowerShell code to download OpenSSH, you can also open a code editor like Windows PowerShell ISE or Visual Studio Code and save it in there.

## Set network connection protocol to TLS 1.2
## Define the OpenSSH latest release url
 $url = 'https://github.com/PowerShell/Win32-OpenSSH/releases/latest/'
## Create a web request to retrieve the latest release download link
 $request = [System.Net.WebRequest]::Create($url)
 $request.AllowAutoRedirect=$false
 $response=$request.GetResponse()
 $source = $([String]$response.GetResponseHeader("Location")).Replace('tag','download') + '/OpenSSH-Win64.zip'
## Download the latest OpenSSH for Windows package to the current working directory
 $webClient = [System.Net.WebClient]::new()
 $webClient.DownloadFile($source, (Get-Location).Path + 'OpenSSH-Win64.zip')

4. The OpenSSH-Win64.zip file should now be in your current working directory. Verify this by running the command below.

As you can see below, the OpenSSH-Win64.zip file exists in the directory.

Installing OpenSSH

After you’ve downloaded OpenSSH-Win64.zip, the next step is to install OpenSSH on the server. There’s no installation wizard in case you’re expecting it.

1. While still in the same PowerShell session, copy the code below and run it in PowerShell. This code extracts the OpenSSH-Win64.zip file contents to C:Program FilesOpenSSH.

# Extract the ZIP to a temporary location
 Expand-Archive -Path .OpenSSH-Win64.zip -DestinationPath ($env:temp) -Force
# Move the extracted ZIP contents from the temporary location to C:Program FilesOpenSSH
 Move-Item "$($env:temp)OpenSSH-Win64" -Destination "C:Program FilesOpenSSH" -Force
# Unblock the files in C:Program FilesOpenSSH
 Get-ChildItem -Path "C:Program FilesOpenSSH" | Unblock-File

2. After extracting the ZIP file, run the command below in PowerShell to execute the script C:Program FilesOpenSSHinstall-sshd.ps1. This script installs the OpenSSH SSH Server service (sshd) and OpenSSH Authentication Agent service (sshd-agent).

& 'C:Program FilesOpenSSHinstall-sshd.ps1'

You can see the expected result below.

To ensure that the SSH server starts automatically, run the command below in PowerShell.

## changes the sshd service's startup type from manual to automatic.
 Set-Service sshd -StartupType Automatic
## starts the sshd service.
 Start-Service sshd

Adding a Windows Firewall Rule to Allow SSH Traffic

This procedure is applicable only if your Windows Server is using the Windows Firewall. For servers using third-party firewalls, refer to your firewall documentation on how to allow port 22.

Installing OpenSSH does not automatically create a firewall exception rule to allow SSH traffic. Therefore, your next task is to create the firewall rule manually.

One of the easiest ways to create a new Windows Firewall rule is with PowerShell and the New-NetFirewallRule cmdlet. The command below creates a firewall rule called Allow SSH that allows all inbound TCP traffic destined to port 22.

Copy the command below and run it in PowerShell.

New-NetFirewallRule -Name sshd -DisplayName 'Allow SSH' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

The below screenshot shows the expected output in PowerShell after creating the firewall rule.

Connecting with SSH using Password Authentication

At this point, you’ve installed OpenSSH on Windows and performed the initial server configuration. The next step is to test whether connecting via SSH actually works.

To test your newly configured SSH server, let’s now run the ssh command on your local computer.

The same steps in this section also apply when connecting to a Linux SSH server.

1. From your local computer this time, open PowerShell.

2. Next, run the command below to start the SSH login process. Make sure to change the username and the remote host of your Windows Server.

3. Since you’re connecting for the first time to the server, you will see a prompt saying that the authenticity of the host can’t be established. The message means that your computer does not recognize the remote host yet. Type yes and press Enter to continue.

4. When prompted for the password, type in your account password and press enter.

5. After logging in, as you can see in the screenshot below, you’ll arrive at the remote host’s command prompt. Suppose you want to confirm that you’ve entered the session on the remote host. To do so, type hostname, and press Enter. The command should return the remote computer name.

Changing the Default Shell for OpenSSH to PowerShell

When you first logged in to your Windows SSH server, you’ll notice that the default shell or command interpreter is CMD. Having CMD as the default SSH shell is fine, but if you prefer to use PowerShell as the default shell instead, follow these steps.

To change the default OpenSSH shell from CMD to PowerShell:

First, open an elevated PowerShell window on your Windows Server, if you don’t have one open already.

Next, create a new registry string value called DefaultShell in the registry key HKLM:SOFTWAREOpenSSH. Set the DefaultShell string data to the Windows PowerShell path C:WindowsSystem32WindowsPowerShellv1.0powershell.exe.

New-ItemProperty -Path "HKLM:SOFTWAREOpenSSH" -Name DefaultShell -Value "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" -PropertyType String -Force

The screenshot below shows the expected result of the command.

Configuring Public Key Authentication

In the previous sections, you connected with a username and password. this works but a more secure way to authenticate with an SSH server is by using a key pair.

In a nutshell, a key pair consists of two keys called the public key and private key, which constitute a set of security credentials to prove your identity.

The public key is stored on the server, while the private key stays on the local computer. You must treat a private key like your password. If the private key is compromised, anyone can use it to gain access to your SSH server.

Public keys have to be on the server. But where? For OpenSSH on Windows, the SSH server reads the public keys from the C:ProgramDatasshadministrators_authorized_keys file. But this file does not exist by default. You must create one first.

Follow these steps below to create the administrators_authorized_keys file and set its proper access control list (ACL).

On the Windows Server:

1. Open an elevated Windows PowerShell console if not already.

2. Copy the command below and run it in PowerShell. This command creates the administrators_authorized_keys file using the New-Item cmdlet.

New-Item -Type File -Path C:ProgramDatasshadministrators_authorized_keys

You should see a result similar to the screenshot below.

3. Next, get the ACL currently assigned to the ssh_host_dsa_key file and copy that ACL to the administrators_authorized_keys file. To do so, run the command below.

get-acl C:ProgramDatasshssh_host_dsa_key | set-acl C:ProgramDatasshadministrators_authorized_keys

The OpenSSH service requires that only the Administrators group and the SYSTEM account have access to the administrators_authorized_keys file. And copying the ACL of ssh_host_dsa_key to administrators_authorized_keys makes sense because the ACL is already set.

4. Now open up Windows Explorer.

5. Navigate to the C:ProgramDatassh folder.

6. Right-click on the administrators_authorized_keys file and click Properties.

7. On the properties page, click on the Security Tab and click Advanced.

8. Then, confirm if the permissions are as shown like in the image below.

Generating a New SSH Key Pair

To generate a new SSH key pair, use the ssh-keygen command, which is part of the OpenSSH client tools built-in to Windows 10 (and above) and most Linux operating systems.

The example shown in this section works on both Windows and Linux computers.

On your local computer, in a PowerShell console:

1. Navigate to your home folder’s .ssh directory by running the command below.

2. Next, type in the command ssh-keygen and press Enter. When asked to enter a file location to save the key you’re generating, keep the default location and press Enter. Doing so allows your SSH client to find your SSH keys when authenticating automatically.

In Windows, the default key file is C:Users<username>.sshid_rsa.

3. At the next prompt, leave the passphrase blank. At this point, you do not have to use a passphrase for testing.

Adding a passphrase to your private key significantly increases its security. A passphrase acts as a second-factor authentication (2FA) to your private key.

You’ll notice that the command created two files; id_rsa (private key) and id_rsa.pub (public key).

Deploying the Public Key to the Windows SSH Server

Now that you’ve generated your private-public key pair, your next step is to copy the public key to the C:ProgramDatasshadministrators_authorized_keys file on the SSH server.

On your local computer, in a PowerShell console:

1. Copy the code below and run it in PowerShell. Make sure to change the username and IP address first. You can refer to the comment above each command to know what each command does.

# Read the public key
 $public_key = Get-Content ~/.ssh/id_rsa.pub
# Append the public key to the administrators_authorized_keys on the server using ssh.
 ssh [email protected] "'$($public_key)' | Out-File C:ProgramDatasshadministrators_authorized_keys -Encoding UTF8 -Append"

2. Enter your password when prompted, and ssh will proceed to copy the public key. You will see a similar result, as shown below.

Connecting with SSH using Public Key Authentication

Now that you’ve copied your public key to your SSH server, you no longer need to use a password to authenticate. As you can see below, ssh did not prompt for a password.

Configuring Certificate Authentication

Like public key authentication, certificate authentication is passwordless or passphrase-protected. To enable certificate login, follow the same procedure of generating a key pair sans deploying the public key to the SSH server.

You do not need to map the public key to the authorized_keys or administrators_authorized_keys files on the SSH server. Instead, the public key is signed using a certificate authority (CA) key.

Creating the Certificate Authority (CA) Key

Generating the CA keys for signing is similar to generating a user key pair that you did earlier in this article. Only this time, you’ll need to specify a filename for the new CA keys. To do so, on your Windows Server in a PowerShell console:

Execute the ssh-keygen command as shown below. This command creates the CA key in C:ProgramDatasshca_userkeys, but feel free to use a different file name. Using a different filename will not affect the CA key functionality.

When asked for a passphrase, leave the passphrase empty and press Enter.

ssh-keygen -f C:ProgramDatasshca_userkeys

You can see below that the command created two files. ca_userkeys, which is the private key, and ca_userkeys.pub, which is the public key.

Now that you’ve generated the CA keys, tell the SSH server to trust the CA and where to find the CA key. To do this, add a new line TrustedUserCAKeys path/to/ca_userkeys.pub to the C:ProgramDatasshsshd_config file on the server.

Run the commands below to append the configuration item in the file sshd_config.

# If the SSH server is Windows
 echo TrustedUserCAKeys C:ProgramDatasshca_userkeys.pub>> C:ProgramDatasshsshd_config

Signing the User’s Public Key

At this point, you’ve generated the CA keys and configured the SSH server to trust the CA public key file. What’s left now is to sign your user public key.

On your local computer, in a PowerShell console:

1. Copy the id_rsa.pub file to your home drive on the SSH server using the SCP command. Make sure to change the username and IP address to the correct values.

2. Log in to your Windows Server using ssh. Once logged in, run ssh-keygen to sign the user’s public key. You’ll notice that the command below used several parameters. Let’s break them down.

• -s C:ProgramDatasshca_userkeys – specify the CA key’s location for signing the public key. In this example, the CA key is the one you generated.
• -I id_username – specify the ID you want to assign to the signed user public key. Change the id_username value to any name you want.
• -V +4w – this parameter specifies the validity period for the signed key. In this example, +4w means that the signed user key will be valid for four weeks. You can change this value to your preferred validity period.
• -n username – this is the username of whom will own the signed public key.
• <path to id_rsa.pub> – this is the user public key’s location to sign (Windows).

ssh-keygen -s C:ProgramDatasshca_userkeys -I id_username -V +4w -n username ~/id_rsa.pub

After you run the command in your SSH session, you should get a similar output, as shown below. As you can see, the command generated a new file called id_rsa-cert.pub, which is the signed user certificate.

3. Now, navigate back to your local computer PowerShell session and copy the id_rsa-cert.pub file from the server to your local computer. Change the username and IP address to the correct values first before running the command.

After the copy completes, you’ll find the signed user certificate in your home folder, as shown below.

Connecting with SSH using Certificate Authentication

You’ve configured certificate authentication, and now you have your user certificate. You should now test if you can connect the SSH server with certificate authentication.

The command to connect to SSH with a certificate is the same as using a password or public key. But, if you enabled public key authentication previously, disable it first. Otherwise, ssh will keep using your key pair instead of your certificate.

To disable your key-pair, remove your public key from the administrators_authorized_keys file. To do so, follow these steps.

Note that the succeeding commands will empty the whole administrators_authorized_keys file, effectively removing all mapped public keys. If you don’t want to clear all mapped public keys, use a text editor to remove selected public keys from each file manually.

While SSHed into the Windows Server:

1. Run the below code in PowerShell to empty the administrators_authorized_keys file.

# Clear the administrators_authorized_keys file
 $NULL > C:ProgramDatasshadministrators_authorized_keys
# Confirm that the administrators_authorized_keys is empty
 Get-Content C:ProgramDatasshadministrators_authorized_keys

2. At this point, the authorized_keys and administrators_authorized_keys files are empty, as you can see in the screenshot below.

3. Type exit and press Enter to disconnect from your SSH session. You’ll be back to your PowerShell session.

4. After removing the public keys, your next ssh login attempt will use certificate authentication. The login experience will be the same as public key authentication.

Conclusion

You’ve now set up an OpenSSH Windows Server from scratch all the way to exploring and setting up various authentication means. You can now connect to your Windows Servers exactly how you would with Linux!