How Do You Set Up Passwordless SSH to a Windows Server?

Problem scenario
Are you asking yourself "why am I being prompted for a password when my SSH keys were set up correctly?"  When the contents of the .pub file (the public key) are placed into the authorized_keys file (in the /home/jdoe/.ssh/ folder of a client machine), the user should be able to SSH over to the server with no password, unless the SSH key was generated with a passphrase.  Assuming the SSH key was generated with an ssh-keygen command and no passphrase was entered at the time of creation, the login should happen with no password.

However, a password may still be required if the authorized_keys file has overly permissive permissions (e.g., after chmod 777 authorized_keys, or when the file is listed as "-rwxrwxrwx").  When an administrator is setting up SSH keys between two servers, he may find that being root makes his job easy.  When the users then try to SSH without passwords, they may get prompted to enter a password.  An administrator may think to open up the authorized_keys file's permissions (as the users don't have privileges as high as root's).  Granting the user read, write and execute rights will not fix the problem.  Setting the permissions of the authorized_keys file to 400 (e.g., chmod 400 authorized_keys) will allow the file to provide passwordless authentication for the users.

For OpenSSH on Windows, the same principle applies.  Overly permissive permissions on an authorized_keys file or its parent .ssh folder will cause the user to be prompted for a password.

Solution

To avoid a prompt, do the following on a Windows server with OpenSSH:

1.  Right click the authorized_keys file (usually in C:\Users\jdoe\.ssh\) and go to Properties.

2.  Go to the Security tab.  Go to Advanced.

3.  Click "Disable inheritance."

4.  A pop up menu with two options will appear.  Click the option for "Convert ..."

5.  Click a User and Group other than "Administrators"

6.  Click Remove

7.  Continue until you have removed everything but "Administrators"

8.  Move up in the directory so you can right click the .ssh folder.

9.  Go to the Security tab.  Go to Advanced.

10.  Click "Disable inheritance."

11.  A pop up menu with two options will appear.  Click the option for "Convert ..."

12.  Click a User and Group other than "Administrators"

13.  Click Remove

14.  Continue until you have removed everything but "Administrators"
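
The same steps can be scripted and checked from PowerShell. The script below is an added example, not part of the original page: it reports which entries other than Administrators exist on authorized_keys and the .ssh folder, and with -Apply it performs steps 1-14 using icacls. The path is the page's example account, and the function names are made up for illustration; save it as a .ps1 file and run it from an elevated prompt.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell prompt.
param(
    [string]$SshDir = 'C:\Users\jdoe\.ssh',  # assumption: the page's example account
    [switch]$Apply                           # without -Apply the script only reports
)

$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$SidType   = [System.Security.Principal.SecurityIdentifier]

function Get-ExtraSid {
    # SIDs of every ACL entry holder on $Path other than Administrators
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $SidType) |
        ForEach-Object { $_.IdentityReference.Value } |
        Where-Object { $_ -ne $AdminsSid } |
        Sort-Object -Unique
}

function Set-AdministratorsOnly {
    param([string]$Path)
    # Steps 3-4 and 10-11: disable inheritance, converting inherited entries to explicit ones
    icacls.exe $Path /inheritance:d | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed to disable inheritance on $Path" }
    # Steps 5-7 and 12-14: remove every entry except Administrators
    foreach ($sid in @(Get-ExtraSid -Path $Path)) {
        icacls.exe $Path /remove "*$sid" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed to remove $sid from $Path" }
    }
}

# authorized_keys first, then its parent folder, in the same order as the steps
foreach ($target in @((Join-Path $SshDir 'authorized_keys'), $SshDir)) {
    if (-not (Test-Path -LiteralPath $target)) {
        Write-Warning "$target not found, skipping"
        continue
    }
    if ($Apply) { Set-AdministratorsOnly -Path $target }
    $extra = @(Get-ExtraSid -Path $target)
    if ($extra.Count -eq 0) {
        Write-Output "OK    $target : only Administrators have entries"
    } else {
        Write-Output "LOOSE $target : extra entries for $($extra -join ', ')"
    }
}
```

Running it once without -Apply shows which SIDs would be removed before anything is changed.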
