Authorized Keys in Windows 10 OpenSSH

With Windows now supporting OpenSSH, I figured I could set up password-less login from my Linux server and pull my home backups automatically. Currently I push backups to my server using Windows Scheduler and it’s far from ideal, as any adjustment to the process requires me to log in to each machine separately.

My first attempt to get it working relied on Microsoft’s documentation and, while it did allow for password login, it got me nowhere when it came to authentication keys. There are many comments in the GitHub repository dealing with the same issue, but it was impossible to tell what was working and what was not - especially since quite a few pieces of advice were contradictory. Mind you, the recommended commands might have been working at one time or another, but my Windows 10 November update was resistant to everything I found there.

So I decided to go the harder route and actually check the logs as I tried commands. I wanted a procedure that would bring the least amount of changes (ideally none) to files already installed so I can deal with upgrades, and I wanted to have all those steps scriptable so I can set up everything by simply running the file.

The issue with authorized keys lay in “Authenticated Users” being allowed access to administrators_authorized_keys. Once that was removed from the ACL, my passwordless login started working beautifully.

My final script looked something like this:

# Start as admin
If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {   
    $arguments = "& '" + $myinvocation.mycommand.definition + "'"
    Start-Process powershell -Verb runAs -ArgumentList $arguments
    Break
}

# Preferences
Set-ExecutionPolicy RemoteSigned
$ConfirmPreference = 'None'

# OpenSSH: Install
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Set-Service -Name sshd -Computer localhost -StartupType Automatic
Start-Service sshd

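# OpenSSH: Setup
# Create the key file; replace ^^key^^ with the public key line
New-Item -Path $Env:ALLUSERSPROFILE\ssh -Name "administrators_authorized_keys" -ItemType "file" `
  -Value "^^key^^"
# Disable inheritance (inherited entries are copied as explicit ones)
icacls "$Env:ALLUSERSPROFILE\ssh\administrators_authorized_keys" /inheritance:d
# Remove the entry that kept key authentication from working
icacls "$Env:ALLUSERSPROFILE\ssh\administrators_authorized_keys" /remove `
    "NT AUTHORITY\Authenticated Users"
Restart-Service -Name sshd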
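
A check to run after the script above, added here as an example and not part of the original script: it reports every allow entry on administrators_authorized_keys held by a principal other than SYSTEM or Administrators, which is the condition that blocked key login in this post. The function name Test-AdminKeysAcl and the two-SID allow-list are assumptions of this example.

```powershell
# Added example: audit the ACL of administrators_authorized_keys.
# Assumption: only SYSTEM and the Administrators group should hold entries.
function Test-AdminKeysAcl {
    param(
        [string]$Path = "$Env:ALLUSERSPROFILE\ssh\administrators_authorized_keys"
    )

    # Well-known SIDs instead of names, so the check also works on localized Windows.
    $allowed = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544'   # BUILTIN\Administrators
    )

    $acl = Get-Acl -Path $Path
    $unexpected = @(foreach ($ace in $acl.Access) {
        # Deny entries grant nothing, so only allow entries are reported.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable account, report as-is
        }
        if ($allowed -notcontains $sid) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    })

    [pscustomobject]@{
        Path               = $Path
        InheritanceEnabled = -not $acl.AreAccessRulesProtected
        Unexpected         = $unexpected
        Ok                 = ($unexpected.Count -eq 0)
    }
}

$result = Test-AdminKeysAcl
$result.Unexpected | Format-Table -AutoSize
if (-not $result.Ok) { Write-Warning "Extra principals can access $($result.Path)" }
```

An entry with Sid S-1-5-11 in the output is "Authenticated Users", the one the script removes; InheritanceEnabled being true means entries from the parent ssh folder can reappear on the file.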