Further extend Microsoft’s implementation of OpenSSH in Windows 10 by generating your own secure keys.
The use of OpenSSH is ubiquitous with secured access to client devices over a network. The purpose of SSH is straight-forward: To securely encapsulate the management traffic between two end-points, in this case using the server-client model for authentication.
While SSH may be enabled to work over clients, which are joined to the same domain, say using Active Directory credentials, this is not possible when attempting to communicate to devices such as network switches or routers, which are not natively part of any domain infrastructure. Instead, these devices and Linux-based clients use a public/private key pair to verify the user attempting to connect to the client and perform authentication before providing remote access.
SEE: Information security policy (Tech Pro Research)
In this article, we will use this use case as it is often considered to be a more secure method of obtaining access, which lends itself seamlessly to Windows and non-Windows devices alike. By generating and managing SSH key pairs, IT will be able to remotely connect to clients in a secure manner while ensuring confidentiality and non-repudiation for each user, using a unique key pair tied to the individual’s Windows login account for secure storage.
Install the OpenSSH module for PowerShell
1. Log in to the Windows computer with an admin-level account and launch PowerShell with admin privileges.
2. Enter the following cmdlet to install the OpenSSH module. If this is the first time the module has been installed on the device, you may be prompted to download and install some additional tools. Type “Y” to allow the tools to be installed.
Install-Module -Force OpenSSHUtils
3. Next, enter the cmdlet to start the ssh-agent service for securely storing privately generated SSH keys.
4. Last, enter the cmdlet to start the sshd service, which will generate the first pair of host keys automatically.
Note: By default, the OpenSSH Server app in not installed, so it must first be installed. Also, the ssh-agent service is set to Disabled and must be changed before the cmdlets above will work. Host keys are stored at the %HOMEDRIVE%ProgramDatassh directory.
SEE: PowerShell scripting: Seven tips to reduce errors (free PDF) (TechRepublic)
Generate user key pair
1. In PowerShell, change directories to the path above where the SSH keys are stored, then enter the cmdlet below to being generating the key pair.
2. In order to generate a unique set of key pairs and store them, you will be prompted to provide a directory where the key pair will be stored, or you may press enter to choose the default location provided.
3. Next, you’ll be prompted to choose a passphrase to encrypt the key pair with. While providing a passphrase is optional, it is highly advised to enter one as it serves the secondary purpose of acting as a form of two-factor authentication when utilizing the key pair to establish remote connections.
4. Once the process is completed, two files will be generated alongside the SHA256 fingerprint, and the key’s random art image will be displayed on-screen and should look like this (Figure A):
Copying the public key securely
The OpenSSH tools include the SCP and SFTP utilities to make transferring keys completely secure. In order to properly configure a Windows client for authenticating via SSH keys, the public key (.PUB) file must be transferred to the client device’s .ssh directory and stored in the authorized_keys text file.
1. Begin the process by executing the following command in PowerShell to create the .ssh directory within the user’s profile folder.
ssh email@example.com mkdir C:Usersusername.ssh
2. Using the SCP utility, enter the following command to securely copy the public key from the server to the client device.
scp C:Usersusername.sshid_rsa.pub firstname.lastname@example.org:C:Usersusername.sshauthorized_keys
3. Lastly, modify the ACL on the authorized_keys file on the server by entering the following command.
ssh —% email@example.com powershell -c $ConfirmPreference = ‘None’; Repair-AuthorizedKeyPermission C:Usersusername.sshauthorized_keys