Windows 10 version 1809 and Windows Server 2019 can both install OpenSSH as a supported feature, using either PowerShell or the GUI.
Of course there are some quirks. The first is that while most users would expect their keys to live in C:\Users\%u\.ssh\authorized_keys, this isn’t the case for users in the Administrators group, including Domain Admins. For these users, the default sshd_config expects all admins to share an authorized_keys file called administrators_authorized_keys, found in C:\ProgramData\ssh\. The rationale is explained here (and other places I’m sure). This causes unexpected behaviour when configuring Windows for OpenSSH management. Fixing this is easy. Simply edit C:\ProgramData\ssh\sshd_config and comment out the following lines:
    Match Group administrators
           AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
Once those lines are commented out and you’ve restarted the OpenSSH server, your keys will work. I recommend you read the above link, however, to ensure that you’re familiar with why the decision was made in the default configuration. It’s related to UAC.
There’s one more thing though, and that’s the permissions of the .ssh folder and the authorized_keys file in it. You must set them precisely as follows: SYSTEM and the user must have full permissions, with no other entries in the ACL. Just two entries for both the containing .ssh folder and all contents.

That’s it! Now you’ve got passwordless OpenSSH on Windows.
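
The ACL described above can be applied and then checked from PowerShell. This is an added example, not part of the original post: it assumes it is run as the account that owns the keys and that the folder is %USERPROFILE%\.ssh, and the function names Set-SshKeyAcl and Get-UnexpectedAce are illustrative.

```powershell
# Added example (not from the original post).
# Assumption: run as the user whose keys live in %USERPROFILE%\.ssh.
$sshDir    = Join-Path $env:USERPROFILE '.ssh'
$userSid   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$systemSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'  # NT AUTHORITY\SYSTEM
$allowed   = @($systemSid.Value, $userSid.Value)

function Set-SshKeyAcl {
    # Replace the ACL on $Path with exactly two entries: SYSTEM and the user, full control.
    param([Parameter(Mandatory)][string]$Path)
    $isDir = Test-Path -LiteralPath $Path -PathType Container
    $acl   = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting, drop inherited entries
    foreach ($rule in @($acl.Access)) {              # drop every explicit entry as well
        $acl.PurgeAccessRules($rule.IdentityReference)
    }
    foreach ($sid in $systemSid, $userSid) {
        $rule = if ($isDir) {
            New-Object System.Security.AccessControl.FileSystemAccessRule(
                $sid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        } else {
            New-Object System.Security.AccessControl.FileSystemAccessRule(
                $sid, 'FullControl', 'Allow')
        }
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-UnexpectedAce {
    # Return any ACL entry on $Path that is neither SYSTEM nor the user.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        $sid.Value -notin $allowed
    }
}

if (-not (Test-Path -LiteralPath $sshDir -PathType Container)) {
    throw "No .ssh folder at $sshDir"
}

# The folder itself plus all contents, as the post requires.
$targets = @($sshDir) + @(Get-ChildItem -LiteralPath $sshDir -Recurse -Force |
                          ForEach-Object { $_.FullName })
foreach ($t in $targets) { Set-SshKeyAcl -Path $t }

# Verify: list anything that still carries an extra entry.
$bad = $targets | Where-Object { Get-UnexpectedAce -Path $_ }
if ($bad) { Write-Warning "Extra ACL entries remain on: $($bad -join ', ')" }
else      { "ACLs under $sshDir contain only SYSTEM and the user." }
```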