How does SSH key authentication work

OpenSSH key management

  • 2 minutes to read

Most authentication in Windows environments uses a username and password pair. This works particularly well on systems that share a common domain. When working across domains, such as between local systems and systems hosted in the cloud, this can lead to security gaps and vulnerability to brute force attacks.

In comparison, Linux environments often use public and private key pairs for authentication that do not require easy-to-guess passwords. OpenSSH includes tools to support these authentication methods including the following:

  • ssh-keygen to generate secure keys
  • ssh-agent and ssh-add to securely store private keys
  • scp and sftp to securely copy public keys the first time you use a server

This document provides an overview of how to use these tools on Windows for key authentication with SSH. If you are unfamiliar with SSH key management, we strongly recommend that you review NIST document IR 7966, entitled Security of Interactive and Automated Access Management Using Secure Shell (SSH) (SSH)) to read.

Key pair information

Key pairs refer to the public and private key files used by certain authentication protocols.

SSH public key authentication uses asymmetric cryptographic algorithms to generate two key files (private and public). The private key files correspond to a password and should be well protected under all circumstances. When someone gets your private key, that person can log into any SSH server you have access to. The public key is stored on the SSH server and, if necessary, released without the private key being compromised.

When using key authentication with an SSH server, the SSH server and the SSH client compare the public keys for the specified user name with the private key. If the server-side public key cannot be verified against the client-side private key, authentication will fail.

Multi-factor authentication can be implemented with key pairs by requiring that a passphrase be provided when the key pair is generated (see Key Generation below). During authentication, the user will be prompted for this passphrase. This is used together with the private key on the SSH client to authenticate the user.

Generation of the host key

Public keys have certain ACL requirements that only allow administrators and the system to access Windows. The following measures serve to simplify:

  • The OpenSSHUtils PowerShell module was created to properly set the key ACLs. It must be installed on the server.
  • The first time you use SSHD, the key pair for the host is generated automatically. When ssh-agent is running, the keys are automatically added to local storage.

From an elevated PowerShell prompt, run the following commands to simplify authentication with the SSH server:

Since no user is assigned to the SSHD service, the host keys are saved under "\ ProgramData \ ssh".

Generation of the user key

You must first generate some public and private key pairs for the client to use key-based authentication. Use ssh-keygen in PowerShell or cmd to generate some key files.

You should then see something like the following ("Username" is replaced by your username):

You can press ENTER to accept the default or specify a path where you want the keys to be generated. At this point you will be asked to use a passphrase to encrypt the private key files. Two-step authentication can be provided with the passphrase together with the key file. In this example, the passphrase is left blank.

Now you have an ED25519 key pair of public and private keys (the PUB files are public keys and the rest are private keys):

Note that the private key files match the password and must therefore be protected in the same way as your password. Use ssh-agent to store the private keys within a secure Windows security context associated with your Windows login name. To do this, start the "ssh-agent" service as an administrator and use "ssh-add" to save the private key.

After following these steps, ssh-agent will always automatically retrieve the private key and pass it to your SSH client whenever a private key is required to authenticate that client.


It is highly recommended that you keep the private key in a safe location and delete it from the local system, after this You added it to ssh-agent. The agent cannot obtain the private key. If you no longer have access to the private key, you would need to create a new keypair and update the public key on all systems with which you interact.

Providing the public key

The public key must be on the server in a text file called authorized_keys placed under users \ username \ .ssh \ to use the key created above. The OpenSSH tool includes scp, a secure utility for file transfer.

In this way you move the contents of your public key (~ .ssh \ into a text file called “authorized_keys” in “~ .ssh \” on your server / host.

This example uses the Repair-AuthorizedKeyPermissions function in the OpenSSHUtils module that was installed on the host as described in the instructions above.

These steps complete the configuration required to use key-based authentication with SSH on Windows. After that, the user can connect to the SSHD host from any client that has the private key.