SSH Keys

SSH Keys are an integral part of authentication for many systems such as Linux servers or GitHub. Support for SSH keys has improved on Windows 11 and it’s far more integrated.

Generate public and private keys on Windows 11

To generate an SSH key on Windows 11, you can use a command-line tool called “ssh-keygen” that comes bundled with the OpenSSH client. Here are the arguments to generate an SSH key on Windows 11 in a PowerShell session.

ArgumentDescription
-tSpecifies the type of key to generate. The supported types are rsa, dsa, ecdsa, and ed25519. For example, to generate an RSA key, you can use -t rsa.
-bSpecifies the number of bits in the key. The default is 2048, but you can specify a larger or smaller number depending on your needs. For example, to generate a 4096-bit key, you can use -b 4096
-CComment to include in the key. This can be helpful for identifying the key later on. For example, to include the comment “My personal key” in the key, you can use -C "My personal key"
-fFilename of the key file. By default, the key files are named id_rsa and id_rsa.pub, but you can specify a different filename if you prefer. For example, to name the key file “mykey”, you can use -f server00.
-NPassphrase to use with the key. This adds an extra layer of security, since anyone who wants to use the key will need to know the passphrase. For example, to use the passphrase “mypassword”, you can use -N mypassword.
-qQuiet mode, which suppresses all warnings and messages. This can be helpful if you’re running ssh-keygen in a script or automated process.
-PNew passphrase for an existing key. This can be helpful if you want to change the passphrase for a key that you’ve already generated.

This example sets the keys as rsa with a bit length of 4096 and saves the keys to the .ssh folder in the current users home directory with a file name of server00 so we know which key pair is for which target system. The command after the creation shows changing directory into the .ssh folder and listing the contents showing the newly created server00 private key and the server00.pub public key.

PS ~> ssh-keygen -t rsa -b 4096 -f .ssh\server00 -C "Key pair for server00"
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in .ssh\server00.
Your public key has been saved in .ssh\server00.pub.
The key fingerprint is:
SHA256:Fa+DqrE9ZQnltbFpcYdEptIUL4QIwQ5m4kk Key pair for server00
The key's randomart image is:
+---[RSA 4096]----+
| E.B+*oo .=++.   |
|+.*.* o o++*o .  |
|.+o  o o..=Bo.   |
| .    . .+=o     |
|       .Soo      |
|       .+  .     |
|    . .o         |
|     =.          |
|    o ..         |
+----[SHA256]-----+

PS ~> cd .\.ssh\
PS ~\.ssh> ls

    Directory: C:\Users\username\.ssh

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a---          02/04/2023    12.04           1675 id_rsa
-a---          26/04/2023    11.15           3159 known_hosts
-a---          26/04/2023    12.08           3389 server00
-a---          26/04/2023    12.08            748 server00.pub

PS ~\.ssh>

Put the public key on a Linux server

Now you have a public key on the Windows 11 workstation it can be put onto targets systems so you can use it to logon without a password. This example puts the public key onto a Linux server.

The Linux server may not have the authorized_keys file on the system yet. This file holds the public keys. So logon to the target Linux server and run the following commands to create the file.

mkdir .ssh
cd .ssh
touch authorized_keys
chmod 700 ~/.ssh/
chmod 600 ~/.ssh/authorized_keys

From the Windows 11 workstation you can run a single command to essentially paste the public key data into the authoried_keys file on the target server.

type $env:USERPROFILE\.ssh\server00.pub | ssh webadmin@192.168.1.10 "cat >> .ssh/authorized_keys"

Logon to the Linux server

To logon using the key pair run the following command.

Keep in mind that as this example uses bespoke public and private key file names of server00 you need to specify that in the SSH command. If you were using the default ìd_rsa keys then you could just run ssh webadmin@192.168.1.10.

ssh -i .ssh/server00 webadmin@192.168.1.10

References

Setup SSH with Windows 11

Last modified July 21, 2024: update (e2ae86c)