I am having issues setting up OpenSSH for Windows, using public key authentication.
I have this working on my local desktop and can ssh with a key from Unix machines or other OpenSSH for Windows machines.
I have replicated the build onto a server, I can get password authentication working fine, but when I use the keys I get the following issue:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /cygdrive/c/sshusers/jsadmint2232/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
Connection closed by 127.0.0.1
So for the purposes of testing, I have been just trying to SSH to localhost, but even when tried remotely I get the same issue.
Even more strange, is that when I have both password and public key enabled in sshd_config, it will only attempt to use keys and then bomb out with the above message and won't even try to use password.
Here are the steps I have taken:
Install OpenSSH for Windows
mkgroup -l >>..\etc\group (added local groups)
mkgroup -d >>..\etc\group (added domain groups)
mkpasswd -L -u openssh >>..\passwd (added my local user)
mkpasswd -D -u jsadmint2232 >>..\passwd (added my domain user)
Edited the homedir in file passwd to point to c:\sshusers%USER% - where %USER% is the user name
Enabled password authentication, disabled key authentication
Created SSH keys for both jsadmint2232 / OpenSSH and ensured that the files were created in home directories
Added authorized_keys files into .ssh directories for each user and added keys for incoming connecting users
net stop opensshd / net start opensshd
Test if password authentication works both locally and remotely
Updated sshd_config, to enabled key auth - restart opensshd
Test connection and get above error. Also, it doesn't even try password authentication.
Updated sshd_config, to disable password authentication completely - restart opensshd
Test connection and still get above error
It appears the server is killing the connection for some reason.
Following are setup steps for OpenSSH shipped with Windows 10 v.1803 (April 2018 update. See comments to this post, it might not work with 1809).
Server setup (elevated powershell):
Install OpenSSH server: Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0.
Start agent and sshd services: Start-Service ssh-agent; Start-Service sshd (this will generate host keys and default configuration automatically in $env:ProgramData\ssh).
[Optional] Install OpenSSHUtils powershell module: Install-Module -Force OpenSSHUtils
Client setup (non-elevated powershell):
Generate user key: cd $env:USERPROFILE\.ssh; ssh-keygen.exe, follow prompts, agree to the default suggested file location. This will create 2 files: id_rsa and id_rsa.pub;
[Optional] add key to authentication agent, so you don't have to enter password each time you use it: ssh-add .\id_rsa (or whatever file was generated);
Server setup continued (non-elevated powershell):
Log in as a user, for which public key auth to be used
cd $env:USERPROFILE; mkdir .ssh; cd .ssh; New-Item authorized_keys;
Paste the contents of the id_rsa.pub file from the client to the .ssh\authorized_keys file from the previous step.
Setup permissions properly (important!!!):
Run start . to open explorer with the current folder ($env:USERPROFILE\.ssh);
Right click authorized_keys, go to Properties -> Security -> Advanced
Click "Disable inheritance";
Choose "Convert inherited permissions into explicit permissions on this object" when prompted;
(really, really important) Remove all permissions on file except for the SYSTEM and yourself. There must be exactly two permission entries on the file. Some guides suggest running the Repair-AuthorizedKeyPermission $env:USERPROFILE\.ssh\authorized_keys - this will try to add the sshd user to the permission list and it will break the authentication, so, don't do that, or at least do not agree on adding the sshd user). Both SYSTEM and yourself should have full control over the file.
If your Windows build is 1809 or later, it is required to comment out the following lines in C:\ProgramData\ssh\sshd_config file. Then restart the sshd service.
# Match Group administrators
# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
Client:
Run ssh <serverusername>#<serverhostname>. It should work at this point.
Tried that with Windows 10 as server and both itself and a Debian Linux as a client.
Use this sequence of commands in PowerShell to correct permission of administrators_authorized_keys
$acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys
$acl.SetAccessRuleProtection($true, $false)
$administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule("Administrators","FullControl","Allow")
$systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
$acl.SetAccessRule($administratorsRule)
$acl.SetAccessRule($systemRule)
$acl | Set-Acl
Only SYSTEM and Administrators group must be have permission in file without inherited.
One more tip, if you are stuck, is to run sshd in debug mode. I did this:
Stop the sshd service
Open a PowerShell console with administrator privileges
Type 'sshd -d'
Type login from my client machine
It turns out the key need to be in e.g. C:\ProgramData\ssh\administrators_authorized_keys instead of C:\Users\yourUsser.ssh\authorized_keys.
I have solved the issue...
It is related to the account that started the service - it was using the Local System account - this was stopping it accessing the public key and authorized_keys file.
Once I stopped the service and started as the user I was trying to connect into, it worked!
So basically, you need to start with a service account and then external users connect in as that user.
This is just my scripted version of #n0rds great answer.
Place this script in a directory w/ your private/public key/pair and run!
PowerShell.exe -ExecutionPolicy Bypass -File "C:\bypass\prompt\standard.ps1" 2>&1>$null
Add-WindowsCapability -Online -Name OpenSSH.Server
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 -Program "%WINDIR%\System32\OpenSSH\sshd.exe"
#Must Enable ssh-agent before starting
Set-Service -Name ssh-agent -StartupType Automatic
Set-Service -Name sshd -StartupType Automatic
Start-Service ssh-agent; Start-Service sshd
$sshdir="$env:USERPROFILE\.ssh"
mkdir $sshdir
copy .\id_rsa $sshdir\
cat $sshdir\id_rsa
copy .\*.pub $sshdir\authorized_keys
cat $sshdir\authorized_keys
ssh-add $sshdir\id_rsa
$sshd_config="C:\ProgramData\ssh\sshd_config"
(Get-Content $sshd_config) -replace '#PubkeyAuthentication', 'PubkeyAuthentication' | Out-File -encoding ASCII $sshd_config
(Get-Content $sshd_config) -replace 'AuthorizedKeysFile __PROGRAMDATA__', '#AuthorizedKeysFile __PROGRAMDATA__' | Out-File -encoding ASCII $sshd_config
(Get-Content $sshd_config) -replace 'Match Group administrators', '#Match Group administrators' | Out-File -encoding ASCII $sshd_config
cat C:\ProgramData\ssh\sshd_config
Restart-Service ssh-agent; Restart-Service sshd
Write-Host "Use this to Login/test Now"
write-host ssh $env:UserName#localhost
n0rd's solution is on the money but there's an added complication for users that are also in the administrator's group. If you're looking for a solution to a situation involving the following conditions:
You want to use public keys on a per-user basis (or you don't want to use the administrators_authorized_keys file).
And you don't want to use PasswordAuthentication.
And some of the users also belong to the admin group.
The issue I ran across is that when I tried n0rd's solution it didn't work for users under the conditions above. After some tinkering, I found a solution that works consistently for me. Follow n0rd's solution and just change the following
In the ssh_config make sure the following settings are set:
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PubkeyAuthentication yes
Also, make sure to comment out the Match Group Administrators setting:
#Match Group administrators
# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
Make sure to include the client's public key in the servers C:\Users\username\.ssh\authorized_keys file.
Finally, to help match the user to the account I found it helpful to be more specific with the user data on the client. Instead of using the plain username, I used the username along with the domain of the user on the server. In my case, my client's C:\Users\UserName\.ssh\config file looked like this:
Host my_short_name
HostName my.serveraddress.net
User serversname\username
IdentityFile .ssh\id_rsa
In this case, my Windows 10 server would be called serversname (under device name). By specifying the user in this way I could avoid password authentication.
As an added bonus, this worked very well with a default shell of PowerShell 7. Even my default PowerShell profile worked over ssh and I got full support for posh-git and oh-my-posh. However, I found that the default method suggested for making PowerShell the default shell environment, (by editing the ssh_conf to include 'Subsystem powershell c:/progra~1/powershell/7/pwsh.exe -sshs -NoLogo') did not work for me. Instead, on the server use the command in an elevated PowerShell window:
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "c:/progra~1/powershell/7/pwsh.exe" -PropertyType String -Force
This just creates a registry entry. You can always pop in the registry to remove it later if you want.
If you are using mls-software.com's version of OpenSSH here is another note.
If you install using the SSHD_SERVER account and privilege separation you will be able to use public key authentication (per http://www.mls-software.com/opensshd-pki.html). However if UAC is enable you will not be successful with the install. The user(s) will not be created properly and the service will not be created. Manually trying to get these items up after the fact is very difficult. Simply disabling UAC before installation will allow the installation process to properly create the user(s) and the service. After installation you can re-enable UAC.
When I created the SSHD_SERVER account manually authentication succeed when using password authentication but the client termination the connection with "/bin/bash: Operation not permitted". Authentication with public keys was closed by the server (original error posted by Cambolie).
I solved it by:
Installing in SSHD_SERVER + privilege separation mode. I also set privilege separation to "yes" in the config manually. This didn't work for me for a lot time, the user didn't get created. Then it worked, I don't know why. I only went to user accounts in control panel to check that UAC is off. I also had /var/empty with full access for everyone.
For C:\openssh\var\empty I've set "attributes get/set" permissions to Everyone and myself and "full" permissions to .\sshd_server. I also made it the owner.
I ran into a different situation.
First, debug as gWay said, with another terminal windows connecting to the server.
I gotread_keyfile_line: C:\\Users\\yieatn\\.ssh/authorized_keys line 1 exceeds size limit
recode the authorized_keys into utf-8
The reason is that I created authorized_keys with cat id_rsa >> authorized_keys and powershell in Chinese uses UTF-16 to create files.
I've thoroughly tested n0rd's solution on multiple Windows Pro 1809 and 2004 computers. I concur with most of his steps.
Server setup (elevated PowerShell): Agree with all.
Client setup (non-elevated PowerShell): Agree with all.
Server setup continued (non-elevated PowerShell): Steps 1,2,3: Agree
Server setup continued (non-elevated PowerShell): Step 4: Do NOT perform anything in step 4.
Server setup continued (non-elevated PowerShell): Step 5: Agree
Server setup continued (non-elevated PowerShell): Step 6: (added) Uncomment (remove #) from C:\ProgramData\ssh\sshd_config: #PasswordAuthentication yes
Server setup continued (non-elevated PowerShell): Step 7: (added) In Services, restart OpenSSH SSH Server.
I did not find any issues, with any file, regarding security, permissions or Unicode. They were all correct out of the box.
This is a very English language centric default Microsoft use.
The group match lines currently check for the ENGLISH language version string of the Administrators group called 'administrators' this FAILS on many other language installs of windows. On a German installation that line needs to be 'administratoren' instead. They better make it possible le to match group by SID instead. ( This is even more important in the DenyGroups matching feature - have not tested this yet - but if they check for strings instead of SID there then the denies are meaningless and easily circumvented by using a different windows language install )
( also see https://github.com/MicrosoftDocs/windowsserverdocs/issues/1911#issuecomment-771552030 )
I couldn't get it to work with my ed25519 client public key (ssh-keygen -t ed215519) but it does work with an rsa key ( ssh-keygen -t rsa).
No one has pointed out that the file ~/.ssh/authorization_keys must use DOS/Windows line endings. It won't work with Unix line endings. If you have tried everything and still not working, try this (I am using cygwin):
gawk -v ORS='\r\n' '1' authorized_keys > authorized_keys2
Check that the file has now DOS line endings:
hexdump -C authorization_keys2
Replace the original file:
mv authorized_keys2 authorized_keys
Related
What I mean:
If I...
run runas /netonly /user:computername\username cmd
enter the password for the local admin account "username"
then type psexec \\computername cmd
I now have a working shell and can run commands as the local admin user on the remote machine.
However, trying to run this without the runas... and instead with the username and password arguments of psexec returns an access denied error.
Example below:
psexec \\computername -u username -p password cmd
Access Denied
Note: Others seem to also have this issue. My refined questions:
Is this intended behavior?
Why even have the -u and -p?
I have also tried disabling the firewall on both my machine and the target machine, and adding the registry key listed here.
When you initiate a connection with PsExec.exe, it tries to use the credentials you are currently authenticated with to copy the PSEXESVC to the \\$machine\ADMIN$\System32 share VIA SMB, which enables the communication with your PsExec.exe and the $machine's service.
If your currently logged in user account does not have access to \\$machine\ADMIN$\System32 and the ability to install/start services, then this won't work.
I'm assuming if you have access with your user account that this would work.
Here is a very interesting article from 2004 on reverse-engineering of the original implementation. I am pretty sure it has changed in that time with Windows 7 & Windows 10.
I am looking to export Windows credentials to another Windows machine. So far in Windows, all I have is the GUI option to backup / restore, but no options in CMDKEY to backup / restore all Windows credentials. Is there a command line equivalent to the following?
First of all, from a security stand point, having an inbuilt command line utility to export security credentials can lead to them being compromised. Someone who gains unauthorized access to your machine remotely to run shell commands or install an program that executes to dump your credentials and then send them somewhere else can do that. That said, I have not come across any inbuilt tools to do that. BUT, that doesn't mean you can't.
cmdkey is a tool that you can use to manage credentials from the command line.
There is a PowerShell tool by Microsoft called PowerShell Credentials Manager that shows all your credentials. You can then pipe that to an output file.
https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde
Show all: CredMan.ps1 -ShowCred | Out-File **your-file**
Add New
.\CredMan.ps1 -AddCred -Target 'DemoTgt' -User 'DemoUser' -Pass 'DemoPass'
Remove .CredMan.ps1 -RemCred **cred name**
Read on some ways an attacker can compromise your system in blog post Dumping Windows Credentials.
I have an interesting dilemma with PuTTY PSFTP.
Set up...
Pageant .60
putty .60
Used command:
D:\psftp.exe -load myserver.domain.us.com -l User1 -b MyCommand Script
This loads PuTTY PSFTP, logs in using the user ID with the help of Pageant and then sends a file using commands in the script.
This works great while logged in as an Admin on the server.
It fails while logged in as a regular user on the server:
"psftp: no hostname specified;"blah blah blah.
Including -v reveals no further messages.
What possible delta could there be with permissions or other settings between a server Admin and regular user when it comes to PuTTY?
You load PuTTY stored site myserver.domain.us.com.
That is stored in Windows registry of the local account.
If you run the script using a different account, it won't see the site definition.
You have to define the session completely on command line. What you probably even attempted.
Remove the -load;
Add -ssh to make it clear you want to use SSH (but it's default anyway)
Add -hostkey=... with a fingerprint of the SSH host key (you need the latest version of PuTTY for the -hostkey switch, but you need to upgrade anyway, the version 0.60 is not secure).
D:\psftp.exe -ssh myserver.domain.us.com -hostkey=... -l User1 -b MyCommand Script
I'm attempting to clone a repo from my BitBucket account to my Windows 10 laptop (running GitBash). I've completed all of the steps necessary to connect (set up my SSH key, verified by successfully SSHing git#bitbucket.org, etc). However, whenever I attempt to clone a repo, the prompt continually hangs up after confirming that I want to cache Bitbucket's key.
User#Laptop MINGW64 /C/Repos
$ git clone git#bitbucket.org:mygbid/test.git
Cloning into 'test'...
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 2048 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y
No files are cloned, and the result is an empty repo. Trying to initiate a git pull origin master from this repo also asks to cache the key, then hangs with no feedback. Despite not asking for the key to be cached when I do a test SSH, git operations always ask for the key every time before failing.
With no error messages to work with, I'm really at a loss as to what is wrong. I've tried multiple repos, including very small ones, with no success at all.
I had this problem when cloning a repo on Windows 10 too.
I got around it by using the Putty GUI to SSH to the server in question (in your case: bitbucket.org) then clicked 'Yes' when the prompt asks if you want to save the server key to the cache. Running the clone command again then worked for me!
Open Putty
Type in the Host Name (like bitbucket.org)
Click Open
Click yes in the popup to cache the host key
Close Putty
I managed to get it working by running plink directly, after pageant is running use the plink command directly - plink.exe -agent -v git#github.com then after this git works without hanging.
To do this from powershell open a powershell window and paste in the following:
echo y | & 'C:\Program Files (x86)\GitExtensions\PuTTY\plink.exe' -ssh git#github.com
echo y | & 'C:\Program Files (x86)\GitExtensions\PuTTY\plink.exe' -ssh git#gist.github.com
echo y | & 'C:\Program Files (x86)\GitExtensions\PuTTY\plink.exe' -ssh git#bitbucket.org
or with PuTTY standalone version:
echo y | & 'C:\Program Files (x86)\PuTTY\plink.exe' -ssh git#github.com
echo y | & 'C:\Program Files (x86)\PuTTY\plink.exe' -ssh git#gist.github.com
echo y | & 'C:\Program Files (x86)\PuTTY\plink.exe' -ssh git#bitbucket.org
Also worth knowing is that putty stores known hosts under a registry key:
HKEY_CURRENT_USER\SoftWare\SimonTatham\PuTTY\SshHostKeys
To shortcut the above you could put the following in a .reg file and run it:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\SshHostKeys]
"rsa2#22:github.com"="0x23,0xab603b8511a67679bdb540db3bd2034b004ae936d06be3d760f08fcbaadb4eb4edc3b3c791c70aae9a74c95869e4774421c2abea92e554305f38b5fd414b3208e574c337e320936518462c7652c98b31e16e7da6523bd200742a6444d83fcd5e1732d03673c7b7811555487b55f0c4494f3829ece60f94255a95cb9af537d7fc8c7fe49ef318474ef2920992052265b0a06ea66d4a167fd9f3a48a1a4a307ec1eaaa5149a969a6ac5d56a5ef627e517d81fb644f5b745c4f478ecd082a9492f744aad326f76c8c4dc9100bc6ab79461d2657cb6f06dec92e6b64a6562ff0e32084ea06ce0ea9d35a583bfb00bad38c9d19703c549892e5aa78dc95e250514069"
"rsa2#22:gist.github.com"="0x23,0xab603b8511a67679bdb540db3bd2034b004ae936d06be3d760f08fcbaadb4eb4edc3b3c791c70aae9a74c95869e4774421c2abea92e554305f38b5fd414b3208e574c337e320936518462c7652c98b31e16e7da6523bd200742a6444d83fcd5e1732d03673c7b7811555487b55f0c4494f3829ece60f94255a95cb9af537d7fc8c7fe49ef318474ef2920992052265b0a06ea66d4a167fd9f3a48a1a4a307ec1eaaa5149a969a6ac5d56a5ef627e517d81fb644f5b745c4f478ecd082a9492f744aad326f76c8c4dc9100bc6ab79461d2657cb6f06dec92e6b64a6562ff0e32084ea06ce0ea9d35a583bfb00bad38c9d19703c549892e5aa78dc95e250514069"
"rsa2#22:bitbucket.org"="0x23,0xb9b88df3578371a7eb80c78bcda14fb30da436f11ca932a5fd5a8b6adfcc681df7a59cb4cb7ac966d9eac11daa38ebdbc0a6582a210ed4ee95a8d101c4abc925e942ab47535d64f9a5b3b68035c2ea1e900d709a1e8ea938718f532f9805a190446b92bac3040126225ae9d8374bc2008f106979d631734c7453f78c70091f4783b288869cb3c1941a784cd9baad823be27333833dc1f488a45b85952be75cf0a64965662302e3915378dcd5cfcd3ec903d804a29dff2fdf19df5deba4534b09e4dea6e44f152e339b3c43be98ddadfc56533192e216a3d673f00b4aa9cc9e7870acd8b6adb7e0feb77f2292fc2dede94819def3eb1e785541a06ab31ccf725f"
putty-hosts.reg gist
To workaround this problem I configured GitBash to use plink with -batch option. The option disables all prompts - the plink will terminate without hanging and won't add any key fingerprint to cache.
To add -batch parameter to plink command executed by GitBash you can set a git config option:
git config --global core.sshCommand "plink -batch"
Or set GIT_SSH_COMMAND environment variable.
The output when you cloning a repo from unknown host will be similar to this:
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 2048 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
Connection abandoned.
fatal: Could not read from remote repository.
After this message you can add a key to cache with command:
echo y | plink git#bitbucket.org
REMARK: Please check if plink is in your PATH. Alternatively use UNIX-like path in the GitBash config option, e.g.:
/c/Program\ Files/PuTTY/plink.exe -batch
Even after performing the workaround mentioned in other answers, you may encounter an error like:
FATAL ERROR: Disconnected: No supported authentication methods available (server sent: publickey)
To solve both problems at once, change git bash to use SSH instead of PuTTY by adding the following to your ~/.profile file (C:\Users\<Username>\.profile). If you don't already have this file, then create a new file with this line.
GIT_SSH="/usr/bin/ssh.exe"
Then open a new git bash window and try your git clone or git pull again.
Note that this may require you to create an SSH key if you don't already have one. To do this, follow the instructions on the Bitbucket site.
See this SO question for related info.
In your git bash shell, check for existence of GIT_SSH:
echo $GIT<tab><tab>
If it exists and is set to putty, execute:
unset GIT_SSH
You'll probably want to put this into one of the git bash startup scripts.
This is NOT a universal solution. It worked in our particular case.
It sounds a bit silly, but after trying all of the above, I decided to reinstall Git Bash with default options and it worked.
If you use KiTTY (instead of PuTTY), it has -auto-store-sshkey argument.
So, you can set GIT_SSH_COMMAND (or git config --global core.sshCommand) to something like c:/KiTTY/klink.exe -auto-store-sshkey.
The output still contains information about new key and the question, but it doesn't wait for the answer:
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's ssh-ed25519 key fingerprint is:
ssh-ed25519 255 2e:65:6a:c8:cf:bf:b2:8b:9a:bd:6d:9f:11:5c:12:16
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n)
Autostore key is on
Default SSH port to connect to is 7999
I'm following #335 Deploying to a VPS , and near the end of the episode, we need to run ssh-add to give server access to github repo.
The problem is how do I run it in windows? What need to install?
I know that to run ssh to access the remote server, I can use Putty. But this command needs to run locally, I do know how to use Putty to do this.
Original answer using git's start-ssh-agent
Make sure you have Git installed and have git's cmd folder in your PATH. For example, on my computer the path to git's cmd folder is C:\Program Files\Git\cmd
Make sure your id_rsa file is in the folder c:\users\yourusername\.ssh
Restart your command prompt if you haven't already, and then run start-ssh-agent. It will find your id_rsa and prompt you for the passphrase
Update 2019 - A better solution if you're using Windows 10: OpenSSH is available as part of Windows 10 which makes using SSH from cmd/powershell much easier in my opinion. It also doesn't rely on having git installed, unlike my previous solution.
Open Manage optional features from the start menu and make sure you have Open SSH Client in the list. If not, you should be able to add it.
Open Services from the start Menu
Scroll down to OpenSSH Authentication Agent > right click > properties
Change the Startup type from Disabled to any of the other 3 options. I have mine set to Automatic (Delayed Start)
Open cmd and type where ssh to confirm that the top listed path is in System32. Mine is installed at C:\Windows\System32\OpenSSH\ssh.exe. If it's not in the list you may need to close and reopen cmd.
Once you've followed these steps, ssh-agent, ssh-add and all other ssh commands should now work from cmd. To start the agent you can simply type ssh-agent.
Optional step/troubleshooting: If you use git, you should set the GIT_SSH environment variable to the output of where ssh which you ran before (e.g C:\Windows\System32\OpenSSH\ssh.exe). This is to stop inconsistencies between the version of ssh you're using (and your keys are added/generated with) and the version that git uses internally. This should prevent issues that are similar to this
Some nice things about this solution:
You won't need to start the ssh-agent every time you restart your computer
Identities that you've added (using ssh-add) will get automatically added after restarts. (It works for me, but you might possibly need a config file in your c:\Users\User\.ssh folder)
You don't need git!
You can register any rsa private key to the agent. The other solution will only pick up a key named id_rsa
One could install Git for Windows and subsequently run ssh-add:
Step 3: Add your key to the ssh-agent
To configure the ssh-agent program to use your SSH key:
If you have GitHub for Windows installed, you can use it to clone repositories and not deal with SSH keys. It also comes with the Git Bash tool, which is the preferred way of running git commands on Windows.
Ensure ssh-agent is enabled:
If you are using Git Bash, turn on ssh-agent:
# start the ssh-agent in the background
ssh-agent -s
# Agent pid 59566
If you are using another terminal prompt, such as msysgit, turn on ssh-agent:
# start the ssh-agent in the background
eval $(ssh-agent -s)
# Agent pid 59566
Add your SSH key to the ssh-agent:
ssh-add ~/.ssh/id_rsa
2021 Answer
Microsoft has improved ssh-key support in recent years. There is now a full featured "service" included with Windows. Windows Server Documentation (applies to other versions too).
Enable the ssh-agent service
Via Admin Powershell:
Set-Service ssh-agent -StartupType Automatic
Start-Service ssh-agent
Or via Services App:
Now ssh-add works
ssh-add path/to/.ssh/id_rsa
Socket path
Programs that need the path to the agent socket should use: \\.\pipe\openssh-ssh-agent.
If you are not using GitBash - you need to start your ssh-agent using this command
start-ssh-agent.cmd
If your ssh agent is not set up, you can open PowerShell as admin and set it to manual mode
Get-Service -Name ssh-agent | Set-Service -StartupType Manual
If you are trying to setup a key for using git with ssh, there's always an option to add a configuration for the identity file.
vi ~/.ssh/config
Host example.com
IdentityFile ~/.ssh/example_key
I have been in similar situation before. In Command prompt, you type 'start-ssh-agent' and voila! The ssh-agent will be started. Input the passphrase if it asked you.
In order to run ssh-add on Windows one could install git using choco install git. The ssh-add command is recognized once C:\Program Files\Git\usr\bin has been added as a PATH variable and the command prompt has been restarted:
C:\Users\user\Desktop\repository>ssh-add .ssh/id_rsa
Enter passphrase for .ssh/id_rsa:
Identity added: .ssh/id_rsa (.ssh/id_rsa)
C:\Users\user\Desktop\repository>
eval "$(ssh-agent -s)"
ssh-add C:/Users/Dell/.ssh/gitlab (your path)
git clone repo_link
The Git GUI for Windows has a window-based application that allows you to paste in locations for ssh keys and repo url etc:
https://gitforwindows.org/
The below solution solved my problem. Be sure to run your powershell in admin mode and perform the below operation:
Check the current status of ssh-agent: "Get-Service | select -property name,starttype" --> should be Disabled
Set the new type : "Set-Service -Name ssh-agent -StartupType Manual"
Start it: "Start-Service ssh-agent"
Add simply your key as before: "ssh-add" (Eg. ssh-add keyfile)
I found the solution here:
This works with plain cmd on win7 and win10 and cygwin ssh/git/github:
c:\> type ssh-agent-start-cmd.cmd
#echo off
# by github/moshahmed
if "%1" == "" (
echo "Usage: ssh-agent-cmd keyfile .. starts ssh-agent and load ~/.ssh/*keyfile*"
goto :eof
)
taskkill /f /im ssh-agent.exe
:: pskill ssh-agent 2> nul
for /f "tokens=1 delims=;" %%a in ('ssh-agent') do (
echo %%a | findstr /C:"SSH" 1>nul
if errorlevel 1 (
echo Ignore %%a
) else (
echo set %%a
set %%a
)
)
ssh-add ~/.ssh/*%1*
ssh-add -l
I just set up the SSH authentication with Github. Just can just use "Pageant" which is installed with Putty.
You'll need to add pageant to your Windows startup folder so that it starts when windows does (or start it each time before you need to authenticate)
This blog post does a nice job of explaining everything you need to do to configure Github on Windows with Putty and Pageant.
You should start ssh agent and generate ssh key with recommand command
ssh-keygen -t rsa -b 4096 -C "your email"