The default sshd_config will check an alternative authorized_keys file for users in the Administrators group. You will need to create this x:\ProgramData\ssh\administrators_authorized_keys file and set permissions appropriately (see for example https://docs.microsoft.com/en-us/windows/iot-core/connect-your-device/ssh).
I just realized that this document is for Windows Server - I was using it to configure the Windows 10 Pro OpenSSH server optional feature, so my comment may or may not be applicable.
ssh user1@[email protected] mkdir C:\users\user1\.ssh\
scp C:\Users\user1\.ssh\id_ed25519.pub user1@[email protected]:C:\Users\user1\.ssh\authorized_keys
ssh --% user1@[email protected] powershell -c $ConfirmPreference = 'None';
In my build of Windows Server 2019 (17763), I am unable to log in using the Administrator account unless I comment out these two lines in the C:\ProgramData\ssh\sshd_config file:
Match Group administrators
AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
You might also need to restart the OpenSSH server by executing Restart-Service sshd in PowerShell after editing the file.
I attempted to create a duplicate of C:\Users\Administrator\.ssh\authorized_keys under C:\ProgramData\ssh\administrators_authorized_keys but this did not work for me.
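An added example (not from the thread or the linked Microsoft page) of the "create this file and set permissions appropriately" step in the first comment: it appends a public key to administrators_authorized_keys as ASCII text, restricts the ACL to Administrators and SYSTEM, and reports any other entry left on the file. `$PublicKeyPath` is an assumed location for the key; run it from an elevated PowerShell session on the server.

```powershell
# Added example: populate and lock down administrators_authorized_keys.
# $PublicKeyPath is an assumption: wherever the admin's public key was copied.
param(
    [string]$PublicKeyPath = "$env:USERPROFILE\.ssh\id_ed25519.pub"
)

$keyFile = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'

# Append the key only if it is not already present (one key per line).
# Write ASCII explicitly: the '>' redirect in Windows PowerShell emits UTF-16,
# which is not the plain-text format an authorized_keys file is expected to have.
$pubKey = (Get-Content -LiteralPath $PublicKeyPath -Raw).Trim()
if (-not (Test-Path -LiteralPath $keyFile)) {
    New-Item -ItemType File -Path $keyFile | Out-Null
}
if (-not (Select-String -LiteralPath $keyFile -SimpleMatch -Pattern $pubKey -Quiet)) {
    Add-Content -LiteralPath $keyFile -Value $pubKey -Encoding Ascii
}

# Drop inherited ACEs and grant full control only to the well-known SIDs
# BUILTIN\Administrators (S-1-5-32-544) and Local System (S-1-5-18).
# SIDs are used so the command does not depend on localized group names.
icacls.exe $keyFile /inheritance:r /grant '*S-1-5-32-544:F' /grant '*S-1-5-18:F' | Out-Null

# Verify: list any ACE that belongs to a principal outside the two above.
$allowed = 'S-1-5-32-544', 'S-1-5-18'
$acl     = Get-Acl -LiteralPath $keyFile
$rules   = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$extra   = $rules | Where-Object { $allowed -notcontains $_.IdentityReference.Value }

if ($extra) {
    Write-Warning "Unexpected ACL entries on ${keyFile}:"
    $extra | Format-Table IdentityReference, FileSystemRights, AccessControlType
} else {
    Write-Output "ACL on $keyFile is limited to Administrators and SYSTEM."
}

# sshd re-reads its configuration on restart, as noted in the comment above.
Restart-Service sshd
```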
@cniekerk, thanks for adding good documentation.
I tried Get-Service -Name "MyService" and it worked well. Then I tried Get-Service | ... and it failed with permissions. So I need more rights and tried to follow the steps - no results on the first try. Will try again.
@dzmitry-lahoda In order to do that you will probably need to run PowerShell as administrator (right click -> Run as administrator) or use the runas command to escalate privileges.
@cniekerk, I run locally as administrator and connect via ssh to the remote as the Administrator user (user is admin with all rights and UAC disabled when RDP). The ssh connection does not have admin rights. I have tried the steps with administrators_authorized_keys but no luck yet.
@dzmitry-lahoda I have no idea if this will work (don't have a test setup to try it myself right now) but perhaps you could try this?
runas /user:administrator "powershell Restart-Service sshd"
I have put my key into administrators_authorized_keys, I deleted the key from authorized_keys, allowed the Match Group administrators group and restarted the sshd service on the server. Tried ssh from admin pwsh on the client and got a refusal to connect by credentials. I will try again with the steps and recheck. The idea is this - I need my ssh session into the remote to be admin to work with services, but I did not achieve that yet. My ssh connection is not admin now. I do not want to use the Windows password on the remote each time I want to be admin. Maybe I can make the service work with lower security instead of being admin.
@dzmitry-lahoda I do agree with you that this is not convenient but this is also very similar to how things work on *nix systems (login as root not allowed, always login as regular user and use sudo to escalate privileges as necessary). I think what Microsoft is trying to do here is in line with what is considered to be best practices.
If you're having issues or working on fixing documentation or scripts, check out https://stackoverflow.com/q/16212816/771768