n0rd's solution is on the money but there's an added complication for users that are also in the administrator's group. If you're looking for a solution to a situation involving the following conditions:
- You want to use public keys on a per-user basis (or you don't want to use the administrators_authorized_keys file).
- And you don't want to use PasswordAuthentication.
- And some of the users also belong to the admin group.
The issue I ran across is that when I tried n0rd's solution it didn't work for users under the conditions above. After some tinkering, I found a solution that works consistently for me. Follow n0rd's solution and just change the following:
In the ssh_config, make sure the following settings are set:
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PubkeyAuthentication yes
Also, make sure to comment out the Match Group Administrators setting:
#Match Group administrators
# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
Make sure to include the client's public key in the server's C:\Users\username\.ssh\authorized_keys file.
Finally, to help match the user to the account, I found it helpful to be more specific with the user data on the client. Instead of using the plain username, I used the username along with the domain of the user on the server. In my case, my client's C:\Users\UserName\.ssh\config file looked like this:
Host my_short_name
HostName my.serveraddress.net
User serversname\username
IdentityFile .ssh\id_rsa
In this case, my Windows 10 server would be called serversname (under device name). By specifying the user in this way I could avoid password authentication.
As an added bonus, this worked very well with a default shell of PowerShell 7. Even my default PowerShell profile worked over ssh and I got full support for posh-git and oh-my-posh. However, I found that the default method suggested for making PowerShell the default shell environment (by editing the ssh_conf to include 'Subsystem powershell c:/progra~1/powershell/7/pwsh.exe -sshs -NoLogo') did not work for me. Instead, on the server use the command in an elevated PowerShell window:
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "c:/progra~1/powershell/7/pwsh.exe" -PropertyType String -Force
This just creates a registry entry. You can always pop in the registry to remove it later if you want.
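
An added example, not part of the original answer: a PowerShell check that the server configuration actually matches the settings listed above, including whether a `Match Group administrators` block is still active. The function name `Test-SshdPubkeyConfig` is hypothetical, the config path `%ProgramData%\ssh\sshd_config` is assumed to be the server's configuration file, and the fallback lines are a constructed sample.

```powershell
function Test-SshdPubkeyConfig {
    param([string[]]$Lines)

    # Settings the answer asks for in the global section of the server config
    $expected = [ordered]@{
        AuthorizedKeysFile     = '.ssh/authorized_keys'
        PasswordAuthentication = 'no'
        PubkeyAuthentication   = 'yes'
    }
    $top = @{}; $matchBlocks = @(); $inMatch = $false

    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }   # blank or commented out
        $key, $value = $line -split '\s+', 2
        if ($key -ieq 'Match') { $inMatch = $true; $matchBlocks += $value; continue }
        # sshd keeps the first value it reads for a keyword; later duplicates are ignored
        if (-not $inMatch -and -not $top.ContainsKey($key.ToLower())) {
            $top[$key.ToLower()] = $value
        }
    }

    $results = @(foreach ($name in $expected.Keys) {
        $actual = $top[$name.ToLower()]
        [pscustomobject]@{ Check = $name; Expected = $expected[$name]; Actual = $actual
                           Ok = ($actual -eq $expected[$name]) }
    })
    # An uncommented Match block overrides AuthorizedKeysFile for admin-group users
    $adminMatch = $matchBlocks | Where-Object { $_ -match '(?i)^Group\s+administrators\b' }
    $results += [pscustomobject]@{ Check = 'Match Group administrators'; Expected = 'commented out'
                                   Actual = $(if ($adminMatch) { 'active' } else { 'absent' })
                                   Ok = -not $adminMatch }
    $results
}

$path = "$env:ProgramData\ssh\sshd_config"   # assumed location of the server config
$lines = if (Test-Path $path) { Get-Content $path } else {
    # Constructed sample, used only when no server config is present
    @('PubkeyAuthentication yes', 'PasswordAuthentication no',
      'AuthorizedKeysFile .ssh/authorized_keys',
      'Match Group administrators',
      '    AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys')
}
Test-SshdPubkeyConfig -Lines $lines | Format-Table -AutoSize

# Show the DefaultShell registry value set by the command above, if it exists
(Get-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell -ErrorAction SilentlyContinue).DefaultShell
```

With the constructed sample, the last row reports the Match block as active, which is the case where admin-group users are still pointed at administrators_authorized_keys.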