Using SSH Keys with PowerShell



The IT Security Office recommends SSH servers be configured to accept SSH keys only (not passwords).



Client Setup (Use a Unique Key for Each Client)

SSH Key creation / generation algorithm choices:

  • DSA:  Not Recommended 
  • RSA with key size of at least 4096 bits: ssh-keygen -t rsa -b 4096 
  • ECDSA:  Not Recommended
  • ED25519:  ssh-keygen -t ed25519   


PS C:\Users\hokie> ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (C:\Users\hokie\.ssh\id_ed25519): C:\Users\hokie\.ssh\id_ed25519
Created directory '/home/hokie/.ssh'.
Enter passphrase (empty for no passphrase): [should meet or exceed the VT password complexity rules]
Enter same passphrase again: 
Your identification has been saved in C:\Users\hokie\.ssh\id_ed25519.
Your public key has been saved in C:\Users\hokie\.ssh\
The key fingerprint is:
SHA256:HlbsdjZRTCRgdnIiXHcekCEtAuT3ggeee49apO3ueYg hokie@Client
The key's randomart image is:
+--[ED25519 256]--+
|     .oo..OoBB*  |
|     .  o=.Bo=.. |
|      o ..o.. .  |
|     . = +   .   |
|      + S + +    |
|       O + o .   |
|      o.=.       |
|      E+.+.      |
|      .+*..      |

Install the Public Key on the Server and Test

Copy the public key to the remote server as /home/hokie/.ssh/authorized_keys.
Change the file permissions on authorized_keys to 400 (only the user can read):

$ chmod 400 authorized_keys

PS C:\Users\hokie> ssh
Enter passphrase for key 'c:\Users\hokie\.ssh\id_ed25519':
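
The server-side install step, as an added example that is not part of the original page: a POSIX shell function, run on the server, that appends an uploaded public key to authorized_keys instead of overwriting it (so each client's unique key can coexist), refuses the key types the algorithm list marks Not Recommended, and leaves the file at mode 400. The function name install_pubkey and its two arguments are assumptions of this example.

```shell
# Added example (not from the original page). Run on the server.
# Usage: install_pubkey /path/to/uploaded/key.pub [home_dir]
install_pubkey() {
    pubfile=$1
    home=${2:-$HOME}
    sshdir=$home/.ssh
    auth=$sshdir/authorized_keys

    [ -r "$pubfile" ] || { echo "cannot read $pubfile" >&2; return 2; }
    # First non-empty line, minus the CR a Windows client may have left.
    key=$(tr -d '\r' < "$pubfile" | sed -n '/./{p;q;}')
    type=${key%% *}

    # Apply the page's algorithm list. A private key file ("-----BEGIN ...")
    # falls through to the last branch and is refused as well.
    case $type in
        ssh-ed25519) ;;
        ssh-rsa)
            # RSA must be at least 4096 bits; ssh-keygen -l prints the size first.
            bits=$(ssh-keygen -l -f "$pubfile" 2>/dev/null | awk '{print $1}')
            # Fails closed: an empty or non-numeric size is refused too.
            if ! [ "${bits:-0}" -ge 4096 ] 2>/dev/null; then
                echo "refused: RSA key under 4096 bits or unreadable" >&2
                return 1
            fi ;;
        ssh-dss|ecdsa-sha2-*)
            echo "refused: $type is not recommended" >&2; return 1 ;;
        *)
            echo "refused: not an SSH public key line" >&2; return 1 ;;
    esac

    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 2
    # authorized_keys may already be mode 400 from an earlier install.
    if [ -e "$auth" ]; then chmod u+w "$auth" || return 2; fi

    # Match on "type blob" only, so a changed comment does not add a duplicate.
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if ! grep -qF -- "$blob" "$auth" 2>/dev/null; then
        printf '%s\n' "$key" >> "$auth" || return 2
    fi
    chmod 400 "$auth"
}
```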

Jump Host Setup

Create a config file.

Use Notepad or WordPad to create C:\Users\hokie\.ssh\config:

# Public or accessible from off-campus

Host jump
User hokie
PubkeyAuthentication yes
IdentityFile C:\Users\hokie\.ssh\id_ed25519

# Internal host or campus-only access

Host internal
User hokie
ProxyJump jump

# Configure DynamicForward or SOCKS host to use with a web browser to proxy connections through the jump host.
# Manually configure the browser on the client to point to SOCKS host port 8080.

Host jumpproxy
User hokie
PubkeyAuthentication yes
IdentityFile C:\Users\hokie\.ssh\id_ed25519
DynamicForward 8080

Connect to the internal host from the client.

ssh internal

Connect to the jump host to enable DynamicForward.

ssh jumpproxy