General SSH checklist

- Make sure the gateway can reach the SSH server on port 22.
- Check the authorized_keys file for the correct public key.
- Check permissions on the .ssh folder (700) and the authorized_keys file (600).
- Look at the SSH server log for auth errors:
  grep 'sshd' /var/log/auth.log
- Check the OpenSSH version: 8.2+ does not support ssh-rsa any longer.
- Check the sshd_config file for an AuthenticationMethods line; comment it out to fall back to the default, which allows any auth method.
- Check the sshd_config file for an AuthorizedPrincipalsFile line, and whether it is configured to use the incorrect user.
Enable SSH Client and Server for Windows Server (use with PowerShell or WinSCP)

- Open a PowerShell in Administrator mode.
- Run the following command to see whether the OpenSSH client and server are installed:
  Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'
- Install the OpenSSH client if it is not installed:
  Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
- Install the OpenSSH server if it is not installed:
  Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
- Start the sshd service:
  Start-Service sshd
- Set the service to start automatically:
  Set-Service -Name sshd -StartupType 'Automatic'
- The ssh-agent service is disabled by default; set it to start automatically before starting it:
  Set-Service -Name ssh-agent -StartupType 'Automatic'
- Start the ssh-agent service:
  Start-Service 'ssh-agent'
- Edit the following 3 lines in %PROGRAMDATA%/ssh/sshd_config:
  StrictModes no
  PasswordAuthentication no
  PubkeyAuthentication yes
- Add a new file (with no .txt extension) at %PROGRAMDATA%/ssh/administrators_authorized_keys
- Generate an SSH pubkey resource in the strongDM Admin UI.
- Copy the public key into the administrators_authorized_keys file.
- Open Services and restart the OpenSSH Server service.
- Run a healthcheck on the new SSH resource.
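The Windows steps above, gathered into one idempotent PowerShell script that can be re-run safely. This is an added example, not code from the original page or from strongDM; it assumes the default %PROGRAMDATA%\ssh layout, the capability names listed above, and a placeholder public key that you replace with the one generated in the Admin UI. The icacls step is not on the page's list: it restricts the key file to Administrators and SYSTEM, which is what sshd enforces for that file when StrictModes is on.

```powershell
# Added example: run in an elevated PowerShell on Windows Server.
$ErrorActionPreference = 'Stop'

# 1. Install the OpenSSH client and server capabilities only if they are missing
foreach ($cap in 'OpenSSH.Client~~~~0.0.1.0', 'OpenSSH.Server~~~~0.0.1.0') {
    if ((Get-WindowsCapability -Online -Name $cap).State -ne 'Installed') {
        Add-WindowsCapability -Online -Name $cap | Out-Null
    }
}

# 2. Services: the agent is named ssh-agent (not sshd-agent); both start automatically
foreach ($svc in 'sshd', 'ssh-agent') {
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

# 3. Enforce key-only authentication in sshd_config; a directive is replaced
#    whether it is already set or still commented out, otherwise appended
$cfg = Join-Path $env:ProgramData 'ssh\sshd_config'
$wanted = [ordered]@{ StrictModes = 'no'; PasswordAuthentication = 'no'; PubkeyAuthentication = 'yes' }
$lines = @(Get-Content $cfg)
foreach ($k in $wanted.Keys) {
    $pattern = "^\s*#?\s*$k\b.*$"
    if ($lines -match $pattern) {
        $lines = $lines -replace $pattern, "$k $($wanted[$k])"
    } else {
        $lines += "$k $($wanted[$k])"
    }
}
Set-Content -Path $cfg -Value $lines -Encoding ascii

# 4. administrators_authorized_keys: create it, add the key once, restrict the ACL
$keyFile = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
# Placeholder (constructed): paste the public key generated in the strongDM Admin UI
$pubKey = 'ssh-ed25519 AAAA...PLACEHOLDER... strongdm-gateway'
if (-not (Test-Path $keyFile)) { New-Item -ItemType File -Path $keyFile | Out-Null }
if (-not (Select-String -Path $keyFile -SimpleMatch $pubKey -Quiet)) {
    Add-Content -Path $keyFile -Value $pubKey -Encoding ascii
}
icacls $keyFile /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null

# 5. Restart sshd so the new config and key file take effect
Restart-Service -Name sshd
```

After the restart, run the healthcheck on the resource in the Admin UI; if it fails, the Windows equivalent of the auth.log check is the OpenSSH/Operational channel in Event Viewer.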
You can connect to SSH via PowerShell or WinSCP. If using WinSCP, set the following configuration while selecting SFTP or SCP as the file protocol: