YubiKey support in OpenSSH for Windows 11

Since Win32-OpenSSH version 8.9.1.0p1-Beta there is decent support for FIDO/U2F hardware authenticators. This means we can use a YubiKey with Windows 11 and Windows 10, w00h00! In this post, I’ll show you how to install Microsoft OpenSSH client in Windows 11 and Windows 10, and how to configure your YubiKey. If you follow this guide and all goes well, you no longer need additional tools like Git Bash, openssh-sk-winhello or MremoteNG / MobaXterm.

For my environment, I’ll be using a Yubico YubiKey 5C NFC with only touch/tap. See How to configure SSH with YubiKey Security Keys U2F Authentication on Ubuntu and/or Securing OpenSSH keys with hardware-based authentication (FIDO2) if you want to learn more about One Time Pads (OTP).

Install Microsoft OpenSSH client in Windows 11

Installing the OpenSSH client is pretty straightforward, but there are some caveats you need to be aware of. For example, earlier installed versions of OpenSSH.

This is about installing OpenSSH client (ssh.exe), if you are wondering how to install OpenSSH Server (sshd.exe) in Windows, see Install OpenSSH in Windows Server.

First make sure no earlier versions of OpenSSH are installed on your system, for example when you used Dism, Add-WindowsCapability or installed OpenSSH manually. If a version is installed, remove it first or it’ll conflict.

Second, download the OpenSSH-Win64-v8.9.1.0.msi Windows Installer file from https://github.com/PowerShell/Win32-OpenSSH/releases. Note you must have at least version V8.9.1.0p1-Beta. You can install this .msi file in two ways:

1. double clicking the Windows Installer file from within Windows Explorer
2. msiexec from the (cmd / PowerShell) command line

The latter has our preference, additional steps are required if you install ssh by double clicking the installer file. If you have installed by double clicking, see Configure Path Environment section for more steps.

The OpenSSH .msi Windows Installer file can install both ssh Server and Client (the default), and only Server or only Client. We want that last one, and the command line option is ADDLOCAL=Client. By default, msiexec.exe doesn’t add the installation path to your system’s $env:path environment variable. For this, add ADD_PATH=1 to the command.

This makes the full command to install OpenSSH Client on your system:

Start-Process `
  -NoNewWindow msiexec.exe `
  -ArgumentList "/i <full_path_to>\OpenSSH-Win64-v8.9.1.0.msi ADDLOCAL=Client ADD_PATH=1" `
  -Wait

OpenSSH is a perfect tool for your Windows 11 and WSL 2 DevOps environment.

Configure Path Environment for OpenSSH

This is only required if you have double clicked the installation .msi file.

If you don’t want to type out the full path to the ssh.exe executable file (C:\Program Files\OpenSSH\ssh.exe) constantly, add the directory to your System or User PATH environment variable. On multi-user systems, modifying the System PATH environment is recommended.

System PATH environment

As Administrator:

[Environment]::SetEnvironmentVariable( `
  "Path", [Environment]::GetEnvironmentVariable( `
    "Path",[System.EnvironmentVariableTarget]::Machine `
  ) + ';' + ${Env:ProgramFiles} + '\OpenSSH', `
  [System.EnvironmentVariableTarget]::Machine `
)

User PATH environment

As an user you can execute:

[Environment]::SetEnvironmentVariable( `
  "Path", [Environment]::GetEnvironmentVariable( `
    "Path",[System.EnvironmentVariableTarget]::User `
  ) + ';' + ${Env:ProgramFiles} + '\OpenSSH', `
  [System.EnvironmentVariableTarget]::User `
)

As you can see, these are complicated commands and therefor it’s best/easier to just install using msiexec.exe.

Reboot

You must reboot or logout/login in order to have the new path environment variable available. I prefer to simply reboot. Continue with creating a key pair after rebooting and logging back in.

Remove OpenSSH using DISM – Bonus

If an older version of OpenSSH is installed, you can use DISM (Deployment Image Servicing and Management) or its Remove-WindowsCapability cmdlet, to remove OpenSSH Client. Use one of the following commands:

dism.exe /online /Remove-Capability /CapabilityName:OpenSSH.Client~~~~0.0.1.0

Remove-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

About Remove-WindowsCapability:

Uninstalls a Windows capability package from an image.

Replace “Client” with “Server” to remove a previous installed OpenSSH Server:

dism.exe /online /Remove-Capability /CapabilityName:OpenSSH.Server~~~~0.0.1.0

Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

After successful removal you can directly start with a new installation.

Generate an OpenSSH Security Key (SK) key pair

Now it’s (finally) time to generate your Security Key (sk) key pairs. Of course you have more than one YubiKey, so you always have a back-up.

Here’s how:

1. Enter one YubiKey into your USB-C drive. You’ll notice the ‘Y’ logo to light up and start flickering for a second.
2. Execute the following command in PowerShell (or cmd.exe), replacing the placeholders ‘username’ and ‘yubikeynumber’ with their respective values. For convenience, I name my keys containing the YubiKey number and creation date.

ssh-keygen.exe  -t ecdsa-sk  -C "username-$((Get-Date).ToString('MM-dd-yyyy'))-yubikeynumber"  -f .ssh/id_ecdsa_sk-yubikeynumber

Follow the on-screen instructions and touch your YubiKey when requested.

3. Switch YubiKey and execute this step again.
4. Done

You’re all done.

Ssh config file tweaks

Some tweaks to the stock ssh configuration file are required to ease sessions and authentication. Create or open up the .ssh\config file in notepad.exe:

notepad.exe "${env:USERPROFILE}\.ssh\config"

Create the following section for your host:

Host bastionhost.example.com
  HostbasedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com
  
  # Instead of HostbaseKeyTypes directive, you can also point to a ssh identity file:
  # IdentityFile c:/users/username/.ssh/id_ecdsa_sk-012345678
  # IdentityFile c:/users/username/.ssh/id_ecdsa_sk-012345679
  
  Compression yes
  User username
  ForwardAgent yes

Now when you type bastionhost.example.com into your PowerShell command-prompt, WinHello automatically opens a pop-up and asks you to touch your YubiKey.

Did you like this post?

Please take a second to support Sysadmins of the North and donate!

Donate

Your generosity helps pay for the ongoing costs associated with running this website like coffee, hosting services, library mirrors, domain renewals, time for article research, and coffee, just to name a few.

Conclusion

Microsoft Win32-OpenSSH finally supports FIDO / U2F devices such as a YubiKey! 🙂 This means you no longer have to rely on Git Bash alone (which is a great product btw), or Reza Tavakoli OpenSSH helper openssh-sk-winhello. Now you can have one tool, with one ssh version instead of two or sometimes even three. In this post you learned how to install Microsoft OpenSSH Client properly in Windows 11 and Windows 10 to support FIDO/U2F security keys like a YubiKey.

Later I’ll add instructions to this post how to share OpenSSH keys with WSL2, create a dedicated WSL OpenSSH config and how to use that specific WSL 2 OpenSSH config file for git usage. Making your Windows 11 workstation a fully fledged development station (DevOps)!