Windows ships with OpenSSH. Here’s how to update it to the latest version and then use it with FIDO2 hardware security keys, such as a YubiKey, as a multi-factor authentication option.
SSH is a core element of the OpenSSH project, which supports several Unix-like operating systems as well as Microsoft Windows. This blog details using SSH from the Windows command line, secured with multi-factor authentication (MFA / 2FA).
- Open a PowerShell console as Admin.
- Install the latest version of OpenSSH for Windows.
- Generate a new key pair, with:
ssh-keygen -t ecdsa-sk
- Copy the new .pub key to the remote server, with:
Get-Content $env:USERPROFILE\.ssh\id_ecdsa_sk.pub | ssh firstname.lastname@example.org 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys' (replace firstname.lastname@example.org with your user and server).
- SSH to the server, with:
ssh firstname.lastname@example.org (replace firstname.lastname@example.org with your user and server).
SSH is included in Windows as a Windows Optional Feature; see the Microsoft Docs page for more information. As such, it is updated as part of Windows Feature Updates. Currently such updates are released infrequently, only once or twice per year, so the version of SSH shipped with Windows is typically several versions behind the latest available.
To find the version currently installed, run `ssh -V`. At the time of writing, this returns: “OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2”.
Ok, funny story… according to Microsoft’s development repo, the latest stable release of OpenSSH for Windows, which they recommend, appears to be available as source code only, with no installer, hosted (along with the source code for other platforms) at OpenSSH. No installer for the latest stable release, how weird is that? The Microsoft Wiki points to the most recent installation package as being for the latest beta version only. It appears the latest stable version is not available to install, only to build/compile yourself.
So, to install the latest version available (the latest beta version):
- Uninstall the version of OpenSSH that was delivered with Windows, using this method.
- Download the latest 64-bit MSI installer from here.
- Open a PowerShell prompt as an administrator.
- Follow these instructions to install the MSI and update the System Path.
- Restart Windows.
The SSH version should now have changed, so check it again with `ssh -V`. At the time of writing, this is now: “OpenSSH_for_Windows_8.9p1, LibreSSL 3.4.3”.
Updating OpenSSH on the remote server may not be required, but it is recommended. The minimum version required for the method in this blog is: “OpenSSH 8.2p1”.
On Debian-based systems:

```shell
# establish current version
ssh -V
# update to latest version
sudo apt update
sudo apt install openssh-server
# restart SSH service
sudo systemctl restart ssh.service
```
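Because -sk keys need OpenSSH 8.2p1 or newer on both ends, here is an added POSIX shell example (not from the original post) that parses an `ssh -V` banner, on Windows or Linux, and checks it against that minimum; `check_local_ssh` is a hypothetical wrapper name:

```shell
# Added example: check an `ssh -V` banner against the 8.2p1 minimum
# needed for FIDO2 (-sk) keys. Handles both banner shapes:
#   "OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2"
#   "OpenSSH_8.9p1 Ubuntu-3ubuntu0.1, OpenSSL 3.0.2 15 Mar 2022"
MIN_MAJOR=8
MIN_MINOR=2

# Print "major.minor" from a version banner; prints nothing if no match.
openssh_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH[A-Za-z_]*_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Return 0 if the banner's version is >= MIN_MAJOR.MIN_MINOR, else 1.
openssh_supports_sk() {
    ver=$(openssh_version_from_banner "$1")
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$major" -gt "$MIN_MAJOR" ] && return 0
    [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ] && return 0
    return 1
}

# Check the locally installed client (ssh -V prints its banner to stderr).
check_local_ssh() {
    banner=$(ssh -V 2>&1)
    if openssh_supports_sk "$banner"; then
        echo "OK for -sk keys: $banner"
    else
        echo "TOO OLD for -sk keys (need >= $MIN_MAJOR.$MIN_MINOR): $banner"
        return 1
    fi
}
```

The same function can be pointed at the server by feeding it the output of `ssh user@host ssh -V` before you copy the key over.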
OpenSSH supports a number of configurations for FIDO2. For more details, and to determine which configuration best suits your needs, see the OpenSSH Manual Pages. See also the documentation for the specific hardware security key you are using, for example Yubico.
If you have already set a FIDO2 PIN on your hardware security key, for example if you have used the security key with other FIDO2 services, then you can skip this step.
To set a FIDO2 PIN on your hardware security key, follow the instructions provided by the manufacturer. For example, if you are using a YubiKey, use their Windows app, YubiKey Manager, and follow the instructions here.
Use the ssh-keygen command to create a public/private key pair.
The type of key used in this example is “ecdsa-sk”. You could alternatively use “ed25519-sk”, if your hardware security key supports it.
A simple example would be:

```shell
ssh-keygen -t ecdsa-sk
```

You might want to add to this and use the following optional parameters:
- `-O` to specify the application (SSH) and remote server name (in this example, “server21”), for example: `-O application=ssh:server21`
- `-C` to specify a comment, for example: `-C "Host:ThinkPadX1 Security Key:yubikeyusb"`

A full example:

```shell
ssh-keygen -t ecdsa-sk -O application=ssh:server21 -C "Host:ThinkPadX1 Security Key:yubikeyusb"
```
Follow the on-screen instructions. As you are using a hardware security key, you will see a number of prompts generated by Windows Security, guiding you through when to enter the FIDO2 PIN and when to physically touch your key:
- You are about to use your hardware security key
- Make & model will be shared
- Enter the FIDO2 PIN
- Touch the key to prove you are physically present
- follow the instructions in the terminal window
- enter a specific name for the key pair you are creating, or accept the default values
- enter a passphrase for the key pair you are creating, or leave blank
The ssh-keygen command will generate a public/private key pair. The public key will be stored in the .ssh/id_ecdsa_sk.pub file, and the private key will be stored in the
To view the public key, use one of these commands:

```shell
Get-Content $env:USERPROFILE\.ssh\id_ecdsa_sk.pub
```

or, in a CMD prompt:

```shell
type %USERPROFILE%\.ssh\id_ecdsa_sk.pub
```

or even this Linux Bash style command, which will be accepted by PowerShell:

```shell
cat ~/.ssh/id_ecdsa_sk.pub
```
The public key you just created, ~/.ssh/id_ecdsa_sk.pub, must be copied to the remote server. The current version of OpenSSH for Windows does not support the ssh-copy-id command. To copy the .pub key to the remote server, use one of the commands below.
Note, before using one of the examples below, replace sam@server21 with the actual user and remote server you are using, for example:

```shell
Get-Content $env:USERPROFILE\.ssh\id_ecdsa_sk.pub | ssh sam@server21 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'
```
or, in a CMD prompt:
```shell
type %USERPROFILE%\.ssh\id_ecdsa_sk.pub | ssh sam@server21 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
```

(In CMD the environment variable is written as %USERPROFILE%, and double quotes are needed so that CMD does not treat the && as its own command separator.)
or this Bash style command will also be accepted by PowerShell:

```shell
cat ~/.ssh/id_ecdsa_sk.pub | ssh sam@server21 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'
```
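The remote half of the copy commands above (`cat >> ~/.ssh/authorized_keys`) appends the key unconditionally, does not set the permissions sshd's StrictModes checks, and accepts any key type. As an added example (not from the original post), here is a stricter remote-side replacement written in POSIX shell; the function name `install_sk_key` is my own and it reads the key line from stdin exactly as the pipe delivers it:

```shell
# Added example: stricter server-side installer for a FIDO2 public key.
# Usage: install_sk_key [authorized_keys_path]   (key line on stdin)
install_sk_key() {
    auth_keys=${1:-"$HOME/.ssh/authorized_keys"}
    ssh_dir=$(dirname "$auth_keys")
    IFS= read -r key_line || return 1
    # Field 1 is the key type; accept only the two FIDO2-backed types.
    key_type=${key_line%% *}
    case "$key_type" in
        sk-ecdsa-sha2-nistp256@openssh.com|sk-ssh-ed25519@openssh.com) ;;
        *) echo "refused: $key_type is not a FIDO2 (-sk) key type" >&2; return 2 ;;
    esac
    # Field 2 is the base64 key blob; it must be present.
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    [ -n "$key_blob" ] || { echo "refused: malformed key line" >&2; return 2; }
    # Permissions sshd expects with StrictModes (the default): 700 dir, 600 file.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_keys" && chmod 600 "$auth_keys" || return 1
    # Deduplicate on the key blob so re-running the copy never adds a second line.
    if grep -qF -- "$key_blob" "$auth_keys"; then
        echo "already present: $key_type key" >&2
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_keys"
    echo "installed: $key_type key" >&2
}
```

Save it on the server as, say, ~/install_sk_key.sh with a final line `install_sk_key "$@"`, then from Windows run `Get-Content $env:USERPROFILE\.ssh\id_ecdsa_sk.pub | ssh sam@server21 'sh ~/install_sk_key.sh'`.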
Now you can SSH to the remote server, and you should be able to use the key pair you just created, authenticated with FIDO2.