Windows SSH with Public Key Authentication


PowerShell is a powerful scripting language that can automate tasks on Windows computers. This guide will show you how to use SSH from PowerShell to log into a remote Linux server without a password by using a key stored on your Windows 11 computer.


To use SSH from PowerShell, you will need:

  • Windows computer with PowerShell installed
  • SSH client installed on the Windows computer (Windows 10 or Windows 11)
  • SSH server installed on the Linux computer (Ubuntu or Debian)

Installing SSH client on Windows

The SSH client is not installed by default on Windows. To install it on Windows 10 or Windows 11, open PowerShell as Administrator and run the following command:

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

Installing SSH server on Linux

To install the SSH server on Ubuntu or Debian, run the following command:

sudo apt install openssh-server

To configure the SSH server, edit the configuration file located at /etc/ssh/sshd_config.

sudo nano /etc/ssh/sshd_config

In the SSH server configuration file, make any desired changes such as a different port number, permit root login, allow password authentication, allow pubkey authentication, etc. After you are done making your changes, save the file and then restart the SSH server service.

sudo systemctl restart sshd.service
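
The following check is an added example, not part of the original guide. It reports the value sshd will actually use for the four settings mentioned above, because sshd takes the first value it reads for a keyword and ignores later duplicates. The function names and the sample file are constructed for illustration.

```shell
# Added example (not from the original guide).
# sshd uses the FIRST value it reads for each keyword; keywords are
# case-insensitive. Assumptions: "Keyword value" form only, Include files
# are not followed, and scanning stops at the first Match block.
effective_value() {   # usage: effective_value <file> <keyword>
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/         { next }                     # comment or blank
        tolower($1) == "match" { exit }                     # global part ends
        tolower($1) == want    { print tolower($2); exit }  # first one wins
    ' "$1"
}

# Prints the effective value of each setting and returns the number of
# findings that matter for the key-based login this guide sets up.
audit_sshd_config() {   # usage: audit_sshd_config <file>
    findings=0
    for kw in Port PermitRootLogin PasswordAuthentication PubkeyAuthentication; do
        val=$(effective_value "$1" "$kw")
        echo "$kw = ${val:-(not set, built-in default applies)}"
    done
    if [ "$(effective_value "$1" PubkeyAuthentication)" = no ]; then
        echo "FINDING: PubkeyAuthentication is off, key login will fail"
        findings=$((findings + 1))
    fi
    if [ "$(effective_value "$1" PermitRootLogin)" = yes ]; then
        echo "FINDING: PermitRootLogin yes allows direct root login"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: the second PasswordAuthentication line has no effect.
write_sample() {   # usage: write_sample <file>
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
passwordauthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PubkeyAuthentication no
EOF
}

# Demo on the constructed sample; a non-zero status is the finding count.
f=$(mktemp); write_sample "$f"; audit_sshd_config "$f" || true; rm -f "$f"
```

On a real server, sudo sshd -t checks the file for syntax errors before you restart the service, and sudo sshd -T prints the effective configuration.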

Connecting to Linux server using a password

After the SSH server has been configured, you can connect your Windows computer to the Linux server using ssh with password authentication.

By default, ssh will use the same user name as your current Windows account. This might not be the same user name as on your Linux server. You can specify a different user with the optional parameter -l or username@remote_computer.

For example, in PowerShell, run one of the following commands:

ssh -l username remote_computer
ssh username@remote_computer

You can also use the optional parameter -p to define the SSH port (default is 22).

ssh username@remote_computer -p 22

When you are prompted for a password, enter the password for the user on the Linux server.

If this is the first time you are connecting to the SSH server, ssh will prompt you to verify the server’s fingerprint. Check that it matches the server’s host key, then enter “yes” when prompted to confirm.

The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:.................................
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.

Creating a public key

Instead of using a password, a key pair can be created and stored on your Windows computer for authentication when logging into the SSH server.

To create a key pair, launch PowerShell and run the ssh-keygen command with the -t parameter to specify the type of SSH key, such as the rsa type.

PS C:\Users\myuser> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\myuser/.ssh/id_rsa): [enter]
Created directory 'C:\Users\myuser/.ssh'.
Enter passphrase (empty for no passphrase): [enter password]
Enter same passphrase again: [enter password]
Your identification has been saved in C:\Users\myuser/.ssh/id_rsa.
Your public key has been saved in C:\Users\myuser/.ssh/
The key fingerprint is:
SHA256:SvV[................] myuser@MY-COMPUTER
The key's randomart image is:
+--- [RSA 3072]----+
|     [......]     |
PS C:\Users\myuser>

A new folder named “.ssh” will be created in your user folder. Inside the .ssh folder, two files will be created with the filenames id_rsa and id_rsa.key.

The “id_rsa” file without any extension is the private key, which you should keep private. We recommend protecting this file with a passphrase when prompted by the ssh-keygen command above.

The second file is the public key of your key pair. It needs to be installed on the remote server where you want to log in using SSH.

Configuring SSH Agent

The SSH Agent is a Windows service that runs in the background and keeps your private key, unlocked with its passphrase, in memory. This allows you to use the ssh command without having to enter the passphrase every time.

You can check whether the service is already running or not:

PS C:\Users\myuser> Get-Service ssh-agent

Status   Name               DisplayName
------   ----               -----------
Stopped  ssh-agent          OpenSSH Authentication Agent

To enable and start the ssh-agent service, open another PowerShell window (run as Administrator), then enter the following commands:

PS C:\WINDOWS\system32> Get-Service ssh-agent | Set-Service -StartupType Manual
PS C:\WINDOWS\system32> Get-Service ssh-agent

Status   Name               DisplayName
------   ----               -----------
Stopped  ssh-agent          OpenSSH Authentication Agent

PS C:\WINDOWS\system32> Start-Service ssh-agent
PS C:\WINDOWS\system32> Get-Service ssh-agent

Status   Name               DisplayName
------   ----               -----------
Running  ssh-agent          OpenSSH Authentication Agent

SSH Agent should now be running.

Back in your first PowerShell window (as your own user, not as Administrator), use ssh-add to load your own private key into SSH Agent:

PS C:\Users\myuser> ssh-add .\.ssh\id_rsa
Enter passphrase for .\.ssh\id_rsa: [enter password]
Identity added: .\.ssh\id_rsa (myuser@MY-COMPUTER)

Installing public key on Linux server

Open your public key file with a text editor such as Notepad. You should see a long line of text representing the public key.

Copy and paste the contents of the file (the long line of text representing the public key) into the file ~/.ssh/authorized_keys located on the remote server.
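
A server-side alternative to pasting by hand, as an added example that is not part of the original guide: the function below appends one public key line to authorized_keys, sets the permissions sshd expects, and refuses a private key or a line broken by the editor. The function name install_pubkey and the key in the demo are constructed for illustration.

```shell
# Added example (not from the original guide). Run on the Linux server.
# usage: install_pubkey <ssh_dir> <public_key_line>
# With StrictModes (the default) sshd ignores authorized_keys when the file
# or its directory is writable by other users, so modes are set explicitly.
install_pubkey() {
    ssh_dir=$1 key=$2 nl='
'
    case $key in
        *"PRIVATE KEY"*)
            echo "refused: this is a private key, never copy it to a server" >&2
            return 2 ;;
        *"$nl"*)
            echo "refused: a public key must be a single line" >&2
            return 2 ;;
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-nistp*\ AAAA*) ;;
        *)
            echo "refused: not an OpenSSH public key line" >&2
            return 2 ;;
    esac
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$ssh_dir/authorized_keys" || return 1
    chmod 600 "$ssh_dir/authorized_keys" || return 1
    # Append only if this exact line is not already present.
    grep -qxF -- "$key" "$ssh_dir/authorized_keys" ||
        printf '%s\n' "$key" >> "$ssh_dir/authorized_keys"
}

# Demo in a throwaway directory with a constructed (not real) key.
demo_dir=$(mktemp -d)
demo_key='ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDEXAMPLEKEY myuser@MY-COMPUTER'
install_pubkey "$demo_dir/.ssh" "$demo_key"
install_pubkey "$demo_dir/.ssh" "$demo_key"   # second call adds nothing
ls -l "$demo_dir/.ssh/authorized_keys"
rm -rf "$demo_dir"
```

For a real account, call it with "$HOME/.ssh" as the directory and the line copied from your public key file as the key.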

You should now be able to connect your Windows computer to the Linux server using key pair authentication. You can use the same ssh command from the above section describing how to connect to the Linux server using a password. For example:

ssh username@remote_computer -p 22

