I've followed Scott Hanselman's instructions found in this blog post to set up an OpenSSH server. In summary, I've done the following:
```sh
# in WSL2 - install openssh-server
sudo apt install openssh-server
# in WSL2 - check ssh version
ssh -V # -> OpenSSH_8.2p1 Ubuntu-4ubuntu0.4, OpenSSL 1.1.1f 31 Mar 2020
# in WSL2 - generate new host keys (key type is "rsa", and /etc/ssh needs root)
sudo ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key
sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key
```
The private keys have permissions set to 600, and the public keys are 644.
My `sshd_config`, for your reference:
```
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
Port 2222
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
# @amin: Removed second one AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
```
On WSL2 we don't have systemd, so I start SSH with `service ssh start`.

Now if I open up PowerShell and ssh into my WSL2 using `ssh -p 2222 myuser@wsl2ip`, I face no problems logging in with my password.
Next I copy over my Windows public key from Win into WSL2 by running

```powershell
type $env:USERPROFILE\.ssh\id_rsa.pub | ssh -p 2222 myUser@wsl2 "cat >> .ssh/authorized_keys"
```

and the contents there look like

```
ssh-rsa AAAAB3N************O1s= myWinUser@DESKTOP-AE*****
```
and the permissions in my WSL2 `~/.ssh` look like

```
-rw------- 1 575 Jan 17 14:32 authorized_keys
-rw------- 1 97 Aug 30 11:17 config
-r-------- 1 411 Dec 2 2020 id_ed25519
-rw------- 1 100 Dec 2 2020 id_ed25519.pub
-rw------- 1 3389 Jan 17 2021 id_rsa
-rw-r--r-- 1 749 Jan 17 2021 id_rsa.pub
-rw-r--r-- 1 4866 Oct 7 16:19 known_hosts
```

and then I turn off `PasswordAuthentication` by setting it to `no` in WSL2's `sshd_config`.
Any time I try to log in with my SSH key I get

```
myuser@wsl2ip: Permission denied (publickey)
```

The same thing happens if I repeat the same process with RSA, RSA 4096, or ED25519 keys.

What gives?
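As an added example (not from the post or its comments), a POSIX shell script that applies the same ownership and mode checks sshd performs under `StrictModes yes` (the default, and left at default in the config above). Those checks cover the home directory and `~/.ssh` as well as `authorized_keys`, and the listing above only shows the last of these; any failure yields a bare `Permission denied (publickey)` on the client while `sshd -d` logs "Authentication refused: bad ownership or modes". Assumes GNU `stat` (as on Ubuntu under WSL2).

```shell
#!/bin/sh
# Added example, not from the original post: replicate sshd's StrictModes
# checks on HOME, HOME/.ssh and HOME/.ssh/authorized_keys. Each path must be
# owned by the login user (or root) and must not be group- or world-writable.
# Usage: check_ssh_perms [HOME_DIR] [USER]   (defaults: $HOME, current user)
# Prints one line per problem and returns the number of problems found.

# other_writable PATH -> succeeds if the group or other write bit is set.
# stat %A gives e.g. "drwxrwxr-x": char 6 is group w, char 9 is other w.
other_writable() {
    case "$(stat -c '%A' "$1")" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# bad_owner PATH USER -> succeeds if PATH is owned by neither USER nor root
bad_owner() {
    o=$(stat -c '%U' "$1")
    [ "$o" != "$2" ] && [ "$o" != "root" ]
}

check_ssh_perms() {
    home=${1:-$HOME}
    user=${2:-$(id -un)}
    problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"; problems=$((problems + 1)); continue
        fi
        if bad_owner "$p" "$user"; then
            echo "OWNER    $p (owned by $(stat -c '%U' "$p"), expected $user or root)"
            problems=$((problems + 1))
        fi
        if other_writable "$p"; then
            echo "MODE     $p is group/world writable ($(stat -c '%a' "$p"))"
            problems=$((problems + 1))
        fi
    done
    # Remedy for MODE findings: chmod 755 HOME; chmod 700 HOME/.ssh;
    # chmod 600 HOME/.ssh/authorized_keys
    return "$problems"
}
```

Run it as the login user on the WSL2 side (`check_ssh_perms` with no arguments) before reaching for `sshd -d`; a zero return means StrictModes is not the cause.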
`sshd_config`. Your key must have the proper permissions. Why did you generate a RSA and ED25519 key? Which one do you intend to use? Strongly suggest starting over and using the instructions listed here. Are you trying to make your WSL2 instance an OpenSSH Server? Why? Windows has that feature built-in.

`sshd_config`. I've also mentioned the key permissions. To answer your other questions: 1. I mostly did them here to kinda "prove" that I have a clean setup and eliminate a piece of the puzzle. 2. I do actually have SSH working directly into Win as you've mentioned, and am aware I could just run `bash.exe`, but (I know I'm being a baby lol) I want to have these two worlds accessed separately. As for which key I'd like to use, to be honest either is fine; I was trying to provide more options, I suppose.

`sshd` in debug mode. You will see why the key is rejected. Also, do you know about `ssh-copy-id`? Chances are, your home dir, `.ssh` dir or `authorized_keys` file have invalid permissions. Please provide the output of `ls -al ~/.ssh`.

`ssh-copy-id` is basically what I meant. Although it didn't seem like Win has `ssh-copy-id`, so instead I ran something like `type $env:USERPROFILE\.ssh\id_rsa.pub | ssh -p 2222 myUser@WLSip "cat >> .ssh/authorized_keys"`. I'll edit my post to include the ssh directory `ls`.