Windows OpenSSH Installation with Teleport passwordless access

[stevenGravy]

This walks through an end to end setting up a Windows server OpenSSH integration with Teleport. This was setup on a Windows Server 2022 EC2 with the base AMI configuration to a 18.7.3 Teleport cluster. You should appropriately limit the traffic for the OpenSSH port 22 as you would with regular ssh and other windows services like RDP.

Largely there are just a couple key differences due to Windows file/services systems compared to Linux from https://goteleport.com/docs/enroll-resources/server-access/openssh/openssh-manual-install/.

The below commands are in PowerShell with administration rights.

Confirm OpenSSH installed on Windows

Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*' 

This is the typical setup where the OpenSSH server is not installed.

Name  : OpenSSH.Client~~~~0.0.1.0
State : Installed

Name  : OpenSSH.Server~~~~0.0.1.0
State : NotPresent

You will need to install the OpenSSH Server if it is not present.

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Confirm SSH available

 # Start the service
Start-Service sshd

# Set it to start automatically on boot
Set-Service -Name sshd -StartupType 'Automatic' 

Check if your firewall on Windows allows ssh access

 Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' | Select-Object Name, Enabled, Direction, Action 

otherwise you'd want to allow it

 New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' `
  -DisplayName 'OpenSSH Server (sshd)' `
  -Enabled True `
  -Direction Inbound `
  -Protocol TCP `
  -Action Allow `
  -LocalPort 22 

You should be able to invoke a ssh myuser@serverdns to that windows machine with your user's password.

Configuring OpenSSH node

Use https://goteleport.com/docs/enroll-resources/server-access/openssh/openssh-manual-install/#step-15-add-a-node-resource-to-your-teleport-cluster to setup the node in Teleport as a openssh node.

OpenSSH trusting Teleport CA for connections

 # Replace with your Proxy Service address
$PROXY = "example.teleport.com"

# Download the CA public key
$KEY = (Invoke-WebRequest -Uri "https://$PROXY/webapi/auth/export?type=openssh" -UseBasicParsing).Content
# Strip the "cert-authority " prefix
$KEY = $KEY -replace "cert-authority ", ""

# Write it to the ssh config directory
$KEY | Out-File -Encoding UTF8 -FilePath "C:\ProgramData\ssh\teleport_openssh_ca.pub" 

Update c:/programdata/ssh/sshd_config to include the public CA

TrustedUserCAKeys C:\ProgramData\ssh\teleport_openssh_ca.pub

Restart the SSH service

 Restart-Service sshd 

Install host certificate

Follow these steps https://goteleport.com/docs/enroll-resources/server-access/openssh/openssh-manual-install/#step-35-configure-host-authentication to get the host certificate key and certificate. Do not follow the linux steps on setting the file permissions and restarting the ssh service.

Transfer the files to c:\programdata\ssh directory. Make sure that you properly transfer the files and would not recommend using copy/paste of the text.

You can verify the cert's contents on the windows server with:

 ssh-keygen -L -f "C:\ProgramData\ssh\myhost-cert.pub" 

Update the sshd_config with the HostKey and HostCertificate.

HostKey C:\ProgramData\ssh\myhost
HostCertificate C:\ProgramData\ssh\myhost-cert.pub

The key file will need to have restricted access. These commands will apply that.

 # Remove all inherited permissions
icacls "C:\ProgramData\ssh\myhost" /inheritance:r

# Grant only SYSTEM and Administrators read access
icacls "C:\ProgramData\ssh\myhost" /grant "SYSTEM:(R)"
icacls "C:\ProgramData\ssh\myhost" /grant "BUILTIN\Administrators:(R)" 

Restart the SSH service

 Restart-Service sshd 

Connect to openssh node

Make sure your user has a login for a user that exists on the Windows system (like administrator). Connect via the web ui or cli to the ssh tsh ssh administrator@windows-node.

Optionally disable password authentication

Within the sshd_config you can set to not allow password auth with this setting.

PasswordAuthentication no

Then restart ssh

 Restart-Service sshd