From 5af934a6c65f632be108f1e6f01f3088f0308467 Mon Sep 17 00:00:00 2001 From: majorlinux Date: Tue, 7 Apr 2026 22:01:36 -0400 Subject: [PATCH] wiki: update SSH docs with bash.exe default shell fix and Windows admin key auth - ssh-config-key-management: add Windows OpenSSH admin user key auth section (administrators_authorized_keys, BOM-free writing, ACL requirements) - windows-openssh-wsl-default-shell: add bash.exe as recommended fix (Option 1), demote PowerShell to Option 2, add shell-not-found diagnostic tip - windows-sshd-stops-after-reboot: fix stale wsl.exe reference to bash.exe - index/README: update Recently Updated table and article descriptions Co-Authored-By: Claude Opus 4.6 (1M context) --- .../networking/ssh-config-key-management.md | 55 ++++++++++++++++++- ...sl-default-shell-breaks-remote-commands.md | 50 ++++++++++++----- .../windows-sshd-stops-after-reboot.md | 13 +++-- README.md | 7 ++- index.md | 8 ++- 5 files changed, 108 insertions(+), 25 deletions(-) diff --git a/01-linux/networking/ssh-config-key-management.md b/01-linux/networking/ssh-config-key-management.md index e4c0166..5962611 100644 --- a/01-linux/networking/ssh-config-key-management.md +++ b/01-linux/networking/ssh-config-key-management.md @@ -1,11 +1,16 @@ --- -title: "SSH Config and Key Management" +title: SSH Config and Key Management domain: linux category: networking -tags: [ssh, keys, security, linux, remote-access] +tags: + - ssh + - keys + - security + - linux + - remote-access status: published created: 2026-03-08 -updated: 2026-03-08 +updated: 2026-04-07T21:55 --- # SSH Config and Key Management 
@@ -129,6 +134,50 @@ If key auth isn't working and the config looks right, permissions are the first - **`ServerAliveInterval` in your config** keeps connections from timing out on idle sessions. Saves you from the annoyance of reconnecting after stepping away. - **Never put private keys in cloud storage, Git repos, or Docker images.** It happens more than you'd think. +## Windows OpenSSH: Admin User Key Auth + +Windows OpenSSH has a separate key file for users in the `Administrators` group. Regular `~/.ssh/authorized_keys` is **ignored** for admin users unless the `Match Group administrators` block in `sshd_config` is disabled. + +### Where keys go + +| User type | Key file | +|---|---| +| Regular user | `C:\Users\\.ssh\authorized_keys` | +| Admin user | `C:\ProgramData\ssh\administrators_authorized_keys` | + +### Setup (elevated PowerShell) + +1. **Enable the Match block** in `C:\ProgramData\ssh\sshd_config` — both lines must be uncommented: + ``` + Match Group administrators + AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys + ``` + +2. **Write the key file without BOM** — PowerShell 5 defaults to UTF-16LE or UTF-8 with BOM, both of which OpenSSH silently rejects: + ```powershell + [System.IO.File]::WriteAllText( + "C:\ProgramData\ssh\administrators_authorized_keys", + "ssh-ed25519 AAAA... user@hostname`n", + [System.Text.UTF8Encoding]::new($false) + ) + ``` + +3. **Lock down permissions** — OpenSSH requires strict ACLs: + ```powershell + icacls "C:\ProgramData\ssh\administrators_authorized_keys" /inheritance:r /grant "SYSTEM:(F)" /grant "Administrators:(F)" + ``` + +4. 
**Restart sshd:** + ```powershell + Restart-Service sshd + ``` + +### Troubleshooting + +- If key auth silently fails, check `Get-WinEvent -LogName OpenSSH/Operational -MaxEvents 10` +- Common cause: BOM in the key file or `sshd_config` — PowerShell file-writing commands are the usual culprit +- If the log says `User not allowed because shell does not exist`, the `DefaultShell` registry path is wrong — see [WSL default shell troubleshooting](../../05-troubleshooting/networking/windows-openssh-wsl-default-shell-breaks-remote-commands.md) + ## See Also - [linux-server-hardening-checklist](../../02-selfhosting/security/linux-server-hardening-checklist.md) diff --git a/05-troubleshooting/networking/windows-openssh-wsl-default-shell-breaks-remote-commands.md b/05-troubleshooting/networking/windows-openssh-wsl-default-shell-breaks-remote-commands.md index 7c2a819..4ca9a85 100644 --- a/05-troubleshooting/networking/windows-openssh-wsl-default-shell-breaks-remote-commands.md +++ b/05-troubleshooting/networking/windows-openssh-wsl-default-shell-breaks-remote-commands.md @@ -2,10 +2,16 @@ title: "Windows OpenSSH: WSL as Default Shell Breaks Remote Commands" domain: troubleshooting category: networking -tags: [windows, openssh, wsl, ssh, majorrig, powershell] +tags: + - windows + - openssh + - wsl + - ssh + - majorrig + - powershell status: published created: 2026-04-03 -updated: 2026-04-03 +updated: 2026-04-07T21:55 --- # Windows OpenSSH: WSL as Default Shell Breaks Remote Commands 
@@ -31,37 +37,55 @@ Windows OpenSSH's default shell is set to `C:\Windows\System32\wsl.exe`. When SS But `wsl.exe` does not accept the `-c` flag. It expects `-e` for command execution, or no flags for an interactive session. Since OpenSSH hardcodes `-c`, every remote command fails. -## Fix +## Fix — Option 1: Use `bash.exe` (Recommended) -Change the default shell to PowerShell. Run this in an **elevated PowerShell** on the Windows host: +`bash.exe` is a WSL shim that **does** accept the `-c` flag. This gives you a Linux-first SSH experience where both interactive sessions and remote commands work natively. ```powershell -New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force +# Find the actual path to bash.exe (it varies by install) +Get-Command bash.exe | Select-Object Source + +# Set it as the default shell (elevated PowerShell) +Set-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Users\\AppData\Local\Microsoft\WindowsApps\bash.exe" Restart-Service sshd ``` -If you need to run this from within WSL (e.g., over an interactive SSH session): +> **Note:** `bash.exe` may not be at `C:\Windows\System32\bash.exe` on all installs. Always verify the path with `Get-Command` first — the Windows Store WSL install places it under `AppData\Local\Microsoft\WindowsApps\`. 
-```bash -powershell.exe -Command "Start-Process powershell -Verb RunAs -ArgumentList '-Command New-ItemProperty -Path HKLM:\\SOFTWARE\\OpenSSH -Name DefaultShell -Value C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -PropertyType String -Force; Restart-Service sshd'" +### After the fix (bash.exe) + +- Interactive SSH sessions land directly in your WSL distro +- Remote SSH commands execute in WSL's bash — Linux commands work natively +- `ssh user@host "uname -s"` returns `Linux` + +## Fix — Option 2: Revert to PowerShell + +If you need Windows-native command execution over SSH (e.g., for Windows-targeted Ansible or remote PowerShell administration), set the default shell back to PowerShell: + +```powershell +Set-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" +Restart-Service sshd ``` -## After the Fix +### After the fix (PowerShell) -- Remote SSH commands now execute via PowerShell +- Remote SSH commands execute via PowerShell - To run Linux commands, prefix with `wsl`: ```bash ssh user@host "wsl bash -c 'cd /mnt/d/project && git pull'" ``` -- Interactive SSH sessions land in PowerShell (use `wsl` to enter Linux) +- Interactive SSH sessions land in PowerShell (type `wsl` to enter Linux) - `ssh-copy-id` still won't work for WSL's `authorized_keys` — Windows OpenSSH reads from `C:\Users\\.ssh\authorized_keys`, not the WSL home directory ## Key Notes -- This registry key is the **only** supported way to change the OpenSSH default shell on Windows +- This registry key (`HKLM:\SOFTWARE\OpenSSH\DefaultShell`) is the **only** supported way to change the OpenSSH default shell on Windows - The change persists across reboots and Windows Updates -- If you previously set the default shell to `wsl.exe` to get a Linux-first SSH experience, be aware that it permanently breaks all remote command execution +- `wsl.exe` does **not** support `-c` — never use it as the default shell +- 
`bash.exe` **does** support `-c` — use it for a Linux-first SSH experience +- The path to `bash.exe` varies by install method — always verify with `Get-Command bash.exe` - Tools like Ansible, `scp`, `rsync`, and `ssh-copy-id` all depend on `-c` working +- If the shell path in the registry doesn't exist on disk, sshd will reject the user entirely with `User not allowed because shell does not exist` — check `Get-WinEvent -LogName OpenSSH/Operational` to diagnose ## Related diff --git a/05-troubleshooting/networking/windows-sshd-stops-after-reboot.md b/05-troubleshooting/networking/windows-sshd-stops-after-reboot.md index 91b0314..63d449f 100644 --- a/05-troubleshooting/networking/windows-sshd-stops-after-reboot.md +++ b/05-troubleshooting/networking/windows-sshd-stops-after-reboot.md @@ -1,11 +1,16 @@ --- -title: "Windows OpenSSH Server (sshd) Stops After Reboot" +title: Windows OpenSSH Server (sshd) Stops After Reboot domain: troubleshooting category: networking -tags: [windows, openssh, sshd, reboot, majorrig] +tags: + - windows + - openssh + - sshd + - reboot + - majorrig status: published created: 2026-04-02 -updated: 2026-04-02 +updated: 2026-04-07T21:58 --- # Windows OpenSSH Server (sshd) Stops After Reboot 
@@ -58,7 +63,7 @@ The Windows OpenSSH Server is installed as a Windows Feature (`Add-WindowsCapabi - **This is a Windows-side issue** — WSL2 itself is unaffected. The service must be started and configured from Windows, not from within WSL2. - **Elevated PowerShell required** — `Start-Service` and `Set-Service` for sshd will return "Access is denied" if run without Administrator privileges. - **Port 2222 was retired (2026-03-25)** — the bypass port 2222 on MajorRig is no longer in use. The entire fleet now uses port 22 uniformly after the Tailscale SSH auth fix. Only port 22 needs to be verified when troubleshooting sshd. -- **Default shell still works once fixed** — MajorRig's sshd is configured to use `C:\Windows\System32\wsl.exe` as the default shell, dropping SSH sessions directly into WSL2/Bash. This config is preserved across service restarts. +- **Default shell still works once fixed** — MajorRig's sshd is configured to use `bash.exe` (WSL shim) as the default shell, dropping SSH sessions directly into WSL2/Bash. This config is preserved across service restarts. See [WSL default shell troubleshooting](windows-openssh-wsl-default-shell-breaks-remote-commands.md) for why `bash.exe` is used instead of `wsl.exe`. --- diff --git a/README.md b/README.md index 09b9611..0a6ffea 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ --- created: 2026-04-06T09:52 -updated: 2026-04-07T10:48 +updated: 2026-04-07T21:59 --- # MajorLinux Tech Wiki — Index 
@@ -30,7 +30,7 @@ updated: 2026-04-07T10:48 - [Managing Linux Services with systemd](01-linux/process-management/managing-linux-services-systemd-ansible.md) — systemctl, journalctl, writing service files, Ansible service management ### Networking -- [SSH Config & Key Management](01-linux/networking/ssh-config-key-management.md) — key generation, ssh-copy-id, ~/.ssh/config, managing multiple keys +- [SSH Config & Key Management](01-linux/networking/ssh-config-key-management.md) — key generation, ssh-copy-id, ~/.ssh/config, managing multiple keys, Windows OpenSSH admin key auth ### Package Management - [Package Management Reference](01-linux/packages/package-management-reference.md) — apt, dnf, pacman side-by-side reference, Flatpak/Snap @@ -159,6 +159,9 @@ updated: 2026-04-07T10:48 | Date | Article | Domain | |---|---|---| +| 2026-04-07 | [SSH Config & Key Management](01-linux/networking/ssh-config-key-management.md) | Linux | +| 2026-04-07 | [Windows OpenSSH: WSL Default Shell Breaks Remote Commands](05-troubleshooting/networking/windows-openssh-wsl-default-shell-breaks-remote-commands.md) | Troubleshooting | +| 2026-04-07 | [Windows OpenSSH Server (sshd) Stops After Reboot](05-troubleshooting/networking/windows-sshd-stops-after-reboot.md) | Troubleshooting | | 2026-04-02 | [Fail2ban Custom Jail: WordPress Login Brute Force](02-selfhosting/security/fail2ban-wordpress-login-jail.md) | Self-Hosting | | 2026-04-02 | [Mastodon Instance Tuning](02-selfhosting/services/mastodon-instance-tuning.md) | Self-Hosting | | 2026-04-02 | [mdadm — Rebuilding a RAID Array After Reinstall](01-linux/storage/mdadm-raid-rebuild.md) | Linux | diff --git a/index.md b/index.md index 3ea6202..0c8614b 100644 --- a/index.md +++ b/index.md @@ -1,6 +1,6 @@ --- created: 2026-04-06T09:52 -updated: 2026-04-07T10:50 +updated: 2026-04-07T21:59 --- # MajorLinux Tech Wiki — Index 
@@ -31,7 +31,7 @@ updated: 2026-04-07T10:50 - [Managing Linux Services with systemd](01-linux/process-management/managing-linux-services-systemd-ansible.md) — systemctl, journalctl, writing service files, Ansible service management ### Networking -- [SSH Config & Key Management](01-linux/networking/ssh-config-key-management.md) — key generation, ssh-copy-id, ~/.ssh/config, managing multiple keys +- [SSH Config & Key Management](01-linux/networking/ssh-config-key-management.md) — key generation, ssh-copy-id, ~/.ssh/config, managing multiple keys, Windows OpenSSH admin key auth ### Package Management - [Package Management Reference](01-linux/packages/package-management-reference.md) — apt, dnf, pacman side-by-side reference, Flatpak/Snap @@ -163,7 +163,9 @@ updated: 2026-04-07T10:50 | Date | Article | Domain | |---|---|---| -| 2026-04-03 | [Windows OpenSSH: WSL Default Shell Breaks Remote Commands](05-troubleshooting/networking/windows-openssh-wsl-default-shell-breaks-remote-commands.md) | Troubleshooting | +| 2026-04-07 | [SSH Config & Key Management](01-linux/networking/ssh-config-key-management.md) | Linux | +| 2026-04-07 | [Windows OpenSSH: WSL Default Shell Breaks Remote Commands](05-troubleshooting/networking/windows-openssh-wsl-default-shell-breaks-remote-commands.md) | Troubleshooting | +| 2026-04-07 | [Windows OpenSSH Server (sshd) Stops After Reboot](05-troubleshooting/networking/windows-sshd-stops-after-reboot.md) | Troubleshooting | | 2026-04-03 | [Ansible: ansible.cfg Ignored on WSL2 Windows Mounts](05-troubleshooting/ansible-wsl2-world-writable-mount-ignores-cfg.md) | Troubleshooting | | 2026-04-02 | [Fail2ban Custom Jail: WordPress Login Brute Force](02-selfhosting/security/fail2ban-wordpress-login-jail.md) | Self-Hosting | | 2026-04-02 | [Mastodon Instance Tuning](02-selfhosting/services/mastodon-instance-tuning.md) | Self-Hosting |
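Review bot: in the frontmatter hunks for ssh-config-key-management.md, windows-openssh-wsl-default-shell-breaks-remote-commands.md and windows-sshd-stops-after-reboot.md, `updated:` changes to a timestamp (`updated: 2026-04-07T21:55`) while `created:` stays a bare date (`created: 2026-03-08`), so the two fields in one file no longer share a format. Pick one: README.md and index.md already use the timestamp form for both `created:` and `updated:`, so either move `created:` to that form in the three articles or keep `updated:` date-only as it was.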
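Review bot: in the `@@ -129,6 +134,50 @@` hunk of ssh-config-key-management.md, step 2's `[System.IO.File]::WriteAllText(...)` replaces the entire `administrators_authorized_keys` file, so running it on a host that already has admin keys silently revokes every key that was there, and because step 3 then locks the ACL down nobody will notice until the next admin tries to log in. Either switch to `[System.IO.File]::AppendAllText(...)` with the same `[System.Text.UTF8Encoding]::new($false)` argument (it takes the same three parameters), or state in the step that it overwrites and that existing entries must be merged in first. In the same hunk the table row `C:\Users\\.ssh\authorized_keys` has a doubled backslash where the username placeholder belongs; write it as `C:\Users\<username>\.ssh\authorized_keys` so it reads as a placeholder rather than a literal path.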
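Review bot: in the `@@ -31,37 +37,55 @@` hunk of windows-openssh-wsl-default-shell-breaks-remote-commands.md, the Option 1 command sets `DefaultShell` to `C:\Users\\AppData\Local\Microsoft\WindowsApps\bash.exe`, a path with no username segment, so copied as written it points at a file that does not exist and produces exactly the `User not allowed because shell does not exist` rejection the hunk's own Key Notes warn about. The comment above it already tells the reader to run `Get-Command bash.exe`; feed that result straight into the value (`-Value (Get-Command bash.exe).Source`) instead of hardcoding a path. There is also a design problem the note under the command should state: `HKLM:\SOFTWARE\OpenSSH\DefaultShell` is machine-wide and the hunk calls it the only supported way to set the shell, yet the recommended value sits inside one user's profile (`AppData\Local\Microsoft\WindowsApps\`), so every other account that logs in over SSH is handed a shell path under that user's directory, and whoever can write to that directory controls the binary those logins execute. Say that this fix assumes a single-user host, or point at a `bash.exe` outside any user profile where the install provides one. Finally, the unchanged `ssh-copy-id` bullet still says Windows OpenSSH reads `C:\Users\\.ssh\authorized_keys`, which the admin-key section added to ssh-config-key-management.md in this same patch contradicts for members of `Administrators`; add the caveat or a link to that section.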
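Review bot: in the `@@ -58,7 +63,7 @@` hunk of windows-sshd-stops-after-reboot.md, the rewritten bullet names `bash.exe` (WSL shim) as MajorRig's default shell but not the registry value it resolves to. The article it links to stresses that the `bash.exe` path varies by install and that a path missing from disk makes sshd reject every login, so record the exact `DefaultShell` value in use here, or the check to confirm it (`Get-ItemProperty -Path HKLM:\SOFTWARE\OpenSSH`), so the next reboot troubleshooting session can verify the shell path before chasing the service itself.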
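Review bot: in the `@@ -159,6 +159,9 @@` hunk of README.md and the `@@ -163,7 +163,9 @@` hunk of index.md, the two Recently Updated tables are edited differently and were already out of sync: index.md removes its old `| 2026-04-03 | [Windows OpenSSH: WSL Default Shell Breaks Remote Commands] ...` row before adding the 2026-04-07 rows, while README.md only adds rows, and index.md's context shows a `| 2026-04-03 | [Ansible: ansible.cfg Ignored on WSL2 Windows Mounts] ...` row that README.md's context does not. Reconcile the two tables in this commit, and since README.md and index.md otherwise receive identical edits (same `### Networking` description change in both), consider generating one from the other so they cannot drift again.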