wiki: update SSH docs with bash.exe default shell fix and Windows admin key auth

- ssh-config-key-management: add Windows OpenSSH admin user key auth section (administrators_authorized_keys, BOM-free writing, ACL requirements) - windows-openssh-wsl-default-shell: add bash.exe as recommended fix (Option 1), demote PowerShell to Option 2, add shell-not-found diagnostic tip - windows-sshd-stops-after-reboot: fix stale wsl.exe reference to bash.exe - index/README: update Recently Updated table and article descriptions Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 22:01:36 -04:00
parent 84a1893e80
commit 5af934a6c6
5 changed files with 108 additions and 25 deletions
--- a/01-linux/networking/ssh-config-key-management.md
+++ b/01-linux/networking/ssh-config-key-management.md
@@ -1,11 +1,16 @@
 ---
-title: "SSH Config and Key Management"
+title: SSH Config and Key Management
 domain: linux
 category: networking
-tags: [ssh, keys, security, linux, remote-access]
+tags:
+  - ssh
+  - keys
+  - security
+  - linux
+  - remote-access
 status: published
 created: 2026-03-08
-updated: 2026-03-08
+updated: 2026-04-07T21:55
 ---

 # SSH Config and Key Management
@@ -129,6 +134,50 @@ If key auth isn't working and the config looks right, permissions are the first
 - **`ServerAliveInterval` in your config** keeps connections from timing out on idle sessions. Saves you from the annoyance of reconnecting after stepping away.
 - **Never put private keys in cloud storage, Git repos, or Docker images.** It happens more than you'd think.

+## Windows OpenSSH: Admin User Key Auth
+
+Windows OpenSSH has a separate key file for users in the `Administrators` group. Regular `~/.ssh/authorized_keys` is **ignored** for admin users unless the `Match Group administrators` block in `sshd_config` is disabled.
+
+### Where keys go
+
+| User type | Key file |
+|---|---|
+| Regular user | `C:\Users\<user>\.ssh\authorized_keys` |
+| Admin user | `C:\ProgramData\ssh\administrators_authorized_keys` |
+
+### Setup (elevated PowerShell)
+
+1. **Enable the Match block** in `C:\ProgramData\ssh\sshd_config` — both lines must be uncommented:
+   ```
+   Match Group administrators
+          AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
+   ```
+
+2. **Write the key file without BOM** — PowerShell 5 defaults to UTF-16LE or UTF-8 with BOM, both of which OpenSSH silently rejects:
+   ```powershell
+   [System.IO.File]::WriteAllText(
+       "C:\ProgramData\ssh\administrators_authorized_keys",
+       "ssh-ed25519 AAAA... user@hostname`n",
+       [System.Text.UTF8Encoding]::new($false)
+   )
+   ```
+
+3. **Lock down permissions** — OpenSSH requires strict ACLs:
+   ```powershell
+   icacls "C:\ProgramData\ssh\administrators_authorized_keys" /inheritance:r /grant "SYSTEM:(F)" /grant "Administrators:(F)"
+   ```
+
+4. **Restart sshd:**
+   ```powershell
+   Restart-Service sshd
+   ```
+
+### Troubleshooting
+
+- If key auth silently fails, check `Get-WinEvent -LogName OpenSSH/Operational -MaxEvents 10`
+- Common cause: BOM in the key file or `sshd_config` — PowerShell file-writing commands are the usual culprit
+- If the log says `User not allowed because shell does not exist`, the `DefaultShell` registry path is wrong — see [WSL default shell troubleshooting](../../05-troubleshooting/networking/windows-openssh-wsl-default-shell-breaks-remote-commands.md)
+
 ## See Also

 - [linux-server-hardening-checklist](../../02-selfhosting/security/linux-server-hardening-checklist.md)