Windows OpenSSH passwordless login: configuration notes

Goal

Let the local Windows machine log in to a remote Windows host over SSH without a password. The target host for this session is `ssh XXXX@100.111.103.11`.

1. Confirm the network and the SSH service are reachable

First confirm that the target machine is online in Tailscale:

```powershell
tailscale status | Select-String -Pattern '100\.111\.103\.11|036-XXXX|XXXX'
```

The output shows the target is a Windows host and is online:

```
100.111.103.11 036-XXXX windows active
```

Then test, with password authentication disabled, whether public-key login already works:

```powershell
ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=8 XXXX@100.111.103.11 "whoami; hostname"
```

If this returns

```
Permission denied (publickey,password,keyboard-interactive).
```

the network and the SSH service are fine, but the remote host does not yet accept this machine's public key.

2. Confirm the local public key

The local public key file is `C:\Users\23670\.ssh\id_rsa.pub`. Show its fingerprint:

```powershell
ssh-keygen -lf $env:USERPROFILE\.ssh\id_rsa.pub
```

The fingerprint used in this session (as recorded in the notes):

```
3072 SHA256:eodo4aAZ1itnrF8kBmEersYFUNvbssvTI7QpCQ5R4c vscode-Linux (RSA)
```

3. Check whether the remote account is an administrator

Log in to the remote host once with the password and inspect the remote user. The default login shell on Windows OpenSSH is cmd.exe, so PowerShell is invoked explicitly:

```powershell
powershell -NoProfile -ExecutionPolicy Bypass -Command "$u=$env:USERNAME; $profileDir=$env:USERPROFILE; $isAdmin=([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator); $cfg='C:\ProgramData\ssh\sshd_config'; $matchAdmins=$false; if (Test-Path $cfg) { $matchAdmins = Select-String -Path $cfg -Pattern '^\s*Match\s+Group\s+administrators' -Quiet }; Write-Output ('USERNAME=' + $u); Write-Output ('USERPROFILE=' + $profileDir); Write-Output ('IS_ADMIN=' + $isAdmin); Write-Output ('MATCH_ADMINS=' + $matchAdmins); Write-Output ('WHOAMI=' + (whoami))"
```

Result on this remote host:

```
USERNAME=XXXX
USERPROFILE=C:\Users\XXXX
IS_ADMIN=True
MATCH_ADMINS=True
WHOAMI=desktop-ktb9jj1\XXXX
```

So `XXXX` is a Windows administrator account and sshd_config contains a `Match Group administrators` block. In that configuration Windows OpenSSH does not read `C:\Users\XXXX\.ssh\authorized_keys` for this account; it reads the administrator-specific file `C:\ProgramData\ssh\administrators_authorized_keys` instead.

Caveat: `IsInRole(Administrator)` reflects the current token. Windows OpenSSH gives members of Administrators an elevated session, so the check is reliable over SSH, but in a UAC-filtered interactive shell it can return False for an admin-group member. sshd's `Match Group` decision is based on group membership, so `whoami /groups | findstr /i administrators` is the more direct test.

4. Append the public key on the remote host

Append the contents of the local `id_rsa.pub` to `C:\ProgramData\ssh\administrators_authorized_keys` on the remote host. To stay compatible with later configuration changes (for example if the Match block is removed), the same line can also be appended to `C:\Users\XXXX\.ssh\authorized_keys`.

Note: append only the public key line. Never upload the private key.

5. Fix the Windows OpenSSH ACLs

The administrator key file requires a strict ACL; otherwise OpenSSH may refuse to read it. On the remote host:

```powershell
icacls C:\ProgramData\ssh\administrators_authorized_keys /inheritance:r /grant Administrators:F /grant SYSTEM:F
```

The fallback `authorized_keys` under the user profile can be set up like this:

```powershell
icacls C:\Users\XXXX\.ssh /inheritance:r /grant XXXX:(OI)(CI)F /grant SYSTEM:(OI)(CI)F /grant Administrators:(OI)(CI)F
icacls C:\Users\XXXX\.ssh\authorized_keys /inheritance:r /grant XXXX:F /grant SYSTEM:F /grant Administrators:F
```

Restart the remote SSH service if necessary:

```powershell
Restart-Service sshd
```

6. Verify passwordless login

From the local machine:

```powershell
ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=8 XXXX@100.111.103.11 "cmd /c whoami & hostname & echo %USERPROFILE%"
```

Result of this verification:

```
desktop-ktb9jj1\XXXX
DESKTOP-KTB9JJ1
C:\Users\XXXX
```

Because the command succeeds with `BatchMode=yes` and `PasswordAuthentication=no`, this is a pure public-key login with no password fallback. From now on a plain `ssh XXXX@100.111.103.11` works.

Common pitfalls

- For a Windows administrator account, check `C:\ProgramData\ssh\administrators_authorized_keys` first.
- `C:\Users\<username>\.ssh\authorized_keys` does not necessarily take effect for administrator accounts.
- If the ACLs are wrong, OpenSSH may reject the file even though the key line itself is correct.
- Passwordless login uses the local private key paired with the public key stored on the remote host; `.pub` is never used as a private key.
- Verify with `BatchMode=yes` and `PasswordAuthentication=no` so that a silent fallback to password login cannot be mistaken for key-based login.
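Steps 3 to 5 can be done in one pass on the remote host. The following script is an added example, not part of the original notes: it is run in an elevated PowerShell on the remote Windows host with the client's `id_rsa.pub` line pasted into `$PubKey`, decides which key file sshd will actually read, appends the key idempotently, applies the ACLs from step 5 and restarts sshd. The function names (`Assert-PublicKeyLine`, `Test-MatchAdminsBlock`, `Add-KeyLine`, `Set-KeyFileAcl`), the assumption that OpenSSH Server runs as the `sshd` service with its default config path, and the placeholder key material are mine, not the page's.

```powershell
# Added example, not from the original notes. Run on the REMOTE Windows host in an
# elevated PowerShell. Assumed: OpenSSH Server runs as service "sshd" and reads
# C:\ProgramData\ssh\sshd_config. The key below is a constructed placeholder, not a real key.
$PubKey = 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDplaceholderplaceholderplaceholder vscode-Linux'

$SshdConfig = 'C:\ProgramData\ssh\sshd_config'
$AdminKeys  = 'C:\ProgramData\ssh\administrators_authorized_keys'
$UserSshDir = Join-Path $env:USERPROFILE '.ssh'
$UserKeys   = Join-Path $UserSshDir 'authorized_keys'
$User       = $env:USERNAME

function Assert-PublicKeyLine {
    param([string]$Line)
    # Guard against the classic mistake of pasting id_rsa instead of id_rsa.pub.
    if ($Line -match '-----BEGIN') { throw 'That looks like a PRIVATE key. Only upload the .pub line.' }
    if ($Line -notmatch '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))\s+[A-Za-z0-9+/]+=*(\s+\S.*)?$') {
        throw "Not a valid OpenSSH public key line: $Line"
    }
}

function Test-AdminSession {
    # Over Windows OpenSSH an administrator gets an elevated token, so this is reliable here.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-MatchAdminsBlock {
    # True when sshd_config routes members of Administrators to the shared key file.
    (Test-Path $SshdConfig) -and
    (Select-String -Path $SshdConfig -Pattern '^\s*Match\s+Group\s+administrators' -Quiet)
}

function Add-KeyLine {
    param([string]$Path, [string]$Line)
    # Idempotent append: match on key type + blob only, so a different comment is not a duplicate.
    $blob = ($Line -split '\s+')[0, 1] -join ' '
    if ((Test-Path $Path) -and (Select-String -Path $Path -Pattern $blob -SimpleMatch -Quiet)) {
        Write-Output "already present: $Path"
        return
    }
    # Make sure the existing last line is terminated, otherwise the new key would be glued to it.
    if ((Test-Path $Path) -and ((Get-Item $Path).Length -gt 0)) {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        if ($bytes[-1] -ne 10) { [System.IO.File]::AppendAllText($Path, "`n", [System.Text.Encoding]::ASCII) }
    }
    # ASCII without BOM: a UTF-8 BOM in front of the first key line makes sshd ignore that key.
    [System.IO.File]::AppendAllText($Path, "$Line`n", [System.Text.Encoding]::ASCII)
    Write-Output "appended to:     $Path"
}

function Set-KeyFileAcl {
    param([string]$Path, [string[]]$Grants)
    # Drop inherited ACEs and grant only the listed principals; sshd refuses key files
    # that other users can write to.
    $icaclsArgs = @($Path, '/inheritance:r') + ($Grants | ForEach-Object { @('/grant', $_) })
    & icacls.exe @icaclsArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

Assert-PublicKeyLine $PubKey

if ((Test-AdminSession) -and (Test-MatchAdminsBlock)) {
    # Administrator + Match block: sshd reads the shared file, not the per-user one.
    Add-KeyLine -Path $AdminKeys -Line $PubKey
    Set-KeyFileAcl -Path $AdminKeys -Grants 'Administrators:F', 'SYSTEM:F'
}

# Keep the per-user copy as well, so the key survives if the Match block is removed later.
New-Item -ItemType Directory -Path $UserSshDir -Force | Out-Null
Add-KeyLine -Path $UserKeys -Line $PubKey
Set-KeyFileAcl -Path $UserSshDir -Grants "${User}:(OI)(CI)F", 'SYSTEM:(OI)(CI)F', 'Administrators:(OI)(CI)F'
Set-KeyFileAcl -Path $UserKeys   -Grants "${User}:F", 'SYSTEM:F', 'Administrators:F'

Restart-Service sshd
Write-Output 'sshd restarted. From the client: ssh -o BatchMode=yes -o PasswordAuthentication=no user@host whoami'
```

The script writes the key to both locations on purpose: sshd only consults one of them for a given login, but the per-user copy costs nothing and means a later edit of sshd_config does not silently lock the key out. The private-key guard and the BOM-free ASCII write address the two failure modes that produce the same symptom as a wrong ACL, namely "Permission denied (publickey,...)" with a key line that looks correct.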