Public key / certificate authentication not working in 1.0.0.0-beta #1033

Closed
pcgeek86 opened this issue Jan 23, 2018 · 5 comments

@pcgeek86

pcgeek86 commented Jan 23, 2018

I had public key authentication working with the 0.0.24.0 version of the OpenSSH daemon. After building a new system, and installing the 1.0.0.0-beta version, I can't get public key / certificate authentication working. How do I make this work?

This is the old document I followed: https://github.com/PowerShell/Win32-OpenSSH/wiki/Certificate-Authentication

@bagajjal
Collaborator

I think you need to run (.\FixHostFilePermissions.ps1 -Confirm:$false), which will fix the host key and authorized key file permissions. It's mentioned in the release notes under breaking changes.
In case it didn't work, please share the sshd.log (with DEBUG3 enabled) and the ssh log (ssh -vvv user@ip).

@pcgeek86
Author

Thanks, working on the debug logs now. I already tried running the FixHostFilePermissions script, based on another issue I found. Let me see if I can fix this on my own, using the debug logs.

@pcgeek86
Author

pcgeek86 commented Jan 23, 2018

Okay, I tried running that script again. I think it wasn't working, because I was trying to follow the wiki document that tells you to sign the public key, inside the authorized_keys file, using ssh-keygen. I don't believe this step is necessary, as I'm using my public key unsigned on the target server.

It's working with public key authentication now. Here's my ssh command:

ssh -vvv -i /Users/tsulli/mypemfile.pem -o PubkeyAuthentication=yes -o PasswordAuthentication=no Administrator@54.202.x.x

Obviously, I also had to make sure that the sshd_config file also had PubkeyAuthentication yes.

@bagajjal bagajjal self-assigned this Jan 24, 2018
@ne0c0de

ne0c0de commented Jan 24, 2018

Hi @pcgeek86

Did you solve your problem?

I'm also experiencing the same problem. Unfortunately this is the first time that I'm using OpenSSH, so I have no idea if it was working before.

Here's what I did:

In the sshd_config file:

PubkeyAuthentication yes
AuthorizedKeysFile C:/Users/si/.ssh/authorized_keys

sshd service restarted.

When I try to log in with ssh -vvv, I see this result before the connection is lost:

debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred:
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).

When I stop the sshd service and start it from PowerShell with the debug command, it closes itself directly when I try to log in with the private key. The debug output of sshd looks like this:

C:\Program Files\OpenSSH> ./sshd.exe -ddd
debug2: load_server_config: filename PROGRAMDATA\ssh/sshd_config
debug2: load_server_config: done config len = 228
debug2: parse_server_config: config PROGRAMDATA\ssh/sshd_config len 228
debug3: PROGRAMDATA\ssh/sshd_config:34 setting PubkeyAuthentication yes
debug3: PROGRAMDATA\ssh/sshd_config:40 setting AuthorizedKeysFile C:/Users/si/.ssh/authorized_keys
debug3: PROGRAMDATA\ssh/sshd_config:57 setting AllowTcpForwarding yes
debug3: PROGRAMDATA\ssh/sshd_config:70 setting PermitTunnel yes
debug3: PROGRAMDATA\ssh/sshd_config:78 setting Subsystem sftp sftp-server.exe
debug1: sshd version OpenSSH_7.6, LibreSSL 2.5.3
debug1: private host key #0: ssh-rsa SHA256:Lvp0UxVMnrsJZUWdDhqhoaXCZ7RTZnjInzvxUjATgC4
debug1: private host key #1: ssh-dss SHA256:lms8s7J5meGxxBcKQx/azZbWHC4XXT29bRRT81NhvJU
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:abg7NKA44zP3FR1j5opBNc0iJ0BzpNl5euKccMK3BYg
debug1: private host key #3: ssh-ed25519 SHA256:zhaL6xmFWF3crxvYWKzD8+IyNOMRImdlBvfTa9fSjEI
debug1: rexec_argv[0]='C:\Program Files\OpenSSH\sshd.exe'
debug1: rexec_argv[1]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 3 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 228
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
Connection from 192.168.56.100 port 47426 on 192.168.56.1 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug2: fd 5 setting O_NONBLOCK
unable to generate token for user sshd
unable to generate token on 2nd attempt for user sshd
unable to get security token for user sshd
posix_spawn failed
debug3: send_rexec_state: entering fd = 4 config len 228
debug3: ssh_msg_send: type 0
debug3: write ERROR from cb(2):232, io:000002E7607FDE50
ssh_msg_send: write
send_rexec_state: ssh_msg_send failed
debug1: do_cleanup

I'm not sure that the sshd service (which was already registered before) is reading the same sshd_config file (which is located under C:\ProgramData\ssh).

How can I resolve this problem?

@bagajjal
Collaborator

@ne0c0de - You need to start sshd debug mode in the system context.

  1. Execute "psexec -i -s cmd".
  2. In the new popup window, issue "whoami"; this should show "nt authority\system".
  3. Now launch sshd in debug mode: ".\sshd.exe -ddd".
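
An added example, not part of the original thread or the project's code: a small Python triage of the two debug logs quoted above. It lists offered keys the server refused, and reports which sshd_config and settings the debug sshd instance loaded along with the token failure; the function names and the trimmed log excerpts are constructed for illustration.

```python
import re

# Constructed sample input: lines excerpted from the two debug logs quoted in this thread.
CLIENT_LOG = r"""debug1: Offering RSA public key: .ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: No more authentication methods to try."""

SERVER_LOG = r"""debug2: load_server_config: filename PROGRAMDATA\ssh/sshd_config
debug3: PROGRAMDATA\ssh/sshd_config:34 setting PubkeyAuthentication yes
debug3: PROGRAMDATA\ssh/sshd_config:40 setting AuthorizedKeysFile C:/Users/si/.ssh/authorized_keys
unable to generate token for user sshd
posix_spawn failed"""

OFFER = re.compile(r"Offering (?:\w+ )?public key: (\S+)")
SETTING = re.compile(r"^debug3: (.+):(\d+) setting (\S+) (.+)$")

def rejected_keys(client_log):
    """Key files the client offered that the server did not accept."""
    rejected, pending = [], None
    for line in client_log.splitlines():
        offer = OFFER.search(line)
        if offer:
            pending = offer.group(1)
        elif "Server accepts key" in line:
            pending = None            # server acknowledged the offered key
        elif "Authentications that can continue" in line and pending:
            rejected.append(pending)  # server answered with a failure instead
            pending = None
    return rejected

def server_summary(server_log):
    """Config file and settings sshd reports loading, plus the token failure."""
    summary = {"config": None, "settings": {}, "token_failure": False}
    for line in server_log.splitlines():
        if "load_server_config: filename " in line:
            summary["config"] = line.split("filename ", 1)[1]
        setting = SETTING.match(line)
        if setting:
            summary["settings"][setting.group(3)] = setting.group(4)
        if line.startswith("unable to generate token for user"):
            # In this thread the suggested fix was running sshd -ddd as nt authority\system.
            summary["token_failure"] = True
    return summary

if __name__ == "__main__":
    print(rejected_keys(CLIENT_LOG))
    print(server_summary(SERVER_LOG))
```

The "setting" lines in the sshd -ddd output show which configuration file and values the debug instance read, which addresses the question of whether the expected sshd_config is being used.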
