
PubKey Auth not working #1306

Closed
schmitch opened this issue Dec 14, 2018 · 56 comments

Comments

@schmitch

schmitch commented Dec 14, 2018

"OpenSSH for Windows" version
((Get-Item (Get-Command sshd).Source).VersionInfo.FileVersion)
7.7.2.2

Server OperatingSystem
((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows nt\CurrentVersion\" -Name ProductName).ProductName)
Windows Server 2019 Standard

Client OperatingSystem
macOS Mojave Version 10.14.1
ssh -V
OpenSSH_7.8p1, LibreSSL 2.7.3

What is failing
PubKey Authentication with ed25519

Expected output
Successful Login over PubKey

Actual output
Permission Denied

Additional Data
Currently I'm trying to achieve PubKey Authentication against a Windows Server 2019, however I could not get it to work.
I actually created an ed25519 key and put it into the correct folder C:\Users\Administrator\.ssh\authorized_keys.
However it just does not work.
What is even strange is the Windows Server Debug output (ProgramData?!):

PS C:\Users\Administrator\unzipped> sshd -d
debug1: sshd version OpenSSH_for_Windows_7.7, LibreSSL 2.6.5
debug1: private host key #0: ssh-rsa SHA256:PNoOxXBKB4SCOQougpsAZ9bUnku658ur9+wucTvsGSc
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:GKf1jbg/+ayrPx+MOCTeCSBgJze/9R7kVYdw4WcEMU8
debug1: private host key #2: ssh-ed25519 SHA256:q8Rqf9l/eUiPMx9YfVSd3mQKxm/2Detld2UgLmIPyLU
debug1: rexec_argv[0]='C:\\Windows\\System32\\OpenSSH\\sshd.exe'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.179.152 port 61251 on 192.168.179.249 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_7.8
debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: sshd version OpenSSH_for_Windows_7.7, LibreSSL 2.6.5
debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user Administrator service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: user C:\\Users\\Administrator matched group list administrators at line 84
debug1: userauth-request for user Administrator service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: userauth_pubkey: test pkalg ssh-ed25519 pkblob ED25519 SHA256:2nXx9fR4uOi8KRult6QjtZEvaTHIqH7i4cAv7qg3gSA [preauth]
debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
debug1: Could not open authorized keys '__PROGRAMDATA__/ssh/administrators_authorized_keys': No such file or directory
Failed publickey for Administrator from 192.168.179.152 port 61251 ssh2: ED25519 SHA256:2nXx9fR4uOi8KRult6QjtZEvaTHIqH7i4cAv7qg3gSA
Connection closed by authenticating user Administrator 192.168.179.152 port 61251 [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: Killing privsep child 1996

Client Verbose Output:

schmitch@tokio:~$ ssh -vvvv ci02
OpenSSH_7.8p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/schmitch/.ssh/config
debug1: /Users/schmitch/.ssh/config line 34: Applying options for ci02
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.179.249 is address
debug2: ssh_connect_direct
debug1: Connecting to 192.168.179.249 [192.168.179.249] port 22.
debug1: Connection established.
debug1: identity file /Users/schmitch/.ssh/windows type 3
debug1: identity file /Users/schmitch/.ssh/windows-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_7.7
debug1: match: OpenSSH_for_Windows_7.7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.179.249:22 as 'Administrator'
debug3: hostkeys_foreach: reading file "/Users/schmitch/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/schmitch/.ssh/known_hosts:155
debug3: load_hostkeys: loaded 1 keys from 192.168.179.249
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:GKf1jbg/+ayrPx+MOCTeCSBgJze/9R7kVYdw4WcEMU8
debug3: hostkeys_foreach: reading file "/Users/schmitch/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/schmitch/.ssh/known_hosts:155
debug3: load_hostkeys: loaded 1 keys from 192.168.179.249
debug1: Host '192.168.179.249' is known and matches the ECDSA host key.
debug1: Found key in /Users/schmitch/.ssh/known_hosts:155
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /Users/schmitch/.ssh/windows (0x7fc576c07060), explicit
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: ED25519 SHA256:2nXx9fR4uOi8KRult6QjtZEvaTHIqH7i4cAv7qg3gSA /Users/schmitch/.ssh/windows
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Administrator@192.168.179.249: Permission denied (publickey,password,keyboard-interactive).

My PubKey lies at C:\Users\Administrator\.ssh\authorized_keys

according to https://docs.microsoft.com/de-de/windows-server/administration/openssh/openssh_keymanagement

@schmitch
Author

i.e. copying the pubkey to C:\ProgramData\ssh\administrator_authorized_keys does not resolve the problem either

@schmitch
Author

schmitch commented Dec 14, 2018

I found that the SSH Config contained something like:

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

however even when commenting it out, it still does not work.

3544 2018-12-14 15:06:37.650 debug2: fd 3 setting O_NONBLOCK
3544 2018-12-14 15:06:37.650 debug3: sock_set_v6only: set socket 3 IPV6_V6ONLY
3544 2018-12-14 15:06:37.650 debug1: Bind to port 22 on ::.
3544 2018-12-14 15:06:37.650 Server listening on :: port 22.
3544 2018-12-14 15:06:37.650 debug2: fd 4 setting O_NONBLOCK
3544 2018-12-14 15:06:37.650 debug1: Bind to port 22 on 0.0.0.0.
3544 2018-12-14 15:06:37.650 Server listening on 0.0.0.0 port 22.
3544 2018-12-14 15:06:40.670 debug3: fd 5 is not O_NONBLOCK
3544 2018-12-14 15:06:40.672 debug3: spawning "C:\\Windows\\System32\\OpenSSH\\sshd.exe" "-R"
3544 2018-12-14 15:06:40.675 debug3: send_rexec_state: entering fd = 8 config len 394
3544 2018-12-14 15:06:40.675 debug3: ssh_msg_send: type 0
3544 2018-12-14 15:06:40.675 debug3: send_rexec_state: done
2664 2018-12-14 15:06:40.721 debug1: inetd sockets after dupping: 3, 3
2664 2018-12-14 15:06:40.721 Connection from 192.168.179.152 port 65269 on 192.168.179.249 port 22
2664 2018-12-14 15:06:40.721 debug1: Client protocol version 2.0; client software version OpenSSH_7.8
2664 2018-12-14 15:06:40.721 debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
2664 2018-12-14 15:06:40.721 debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
2664 2018-12-14 15:06:40.722 debug2: fd 3 setting O_NONBLOCK
2664 2018-12-14 15:06:40.728 debug3: spawning "C:\\Windows\\System32\\OpenSSH\\sshd.exe" "-y"
2664 2018-12-14 15:06:40.730 debug2: Network child is on pid 2700
2664 2018-12-14 15:06:40.731 debug3: send_rexec_state: entering fd = 6 config len 394
2664 2018-12-14 15:06:40.731 debug3: ssh_msg_send: type 0
2664 2018-12-14 15:06:40.731 debug3: send_rexec_state: done
2664 2018-12-14 15:06:40.731 debug3: ssh_msg_send: type 0
2664 2018-12-14 15:06:40.731 debug3: ssh_msg_send: type 0
2664 2018-12-14 15:06:40.731 debug3: preauth child monitor started
2664 2018-12-14 15:06:40.756 debug3: list_hostkey_types: ssh-dss key not permitted by HostkeyAlgorithms [preauth]
2664 2018-12-14 15:06:40.756 debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
2664 2018-12-14 15:06:40.756 debug3: send packet: type 20 [preauth]
2664 2018-12-14 15:06:40.756 debug1: SSH2_MSG_KEXINIT sent [preauth]
2664 2018-12-14 15:06:40.756 debug3: receive packet: type 20 [preauth]
2664 2018-12-14 15:06:40.756 debug1: SSH2_MSG_KEXINIT received [preauth]
2664 2018-12-14 15:06:40.756 debug2: local server KEXINIT proposal [preauth]
2664 2018-12-14 15:06:40.756 debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 [preauth]
2664 2018-12-14 15:06:40.756 debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
2664 2018-12-14 15:06:40.756 debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
2664 2018-12-14 15:06:40.756 debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
2664 2018-12-14 15:06:40.756 debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
2664 2018-12-14 15:06:40.756 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
2664 2018-12-14 15:06:40.756 debug2: compression ctos: none [preauth]
2664 2018-12-14 15:06:40.756 debug2: compression stoc: none [preauth]
2664 2018-12-14 15:06:40.756 debug2: languages ctos:  [preauth]
2664 2018-12-14 15:06:40.756 debug2: languages stoc:  [preauth]
2664 2018-12-14 15:06:40.756 debug2: first_kex_follows 0  [preauth]
2664 2018-12-14 15:06:40.756 debug2: reserved 0  [preauth]
2664 2018-12-14 15:06:40.756 debug2: peer client KEXINIT proposal [preauth]
2664 2018-12-14 15:06:40.756 debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c [preauth]
2664 2018-12-14 15:06:40.756 debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa [preauth]
2664 2018-12-14 15:06:40.756 debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
2664 2018-12-14 15:06:40.757 debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
2664 2018-12-14 15:06:40.757 debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
2664 2018-12-14 15:06:40.757 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
2664 2018-12-14 15:06:40.757 debug2: compression ctos: none,zlib@openssh.com,zlib [preauth]
2664 2018-12-14 15:06:40.757 debug2: compression stoc: none,zlib@openssh.com,zlib [preauth]
2664 2018-12-14 15:06:40.757 debug2: languages ctos:  [preauth]
2664 2018-12-14 15:06:40.757 debug2: languages stoc:  [preauth]
2664 2018-12-14 15:06:40.757 debug2: first_kex_follows 0  [preauth]
2664 2018-12-14 15:06:40.757 debug2: reserved 0  [preauth]
2664 2018-12-14 15:06:40.757 debug1: kex: algorithm: curve25519-sha256 [preauth]
2664 2018-12-14 15:06:40.757 debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
2664 2018-12-14 15:06:40.757 debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
2664 2018-12-14 15:06:40.757 debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
2664 2018-12-14 15:06:40.757 debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
2664 2018-12-14 15:06:40.760 debug3: receive packet: type 30 [preauth]
2664 2018-12-14 15:06:40.768 debug3: mm_key_sign entering [preauth]
2664 2018-12-14 15:06:40.768 debug3: mm_request_send entering: type 6 [preauth]
2664 2018-12-14 15:06:40.768 debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
2664 2018-12-14 15:06:40.768 debug3: mm_request_receive_expect entering: type 7 [preauth]
2664 2018-12-14 15:06:40.768 debug3: mm_request_receive entering [preauth]
2664 2018-12-14 15:06:40.768 debug3: mm_request_receive entering
2664 2018-12-14 15:06:40.768 debug3: monitor_read: checking request 6
2664 2018-12-14 15:06:40.769 debug3: mm_answer_sign
2664 2018-12-14 15:06:40.770 debug3: mm_answer_sign: hostkey proof signature 000001683069E4C0(101)
2664 2018-12-14 15:06:40.770 debug3: mm_request_send entering: type 7
2664 2018-12-14 15:06:40.770 debug2: monitor_read: 6 used once, disabling now
2664 2018-12-14 15:06:40.770 debug3: send packet: type 31 [preauth]
2664 2018-12-14 15:06:40.770 debug3: send packet: type 21 [preauth]
2664 2018-12-14 15:06:40.770 debug2: set_newkeys: mode 1 [preauth]
2664 2018-12-14 15:06:40.770 debug1: rekey after 134217728 blocks [preauth]
2664 2018-12-14 15:06:40.770 debug1: SSH2_MSG_NEWKEYS sent [preauth]
2664 2018-12-14 15:06:40.770 debug1: expecting SSH2_MSG_NEWKEYS [preauth]
2664 2018-12-14 15:06:40.770 debug3: send packet: type 7 [preauth]
2664 2018-12-14 15:06:40.778 debug3: receive packet: type 21 [preauth]
2664 2018-12-14 15:06:40.778 debug1: SSH2_MSG_NEWKEYS received [preauth]
2664 2018-12-14 15:06:40.778 debug2: set_newkeys: mode 0 [preauth]
2664 2018-12-14 15:06:40.778 debug1: rekey after 134217728 blocks [preauth]
2664 2018-12-14 15:06:40.778 debug1: KEX done [preauth]
2664 2018-12-14 15:06:40.789 debug3: receive packet: type 5 [preauth]
2664 2018-12-14 15:06:40.789 debug3: send packet: type 6 [preauth]
2664 2018-12-14 15:06:40.789 debug3: receive packet: type 50 [preauth]
2664 2018-12-14 15:06:40.789 debug1: userauth-request for user Administrator service ssh-connection method none [preauth]
2664 2018-12-14 15:06:40.789 debug1: attempt 0 failures 0 [preauth]
2664 2018-12-14 15:06:40.789 debug3: mm_getpwnamallow entering [preauth]
2664 2018-12-14 15:06:40.789 debug3: mm_request_send entering: type 8 [preauth]
2664 2018-12-14 15:06:40.789 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
2664 2018-12-14 15:06:40.789 debug3: mm_request_receive_expect entering: type 9 [preauth]
2664 2018-12-14 15:06:40.789 debug3: mm_request_receive entering [preauth]
2664 2018-12-14 15:06:40.789 debug3: mm_request_receive entering
2664 2018-12-14 15:06:40.789 debug3: monitor_read: checking request 8
2664 2018-12-14 15:06:40.789 debug3: mm_answer_pwnamallow
2664 2018-12-14 15:06:40.790 debug2: parse_server_config: config reprocess config len 394
2664 2018-12-14 15:06:40.790 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
2664 2018-12-14 15:06:40.790 debug3: mm_request_send entering: type 9
2664 2018-12-14 15:06:40.791 debug2: monitor_read: 8 used once, disabling now
2664 2018-12-14 15:06:40.791 debug2: input_userauth_request: setting up authctxt for Administrator [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_inform_authserv entering [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_request_send entering: type 4 [preauth]
2664 2018-12-14 15:06:40.791 debug2: input_userauth_request: try method none [preauth]
2664 2018-12-14 15:06:40.791 debug3: userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
2664 2018-12-14 15:06:40.791 debug3: send packet: type 51 [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_request_receive entering
2664 2018-12-14 15:06:40.791 debug3: monitor_read: checking request 4
2664 2018-12-14 15:06:40.791 debug3: mm_answer_authserv: service=ssh-connection, style=
2664 2018-12-14 15:06:40.791 debug2: monitor_read: 4 used once, disabling now
2664 2018-12-14 15:06:40.791 debug3: receive packet: type 50 [preauth]
2664 2018-12-14 15:06:40.791 debug1: userauth-request for user Administrator service ssh-connection method publickey [preauth]
2664 2018-12-14 15:06:40.791 debug1: attempt 1 failures 0 [preauth]
2664 2018-12-14 15:06:40.791 debug2: input_userauth_request: try method publickey [preauth]
2664 2018-12-14 15:06:40.791 debug1: userauth_pubkey: test pkalg ssh-ed25519 pkblob ED25519 SHA256:2nXx9fR4uOi8KRult6QjtZEvaTHIqH7i4cAv7qg3gSA [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_key_allowed entering [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_request_send entering: type 22 [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_request_receive_expect entering: type 23 [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_request_receive entering [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_request_receive entering
2664 2018-12-14 15:06:40.791 debug3: monitor_read: checking request 22
2664 2018-12-14 15:06:40.791 debug3: mm_answer_keyallowed entering
2664 2018-12-14 15:06:40.791 debug3: mm_answer_keyallowed: key_from_blob: 000001683069E300
2664 2018-12-14 15:06:40.791 debug1: trying public key file C:\\Users\\Administrator\\.ssh/authorized_keys
2664 2018-12-14 15:06:40.792 debug3: Bad permissions. Try removing permissions for user: S-1-5-80-3847866527-469524349-687026318-516638107-1125189541 on file C:/Users/Administrator/.ssh/authorized_keys.
2664 2018-12-14 15:06:40.792 Authentication refused.
2664 2018-12-14 15:06:40.792 debug3: mm_answer_keyallowed: publickey authentication test: ED25519 key is not allowed
2664 2018-12-14 15:06:40.792 Failed publickey for Administrator from 192.168.179.152 port 65269 ssh2: ED25519 SHA256:2nXx9fR4uOi8KRult6QjtZEvaTHIqH7i4cAv7qg3gSA
2664 2018-12-14 15:06:40.792 debug3: mm_request_send entering: type 23
2664 2018-12-14 15:06:40.792 debug2: userauth_pubkey: authenticated 0 pkalg ssh-ed25519 [preauth]
2664 2018-12-14 15:06:40.792 debug3: userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
2664 2018-12-14 15:06:40.792 debug3: send packet: type 51 [preauth]
2664 2018-12-14 15:06:40.794 Connection closed by authenticating user Administrator 192.168.179.152 port 65269 [preauth]
2664 2018-12-14 15:06:40.794 debug1: do_cleanup [preauth]
2664 2018-12-14 15:06:40.795 debug1: monitor_read_log: child log fd closed
2664 2018-12-14 15:06:40.795 debug3: mm_request_receive entering
2664 2018-12-14 15:06:40.795 debug1: do_cleanup
2664 2018-12-14 15:06:40.795 debug1: Killing privsep child 2700

btw.:

PS C:\ProgramData\ssh> Repair-AuthorizedKeyPermission C:\Users\Administrator\.ssh\authorized_keys
  [*] C:\Users\Administrator\.ssh\authorized_keys
      looks good

File ACL:

PS C:\ProgramData\ssh> Get-Acl C:\Users\Administrator\.ssh\authorized_keys|Format-List


Path   : Microsoft.PowerShell.Core\FileSystem::C:\Users\Administrator\.ssh\authorized_keys
Owner  : BUILTIN\Administrators
Group  : WIN-JC8T67AORH2\None
Access : NT SERVICE\sshd Allow  Read, Synchronize
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         WIN-JC8T67AORH2\Administrator Allow  FullControl
Audit  :
Sddl   : O:BAG:S-1-5-21-2330858761-2518894999-591638271-513D:AI(A;;FR;;;S-1-5-80-3847866527-469524349-687026318-516638107-1125189541)(A;ID;FA;;;SY)
         (A;ID;FA;;;BA)(A;ID;FA;;;LA)

I'm on a headless Windows and completely out of ideas.

@manojampalam
Contributor

manojampalam commented Dec 14, 2018

Recommend uncommenting

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Make sure C:\ProgramData\ssh\administrators_authorized_keys is a file (and not a folder containing key files)
And it's administrators_authorized_keys and not administrator_authorized_keys

For administrator C:\ProgramData\ssh\administrator_authorized_keys

@NoMoreFood

NoMoreFood commented Dec 15, 2018

@manojampalam @schmitch The SID it's complaining about is from "NT SERVICE\sshd". Should this permission be necessary?

@manojampalam
Contributor

@NoMoreFood right. That permission should not be there. @schmitch where did you get your version of Repair-AuthorizedKeyPermission utility ?

@schmitch
Author

Actually I did not download anything.
So it was either included in pwsh-core-6.1.1.msi or in Windows Server 2019

@manojampalam
Contributor

@bingbing8 any clue on how Repair-AuthorizedKeyPermission could automatically land up in a system ?

@bingbing8
Contributor

@manojampalam, the only thing I can guess is that an older git version of OpenSSH was downloaded/installed from git or Chocolatey before.

@schmitch
Author

Actually I remembered:

Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
Name  : OpenSSH.Client~~~~0.0.1.0
State : Installed

Name  : OpenSSH.Server~~~~0.0.1.0
State : Installed

# Install the OpenSSH Client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Source: https://docs.microsoft.com/de-de/windows-server/administration/openssh/openssh_install_firstuse

@bingbing8
Contributor

bingbing8 commented Dec 17, 2018

@schmitch your above cmdlets install inbox OpenSSH from Windows Update. The script module was never included as an OpenSSH WindowsCapability. Not sure if your system was upgraded from a previous Windows version or not. The script module was needed on RS3 machines, but is not needed on RS4 and RS5 any more. I guess you may have downloaded the script module if you followed the OpenSSH RS3 blog to fix key permissions on an RS3 machine.

@schmitch
Author

schmitch commented Dec 17, 2018

Then I have no idea how it was installed.
Actually the system was not upgraded; I only installed PowerShell Core and the .NET Core SDK from Microsoft and other build-related tooling like Git, NodeJS etc.
(I also used Pwsh to run the repair script)

@adilinden

I am seeing exactly the same thing. Fresh install of Server 2019 Core with the Hyper-V service.

Installed OpenSSH with:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Running sshd -d gets me:

debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
debug1: Could not open authorized keys '__PROGRAMDATA__/ssh/administrators_authorized_keys': No such file or directory

Do note that I plugged my public key into c:\Users\Administrator\.ssh\authorized_keys.

@adilinden

I commented this out in C:\ProgramData\ssh\sshd_config per instructions above:

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

I then created .ssh/authorized_keys using notepad. Finally I repaired permissions using:

Repair-AuthorizedKeyPermission -FilePath $home\.ssh\authorized_keys

It is still failing, but it's looking for a file now closer to what would be expected; debug from sshd -d:

debug1: trying public key file C:\\Users\\Administrator\\.ssh/authorized_keys
Authentication refused.
Failed publickey for Administrator from 192.168.123.107 port 62628 ssh2: ED25519 SHA256:XUCnOR

@adilinden

Here is what works and doesn't. Note that this is on Server 2019 Core! I previously installed on Server 2016 Core (LTSB release) using the installer from GitHub. With it Repair-AuthorizedKeyPermission was needed and things failed without.

For Server 2019 Core:

Make sure we are in $home

cd $home

Open sshd_config using notepad

notepad C:\ProgramData\ssh\sshd_config

Edit the Match statement pertaining to Administrators

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Create the $home\.ssh directory

mkdir .ssh

Create authorized_keys and add public key(s)

notepad .ssh\authorized_keys

The file created will be authorized_keys.txt, rename to authorized_keys

mv .\.ssh\authorized_keys.txt .\.ssh\authorized_keys

Do NOT repair permissions as this will throw an error

Repair-AuthorizedKeyPermission -FilePath $home\.ssh\authorized_keys

And the error:

debug1: trying public key file C:\\Users\\Administrator\\.ssh/authorized_keys
Authentication refused.

Do NOT create authorized_keys using echo and subsequently editing

echo test > .ssh\authorized_keys
echo $null > .ssh\authorized_keys

And the error:

debug1: read_keyfile_line: C:\\Users\\Administrator\\.ssh/authorized_keys line 1 exceeds size limit
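The failure modes collected in this thread (Notepad's `.txt` suffix, the `echo`-created file that sshd rejects with "line 1 exceeds size limit", and the `NT SERVICE\sshd` ACE behind the "Bad permissions" line in the earlier sshd log) can be checked in one pass. The script below is an added example, not code from this thread or from the Win32-OpenSSH project; it assumes, based on the comments above rather than on project documentation, that sshd accepts the file only when every ACE belongs to SYSTEM, Administrators or the user whose profile holds the file.

```powershell
# Added diagnostic for authorized_keys on Win32-OpenSSH (not the project's code).
# Assumption: the only acceptable ACE principals are SYSTEM, Administrators and
# the user whose profile directory contains the file.
function Test-AuthorizedKeysFile {
    param([string]$Path = "$HOME\.ssh\authorized_keys")

    $findings = @()

    # 1. Filename: Notepad saves "authorized_keys.txt" unless the name is quoted.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        if (Test-Path -LiteralPath "$Path.txt" -PathType Leaf) {
            $findings += "Found '$Path.txt' instead; rename it to 'authorized_keys'."
        } else {
            $findings += "File not found: $Path"
        }
        return $findings
    }

    # 2. Encoding: Windows PowerShell 5.1 writes '>' redirection as UTF-16LE with a
    #    BOM; sshd reported "line 1 exceeds size limit" on such a file in this thread.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        $findings += "UTF-16LE BOM at offset 0; rewrite the file as ASCII (Set-Content -Encoding ascii)."
    } elseif ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $findings += "UTF-8 BOM at offset 0; the first key line will not match."
    } elseif ($bytes -contains 0) {
        $findings += "NUL bytes present; the file is probably UTF-16 without a BOM."
    }

    # 3. Content: every non-comment line must carry a key type and a base64 blob.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    $keyType = '(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))\s+[A-Za-z0-9+/=]+'
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^\s*(#|$)') { continue }
        if ($line -notmatch "(^|\s)$keyType") {
            $findings += "Not a key line: '" + $line.Substring(0, [Math]::Min(40, $line.Length)) + "'"
        }
    }

    # 4. ACL: flag every ACE outside the allowed set. The NT SERVICE\sshd entry that
    #    Repair-AuthorizedKeyPermission added earlier in this thread shows up here.
    $allowed = @('SYSTEM', 'Administrators')
    if ($Path -match '^[A-Za-z]:\\Users\\([^\\]+)\\') { $allowed += $Matches[1] }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $who = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($allowed -notcontains $who) {
            $inh = if ($ace.IsInherited) { ' (inherited)' } else { '' }
            $findings += "Unexpected ACE: $($ace.IdentityReference.Value) $($ace.AccessControlType) $($ace.FileSystemRights)$inh"
        }
    }
    if (@($acl.Access | Where-Object { $_.IsInherited }).Count -gt 0) {
        $findings += "Inheritance enabled; run 'icacls `"$Path`" /inheritance:r' after granting the expected principals."
    }

    return $findings
}

$result = @(Test-AuthorizedKeysFile)
if ($result.Count -eq 0) { 'No problems found.' } else { $result }
```

Run it as the account that owns the profile (or from an elevated prompt with `-Path` pointing at another user's file); each reported line maps to one of the fixes given in the comments above.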

@schmitch
Author

Actually I'm on Server Core as well. However, after "fixing" the sshd config and now correcting the permission (i.e. not using the PowerShell command), everything works, with ed keys.

@SNikalaichyk

SNikalaichyk commented Jan 3, 2019

Hi! I was able to get the C:\ProgramData\ssh\administrators_authorized_keys file to work.

You should set the ACL for the administrators_authorized_keys file to match the ACL of the ssh_host_dsa_key file in the same C:\ProgramData\ssh directory.

icacls C:\ProgramData\ssh\administrators_authorized_keys /remove "NT AUTHORITY\Authenticated Users"
icacls C:\ProgramData\ssh\administrators_authorized_keys /inheritance:r

Then restart SSH services:

Restart-Service -Name sshd, ssh-agent -Force

@inickt commented Jan 28, 2019

I had the same problem with a fresh install of Windows 10 Pro (October 2018 update 17763) in a virtual machine.

To fix I had to:

  • uncomment the Match policy in sshd_config
  • convert authorized_keys in .ssh from Unix to CRLF line endings (I had scp'ed this from Linux without thinking about this)
  • run Repair-AuthorizedKeyPermission on authorized_keys

@nathanshearer

I can confirm PubkeyAuthentication with authorized_keys is very broken in 7.9.0.0p1-Beta on a fresh Windows 7 Pro SP1 install.
I downgraded to 7.6.1.0p1-Beta and reinstalled from scratch. With this older version I was able to login with the same authorized_keys file.

@rob-scheepens commented Feb 12, 2019

I'm trying to get this to work on 7.9.0.1 on 2019. Using ProcMon I noticed this ACCESS_DENIED for sshd.exe:
8:02:15.4257933 AM sshd.exe 2084 RegOpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters ACCESS DENIED Desired Access: All Access
Adding NT SERVICE\sshd to the relevant location did not make a difference.

Debug log:
C:\Program Files\OpenSSH-Win64>sshd -d
debug1: sshd version OpenSSH_for_Windows_7.9, LibreSSL 2.6.5
debug1: get_passwd: LookupAccountName() failed: 1332.
debug1: private host key #0: ssh-rsa SHA256:7bomFacw1cHpyMCnzLi3+G4HOicIv3jddTnWigJEjY4
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:va3LpBEn29gupfMrlqnUjl3/U9rav8tau3WfEmFEuzA
debug1: private host key #2: ssh-ed25519 SHA256:rx6LykIntPF00V4fTlv6mw8TlwL15iRBhhECrHRUEzA
debug1: rexec_argv[0]='sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 10.56.1.102 port 49808 on 10.57.16.149 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_for_Windows_7.9
debug1: match: OpenSSH_for_Windows_7.9 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.9
debug1: sshd version OpenSSH_for_Windows_7.9, LibreSSL 2.6.5
debug1: get_passwd: LookupAccountName() failed: 1332.
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user drmperf1\\\\administrator service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: get_passwd: LookupAccountName() failed: 1332.
Invalid user drmperf1\\administrator from 10.56.1.102 port 49808
debug1: authentication methods list 0: publickey
debug1: authentication methods list 0: publickey [preauth]
debug1: userauth-request for user drmperf1\\\\administrator service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:q46vzhlzMioBX9RHDS3L9WqgVvO07wIaXMPr3LKdNUU [preauth]
Connection reset by invalid user drmperf1\\\\administrator 10.56.1.102 port 49808 [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: Killing privsep child 4684

Edit: fixed by specifying administrator so it looked for the user administrator on the ssh server instead of the domain user I was logged on with, as the ssh server is not part of the same domain.

@NoMoreFood

Can you close the issue if you believe it to be resolved?

@schmitch (Author)

Actually, since the problem was solved on my side and is probably a totally different issue than the others, I'm closing this.

@vagabond1132

Are there any administrators_authorized_keys in the C:\ProgramData\ssh directory?

debug1: KEX done [preauth]
debug1: userauth-request for user administrator service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: user C:\\Users\\Administrator matched group list administrators at line 88
debug1: userauth-request for user administrator service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:o+WFqqS/UqUzbM3mhGY+oTiF0scZBatZKpnRgf0FCGQ [preauth]
debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
debug1: Could not open authorized keys '__PROGRAMDATA__/ssh/administrators_authorized_keys': No such file or directory
Failed publickey for administrator from 192.168.100.156 port 9223 ssh2: RSA SHA256:o+WFqqS/UqUzbM3mhGY+oTiF0scZBatZKpnRgf0FCGQ
debug1: userauth-request for user administrator service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 2 failures 1 [preauth]
debug1: keyboard-interactive devs [preauth]
debug1: auth2_challenge: user=administrator devs= [preauth]

@jemiller0

Why is it looking under C:\ProgramData???? I am trying to login to my account, not administrator. My account is in the Administrator group. However, this is not how SSH works on Linux. It should be looking in my home directory in the .ssh directory. You would think this would be something that would be the first thing to get working by Microsoft. It's only one of the first things people want to do when setting up SSH.

@rkeithhill commented Apr 9, 2019

PubKey auth is still not working for quite a few folks. Not sure why this was closed. The most voted up response did not work for me. Seems like pubkey authentication is a bit of cluster-cuss in Windows OpenSSH. :-( For instance, why doesn't the OpenSSH Server feature create an empty administrators_authorized_keys file in the <ProgramData>\ssh dir with the appropriate permissions? Either that or comment out this in the sshd_config file:

Match Group administrators
      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Also, the opensshutils command Repair-AuthorizedKeyPermission hasn't been updated to work on this centralized version of the file.

The current setup for pubkey auth is not good. It does not put the user in the pit of success. More like the pit of despair. :-(

@kimreyio

The most upvoted didn't work for me, or following the instructions on MS's site. I think I also installed a psgallery script when it wasn't needed, or maybe even correct for my latest windows 10. Can we please get some concise direction on this issue?

@bobpepin commented Apr 18, 2019

For a fresh installation inside VirtualBox, as of April 2019, the following worked for me:

  1. DO NOT follow the official M$ documentation at https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement
    1.a. DO NOT use Repair-AuthorizedKeyPermission
  2. DO comment out the section on administrators_authorized_keys at the end of \ProgramData\ssh\sshd_config
  3. DO put your public keys in $home/.ssh/authorized_keys (e.g. using scp with password auth)
  4. DO make sure the authorized_keys file has windows CRLF line endings

#https://github.com/MicrosoftDocs/windowsserverdocs/issues/2171
#https://github.com/MicrosoftDocs/windowsserverdocs/issues/1911


@Adnn commented May 20, 2019

This should not be closed, since the issue exactly as described here, "Pub key auth not working", is always the case when following the official instructions for an administrator user (and Repair-AuthorizedKeyPermission currently makes things worse).
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement

@yobyot commented Jun 8, 2019

I agree completely with @Adnn. The doc is a disaster and it's impossible to use key-only authentication with OpenSSH server on Windows Server 2019 (non-core). I've been trying for three days, then found this incident which also hasn't helped.

If this is a supported port for Windows Server, it needs detailed doc that is correct along with working examples. Otherwise, the current state of the port is bound to disappoint -- even infuriate -- people trying to set up public key-only authentication. That's the default for things like EC2 instances and Azure VMs and doing it for Windows Server should be cut-and-dried.

As it now stands, I don't think anyone really knows how to set this up correctly and securely.

@manojampalam (Contributor)

@maertendMSFT can you follow up on fixing documentation at
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement

OpenSSHUtils module should be deprecated.


@devopsmikey

This is what got me working. Staring at C:\ProgramData\ssh\sshd_config I noticed this line was commented!!!

#PubkeyAuthentication yes

No idea how that happened; my box was pre-imaged. I uncommented that, plus ensured that these two lines in the config file were commented out:

#Match Group administrators
#      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

I then restarted with:

Restart-Service -Name sshd, ssh-agent -Force

And now it's working. OMG what a battle. Huge thanks to everyone who's posting here.

@jfromaniello

I initially installed with Add-WindowsCapability and I couldn't make it work even following everything in this thread; I suspect that something in the binary is broken. Here is how I made it work:

(caveat: you need Chocolatey)

First remove the windows capability:

Remove-WindowsCapability -Online -Name "OpenSSH.Client~~~~0.0.1.0"
Remove-WindowsCapability -Online -Name "OpenSSH.Server~~~~0.0.1.0"

Then install openssh latest version with chocolatey:

choco install openssh -params '"/SSHServerFeature /KeyBasedAuthenticationFeature /SSHAgentFeature"'

@mippos commented Jul 3, 2019

Excellent @jfromaniello! I had big problems to get windows capability to work on one machine, but choco's package with those parameters work perfectly.

@andreasRu commented Jul 31, 2019

Just to add some information: if StrictModes is set to yes, you should verify file permissions as follows.

Option I:

  1. Comment out AuthorizedKeysFile in sshd_config. That will make sshd read the default authorized_keys file from the home directory of the user that is logging in.

  2. That would be:
    C:\Users\username\.ssh\authorized_keys

File permissions for StrictModes to work:
C:\Users\username\.ssh\
C:\Users\username\.ssh\authorized_keys
The default inherited file permissions of the user's home directory should work.

Option II:
In some cases, and when you want to skip that and force only one central authorized_keys file to be read, do as follows:

  1. Set AuthorizedKeysFile in sshd_config to:
    AuthorizedKeysFile __PROGRAMDATA__/ssh/.ssh/authorized_keys

  2. Put the authorized_keys file in a directory named .ssh (create the directory .ssh if necessary):
    C:\ProgramData\ssh\.ssh\authorized_keys

  3. Set file permissions to work with StrictModes as follows:

  • remove the group "Authenticated Users" from the folder C:\ProgramData\ssh\.ssh\
  • remove the group "Authenticated Users" from the file C:\ProgramData\ssh\.ssh\authorized_keys
    The group "Authenticated Users" was what made StrictModes block public key authentication.

  4. For additional security, set the permissions of folder and file to the SYSTEM group and the accessing user to READ ONLY. No other users or groups should be defined there unless you want someone to access with a second administrator account with public key authentication. Otherwise do it like described in Option I.

Hope that helps others a little.

@teutat3s commented Aug 7, 2019

Thank you all for your input. I managed to get the

Match Group administrators
        AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

shipped with the original sshd_config file working.

  • I scp'd the pub key file from a macOS machine, opened it once in notepad, saved (don't know if that was necessary).

  • Then changed permissions of administrators_authorized_keys file: Set Owner to SYSTEM and removed Authenticated User from the list.

Hope this helps someone getting this to work, too.

@mcxiaoke

[quotes @devopsmikey's comment above]

thanks, simple solution, but worked for me!

@thatreguy

[quotes @devopsmikey's comment above]

This. I simply do not get why someone would disable PubkeyAuthentication by default. Probably an oversight just like the useless OpenSSH {client|server} optional feature offered by MS!

@jeremybusk

This still isn't working for me. It really is sad it is this hard and no ssh-copy-id.

@bagajjal (Collaborator) commented Jan 9, 2020

@jeremybusk - Please share the ssh client logs (ssh.exe -vvv user@ip) and the sshd.log with DEBUG3 enabled.

If "%programdata%\ssh\sshd_config" doesn't have the below config then add it and restart the sshd service (net stop sshd; net start sshd):
SyslogFacility LOCAL0
LogLevel DEBUG3

The sshd.log file will be at %programdata%\ssh\logs directory.
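The logging setup bagajjal asks for, followed by a small classifier that maps the sshd debug lines quoted earlier in this thread (rob-scheepens, vagabond1132 and the first post) to the cause each one turned out to have. This is an added PowerShell example, not code from this thread or from the Win32-OpenSSH project; it assumes the optional-feature layout under %ProgramData%\ssh, and the sample log lines are constructed from the quotes above.

```powershell
# Added example (not from the thread or the Win32-OpenSSH project). Run in an elevated PowerShell.
$cfgPath = Join-Path $env:ProgramData 'ssh\sshd_config'
$logPath = Join-Path $env:ProgramData 'ssh\logs\sshd.log'

# 1. Make sure the two logging directives are present, appending them as plain ASCII (no BOM, no UTF-16).
$cfg = Get-Content -Path $cfgPath
$add = @()
if (-not ($cfg -match '^\s*SyslogFacility\s+LOCAL0')) { $add += 'SyslogFacility LOCAL0' }
if (-not ($cfg -match '^\s*LogLevel\s+DEBUG3'))       { $add += 'LogLevel DEBUG3' }
if ($add.Count -gt 0) {
    Add-Content -Path $cfgPath -Value $add -Encoding ASCII
    Restart-Service -Name sshd
}

# 2. Map the messages seen in this thread to what they meant for the people who posted them.
function Get-SshdAuthFailureCause {
    param([Parameter(Mandatory)][string[]]$LogLines)
    $rules = [ordered]@{
        "Could not open authorized keys '__PROGRAMDATA__/ssh/administrators_authorized_keys'" = 'The administrators Match block is active but administrators_authorized_keys does not exist: create it with a SYSTEM/Administrators-only ACL, or comment the Match block out'
        'Authentication refused'                  = 'StrictModes rejected the ACL: a principal other than SYSTEM, Administrators or the file owner (typically Authenticated Users, inherited from the parent) has access to authorized_keys or its directory'
        'read_keyfile_line: .* exceeds size limit' = 'authorized_keys is not single-byte text (UTF-16 from ">" redirection in Windows PowerShell, or a BOM): rewrite it as ASCII/UTF-8 without BOM'
        'LookupAccountName\(\) failed: 1332'      = 'sshd cannot resolve the user name (for example DOMAIN\user sent to a host that is not in that domain): log in with the local account name'
        'Failed publickey for'                    = 'The offered key is not in the file sshd actually read; the preceding "trying public key file" line names that file'
    }
    foreach ($line in $LogLines) {
        foreach ($pattern in $rules.Keys) {
            if ($line -match $pattern) {
                [pscustomobject]@{ Line = $line.Trim(); LikelyCause = $rules[$pattern] }
            }
        }
    }
}

# Constructed sample, assembled from the debug output quoted by commenters above.
$sample = @(
    'debug1: trying public key file C:\\Users\\Administrator\\.ssh/authorized_keys',
    'Authentication refused.',
    'debug1: read_keyfile_line: C:\\Users\\Administrator\\.ssh/authorized_keys line 1 exceeds size limit',
    "debug1: Could not open authorized keys '__PROGRAMDATA__/ssh/administrators_authorized_keys': No such file or directory",
    'debug1: get_passwd: LookupAccountName() failed: 1332.',
    'Failed publickey for administrator from 192.168.100.156 port 9223 ssh2: RSA SHA256:o+WFqqS/UqUzbM3mhGY+oTiF0scZBatZKpnRgf0FCGQ'
)
Get-SshdAuthFailureCause -LogLines $sample | Format-Table -AutoSize -Wrap

# 3. Against the real log once DEBUG3 is on; the last few hundred lines cover one login attempt.
if (Test-Path -LiteralPath $logPath) {
    Get-SshdAuthFailureCause -LogLines (Get-Content -Path $logPath -Tail 300) | Format-Table -AutoSize -Wrap
}
```

The patterns are deliberately loose (plain substrings, case-insensitive) so they also match the Windows port's shorter "Authentication refused." wording; add a rule per new message you meet rather than trying to parse the whole log format.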

@AlexeyNovikov commented Feb 22, 2020

Solution

For sshd_config do the following changes:

  1. Comment this one:
#Match Group administrators
#      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
  2. Uncomment these two:
PubkeyAuthentication yes
PasswordAuthentication no

Then open PowerShell as Admin and restart service:
Restart-Service sshd

Then through GUI.
For .ssh folder and authorized_keys file do the following:

  1. Properties -> Security -> Advanced -> Disable inheritance -> Convert inherited permissions into explicit permissions on this object.
  2. Then delete all users(groups) except:
  • System
  • Administrators
  • current user
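The sshd_config half of the fix that this comment, devopsmikey, bobpepin and the Server 2019 Core walkthrough at the top of this section all describe, as one added PowerShell example (not code from this thread or from the Win32-OpenSSH project). It comments out the administrators Match block, forces PubkeyAuthentication on, restarts the service and then asks sshd itself what it ended up with. Assumptions: the optional-feature paths under %ProgramData%\ssh and %SystemRoot%\System32\OpenSSH, and that sshd.exe accepts the upstream -T configuration-dump option in your build; the backup file name is my choice.

```powershell
# Added example (not from the thread or the Win32-OpenSSH project). Run in an elevated PowerShell.
$sshdExe = Join-Path $env:SystemRoot 'System32\OpenSSH\sshd.exe'   # optional-feature install path
$cfgPath = Join-Path $env:ProgramData 'ssh\sshd_config'
Copy-Item -Path $cfgPath -Destination "$cfgPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"

$seenPubkey = $false
$new = foreach ($line in (Get-Content -Path $cfgPath)) {
    switch -Regex ($line) {
        # 1. Comment out the two-line Match block so administrators fall back to %USERPROFILE%\.ssh\authorized_keys.
        '^\s*Match\s+Group\s+administrators\b'                                        { "#$line"; break }
        '^\s*AuthorizedKeysFile\s+__PROGRAMDATA__/ssh/administrators_authorized_keys' { "#$line"; break }
        # 2. Set PubkeyAuthentication yes whether the line was commented out, missing, or set to no.
        '^\s*#?\s*PubkeyAuthentication\b'                                             { 'PubkeyAuthentication yes'; $seenPubkey = $true; break }
        default                                                                       { $line }
    }
}
if (-not $seenPubkey) { $new += 'PubkeyAuthentication yes' }

# sshd_config must be plain text without a BOM, so write it as ASCII rather than with ">".
Set-Content -Path $cfgPath -Value $new -Encoding ASCII
Restart-Service -Name sshd

# 3. Read the effective values back from the daemon instead of trusting the edit.
& $sshdExe -T | Select-String -Pattern '^(pubkeyauthentication|passwordauthentication|authorizedkeysfile|strictmodes)\b'
```

The rewrite is idempotent, so it is safe to re-run after an update re-ships the default file. PasswordAuthentication is deliberately left alone here: switch it to no only after a key login has succeeded, or you lock yourself out of a box you can only reach over SSH.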

@craigthackerx

[quotes @AlexeyNovikov's solution above]

Worked for me. Cheers.

@xakod commented Mar 28, 2020

[quotes @AlexeyNovikov's solution above]

Did all of this and it didnt work for me.
P.S. StrictModes no tried too

@icosahedron

Finally got it working for myself on Windows 10 Pro using half of one of the solutions above. The key was "make sure that it has the same permissions as ssh_host_ecdsa_key".

The same solution also recommended using icacls .\administrators_authorized_keys /inheritance:r, but this simply reset the permissions to nil. After resetting the permissions to the same as the key file, it then worked.

@Daniel15

[quotes @AlexeyNovikov's solution above]

Thanks for this! I had set the permissions on authorized_keys just to my user and forgot to add SYSTEM. That fixed it for me!

@jyavenard

[quotes @jfromaniello's Chocolatey steps above]

After struggling for a couple of hours on this, I have to report that this made it all work immediately.

I just couldn't get over the error
12400 2020-06-28 13:55:52.151 Failed publickey for jyavenard from 192.168.160.1 port 51616 ssh2: RSA SHA256:Wsc+cG7fFMQi36MiurOKMpq3NFFAlqjlmoZ+vFVWjG8
12400 2020-06-28 13:55:52.158 debug1: userauth-request for user jyavenard service ssh-connection method keyboard-interactive [preauth]
12400 2020-06-28 13:55:52.158 debug1: attempt 2 failures 1 [preauth]
12400 2020-06-28 13:55:52.158 debug1: keyboard-interactive devs [preauth]
12400 2020-06-28 13:55:52.158 debug1: auth2_challenge: user=jyavenard devs= [preauth]
12400 2020-06-28 13:55:52.158 debug1: kbdint_alloc: devices '' [preauth]
12400 2020-06-28 13:55:53.186 Connection closed by authenticating user jyavenard 192.168.160.1 port 51616 [preauth]

@jemiller0

I don't know why Microsoft even provides support for this, if basic functionality doesn't work out of the box. It's an embarrassment.

@yao-bin commented Nov 20, 2020

Thanks for all who comment out this!

#Match Group administrators
#AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

@frippe75 commented Mar 24, 2021

Just as a side-note for those not wanting to comment out that clause and use the __PROGRAMDATA__/ssh/administrators_authorized_keys file as "intended".

I struggled with it for over an hour before realizing, from how it works on Linux, that it silently discards the auth file when the permissions on it are too open.

I disabled inheritance for the parent and removed "read & execute" for Authenticated Users.
I think this is part of what Repair-AuthorizedKeyPermission.ps1 does but could not find it to have a look at the source.

@realsircodesalot

[quotes @SNikalaichyk's icacls commands above]

Thank you so much @SNikalaichyk! Those commands resolved an issue I was having getting OpenSSH to work on Windows Server 2016!! I didn't think about the permissions on that file, but now it makes sense come to think of it!

@bagajjal (Collaborator)

fyi, starting from Win32-OpenSSH V8.6, there is no need to modify the administrators_authorized_keys ACLs.
All users can have read permissions to administrators_authorized_keys file as it contains the public key information for admin users.

@pshri commented Dec 22, 2021

this worked for me

# Disable inheritance on administrators_authorized_keys and leave only Administrators and SYSTEM with access.
$path = 'C:\ProgramData\ssh\administrators_authorized_keys'
$acl = Get-Acl -Path $path
# $true = stop inheriting from C:\ProgramData; $false = do not copy the inherited ACEs (this is what drops Authenticated Users)
$acl.SetAccessRuleProtection($true, $false)
$administratorsRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl","Allow")
$systemRule = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl","Allow")
$acl.SetAccessRule($administratorsRule)
$acl.SetAccessRule($systemRule)
Set-Acl -Path $path -AclObject $acl

credit: https://superuser.com/questions/1445976/windows-ssh-server-refuses-key-based-authentication-from-client
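An audit-then-fix version of the ACL change that SNikalaichyk (icacls), andreasRu (Option II), AlexeyNovikov (the GUI steps) and pshri (the script above) each describe, as an added PowerShell example that is not code from this thread or from the Win32-OpenSSH project. It reports which principals on the file would trip the port's StrictModes check before touching anything, and only rebuilds the DACL when asked. Assumptions: the check is the one the commenters observed (only SYSTEM, Administrators and the file owner may hold an ACE), identities are compared by well-known SID so the result does not depend on the host's display language, and the function name is mine.

```powershell
# Added example (not from the thread or the Win32-OpenSSH project). Run in an elevated PowerShell.
function Test-SshdKeyFileAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Fix
    )
    # Well-known SIDs: NT AUTHORITY\SYSTEM and BUILTIN\Administrators.
    $system  = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'
    $admins  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    $allowed = @($system.Value, $admins.Value)

    $acl      = Get-Acl -LiteralPath $Path
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value

    # An ACE for anyone other than SYSTEM, Administrators or the owner is what makes sshd refuse the file;
    # Authenticated Users, inherited from C:\ProgramData, is the usual offender in this thread.
    $offending = @($acl.Access | Where-Object {
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        ($sid -ne $ownerSid) -and ($allowed -notcontains $sid)
    })

    if ($Fix -and $offending.Count -gt 0) {
        $acl.SetAccessRuleProtection($true, $false)                      # stop inheriting, drop inherited ACEs
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            [void]$acl.RemoveAccessRule($ace)                            # and clear any explicit ACEs as well
        }
        foreach ($sid in @($system, $admins)) {
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'FullControl', 'Allow')))
        }
        Set-Acl -LiteralPath $Path -AclObject $acl
        $acl       = Get-Acl -LiteralPath $Path                          # re-read so the report shows the applied state
        $offending = @()
    }

    [pscustomobject]@{
        Path          = $Path
        Owner         = $acl.Owner
        Offending     = ($offending | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        Principals    = ($acl.Access | ForEach-Object { "$($_.IdentityReference.Value):$($_.FileSystemRights)" }) -join '; '
        StrictModesOk = ($offending.Count -eq 0)
    }
}

# Audit first; add -Fix to rebuild the DACL as SYSTEM + Administrators only.
$adminKeys = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
Test-SshdKeyFileAcl -Path $adminKeys
Test-SshdKeyFileAcl -Path $adminKeys -Fix
```

The Owner column is shown because the port checks ownership as well as ACEs; if a file is owned by some other account, reassign it before re-running. For a per-user %USERPROFILE%\.ssh\authorized_keys the owner is the user, so the inherited profile ACL normally passes (andreasRu's Option I) and this function should report StrictModesOk without -Fix. As bagajjal notes above, from Win32-OpenSSH V8.6 the strict ACL is no longer required on administrators_authorized_keys, so on current builds the audit is informational.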

@TonalidadeHidrica

Does @adilinden or anybody know why echo-ing into authorized_keys doesn't work?

@yTI0r commented Oct 12, 2024

I had a similar problem; nothing helped. I came across the advice to check that the authorized_keys file has CRLF line endings.
Actually, I noticed that the file created by Notepad had a UTF-16 BOM encoding; as soon as I changed the encoding to UTF-8, everything worked!

Check that your authorized_keys has CRLF line endings and UTF-8 encoding without a BOM.
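The file-format side of this comment, bobpepin's CRLF note, the first post's echo failure ("line 1 exceeds size limit") and TonalidadeHidrica's question, as one added PowerShell example that is not code from this thread or from the Win32-OpenSSH project. Write-AuthorizedKeys writes the file the way sshd reads it (ASCII, CRLF, no BOM) and refuses lines that are not "type blob [comment]"; Test-AuthorizedKeysFile reads an existing file back as bytes and reports the BOM, NUL bytes and line endings so you can see what Notepad or ">" produced. The function names, the %TEMP% paths and the placeholder key blob are mine; the blob is constructed and is not a real key.

```powershell
# Added example (not from the thread or the Win32-OpenSSH project).
function Write-AuthorizedKeys {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$PublicKeys
    )
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $clean = foreach ($k in $PublicKeys) {
        $k = $k.Trim()
        if ($k -eq '' -or $k.StartsWith('#')) { continue }
        # Each line is "<keytype> <base64 blob> [comment]"; refuse anything else before it reaches sshd.
        $parts = $k -split '\s+', 3
        if ($parts.Count -lt 2 -or $parts[0] -notmatch '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)$') {
            throw "not a public key line: $k"
        }
        [void][Convert]::FromBase64String($parts[1])   # throws if the blob is not valid base64
        $k
    }
    # Write through .NET as ASCII: in Windows PowerShell 5.1 ">" and Out-File default to UTF-16LE with a BOM,
    # and older Notepad builds save a BOM too; sshd parses neither as a key file.
    [System.IO.File]::WriteAllText($Path, (($clean -join "`r`n") + "`r`n"), [System.Text.Encoding]::ASCII)
}

function Test-AuthorizedKeysFile {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $bom = 'none'
    if     ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) { $bom = 'UTF-8 BOM' }
    elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) { $bom = 'UTF-16LE BOM' }
    elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) { $bom = 'UTF-16BE BOM' }
    $nul  = @($bytes | Where-Object { $_ -eq 0 }).Count              # UTF-16 text is full of NUL bytes
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    $crlf = ([regex]::Matches($text, "`r`n")).Count
    $lf   = ([regex]::Matches($text, "`n")).Count
    $keyLines = @($text -split "`r?`n" | Where-Object { $_.Trim() -ne '' -and $_ -notmatch '^\s*#' }).Count
    [pscustomobject]@{
        Path = $Path; Bom = $bom; NulBytes = $nul; CrlfEndings = $crlf; BareLfEndings = ($lf - $crlf); KeyLines = $keyLines
        LooksOk = ($bom -eq 'none' -and $nul -eq 0 -and $keyLines -gt 0)
    }
}

# Constructed sample: a syntactically valid line with a placeholder blob, not a real key.
$blob = [Convert]::ToBase64String([byte[]](1..51))
$good = Join-Path $env:TEMP 'authorized_keys'
Write-AuthorizedKeys -Path $good -PublicKeys @("ssh-ed25519 $blob constructed-sample")
Test-AuthorizedKeysFile -Path $good

# The same line written with ">" in Windows PowerShell 5.1, i.e. the echo pitfall from the first post.
$bad = Join-Path $env:TEMP 'authorized_keys_broken'
"ssh-ed25519 $blob constructed-sample" > $bad
Test-AuthorizedKeysFile -Path $bad

# Real use: Write-AuthorizedKeys -Path "$HOME\.ssh\authorized_keys" -PublicKeys (Get-Content .\id_ed25519.pub)
```

Run side by side, the first report shows no BOM and no NUL bytes while the second shows a UTF-16LE BOM and a NUL after every character, which is why sshd sees one enormous unterminated line. CRLF is written because several commenters found it necessary, but the encoding, not the line ending, is what the diagnostic flags; on PowerShell 7, where ">" writes UTF-8 without a BOM, the second file comes out clean.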
