PubKey Auth not working #1306
Comments
i.e. copy the pubkey to C:\ProgramData\ssh\administrator_authorized_keys does not resolve the problem either |
I found that the SSH Config contained something like:
however even when commenting it out, it still does not work.
btw.:
File ACL:
I'm on a headless Windows and completely out of ideas. |
Recommend uncommenting
Make sure C:\ProgramData\ssh\administrators_authorized_keys is a file (and not a folder containing key files)
|
@manojampalam @schmitch The SID it's complaining about is from "NT SERVICE\sshd". Should this permission be necessary? |
@NoMoreFood right. That permission should not be there. @schmitch where did you get your version of Repair-AuthorizedKeyPermission utility ? |
Actually I did not download anything. |
@bingbing8 any clue on how Repair-AuthorizedKeyPermission could automatically land up in a system ? |
@manojampalam, the only thing I can guess is that an older git version of openssh was downloaded/installed from git or Chocolatey before. |
Actually I remembered:
Source: https://docs.microsoft.com/de-de/windows-server/administration/openssh/openssh_install_firstuse |
@schmitch your above cmdlets install inbox openssh from windows update. The script module was never included as OpenSSH WindowsCapability. Not sure if your system is upgraded from previous windows version or not. The script module was needed on RS3 machine, but not needed on RS4 and RS5 any more. I guess you may have downloaded the script module if you followed the openssh RS3 blog to fix key permission on RS3 machine. |
Then I have no idea how it was installed. |
I am seeing the exactly same thing. Fresh install of Server 2019 Core with Hyper-V service. Installed OpenSSH with:
Running
Do note that I plugged my public key into |
I commented this out in
I then created
It is still failing, but it's looking for a file now closer to what would be expected, debug from
|
Here is what works and doesn't. Note that this is on Server 2019 Core! I previously installed on Server 2016 Core (LTSB release) using the installer from GitHub. With it For Server 2019 Core: Make sure we are in
Open
Edit the
Create the
Create
The file created will be
Do NOT repair permissions as this will throw an error
And the error:
Do NOT create
And the error:
|
Actually I'm on Server Core as well. However after "fixing" the sshd config and now correcting the permission (i.e. not using the powershell command everything works, with ed keys) |
Hi! I was able to get the You should set the ACL for the
Then restart SSH services: Restart-Service -Name sshd, ssh-agent -Force |
I had the same problem with a fresh install of Windows 10 Pro (October 2018 update 17763) in a virtual machine. To fix I had to:
|
I can confirm PubkeyAuthentication with authorized_keys is very broken in 7.9.0.0p1-Beta on a fresh Windows 7 Pro SP1 install. |
I'm trying to get this to work on 7.9.0.1 on 2019. Using ProcMon I noticed this ACCESS_DENIED for sshd.exe: Debug log: Edit: fixed by specifying administrator so it looked for the user administrator on the ssh server instead of the domain user I was logged on with, as the ssh server is not part of the same domain. |
Can you close the issue if you believe it to be resolved? |
actually since the problem was solved on my side is probably a totally different issue than the others, I'm closing this. |
Are there any administrators_authorized_keys in the C:\ProgramData\ssh directory?
|
Why is it looking under C:\ProgramData???? I am trying to login to my account, not administrator. My account is in the Administrator group. However, this is not how SSH works on Linux. It should be looking in my home directory in the .ssh directory. You would think this would be something that would be the first thing to get working by Microsoft. It's only one of the first things people want to do when setting up SSH. |
PubKey auth is still not working for quite a few folks. Not sure why this was closed. The most voted up response did not work for me. Seems like pubkey authentication is a bit of cluster-cuss in Windows OpenSSH. :-( For instance, why doesn't the OpenSSH Server feature create an empty
Also, the opensshutils command Repair-AuthorizedKeyPermission hasn't been updated to work on this centralized version of the file. The current setup for pubkey auth is not good. It does not put the user in the pit of success. More like the pit of despair. :-( |
The most upvoted didn't work for me, or following the instructions on MS's site. I think I also installed a psgallery script when it wasn't needed, or maybe even correct for my latest windows 10. Can we please get some concise direction on this issue? |
For a fresh installation inside VirtualBox, as of April 2019, the following worked for me:
#https://github.com/MicrosoftDocs/windowsserverdocs/issues/2171 |
I used the previous version,
Powerline modify the file, it will be usable
Keith Hill <notifications@github.com> wrote on Wed, Apr 10, 2019 at 5:53 AM:
… PubKey auth is still not working for quite a few folks. Not sure why this
was closed. The most voted up response did not work for me. Seems like
pubkey authentication is a bit of cluster-cuss in Windows OpenSSH. :-(
|
This should not be closed, since the issue exactly as described here "Pub key auth not working", is always the case when following the official instructions for an administrator user (and |
I agree completely with @Adnn. The doc is a disaster and it's impossible to use key-only authentication with OpenSSH server on Windows Server 2019 (non-core). I've been trying for three days, then found this incident which also hasn't helped. If this is a supported port for Windows Server, it needs detailed doc that is correct along with working examples. Otherwise, the current state of the port is bound to disappoint -- even infuriate -- people trying to set up public key-only authentication. That's the default for things like EC2 instances and Azure VMs and doing it for Windows Server should be cut-and-dried. As it now stands, I don't think anyone really knows how to set this up correctly and securely. |
@maertendMSFT can you follow up on fixing documentation at OpenSSHUtils module should be deprecated. |
I, via https://operator-error.com/2018/04/16/windows-amis-with-even/ and https://github.com/jen20/packer-aws-windows-ssh/blob/master/files/configure-source-ssh.ps1#L99-L114 (and https://stackoverflow.com/questions/16212816/setting-up-openssh-for-windows-using-public-key-authentication), with OpenSSH 7.9.0.1-Beta1, have pubkey auth working (within googlecompute with windows 2016 server). Thanks @jen20! |
This is what got me working. Staring at
No idea how that happened; my box was pre-imaged. I uncommented that, plus ensured that these two lines in the config file were commented out:
I then restarted with:
And now it's working. OMG what a battle. Huge thanks to everyone who's posting here. |
I initially installed with (caveat you need chocolatey) First remove the windows capability:
Then install openssh latest version with chocolatey:
|
Excellent @jfromaniello! I had big problems to get windows capability to work on one machine, but choco's package with those parameters work perfectly. |
Just to add some information: If StrictModes is set to yes, you should verify file permissions as follows. Option I:
File permissions for strictmode to work: OPTION II:
Hope that helps a little others. |
Thank you all for your input. I managed to get the
shipped with the original
Hope this helps someone getting this to work, too. |
thanks, simple solution, but worked for me! |
This. I simply do not get why someone would disable PubkeyAuthentication by default. Probably an oversight just like the useless OpenSSH {client|server} optional feature offered by MS! |
This still isn't working for me. It really is sad it is this hard and no ssh-copy-id. |
@jeremybusk - Please share the ssh client logs (ssh.exe -vvv user@ip) and the sshd.log with DEBUG3 enabled. If "%programdata%\ssh\sshd_config" file doesn't have the below config then add it and restart the sshd service (net stop sshd; net start sshd) The sshd.log file will be at %programdata%\ssh\logs directory. |
Solution
For sshd-config do the following changes:
Then open PowerShell as Admin and restart service: Then through GUI.
|
Worked for me. Cheers. |
Did all of this and it didn't work for me. |
Finally got it working for myself on Windows 10 Pro using half of one of the solutions above. The key was "make sure that it has the same permissions as ssh_host_ecdsa_key". The same solution also recommended using |
Thanks for this! I had set the permissions on |
After struggling for a couple of hours on this; I have to report that this made it all works immediately. I just couldn't get over the error |
I don't know why Microsoft even provides support for this, if basic functionality doesn't work out of the box. It's an embarrassment. |
Thanks for all who comment out this! #Match Group administrators |
Just as a side-note for those not wanting to comment out that clause and use the PROGRAMDATA/ssh/administrators_authorized_keys file as "intended". I struggle with it for over an hour but realizing from how it works on linux that it silently discards the auth file with too open perms on the file. I disabled inheritance for parent and removed the "read & execute" for authenticated users. |
Thank you so much @SNikalaichyk! Those commands resolved an issue I was having getting OpenSSH to work on Windows Server 2016!! I didn't think about the permissions on that file, but now it makes sense come to think of it! |
fyi, starting from Win32-OpenSSH V8.6, there is no need to modify the administrators_authorized_keys ACLs. |
this worked for me $acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys |
Does @adilinden or anybody know why |
I had a similar problem, nothing helped. I came across the advice to check that the authorized_keys file has a CRLF ending. Check that your authorized_keys has CRLF and UTF-8 encoding without BOM |
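The checks suggested in the comments above (a file rather than a folder, no ACL entries beyond the expected ones, inheritance disabled, no BOM), collected into one read-only diagnostic as an added example that is not part of the original thread or of the project's code. It assumes, following Microsoft's documented guidance, that only SYSTEM and the Administrators group should hold rights on the file; the variable names are illustrative.

```powershell
# Added diagnostic sketch, not from the thread. Run in an elevated PowerShell.
$sshDir  = Join-Path $env:ProgramData 'ssh'
$keyFile = Join-Path $sshDir 'administrators_authorized_keys'
$config  = Join-Path $sshDir 'sshd_config'
# Assumption: only SYSTEM (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544)
# should hold rights on the file; SIDs are used so localized names do not matter.
$allowedSids = @('S-1-5-18', 'S-1-5-32-544')
$report = @()

# 1. Which file does sshd read? An active Match block redirects administrators.
$matchActive = Select-String -Path $config -Quiet -Pattern '^\s*Match\s+Group\s+administrators\b'
if (-not $matchActive) {
    $report += 'Match Group administrators is not active: sshd reads the per-user .ssh\authorized_keys.'
}

# 2. The key store must be a single file, not a folder containing key files.
if (Test-Path -LiteralPath $keyFile -PathType Container) {
    $report += "$keyFile is a directory; it must be a file."
} elseif (-not (Test-Path -LiteralPath $keyFile -PathType Leaf)) {
    $report += "$keyFile does not exist."
} else {
    # 3. ACL: inheritance off, and no Allow entry for anyone outside the allowed SIDs.
    $acl = Get-Acl -LiteralPath $keyFile
    if (-not $acl.AreAccessRulesProtected) {
        $report += 'Inheritance is enabled; entries from C:\ProgramData\ssh flow into the file.'
    }
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Allow' -and $allowedSids -notcontains $rule.IdentityReference.Value) {
            $report += "Unexpected ACE: $($rule.IdentityReference.Value) has $($rule.FileSystemRights)."
        }
    }

    # 4. Encoding: a byte-order mark corrupts the first key line.
    $bytes = [System.IO.File]::ReadAllBytes($keyFile)
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $report += 'File starts with a UTF-8 BOM; save it as UTF-8 without BOM.'
    } elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        $report += 'File is UTF-16 LE (typical of ">" redirection in Windows PowerShell); re-save as UTF-8.'
    }
}

if ($report) { $report } else { 'No problems found by these checks.' }
```

The script changes nothing on disk; an unexpected ACE such as the "NT SERVICE\sshd" entry discussed earlier in the thread shows up by its SID in the report.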
"OpenSSH for Windows" version
((Get-Item (Get-Command sshd).Source).VersionInfo.FileVersion)
7.7.2.2
Server OperatingSystem
((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows nt\CurrentVersion\" -Name ProductName).ProductName)
Windows Server 2019 Standard
Client OperatingSystem
macOS Mojave Version 10.14.1
ssh -V
OpenSSH_7.8p1, LibreSSL 2.7.3
What is failing
PubKey Authentication with ed25519
Expected output
Successful Login over PubKey
Actual output
Permission Denied
Additional Data
Currently I'm trying to achieve PubKey Authentication against a Windows Server 2019, however I could not get it to work.
I actually created an ed25519 key and put it into the correct folder C:\Users\Administrator\.ssh\authorized_keys. However it just does not work.
What is even strange is the Windows Server Debug output (ProgramData?!):
Client Verbose Output:
My PubKey lies at C:\Users\Administrator\.ssh\authorized_keys
according to https://docs.microsoft.com/de-de/windows-server/administration/openssh/openssh_keymanagement