
RSA-Cert based Auth Not working in Windows #1656

Open
txnovoid opened this issue Aug 23, 2020 · 1 comment

Comments

@txnovoid

Troubleshooting steps
https://github.com/PowerShell/Win32-OpenSSH/wiki/Troubleshooting-Steps

Terminal issue? please go through wiki
https://github.com/PowerShell/Win32-OpenSSH/wiki/TTY-PTY-support-in-Windows-OpenSSH

Please answer the following

"OpenSSH for Windows" version
PS C:\ProgramData\ssh> ((Get-Item (Get-Command sshd).Source).VersionInfo.FileVersion)
7.7.2.1
Server OperatingSystem
((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows nt\CurrentVersion\" -Name ProductName).ProductName)
PS C:\ProgramData\ssh> ((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows nt\CurrentVersion" -Name ProductName).ProductName)
Windows Server 2019 Datacenter

Client OperatingSystem
CentOS8

What is failing

I have been working with the RSA-CERT authentication mechanisms in conjunction with Hashicorp's documentation. I have this working (mostly) fine in CentOS8 as a target. Configuring the same thing in Windows is not happening.

Life looks good up through here:
debug2: parse_server_config: config reprocess config len 365
debug3: checking match for 'Group administrators' user lab\MYUSER host 192.168.0.211 addr 192.168.0.211 laddr 192.168.0.130 lport 22
debug3: lookup_principal_name: Successfully discovered explicit principal name: 'lab\MYUSER'=>'MYUSER@mydomain.net'
debug3: LsaLogonUser Succeeded (Impersonation: 0)
debug1: user \001 matched group list administrators at line 85
debug3: match found
debug3: reprocess config:86 setting AuthorizedKeysFile PROGRAMDATA/ssh/administrators_authorized_keys
debug3: reprocess config:88 setting TrustedUserCAkeys PROGRAMDATA/ssh/trusted-user-ca-keys.pem

But then I get this error message:
userauth_pubkey: unsupported public key algorithm: rsa-sha2-256-cert-v01@openssh.com [preauth]

Which seems odd, because the documentation suggests that this is supported by default.

On the user end:

[USER@c8s1 ~]$ ssh -i signed-cert-win.pub -i ~/.ssh/id_rsa USER@192.168.0.130
USER@192.168.0.130: Permission denied (publickey,keyboard-interactive).

Now, this appears to be an AuthZ error (permission denied). Full debug log below.

Expected output
Certificate Based Authentication works?

Actual output
C:\PSTools>psexec -s sshd.exe -ddd

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

debug2: load_server_config: filename PROGRAMDATA\ssh/sshd_config
debug2: load_server_config: done config len = 365
debug2: parse_server_config: config PROGRAMDATA\ssh/sshd_config len 365
debug3: PROGRAMDATA\ssh/sshd_config:35 setting PubkeyAuthentication yes
debug3: PROGRAMDATA\ssh/sshd_config:39 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: PROGRAMDATA\ssh/sshd_config:52 setting PasswordAuthentication no
debug3: PROGRAMDATA\ssh/sshd_config:77 setting Subsystem sftp sftp-server.exe
debug3: checking syntax for 'Match Group administrators'
debug1: sshd version OpenSSH_for_Windows_7.7, LibreSSL 2.6.5
debug1: private host key #0: ssh-rsa SHA256:EAhuImKrQbUk+v42huzU12vyD0iW/mYbNhetRnqD/Sw
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:vkj2u3PENt3BxoG7Cm3Hrx0jliDdnZ5jp0L7WQkgfac
debug1: private host key #2: ssh-ed25519 SHA256:IsQ7vTGcMbtao4244AVeQEZ34D1pvvvH0kEonWdF1Fk
debug1: rexec_argv[0]='sshd.exe'
debug1: rexec_argv[1]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 3 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 365
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
Connection from 192.168.0.211 port 34466 on 192.168.0.130 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_8.0
debug1: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug2: fd 5 setting O_NONBLOCK
debug3: spawning "C:\Windows\System32\OpenSSH\sshd.exe" "-ddd" "-y"
debug2: Network child is on pid 7928
debug3: send_rexec_state: entering fd = 4 config len 365
debug3: ssh_msg_send: type 0
debug3: recv_rexec_state: entering fd = 3
debug3: send_rexec_state: done
debug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 0
debug3: recv_rexec_state: done
debug2: parse_server_config: config PROGRAMDATA\ssh/sshd_config len 365
debug3: ssh_msg_send: type 0
debug3: PROGRAMDATA\ssh/sshd_config:35 setting PubkeyAuthentication yes
debug3: preauth child monitor started
debug3: PROGRAMDATA\ssh/sshd_config:39 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: PROGRAMDATA\ssh/sshd_config:52 setting PasswordAuthentication no
debug3: PROGRAMDATA\ssh/sshd_config:77 setting Subsystem sftp sftp-server.exe
debug3: checking syntax for 'Match Group administrators'
debug1: sshd version OpenSSH_for_Windows_7.7, LibreSSL 2.6.5
debug3: ssh_msg_recv entering
debug3: ssh_msg_recv entering
debug2: fd 5 setting O_NONBLOCK
debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 [preauth]
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none [preauth]
debug2: compression stoc: none [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c [preauth]
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa [preauth]
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc [preauth]
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc [preauth]
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 [preauth]
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 [preauth]
debug2: compression ctos: none,zlib@openssh.com,zlib [preauth]
debug2: compression stoc: none,zlib@openssh.com,zlib [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: compression: none [preauth]
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: receive packet: type 30 [preauth]
debug3: mm_key_sign entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect entering: type 7 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign
debug3: mm_answer_sign: hostkey proof signature 0000016ED1C6AA10(100)
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: send packet: type 31 [preauth]
debug3: send packet: type 21 [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: rekey after 4294967296 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug3: send packet: type 7 [preauth]
debug3: receive packet: type 21 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: rekey after 4294967296 blocks [preauth]
debug1: KEX done [preauth]
debug3: receive packet: type 5 [preauth]
debug3: send packet: type 6 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user MYUSER service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow entering [preauth]
debug3: mm_request_send entering: type 8 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect entering: type 9 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow
debug2: parse_server_config: config reprocess config len 365
debug3: checking match for 'Group administrators' user lab\MYUSER host 192.168.0.211 addr 192.168.0.211 laddr 192.168.0.130 lport 22
debug3: lookup_principal_name: Successfully discovered explicit principal name: 'lab\MYUSER'=>'MYUSER@mydomain.net'
debug3: LsaLogonUser Succeeded (Impersonation: 0)
debug1: user \001 matched group list administrators at line 85
debug3: match found
debug3: reprocess config:86 setting AuthorizedKeysFile PROGRAMDATA/ssh/administrators_authorized_keys
debug3: reprocess config:88 setting TrustedUserCAkeys PROGRAMDATA/ssh/trusted-user-ca-keys.pem
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 9
debug2: monitor_read: 8 used once, disabling now
debug2: input_userauth_request: setting up authctxt for MYUSER [preauth]
debug3: mm_inform_authserv entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
debug3: send packet: type 51 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user MYUSER service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
userauth_pubkey: unsupported public key algorithm: rsa-sha2-256-cert-v01@openssh.com [preauth]
debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-256-cert-v01@openssh.com [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
debug3: send packet: type 51 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user MYUSER service ssh-connection method publickey [preauth]
debug1: attempt 2 failures 1 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-256 pkblob RSA SHA256:vREtEXRtCNltN3de4Io/FluUtKUyxOFicNl7NjcHhpQ [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0000016ED1C6AE70
debug1: trying public key file PROGRAMDATA/ssh/administrators_authorized_keys
debug3: Failed to open file:C:/ProgramData/ssh/administrators_authorized_keys error:2
debug1: Could not open authorized keys 'PROGRAMDATA/ssh/administrators_authorized_keys': No such file or directory
debug3: mm_answer_keyallowed: publickey authentication test: RSA key is not allowed
Failed publickey for MYUSER from 192.168.0.211 port 34466 ssh2: RSA SHA256:vREtEXRtCNltN3de4Io/FluUtKUyxOFicNl7NjcHhpQ
debug3: mm_request_send entering: type 23
debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-256 [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
debug3: send packet: type 51 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user MYUSER service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 3 failures 2 [preauth]
debug2: input_userauth_request: try method keyboard-interactive [preauth]
debug1: keyboard-interactive devs [preauth]
debug1: auth2_challenge: user=MYUSER devs= [preauth]
debug1: kbdint_alloc: devices '' [preauth]
debug2: auth2_challenge_start: devices [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
debug3: send packet: type 51 [preauth]
Connection closed by authenticating user MYUSER 192.168.0.211 port 34466 [preauth]
debug1: do_cleanup [preauth]
debug3: ReadFileEx() ERROR:109, io:0000016ED1C67770
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive entering
debug1: do_cleanup
debug1: Killing privsep child 7928
sshd.exe exited on KUBERNETES1 with error code 255.

C:\PSTools>
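As an added example (not from the issue or the Win32-OpenSSH project), a small triage script that groups sshd -ddd output into per-attempt records. It runs over constructed lines shaped like the log above, so the two distinct failures are visible at a glance: the certificate attempt is rejected at the pkalg check before any authorized-keys lookup, and the fallback plain-key attempt then fails only because administrators_authorized_keys does not exist.

```python
import re

# Constructed sample in the shape of the sshd -ddd output quoted in the issue (not the full log).
SAMPLE_LOG = """\
debug1: userauth-request for user MYUSER service ssh-connection method none [preauth]
debug1: userauth-request for user MYUSER service ssh-connection method publickey [preauth]
userauth_pubkey: unsupported public key algorithm: rsa-sha2-256-cert-v01@openssh.com [preauth]
debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-256-cert-v01@openssh.com [preauth]
debug1: userauth-request for user MYUSER service ssh-connection method publickey [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-256 pkblob RSA SHA256:vREtEXRtCNltN3de4Io/FluUtKUyxOFicNl7NjcHhpQ [preauth]
debug1: Could not open authorized keys 'PROGRAMDATA/ssh/administrators_authorized_keys': No such file or directory
debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-256 [preauth]
debug1: userauth-request for user MYUSER service ssh-connection method keyboard-interactive [preauth]
"""

# One userauth-request line opens a new attempt; the lines after it describe how it went.
REQUEST = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
UNSUPPORTED = re.compile(r"unsupported public key algorithm: (\S+)")
TEST_PKALG = re.compile(r"userauth_pubkey: test pkalg (\S+)")
NO_AUTHKEYS = re.compile(r"Could not open authorized keys '([^']+)'")
RESULT = re.compile(r"userauth_pubkey: authenticated ([01]) pkalg (\S+)")


def triage_auth_attempts(log_text):
    """Split an sshd debug log into per-attempt records carrying the failure reason."""
    attempts = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if m:
            attempts.append({"user": m.group(1), "method": m.group(2),
                             "pkalg": None, "reason": None, "ok": False})
            continue
        if not attempts:
            continue  # pre-auth noise before the first request (KEX etc.)
        cur = attempts[-1]
        if m := UNSUPPORTED.search(line):
            cur["pkalg"], cur["reason"] = m.group(1), "server rejects pkalg"
        elif m := TEST_PKALG.search(line):
            cur["pkalg"] = m.group(1)
        elif m := NO_AUTHKEYS.search(line):
            cur["reason"] = "authorized keys file missing: " + m.group(1)
        elif m := RESULT.search(line):
            cur["ok"] = m.group(1) == "1"
            cur["pkalg"] = cur["pkalg"] or m.group(2)
    for a in attempts:  # OpenSSH certificate algorithms all carry the -cert-v01 suffix
        a["is_cert"] = a["pkalg"] is not None and a["pkalg"].endswith("-cert-v01@openssh.com")
    return attempts


if __name__ == "__main__":
    for a in triage_auth_attempts(SAMPLE_LOG):
        print(a["method"], a["pkalg"], "cert" if a["is_cert"] else "key", a["reason"], a["ok"])
```

The "server rejects pkalg" reason on a -cert-v01 attempt means the key was never checked against TrustedUserCAKeys at all, so fixing the missing authorized_keys file alone would not make certificate login work on this build.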

@keke8273

Hi all, could somebody confirm if certificate base authentication is supported by Win32-OpenSSH?
