PublicKey authentication failed #705

Closed
XDTZ opened this issue May 3, 2017 · 5 comments

@XDTZ

XDTZ commented May 3, 2017

"OpenSSH for Windows" version
0.0.12.0

OS details
Server: Windows 10 Education Insider Preview 15063
Client: Ubuntu 16.04

What is failing
Although password login works fine, I cannot log in with public key authentication.
Installation process followed the example in the wiki. I also checked the permission of C:\Users\myuser.ssh\authorized_keys and granted NT SERVICE\SSHD full control of such directory. However, from the logs below, it seems the path format is illegal for Windows system: debug1: Could not open authorized keys 'C:\\Users\\Frank/.ssh/authorized_keys': Permission denied

My server log dump:

debug1: sshd version OpenSSH_7.5, OpenSSL 1.0.2d 9 Jul 2015
debug1: private host key #0: ssh-rsa SHA256:NJXMg9sEiwzznoNIxWzSMQeW7I2p9ooFyhONeXemLYg
debug1: private host key #1: ssh-dss SHA256:mdZHUeSuv+bQDr5t2WDURGcGi35wkGe3zM5EyFd1qrE
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:NfefP4/JvlDT4grtqvzfy4PaFzXRXrwjFSKaPQNpyiw
debug1: private host key #3: ssh-ed25519 SHA256:TItk06cdmtTF7wnmLOfWWs0AP0h/nbyqoyzcymbhjLQ
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.0.149 port 37990 on 192.168.0.143 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_7.5
debug1: Enabling compatibility mode for protocol 2.0
debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_INIT
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: KEX done
debug1: userauth-request for user frank service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for frank from 192.168.0.149 port 37990 ssh2
debug1: userauth-request for user frank service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:Gy8dup7Oha6veCTZ2hkku4BrCyTi5RKC/KHFPH6dNG0
debug1: trying public key file C:\\Users\\Frank/.ssh/authorized_keys
debug1: Could not open authorized keys 'C:\\Users\\Frank/.ssh/authorized_keys': Permission denied
Failed publickey for frank from 192.168.0.149 port 37990 ssh2
debug1: userauth-request for user frank service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=frank devs=
debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for frank from 192.168.0.149 port 37990 ssh2
Connection closed by authenticating user frank 192.168.0.149 port 37990
debug1: do_cleanup

My client ssh -v dump:

OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to frank [192.168.0.143] port 22.
debug1: Connection established.
debug1: identity file /home/frank/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/frank/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/frank/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/frank/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/frank/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/frank/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/frank/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/frank/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5
debug1: match: OpenSSH_7.5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to frank:22 as 'frank'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:NfefP4/JvlDT4grtqvzfy4PaFzXRXrwjFSKaPQNpyiw
debug1: Host 'frank' is known and matches the ECDSA host key.
debug1: Found key in /home/frank/.ssh/known_hosts:5
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/frank/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/frank/.ssh/id_dsa
debug1: Trying private key: /home/frank/.ssh/id_ecdsa
debug1: Trying private key: /home/frank/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive).

My sshd_config:

#	$OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
PidFile .\sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	sftp-server.exe

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
# PubkeyAcceptedKeyTypes ssh-ed25519*

Any help would be much appreciated!

@davidjahn

We are seeing the same exact error with the latest release 0.0.12.0. Is there a suggested fix for this?

@manojampalam
Contributor

@XDTZ
Are you sure this is your path C:\Users\myuser.ssh\authorized_keys?

It should be C:\Users\myuser\.ssh\authorized_keys // "\" after user name

@XDTZ
Author

XDTZ commented May 4, 2017

@manojampalam Well, it's straight from the logs. I did not change anything. However, in #253 someone else posted a working case with similar log output:

...
392 12:07:41 333 debug1: trying public key file C:\\Users\\user/.ssh/authorized_keys
392 12:07:41 333 debug1: matching key found: file C:\\Users\\user/.ssh/authorized_keys, line 1 RSA SHA256:un5BKdZypyGubEWUkUm0aZviyj51a3gLAq5esppTTIY
...

@manojampalam
Contributor

The way the path is output in the logs is an artifact of path differences between Windows and Unix. We have a bug tracking this (#469).

Otherwise, can you dump the output of the following:
icacls.exe C:\Users\user\.ssh\authorized_keys

Also, is authorized_keys a dir or a file? (It should be a file.)

@XDTZ
Author

XDTZ commented May 4, 2017

@manojampalam I'm such a noob. Only now did I find out authorized_keys is a file rather than a folder! It totally works now. I'm closing the issue. Thanks!

@XDTZ XDTZ closed this as completed May 4, 2017
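
The diagnosis reached in this thread, as an added example that is not part of the original issue or the project's code: it pulls the failing path out of the sshd debug output, normalises the mixed-separator form the log prints, and reports whether authorized_keys is a file or a directory. The sample log lines are constructed from the server log posted above, the key line is a placeholder, and all function names are hypothetical.

```python
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed sample: the two relevant lines from the server log in this issue.
SAMPLE_LOG = r"""
debug1: trying public key file C:\\Users\\Frank/.ssh/authorized_keys
debug1: Could not open authorized keys 'C:\\Users\\Frank/.ssh/authorized_keys': Permission denied
"""

OPEN_FAIL = re.compile(r"Could not open authorized keys '(?P<path>[^']+)': (?P<reason>.+)$")

def failed_key_files(log_text):
    """Return (normalised_windows_path, reason) for each failed open in the log."""
    hits = []
    for line in log_text.splitlines():
        m = OPEN_FAIL.search(line)
        if m:
            # sshd logs doubled backslashes and a '/' joiner; collapse both so
            # the result can be pasted into icacls.exe unchanged.
            raw = m.group("path").replace("\\\\", "\\")
            hits.append((str(PureWindowsPath(raw)), m.group("reason").strip()))
    return hits

def classify(path):
    """Say what actually sits at the authorized_keys path."""
    p = Path(path)
    if not p.exists():
        return "missing"
    if p.is_dir():
        return "directory"  # the cause in this issue: a folder named authorized_keys
    try:
        with p.open("r", encoding="utf-8", errors="replace") as fh:
            keys = [ln for ln in fh if ln.strip() and not ln.lstrip().startswith("#")]
    except PermissionError:
        return "unreadable"
    return "file with %d key line(s)" % len(keys)

def demo():
    """Build the wrong and the right layout in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        wrong = Path(tmp, "wrong", ".ssh", "authorized_keys")
        wrong.mkdir(parents=True)  # a folder, as in the issue
        right = Path(tmp, "right", ".ssh", "authorized_keys")
        right.parent.mkdir(parents=True)
        right.write_text("ssh-rsa AAAAexample frank@client\n")  # placeholder key
        return classify(wrong), classify(right)
```

On the server, run `classify()` on the path returned by `failed_key_files()`; a result of "directory" is the case that produced "Permission denied" here.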