
PubKey Auth not working #1306

Closed
schmitch opened this issue Dec 14, 2018 · 45 comments

Comments

@schmitch commented Dec 14, 2018

"OpenSSH for Windows" version
((Get-Item (Get-Command sshd).Source).VersionInfo.FileVersion)
7.7.2.2

Server OperatingSystem
((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows nt\CurrentVersion\" -Name ProductName).ProductName)
Windows Server 2019 Standard

Client OperatingSystem
macOS Mojave Version 10.14.1
ssh -V
OpenSSH_7.8p1, LibreSSL 2.7.3

What is failing
PubKey Authentication with ed25519

Expected output
Successful Login over PubKey

Actual output
Permission Denied

Additional Data
Currently I'm trying to achieve PubKey Authentication against a Windows Server 2019, however I could not get it to work.
I actually created an ed25519 key and put it into the correct folder C:\Users\Administrator\.ssh\authorized_keys.
However it just does not work.
What is even strange is the Windows Server Debug output (ProgramData?!):

PS C:\Users\Administrator\unzipped> sshd -d
debug1: sshd version OpenSSH_for_Windows_7.7, LibreSSL 2.6.5
debug1: private host key #0: ssh-rsa SHA256:PNoOxXBKB4SCOQougpsAZ9bUnku658ur9+wucTvsGSc
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:GKf1jbg/+ayrPx+MOCTeCSBgJze/9R7kVYdw4WcEMU8
debug1: private host key #2: ssh-ed25519 SHA256:q8Rqf9l/eUiPMx9YfVSd3mQKxm/2Detld2UgLmIPyLU
debug1: rexec_argv[0]='C:\\Windows\\System32\\OpenSSH\\sshd.exe'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.179.152 port 61251 on 192.168.179.249 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_7.8
debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: sshd version OpenSSH_for_Windows_7.7, LibreSSL 2.6.5
debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user Administrator service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: user C:\\Users\\Administrator matched group list administrators at line 84
debug1: userauth-request for user Administrator service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: userauth_pubkey: test pkalg ssh-ed25519 pkblob ED25519 SHA256:2nXx9fR4uOi8KRult6QjtZEvaTHIqH7i4cAv7qg3gSA [preauth]
debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
debug1: Could not open authorized keys '__PROGRAMDATA__/ssh/administrators_authorized_keys': No such file or directory
Failed publickey for Administrator from 192.168.179.152 port 61251 ssh2: ED25519 SHA256:2nXx9fR4uOi8KRult6QjtZEvaTHIqH7i4cAv7qg3gSA
Connection closed by authenticating user Administrator 192.168.179.152 port 61251 [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: Killing privsep child 1996

Client Verbose Output:

schmitch@tokio:~$ ssh -vvvv ci02
OpenSSH_7.8p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/schmitch/.ssh/config
debug1: /Users/schmitch/.ssh/config line 34: Applying options for ci02
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.179.249 is address
debug2: ssh_connect_direct
debug1: Connecting to 192.168.179.249 [192.168.179.249] port 22.
debug1: Connection established.
debug1: identity file /Users/schmitch/.ssh/windows type 3
debug1: identity file /Users/schmitch/.ssh/windows-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_7.7
debug1: match: OpenSSH_for_Windows_7.7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.179.249:22 as 'Administrator'
debug3: hostkeys_foreach: reading file "/Users/schmitch/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/schmitch/.ssh/known_hosts:155
debug3: load_hostkeys: loaded 1 keys from 192.168.179.249
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:GKf1jbg/+ayrPx+MOCTeCSBgJze/9R7kVYdw4WcEMU8
debug3: hostkeys_foreach: reading file "/Users/schmitch/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/schmitch/.ssh/known_hosts:155
debug3: load_hostkeys: loaded 1 keys from 192.168.179.249
debug1: Host '192.168.179.249' is known and matches the ECDSA host key.
debug1: Found key in /Users/schmitch/.ssh/known_hosts:155
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /Users/schmitch/.ssh/windows (0x7fc576c07060), explicit
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: ED25519 SHA256:2nXx9fR4uOi8KRult6QjtZEvaTHIqH7i4cAv7qg3gSA /Users/schmitch/.ssh/windows
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Administrator@192.168.179.249: Permission denied (publickey,password,keyboard-interactive).

My PubKey lies at C:\Users\Administrator\.ssh\authorized_keys

according to https://docs.microsoft.com/de-de/windows-server/administration/openssh/openssh_keymanagement

@schmitch (Author) commented Dec 14, 2018

i.e. copying the pubkey to C:\ProgramData\ssh\administrator_authorized_keys does not resolve the problem either

@schmitch (Author) commented Dec 14, 2018

I found that the SSH Config contained something like:

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

however even when commenting it out, it still does not work.

3544 2018-12-14 15:06:37.650 debug2: fd 3 setting O_NONBLOCK
3544 2018-12-14 15:06:37.650 debug3: sock_set_v6only: set socket 3 IPV6_V6ONLY
3544 2018-12-14 15:06:37.650 debug1: Bind to port 22 on ::.
3544 2018-12-14 15:06:37.650 Server listening on :: port 22.
3544 2018-12-14 15:06:37.650 debug2: fd 4 setting O_NONBLOCK
3544 2018-12-14 15:06:37.650 debug1: Bind to port 22 on 0.0.0.0.
3544 2018-12-14 15:06:37.650 Server listening on 0.0.0.0 port 22.
3544 2018-12-14 15:06:40.670 debug3: fd 5 is not O_NONBLOCK
3544 2018-12-14 15:06:40.672 debug3: spawning "C:\\Windows\\System32\\OpenSSH\\sshd.exe" "-R"
3544 2018-12-14 15:06:40.675 debug3: send_rexec_state: entering fd = 8 config len 394
3544 2018-12-14 15:06:40.675 debug3: ssh_msg_send: type 0
3544 2018-12-14 15:06:40.675 debug3: send_rexec_state: done
2664 2018-12-14 15:06:40.721 debug1: inetd sockets after dupping: 3, 3
2664 2018-12-14 15:06:40.721 Connection from 192.168.179.152 port 65269 on 192.168.179.249 port 22
2664 2018-12-14 15:06:40.721 debug1: Client protocol version 2.0; client software version OpenSSH_7.8
2664 2018-12-14 15:06:40.721 debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
2664 2018-12-14 15:06:40.721 debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
2664 2018-12-14 15:06:40.722 debug2: fd 3 setting O_NONBLOCK
2664 2018-12-14 15:06:40.728 debug3: spawning "C:\\Windows\\System32\\OpenSSH\\sshd.exe" "-y"
2664 2018-12-14 15:06:40.730 debug2: Network child is on pid 2700
2664 2018-12-14 15:06:40.731 debug3: send_rexec_state: entering fd = 6 config len 394
2664 2018-12-14 15:06:40.731 debug3: ssh_msg_send: type 0
2664 2018-12-14 15:06:40.731 debug3: send_rexec_state: done
2664 2018-12-14 15:06:40.731 debug3: ssh_msg_send: type 0
2664 2018-12-14 15:06:40.731 debug3: ssh_msg_send: type 0
2664 2018-12-14 15:06:40.731 debug3: preauth child monitor started
2664 2018-12-14 15:06:40.756 debug3: list_hostkey_types: ssh-dss key not permitted by HostkeyAlgorithms [preauth]
2664 2018-12-14 15:06:40.756 debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
2664 2018-12-14 15:06:40.756 debug3: send packet: type 20 [preauth]
2664 2018-12-14 15:06:40.756 debug1: SSH2_MSG_KEXINIT sent [preauth]
2664 2018-12-14 15:06:40.756 debug3: receive packet: type 20 [preauth]
2664 2018-12-14 15:06:40.756 debug1: SSH2_MSG_KEXINIT received [preauth]
2664 2018-12-14 15:06:40.756 debug2: local server KEXINIT proposal [preauth]
2664 2018-12-14 15:06:40.756 debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 [preauth]
2664 2018-12-14 15:06:40.756 debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
2664 2018-12-14 15:06:40.756 debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
2664 2018-12-14 15:06:40.756 debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
2664 2018-12-14 15:06:40.756 debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
2664 2018-12-14 15:06:40.756 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
2664 2018-12-14 15:06:40.756 debug2: compression ctos: none [preauth]
2664 2018-12-14 15:06:40.756 debug2: compression stoc: none [preauth]
2664 2018-12-14 15:06:40.756 debug2: languages ctos:  [preauth]
2664 2018-12-14 15:06:40.756 debug2: languages stoc:  [preauth]
2664 2018-12-14 15:06:40.756 debug2: first_kex_follows 0  [preauth]
2664 2018-12-14 15:06:40.756 debug2: reserved 0  [preauth]
2664 2018-12-14 15:06:40.756 debug2: peer client KEXINIT proposal [preauth]
2664 2018-12-14 15:06:40.756 debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c [preauth]
2664 2018-12-14 15:06:40.756 debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa [preauth]
2664 2018-12-14 15:06:40.756 debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
2664 2018-12-14 15:06:40.757 debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
2664 2018-12-14 15:06:40.757 debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
2664 2018-12-14 15:06:40.757 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
2664 2018-12-14 15:06:40.757 debug2: compression ctos: none,zlib@openssh.com,zlib [preauth]
2664 2018-12-14 15:06:40.757 debug2: compression stoc: none,zlib@openssh.com,zlib [preauth]
2664 2018-12-14 15:06:40.757 debug2: languages ctos:  [preauth]
2664 2018-12-14 15:06:40.757 debug2: languages stoc:  [preauth]
2664 2018-12-14 15:06:40.757 debug2: first_kex_follows 0  [preauth]
2664 2018-12-14 15:06:40.757 debug2: reserved 0  [preauth]
2664 2018-12-14 15:06:40.757 debug1: kex: algorithm: curve25519-sha256 [preauth]
2664 2018-12-14 15:06:40.757 debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
2664 2018-12-14 15:06:40.757 debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
2664 2018-12-14 15:06:40.757 debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
2664 2018-12-14 15:06:40.757 debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
2664 2018-12-14 15:06:40.760 debug3: receive packet: type 30 [preauth]
2664 2018-12-14 15:06:40.768 debug3: mm_key_sign entering [preauth]
2664 2018-12-14 15:06:40.768 debug3: mm_request_send entering: type 6 [preauth]
2664 2018-12-14 15:06:40.768 debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
2664 2018-12-14 15:06:40.768 debug3: mm_request_receive_expect entering: type 7 [preauth]
2664 2018-12-14 15:06:40.768 debug3: mm_request_receive entering [preauth]
2664 2018-12-14 15:06:40.768 debug3: mm_request_receive entering
2664 2018-12-14 15:06:40.768 debug3: monitor_read: checking request 6
2664 2018-12-14 15:06:40.769 debug3: mm_answer_sign
2664 2018-12-14 15:06:40.770 debug3: mm_answer_sign: hostkey proof signature 000001683069E4C0(101)
2664 2018-12-14 15:06:40.770 debug3: mm_request_send entering: type 7
2664 2018-12-14 15:06:40.770 debug2: monitor_read: 6 used once, disabling now
2664 2018-12-14 15:06:40.770 debug3: send packet: type 31 [preauth]
2664 2018-12-14 15:06:40.770 debug3: send packet: type 21 [preauth]
2664 2018-12-14 15:06:40.770 debug2: set_newkeys: mode 1 [preauth]
2664 2018-12-14 15:06:40.770 debug1: rekey after 134217728 blocks [preauth]
2664 2018-12-14 15:06:40.770 debug1: SSH2_MSG_NEWKEYS sent [preauth]
2664 2018-12-14 15:06:40.770 debug1: expecting SSH2_MSG_NEWKEYS [preauth]
2664 2018-12-14 15:06:40.770 debug3: send packet: type 7 [preauth]
2664 2018-12-14 15:06:40.778 debug3: receive packet: type 21 [preauth]
2664 2018-12-14 15:06:40.778 debug1: SSH2_MSG_NEWKEYS received [preauth]
2664 2018-12-14 15:06:40.778 debug2: set_newkeys: mode 0 [preauth]
2664 2018-12-14 15:06:40.778 debug1: rekey after 134217728 blocks [preauth]
2664 2018-12-14 15:06:40.778 debug1: KEX done [preauth]
2664 2018-12-14 15:06:40.789 debug3: receive packet: type 5 [preauth]
2664 2018-12-14 15:06:40.789 debug3: send packet: type 6 [preauth]
2664 2018-12-14 15:06:40.789 debug3: receive packet: type 50 [preauth]
2664 2018-12-14 15:06:40.789 debug1: userauth-request for user Administrator service ssh-connection method none [preauth]
2664 2018-12-14 15:06:40.789 debug1: attempt 0 failures 0 [preauth]
2664 2018-12-14 15:06:40.789 debug3: mm_getpwnamallow entering [preauth]
2664 2018-12-14 15:06:40.789 debug3: mm_request_send entering: type 8 [preauth]
2664 2018-12-14 15:06:40.789 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
2664 2018-12-14 15:06:40.789 debug3: mm_request_receive_expect entering: type 9 [preauth]
2664 2018-12-14 15:06:40.789 debug3: mm_request_receive entering [preauth]
2664 2018-12-14 15:06:40.789 debug3: mm_request_receive entering
2664 2018-12-14 15:06:40.789 debug3: monitor_read: checking request 8
2664 2018-12-14 15:06:40.789 debug3: mm_answer_pwnamallow
2664 2018-12-14 15:06:40.790 debug2: parse_server_config: config reprocess config len 394
2664 2018-12-14 15:06:40.790 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
2664 2018-12-14 15:06:40.790 debug3: mm_request_send entering: type 9
2664 2018-12-14 15:06:40.791 debug2: monitor_read: 8 used once, disabling now
2664 2018-12-14 15:06:40.791 debug2: input_userauth_request: setting up authctxt for Administrator [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_inform_authserv entering [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_request_send entering: type 4 [preauth]
2664 2018-12-14 15:06:40.791 debug2: input_userauth_request: try method none [preauth]
2664 2018-12-14 15:06:40.791 debug3: userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
2664 2018-12-14 15:06:40.791 debug3: send packet: type 51 [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_request_receive entering
2664 2018-12-14 15:06:40.791 debug3: monitor_read: checking request 4
2664 2018-12-14 15:06:40.791 debug3: mm_answer_authserv: service=ssh-connection, style=
2664 2018-12-14 15:06:40.791 debug2: monitor_read: 4 used once, disabling now
2664 2018-12-14 15:06:40.791 debug3: receive packet: type 50 [preauth]
2664 2018-12-14 15:06:40.791 debug1: userauth-request for user Administrator service ssh-connection method publickey [preauth]
2664 2018-12-14 15:06:40.791 debug1: attempt 1 failures 0 [preauth]
2664 2018-12-14 15:06:40.791 debug2: input_userauth_request: try method publickey [preauth]
2664 2018-12-14 15:06:40.791 debug1: userauth_pubkey: test pkalg ssh-ed25519 pkblob ED25519 SHA256:2nXx9fR4uOi8KRult6QjtZEvaTHIqH7i4cAv7qg3gSA [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_key_allowed entering [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_request_send entering: type 22 [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_request_receive_expect entering: type 23 [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_request_receive entering [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_request_receive entering
2664 2018-12-14 15:06:40.791 debug3: monitor_read: checking request 22
2664 2018-12-14 15:06:40.791 debug3: mm_answer_keyallowed entering
2664 2018-12-14 15:06:40.791 debug3: mm_answer_keyallowed: key_from_blob: 000001683069E300
2664 2018-12-14 15:06:40.791 debug1: trying public key file C:\\Users\\Administrator\\.ssh/authorized_keys
2664 2018-12-14 15:06:40.792 debug3: Bad permissions. Try removing permissions for user: S-1-5-80-3847866527-469524349-687026318-516638107-1125189541 on file C:/Users/Administrator/.ssh/authorized_keys.
2664 2018-12-14 15:06:40.792 Authentication refused.
2664 2018-12-14 15:06:40.792 debug3: mm_answer_keyallowed: publickey authentication test: ED25519 key is not allowed
2664 2018-12-14 15:06:40.792 Failed publickey for Administrator from 192.168.179.152 port 65269 ssh2: ED25519 SHA256:2nXx9fR4uOi8KRult6QjtZEvaTHIqH7i4cAv7qg3gSA
2664 2018-12-14 15:06:40.792 debug3: mm_request_send entering: type 23
2664 2018-12-14 15:06:40.792 debug2: userauth_pubkey: authenticated 0 pkalg ssh-ed25519 [preauth]
2664 2018-12-14 15:06:40.792 debug3: userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
2664 2018-12-14 15:06:40.792 debug3: send packet: type 51 [preauth]
2664 2018-12-14 15:06:40.794 Connection closed by authenticating user Administrator 192.168.179.152 port 65269 [preauth]
2664 2018-12-14 15:06:40.794 debug1: do_cleanup [preauth]
2664 2018-12-14 15:06:40.795 debug1: monitor_read_log: child log fd closed
2664 2018-12-14 15:06:40.795 debug3: mm_request_receive entering
2664 2018-12-14 15:06:40.795 debug1: do_cleanup
2664 2018-12-14 15:06:40.795 debug1: Killing privsep child 2700

btw.:

PS C:\ProgramData\ssh> Repair-AuthorizedKeyPermission C:\Users\Administrator\.ssh\authorized_keys
  [*] C:\Users\Administrator\.ssh\authorized_keys
      looks good

File ACL:

PS C:\ProgramData\ssh> Get-Acl C:\Users\Administrator\.ssh\authorized_keys|Format-List


Path   : Microsoft.PowerShell.Core\FileSystem::C:\Users\Administrator\.ssh\authorized_keys
Owner  : BUILTIN\Administrators
Group  : WIN-JC8T67AORH2\None
Access : NT SERVICE\sshd Allow  Read, Synchronize
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         WIN-JC8T67AORH2\Administrator Allow  FullControl
Audit  :
Sddl   : O:BAG:S-1-5-21-2330858761-2518894999-591638271-513D:AI(A;;FR;;;S-1-5-80-3847866527-469524349-687026318-516638107-1125189541)(A;ID;FA;;;SY)
         (A;ID;FA;;;BA)(A;ID;FA;;;LA)

I'm on a headless Windows and completely out of ideas.
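The sshd log above names the SID it refuses ("Bad permissions. Try removing permissions for user: S-1-5-80-..."), while the Get-Acl listing shows that SID as NT SERVICE\sshd. The following PowerShell function is an added example (not code from this thread or from the OpenSSH project) that audits an authorized_keys ACL the way that check does: every Allow entry must belong to SYSTEM, BUILTIN\Administrators or the account the keys are for, and anything else is listed with its SID so it can be matched against the sshd log line. The function name and parameters are mine; -User defaults to the current account.

```powershell
# Added example, not code from this thread or from the OpenSSH project.
# Reports every Allow entry on an authorized_keys file that does not belong to
# SYSTEM, BUILTIN\Administrators or the account the keys are for, with the SID
# so it can be matched against sshd's "Bad permissions ... S-1-5-..." line.
# Assumptions: function name and parameters are mine; -User defaults to the
# current account; the caller can read the file's ACL.
function Test-AuthorizedKeysAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $User = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "$Path does not exist or is not a file"
    }
    $acl     = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Compare SIDs, not display names, so the check is independent of locale
    $allowed = @(
        'S-1-5-18',                                                     # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',                                                 # BUILTIN\Administrators
        ([System.Security.Principal.NTAccount] $User).Translate($sidType).Value
    )

    $findings = foreach ($ace in $acl.Access) {
        # Deny entries do not widen access; only Allow entries matter here
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate($sidType).Value
        if ($allowed -notcontains $sid) {
            [PSCustomObject]@{
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited: fix with /inheritance:r; explicit: /remove
            }
        }
    }
    [PSCustomObject]@{
        Path     = $Path
        Owner    = $acl.Owner
        Ok       = (@($findings).Count -eq 0)
        Findings = @($findings)
    }
}

# Usage (elevated):
#   Test-AuthorizedKeysAcl -Path "$HOME\.ssh\authorized_keys" | Format-List
#   Test-AuthorizedKeysAcl -Path C:\ProgramData\ssh\administrators_authorized_keys | Format-List
```

Run against the ACL shown in the comment above, with -User set to WIN-JC8T67AORH2\Administrator, it returns a single finding: the explicit NT SERVICE\sshd entry (S-1-5-80-3847866527-469524349-687026318-516638107-1125189541, Read). The three inherited entries for SYSTEM, BUILTIN\Administrators and the Administrator account pass, which is why the Inherited column matters: an explicit stray entry is removed with icacls /remove, an inherited one by turning inheritance off.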

@manojampalam (Collaborator) commented Dec 14, 2018

Recommend uncommenting

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Make sure C:\ProgramData\ssh\administrators_authorized_keys is a file (and not a folder containing key files), and that it is administrators_authorized_keys, not administrator_authorized_keys.

For administrator C:\ProgramData\ssh\administrator_authorized_keys

@NoMoreFood commented Dec 15, 2018

@manojampalam @schmitch The SID it's complaining about is from "NT SERVICE\sshd". Should this permission be necessary?

@manojampalam (Collaborator) commented Dec 15, 2018

@NoMoreFood right. That permission should not be there. @schmitch where did you get your version of the Repair-AuthorizedKeyPermission utility?

@schmitch (Author) commented Dec 16, 2018

Actually I did not download anything.
So it was either included in pwsh-core-6.1.1.msi or in Windows Server 2019

@manojampalam (Collaborator) commented Dec 16, 2018

@bingbing8 any clue on how Repair-AuthorizedKeyPermission could automatically land up in a system?

@bingbing8 (Collaborator) commented Dec 16, 2018

@manojampalam, the only thing I can guess is that an older git version of openssh was downloaded/installed from git or Chocolatey before.

@schmitch (Author) commented Dec 17, 2018

Actually I remembered:

Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
Name  : OpenSSH.Client~~~~0.0.1.0
State : Installed

Name  : OpenSSH.Server~~~~0.0.1.0
State : Installed

# Install the OpenSSH Client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Source: https://docs.microsoft.com/de-de/windows-server/administration/openssh/openssh_install_firstuse

@bingbing8 (Collaborator) commented Dec 17, 2018

@schmitch your above cmdlets install inbox openssh from Windows Update. The script module was never included as an OpenSSH WindowsCapability. Not sure if your system was upgraded from a previous Windows version or not. The script module was needed on RS3 machines, but is not needed on RS4 and RS5 any more. I guess you may have downloaded the script module if you followed the openssh RS3 blog to fix key permissions on an RS3 machine.

@schmitch (Author) commented Dec 17, 2018

Then I have no idea how it was installed.
Actually the system was not upgraded, I only installed PowerShell Core and DotNet Core SDK from Microsoft and other Build Related Tooling like Git, NodeJS etc.
(I also used Pwsh to run the repair script)

@adilinden commented Dec 18, 2018

I am seeing exactly the same thing. Fresh install of Server 2019 Core with the Hyper-V service.

Installed OpenSSH with:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Running sshd -d gets me:

debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
debug1: Could not open authorized keys '__PROGRAMDATA__/ssh/administrators_authorized_keys': No such file or directory

Do note that I plugged my public key into c:\Users\Administrator\.ssh\authorized_keys.

@adilinden commented Dec 18, 2018

I commented this out in C:\ProgramData\ssh\sshd_config per instructions above:

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

I then created .ssh/authorized_keys using notepad. Finally I repaired permissions using:

Repair-AuthorizedKeyPermission -FilePath $home\.ssh\authorized_keys

It is still failing, but it's now looking for a file closer to what would be expected; debug from sshd -d:

debug1: trying public key file C:\\Users\\Administrator\\.ssh/authorized_keys
Authentication refused.
Failed publickey for Administrator from 192.168.123.107 port 62628 ssh2: ED25519 SHA256:XUCnOR

@adilinden commented Dec 18, 2018

Here is what works and doesn't. Note that this is on Server 2019 Core! I previously installed on Server 2016 Core (LTSB release) using the installer from GitHub. With it Repair-AuthorizedKeyPermission was needed and things failed without.

For Server 2019 Core:

Make sure we are in $home

cd $home

Open sshd_config using notepad

notepad C:\ProgramData\ssh\sshd_config

Edit the Match statement pertaining to Administrators

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Create the $home\.ssh directory

mkdir .ssh

Create authorized_keys and add public key(s)

notepad .ssh\authorized_keys

The file created will be authorized_keys.txt, rename to authorized_keys

mv .\.ssh\authorized_keys.txt .\.ssh\authorized_keys

Do NOT repair permissions as this will throw an error

Repair-AuthorizedKeyPermission -FilePath $home\.ssh\authorized_keys

And the error:

debug1: trying public key file C:\\Users\\Administrator\\.ssh/authorized_keys
Authentication refused.

Do NOT create authorized_keys using echo and subsequently editing

echo test > .ssh\authorized_keys
echo $null > .ssh\authorized_keys

And the error:

debug1: read_keyfile_line: C:\\Users\\Administrator\\.ssh/authorized_keys line 1 exceeds size limit

@schmitch schmitch commented Dec 18, 2018

Actually I'm on Server Core as well. However, after "fixing" the sshd config and now correcting the permissions (i.e. not using the PowerShell command), everything works, with ed keys.


@SNikalaichyk SNikalaichyk commented Jan 3, 2019

Hi! I was able to get the C:\ProgramData\ssh\administrators_authorized_keys file to work.

You should set the ACL for the administrators_authorized_keys file to match the ACL of the ssh_host_dsa_key file in the same C:\ProgramData\ssh directory.

icacls C:\ProgramData\ssh\administrators_authorized_keys /remove "NT AUTHORITY\Authenticated Users"
icacls C:\ProgramData\ssh\administrators_authorized_keys /inheritance:r

Then restart SSH services:

Restart-Service -Name sshd, ssh-agent -Force

@inickt inickt commented Jan 28, 2019

I had the same problem with a fresh install of Windows 10 Pro (October 2018 update 17763) in a virtual machine.

To fix I had to:

  • uncomment the Match policy in sshd_config
  • convert authorized_keys in .ssh from Unix to CRLF line endings (I had scp'ed this from Linux without thinking about this)
  • run Repair-AuthorizedKeyPermission on authorized_keys

@nathanshearer nathanshearer commented Feb 5, 2019

I can confirm PubkeyAuthentication with authorized_keys is very broken in 7.9.0.0p1-Beta on a fresh Windows 7 Pro SP1 install.
I downgraded to 7.6.1.0p1-Beta and reinstalled from scratch. With this older version I was able to login with the same authorized_keys file.


@rob-scheepens rob-scheepens commented Feb 12, 2019

I'm trying to get this to work on 7.9.0.1 on 2019. Using ProcMon I noticed this ACCESS_DENIED for sshd.exe:
8:02:15.4257933 AM sshd.exe 2084 RegOpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters ACCESS DENIED Desired Access: All Access
Adding NT SERVICE\sshd to the relevant location did not make a difference.

Debug log:
C:\Program Files\OpenSSH-Win64>sshd -d
debug1: sshd version OpenSSH_for_Windows_7.9, LibreSSL 2.6.5
debug1: get_passwd: LookupAccountName() failed: 1332.
debug1: private host key #0: ssh-rsa SHA256:7bomFacw1cHpyMCnzLi3+G4HOicIv3jddTnWigJEjY4
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:va3LpBEn29gupfMrlqnUjl3/U9rav8tau3WfEmFEuzA
debug1: private host key #2: ssh-ed25519 SHA256:rx6LykIntPF00V4fTlv6mw8TlwL15iRBhhECrHRUEzA
debug1: rexec_argv[0]='sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 10.56.1.102 port 49808 on 10.57.16.149 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_for_Windows_7.9
debug1: match: OpenSSH_for_Windows_7.9 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.9
debug1: sshd version OpenSSH_for_Windows_7.9, LibreSSL 2.6.5
debug1: get_passwd: LookupAccountName() failed: 1332.
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user drmperf1\\\\administrator service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: get_passwd: LookupAccountName() failed: 1332.
Invalid user drmperf1\\administrator from 10.56.1.102 port 49808
debug1: authentication methods list 0: publickey
debug1: authentication methods list 0: publickey [preauth]
debug1: userauth-request for user drmperf1\\\\administrator service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:q46vzhlzMioBX9RHDS3L9WqgVvO07wIaXMPr3LKdNUU [preauth]
Connection reset by invalid user drmperf1\\\\administrator 10.56.1.102 port 49808 [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: Killing privsep child 4684

Edit: fixed by specifying administrator so it looked for the user administrator on the ssh server instead of the domain user I was logged on with, as the ssh server is not part of the same domain.


@NoMoreFood NoMoreFood commented Feb 12, 2019

Can you close the issue if you believe it to be resolved?


@schmitch schmitch commented Feb 13, 2019

Actually, since the problem was solved on my side and is probably a totally different issue than the others', I'm closing this.

@schmitch schmitch closed this Feb 13, 2019

@vagabond1132 vagabond1132 commented Feb 20, 2019

Are there any administrators_authorized_keys in the C:\ProgramData\ssh directory?

debug1: KEX done [preauth]
debug1: userauth-request for user administrator service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: user C:\\Users\\Administrator matched group list administrators at line 88
debug1: userauth-request for user administrator service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:o+WFqqS/UqUzbM3mhGY+oTiF0scZBatZKpnRgf0FCGQ [preauth]
debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
debug1: Could not open authorized keys '__PROGRAMDATA__/ssh/administrators_authorized_keys': No such file or directory
Failed publickey for administrator from 192.168.100.156 port 9223 ssh2: RSA SHA256:o+WFqqS/UqUzbM3mhGY+oTiF0scZBatZKpnRgf0FCGQ
debug1: userauth-request for user administrator service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 2 failures 1 [preauth]
debug1: keyboard-interactive devs  [preauth]
debug1: auth2_challenge: user=administrator devs= [preauth]


@jemiller0 jemiller0 commented Mar 7, 2019

Why is it looking under C:\ProgramData???? I am trying to login to my account, not administrator. My account is in the Administrator group. However, this is not how SSH works on Linux. It should be looking in my home directory in the .ssh directory. You would think this would be something that would be the first thing to get working by Microsoft. It's only one of the first things people want to do when setting up SSH.


@rkeithhill rkeithhill commented Apr 9, 2019

PubKey auth is still not working for quite a few folks. Not sure why this was closed. The most voted up response did not work for me. Seems like pubkey authentication is a bit of cluster-cuss in Windows OpenSSH. :-( For instance, why doesn't the OpenSSH Server feature create an empty administrators_authorized_keys file in the <ProgramData>\ssh dir with the appropriate permissions? Either that or comment out this in the sshd_config file:

Match Group administrators
      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Also, the opensshutils command Repair-AuthorizedKeyPermission hasn't been updated to work on this centralized version of the file.

The current setup for pubkey auth is not good. It does not put the user in the pit of success. More like the pit of despair. :-(


@kimreyio kimreyio commented Apr 16, 2019

The most upvoted didn't work for me, or following the instructions on MS's site. I think I also installed a psgallery script when it wasn't needed, or maybe even correct for my latest windows 10. Can we please get some concise direction on this issue?


@bobpepin bobpepin commented Apr 18, 2019

For a fresh installation inside VirtualBox, as of April 2019, the following worked for me:

  1. DO NOT follow the official M$ documentation at https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement
    1.a. DO NOT use Repair-AuthorizedKeyPermission
  2. DO comment out the section on administrators_authorized_keys at the end of \ProgramData\ssh\sshd_config
  3. DO put your public keys in $home/.ssh/authorized_keys (e.g. using scp with password auth)
  4. DO make sure the authorized_keys file has windows CRLF line endings

#MicrosoftDocs/windowsserverdocs#2171
#MicrosoftDocs/windowsserverdocs#1911

@hcho3 hcho3 commented May 12, 2019

@bobpepin Oh my God, you saved my day!


@mippos mippos commented May 15, 2019

I was also struggling with the c:\Users\<user>\.ssh\authorized_keys.

Running Repair-AuthorizedKeyPermission can be skipped, did not have any impact.

Commenting out the section on administrators_authorized_keys at the end of the \ProgramData\ssh\sshd_config file is recommended, but mandatory. This did not impact my issue. But when this config is enabled, an extra error appears in the sshd logs.

But ensure that the authorized_keys encoding is right, otherwise passwordless authentication does not work:

If I e.g. cat public keys to the file, encoding gets from:

cat .\id_rsa.pub > .\authorized_keys
file authorized_keys
authorized_keys: Little-endian UTF-16 Unicode text, with very long lines, with CR line terminators
file authorized_keys
authorized_keys: OpenSSH RSA public key

vim .\authorized_keys # Or notepad etc.
file authorized_keys
authorized_keys: Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators

To correct the file encoding, use dos2unix:

dos2unix.exe authorized_keys
dos2unix: converting UTF-16LE file .\authorized_keys to ANSI_X3.4-1968 Unix format...

Check that the file encoding is correct:

file authorized_keys
authorized_keys: OpenSSH RSA public key
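As an added example (not from this thread or the OpenSSH project), the following Python checker looks for the file problems reported above by adilinden ("line 1 exceeds size limit") and mippos (UTF-16 output from PowerShell redirection, CR/CRLF endings): it flags encoding and line-ending issues, over-long lines and malformed key lines, and prints the SHA256 fingerprint sshd would log for each valid key. The sample lines are constructed with an all-zero placeholder key, and the 8192-byte limit is upstream OpenSSH's SSH_MAX_PUBKEY_BYTES; lines with leading key options are not handled.

```python
"""Inspect an authorized_keys file for the pitfalls reported in this thread:
UTF-16 encoding and CR/CRLF endings (PowerShell redirection, Notepad),
over-long lines, and lines that are not well-formed OpenSSH public keys."""
import base64
import binascii
import codecs
import hashlib
import struct

# Upstream sshd reads each key line into a buffer of SSH_MAX_PUBKEY_BYTES (8192)
# and rejects a line with no newline inside it as "exceeds size limit".
MAX_LINE_BYTES = 8192


def inspect_authorized_keys(data: bytes) -> dict:
    """Return {"findings": [str, ...], "keys": [(key_type, "SHA256:..."), ...]}."""
    findings = []
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        findings.append("utf16-bom")  # what Windows PowerShell 5 '>' writes
        text = data.decode("utf-16")
    elif b"\x00" in data:
        findings.append("nul-bytes")  # UTF-16 without a BOM, or binary junk
        text = data.decode("utf-16-le", errors="replace")
    else:
        text = data.decode("utf-8-sig", errors="replace")  # tolerates a UTF-8 BOM
    if "\r\n" in text:
        findings.append("crlf-line-endings")
    elif "\r" in text:
        findings.append("cr-line-endings")
    for lineno, raw in enumerate(data.split(b"\n"), 1):
        if len(raw) >= MAX_LINE_BYTES - 1:  # fgets() would stop before the newline
            findings.append(f"line {lineno} exceeds size limit")

    keys = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Expected shape: "<type> <base64 blob> [comment]". Lines carrying
        # leading options (e.g. "no-pty ...") are not handled by this checker.
        parts = line.split(None, 2)
        if len(parts) < 2:
            findings.append(f"line {lineno}: not '<type> <base64> [comment]'")
            continue
        ktype, b64 = parts[0], parts[1]
        try:
            blob = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            findings.append(f"line {lineno}: key blob is not valid base64")
            continue
        # A key blob begins with a length-prefixed copy of its type string;
        # a mismatch means the line was truncated, wrapped or hand-edited.
        (n,) = struct.unpack(">I", blob[:4]) if len(blob) >= 4 else (0,)
        if n == 0 or blob[4:4 + n] != ktype.encode():
            findings.append(f"line {lineno}: blob does not match type {ktype}")
            continue
        fp = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=")
        keys.append((ktype, "SHA256:" + fp.decode()))  # same form sshd logs
    return {"findings": findings, "keys": keys}


def sample_line() -> str:
    """Constructed ed25519-shaped line: real wire format, all-zero (fake) key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " user@example"


SAMPLE_GOOD = (sample_line() + "\n").encode("utf-8")
SAMPLE_CRLF = (sample_line() + "\r\n").encode("utf-8")  # Notepad-style endings
# What `echo $null > .ssh\authorized_keys` plus a Notepad edit tends to leave: UTF-16LE+BOM, CRLF
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + (sample_line() + "\r\n").encode("utf-16-le")
```

Feed it the raw bytes of a real authorized_keys file (`open(path, "rb").read()`); an empty findings list and one fingerprint per expected key is the state sshd accepts.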


@Adnn Adnn commented May 20, 2019

This should not be closed, since the issue exactly as described here, "Pub key auth not working", is always the case when following the official instructions for an administrator user (and Repair-AuthorizedKeyPermission currently makes things worse).
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement


@yobyot yobyot commented Jun 8, 2019

I agree completely with @Adnn. The doc is a disaster and it's impossible to use key-only authentication with OpenSSH server on Windows Server 2019 (non-core). I've been trying for three days, then found this incident which also hasn't helped.

If this is a supported port for Windows Server, it needs detailed doc that is correct along with working examples. Otherwise, the current state of the port is bound to disappoint -- even infuriate -- people trying to set up public key-only authentication. That's the default for things like EC2 instances and Azure VMs and doing it for Windows Server should be cut-and-dried.

As it now stands, I don't think anyone really knows how to set this up correctly and securely.


@manojampalam manojampalam commented Jun 10, 2019

@maertendMSFT can you follow up on fixing documentation at
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement

OpenSSHUtils module should be deprecated.

@devopsmikey devopsmikey commented Jun 12, 2019

This is what got me working. Staring at C:\ProgramData\ssh\sshd_config I noticed this line was commented!!!

#PubkeyAuthentication yes

No idea how that happened; my box was pre-imaged. I uncommented that, plus ensured that these two lines in the config file were commented out:

#Match Group administrators
#      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

I then restarted with:

Restart-Service -Name sshd, ssh-agent -Force

And now it's working. OMG what a battle. Huge thanks to everyone who's posting here.


@jfromaniello jfromaniello commented Jul 1, 2019

I initially installed with Add-WindowsCapability and I couldn't make it work even following everything in this thread, I suspect that something in the binary is broken. Here is how I make it work:

(caveat you need chocolatey)

First remove the windows capability:

Remove-WindowsCapability -Online -Name "OpenSSH.Client~~~~0.0.1.0"
Remove-WindowsCapability -Online -Name "OpenSSH.Server~~~~0.0.1.0"

Then install openssh latest version with chocolatey:

choco install openssh -params '"/SSHServerFeature /KeyBasedAuthenticationFeature /SSHAgentFeature"'

@mippos mippos commented Jul 3, 2019

Excellent @jfromaniello! I had big problems getting the Windows capability to work on one machine, but choco's package with those parameters works perfectly.


@andreasRu andreasRu commented Jul 31, 2019

Just to add some information: If StrictModes is set to yes, you should verify file permissions as follows.

Option I:

  1. Comment out AuthorizedKeysFile in sshd_config. That will make ssh get the default authorized_keys file from the home directory of the user that is logging in.

  2. That would be:
    C:\Users\username\.ssh\authorized_keys

File permissions for strictmode to work:
C:\Users\username\.ssh\
C:\Users\username\.ssh\authorized_keys
The default inherited file permission of the users home directory should work.

OPTION II:
In some cases, and when you want to skip that and force only one central authorized_keys file to be read, do as follows:

  1. Set AuthorizedKeysFile in sshd_config to:
    AuthorizedKeysFile __PROGRAMDATA__/ssh/.ssh/authorized_keys

  2. Put the authorized_key file in a directory named .ssh (create the directory .ssh if necessary):
    C:\ProgramData\ssh\.ssh\authorized_keys

  3. Set file permission to work with strictmode as follows:

  • remove the group "authenticated users" from the folder C:\ProgramData\ssh\.ssh\
  • remove the group "authenticated users" from the file C:\ProgramData\ssh\.ssh\authorized_keys
    The group "authenticated users" was what made strictmode block public key authentication.
  4. For additional security, set the permissions of folder and file to the SYSTEM group and the accessing user to READ ONLY. No other users or groups should be defined there unless you want someone to access with a second administrator account using public key authentication. Otherwise do it as described in OPTION I.

Hope that helps others a little.
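To make the Match-block behaviour discussed above (rkeithhill's and vagabond1132's comments, and both of andreasRu's options) concrete, here is an added Python example, not from the thread or the OpenSSH project, that parses an sshd_config and reports which authorized_keys path sshd will consult for a given user and group membership. SAMPLE_CONFIG and FIXED_CONFIG are constructed stand-ins for the stock and edited Windows configs; only User and Group criteria are modelled, and expanding __PROGRAMDATA__ to C:/ProgramData is an assumption about how the Windows port resolves that token.

```python
"""Resolve which authorized_keys file(s) sshd will consult for a login, following the
Match-block rules behind this thread's confusion: keywords after a `Match` line apply
only to matching connections, until the next `Match`, and override the global value;
a `#` line is inert, so sshd falls back to its built-in default for that keyword."""
import fnmatch
import re

# Constructed stand-in for the stock Windows sshd_config quoted in the thread.
SAMPLE_CONFIG = """\
#PubkeyAuthentication yes
#PasswordAuthentication yes
AuthorizedKeysFile\t.ssh/authorized_keys
Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
"""
# The same file after the edits several commenters settled on.
FIXED_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
AuthorizedKeysFile\t.ssh/authorized_keys
#Match Group administrators
#      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
"""


def parse_sshd_config(text):
    """Return (global settings, [(match criteria, block settings), ...]); keywords are
    lower-cased and, as in sshd, the first occurrence within a scope wins."""
    global_settings, blocks = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines contribute nothing
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        keyword, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            blocks.append((value.split(), {}))  # everything below belongs to this block
        else:
            scope = blocks[-1][1] if blocks else global_settings
            scope.setdefault(keyword, value)
    return global_settings, blocks


def match_applies(criteria, user, groups):
    """Evaluate a Match line's criteria/pattern pairs for one login."""
    for crit, patterns in zip(criteria[0::2], criteria[1::2]):
        if crit.lower() not in ("user", "group"):
            return False  # Address, Host, ... are not modelled; treat as no match
        candidates = [user.lower()] if crit.lower() == "user" else [g.lower() for g in groups]
        if not any(fnmatch.fnmatchcase(c, p) for c in candidates for p in patterns.lower().split(",")):
            return False
    return True


def effective_settings(text, user, groups, home, programdata="C:/ProgramData"):
    """Apply satisfied Match blocks over the globals and expand AuthorizedKeysFile."""
    settings, blocks = parse_sshd_config(text)
    overrides = {}
    for criteria, block in blocks:
        if match_applies(criteria, user, groups):
            for keyword, value in block.items():
                overrides.setdefault(keyword, value)  # earliest satisfied block wins
    settings.update(overrides)  # Match values override the global ones
    files = []
    for token in settings.get("authorizedkeysfile", ".ssh/authorized_keys .ssh/authorized_keys2").split():
        path = token.replace("__PROGRAMDATA__", programdata).replace("%h", home).replace("%u", user)
        if not (path.startswith("/") or re.match(r"^[A-Za-z]:", path)):
            path = home.rstrip("/\\") + "/" + path  # relative paths live under the home dir
        files.append(path)
    return {"pubkey": settings.get("pubkeyauthentication", "yes"),
            "password": settings.get("passwordauthentication", "yes"),
            "authorized_keys_files": files}
```

Running it with the stock config for a member of `administrators` yields the central file under ProgramData, which is why a key placed in `$home\.ssh\authorized_keys` is never read until the Match block is commented out.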


@teutat3s teutat3s commented Aug 7, 2019

Thank you all for your input. I managed to get the

Match Group administrators
        AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

shipped with the original sshd_config file working.

  • I scp'd the pub key file from a macOS machine, opened it once in notepad, saved (don't know if that was necessary).

  • Then changed permissions of administrators_authorized_keys file: Set Owner to SYSTEM and removed Authenticated User from the list.

Hope this helps someone getting this to work, too.


@mcxiaoke mcxiaoke commented Aug 31, 2019

> This is what got me working. Staring at C:\ProgramData\ssh\sshd_config I noticed this line was commented!!!
>
> #PubkeyAuthentication yes
>
> No idea how that happened; my box was pre-imaged. I uncommented that, plus ensured that these two lines in the config file were commented out:
>
> #Match Group administrators
> #      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
>
> I then restarted with:
>
> Restart-Service -Name sshd, ssh-agent -Force
>
> And now it's working. OMG what a battle. Huge thanks to everyone who's posting here.

thanks, simple solution, but worked for me!


@thatreguy thatreguy commented Jan 1, 2020

> This is what got me working. Staring at C:\ProgramData\ssh\sshd_config I noticed this line was commented!!!
>
> #PubkeyAuthentication yes
>
> No idea how that happened; my box was pre-imaged. I uncommented that, plus ensured that these two lines in the config file were commented out:
>
> #Match Group administrators
> #      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
>
> I then restarted with:
>
> Restart-Service -Name sshd, ssh-agent -Force
>
> And now it's working. OMG what a battle. Huge thanks to everyone who's posting here.

This. I simply do not get why someone would disable PubkeyAuthentication by default. Probably an oversight just like the useless OpenSSH {client|server} optional feature offered by MS!


@jeremybusk jeremybusk commented Jan 9, 2020

This still isn't working for me. It really is sad it is this hard and no ssh-copy-id.


@bagajjal bagajjal commented Jan 9, 2020

@jeremybusk - Please share the ssh client logs (ssh.exe -vvv user@ip) and the sshd.log with DEBUG3 enabled.

If the "%programdata%\ssh\sshd_config" file doesn't have the below config, then add it and restart the sshd service (net stop sshd; net start sshd):
SyslogFacility LOCAL0
LogLevel DEBUG3

The sshd.log file will be at %programdata%\ssh\logs directory.


@AlexeyNovikov AlexeyNovikov commented Feb 22, 2020

Solution

For sshd-config do the following changes:

  1. Comment this one:
#Match Group administrators
#      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
  2. Uncomment these two:
PubkeyAuthentication yes
PasswordAuthentication no

Then open PowerShell as Admin and restart service:
Restart-Service sshd

Then through GUI.
For .ssh folder and authorized_keys file do the following:

  1. Properties -> Security -> Advanced -> Disable inheritance -> Convert inherited permissions into explicit permissions on this object.
  2. Then delete all users(groups) except:
  • System
  • Administrators
  • current user

@craigthackerx craigthackerx commented Feb 26, 2020

> Solution
>
> For sshd-config do the following changes:
>
>   1. Comment this one:
> #Match Group administrators
> #      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
>   2. Uncomment these two:
> PubkeyAuthentication yes
> PasswordAuthentication no
>
> Then open PowerShell as Admin and restart service:
> Restart-Service sshd
>
> Then through GUI.
> For .ssh folder and authorized_keys file do the following:
>
>   1. Properties -> Security -> Advanced -> Disable inheritance -> Convert inherited permissions into explicit permissions on this object.
>   2. Then delete all users(groups) except:
>   • System
>   • Administrators
>   • current user

Worked for me. Cheers.


@Jihadist Jihadist commented Mar 28, 2020

> Solution
>
> For sshd-config do the following changes:
>
>   1. Comment this one:
> #Match Group administrators
> #      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
>   2. Uncomment these two:
> PubkeyAuthentication yes
> PasswordAuthentication no
>
> Then open PowerShell as Admin and restart service:
> Restart-Service sshd
>
> Then through GUI.
> For .ssh folder and authorized_keys file do the following:
>
>   1. Properties -> Security -> Advanced -> Disable inheritance -> Convert inherited permissions into explicit permissions on this object.
>   2. Then delete all users(groups) except:
>   • System
>   • Administrators
>   • current user

Did all of this and it didn't work for me.
P.S. StrictModes no tried too
