Unable to authenticate when sshd_config is using Match Group administrators in a domain configuration #2254
Comments
I also tried after making PowerShell v7 the default shell for SSH connection and also trying to use PowerShell SSH Remoting. I get the same results as described in my post above. The first connection attempt (unsuccessful / asking for USER password) shown in the screenshot is when using the Match Group administrators SSH configuration. The second connection attempt (successful / only asking for the SSH key passphrase) in the screenshot is when the Match Group administrators SSH configuration is commented out.
Can you provide the logs from the SSH server when the public key login is not accepted?
I will work on this and paste as soon as I am able (hope to get this by the end of this week). Thanks!
I stopped the SSH service and I enabled SSH DEBUG logging in the sshd_config file. The entries in the sshd_config file look like this:
I restarted the SSH service with a blank administrators_authorized_keys file and then ran these commands (as per the documentation in Key-based authentication in OpenSSH for Windows):
I was prompted for my password (expected) which then copied over the public key into the administrators_authorized_keys file (expected). I validated that the public key was copied over. Then I attempted to SSH to the machine (the machine is a Domain Controller) using the command:
I was prompted for my password (not expected). The logs below encompass the password logon when I copied over the public key and the attempted logon after the public key was copied over.
Please let me know what else you may need and/or what you would like me to do in an attempt to get this to work properly. Thanks, Robert
The logs below are after I stopped the SSH service, deleted the sshd.log file, commented out these lines in the sshd_config file and then restarted the ssh service:
The connection was from the same system as above using the same user account as above and using the same SSH public and private key as above. I ran these commands (as per the documentation in Key-based authentication in OpenSSH for Windows):
Then I connected to the remote machine using the standard SSH command:
and the connection was successful. So, a connection when using the Match Group administrators using an account that is a Domain Admin and an SSH key was not able to log in, but the same account was able to log in using an SSH key when that public key was in their `$HOMEDIR\.ssh\authorized_keys` file but not using the same public SSH key when in the `__PROGRAMDATA__/ssh/administrators_authorized_keys` file.
@jborean93 - thanks for the response! A) As noted in my post I got the commands from the Microsoft documentation here. I did not link it before, I just referred to the name of the article - Key-based authentication in OpenSSH for Windows
I have tried this numerous times and get the same result (one that I had gotten before when playing around with the quotes)
D) I should be able to eliminate all of this PowerShell key copying and just copy the public key to the administrators_authorized_keys file and have the connection work. That is not working for me either.
Please fix this!
Additional info: I just reverted back to the original PowerShell commands posted on the Key-based authentication in OpenSSH for Windows page
This command works and it is entering the SSH public key correctly. But the key based authentication is still not working.
Successful commands run to add SSH public key on SSH client side (the second command after the ssh-copy-id command was typed and executed; the error seen above is the error experience described in the response directly above).
Key correctly entered into the remote system's authorized keys file.
FYI - SSH keys only good for my very segregated VM test environment ;-)
My apologies, it must work and be needed if the default shell is
I think I see what the problem is, I think something has either created the file with Unicode/UTF-16-LE encoding or you have a default parameter value set for You can prove it by doing
But in your case it's probably looking like this with
Adding
You are correct ... the issue is solved. I believe that I know why it happened. I do not believe that any documentation changes need to be made on the Microsoft side for the I do want to reiterate that this crazy PowerShell command to copy a key from a remote system (essentially a replacement for the There are so many problems with the
I am pretty well versed in SSH on Linux and Mac systems and have been a Windows security engineer for over 20 years and I am very well versed and comfortable at the command line. When I compare the experience of copying keys from a remote Linux system to another Linux system it is a piece of cake. When doing this from a Windows system ... not so much. I have a goal of transitioning our environment to using PowerShell remoting over SSH as much as possible so I am going to have to train a bunch of Windows admins, many of whom have zero to very little experience with SSH, to understand and use this. In the end it should make things easier and more secure but this SSH key stuff .... grrrrrrrrrrrrrrrrrrrrrr ... this is kludgy at best! IMHO I am going to ask for another meeting with Danny to discuss this. @jborean93 - Thanks very much!
Agreed on all points there :) Glad it's starting to work for you though.
So here is what happened:
Had no idea that the result would be anything but a normal blank file. But you (@jborean93) noticed that the file was not UTF-8. This seems kind of crazy to me since echoing something to a file is about as old school as it gets. So, if you do this instead you get a file that is acceptable, one that works without issues with Windows OpenSSH.
All I am trying to do here is figure out the best way of populating large numbers of SSH public keys for administrators (probably in an automated manner so it would not be using the documented PowerShell command). Right now this is just testing to develop a possible method. Ultimately we need to be able to manage these keys as new users (administrators or otherwise) need to be added and also removed. As a large enterprise, we do not want users to be spewing SSH keys all over the place without there being some kind of management of them.
We will discuss adding the encoding ASCII to the docs, or other solutions with creating the file automatically. Closing this as answered. |
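The root cause the thread settles on is a file-encoding trap, not a domain or Match-block problem: in Windows PowerShell 5.1 the `>` redirection operator goes through Out-File, whose default encoding is UTF-16 LE with a byte-order mark, and sshd reads authorized_keys as plain text, so every key line in such a file is silently unusable. The PowerShell below is an added example, not code from the thread or from the PowerShell/Win32-OpenSSH project. It assumes an elevated Windows PowerShell 5.1 session on the SSH server (PowerShell 7 defaults to UTF-8 without a BOM, so the same redirection is harmless there); the `Get-AuthorizedKeysEncoding` function and the placeholder public key are constructed for the demo, while the `Match Group administrators` lines and the icacls ACL reset are the ones shipped with Windows OpenSSH and its documentation.

```powershell
# Added example (not from the thread or the Win32-OpenSSH project): reproduce the
# UTF-16 administrators_authorized_keys trap from this issue and fix it.
# Assumes an elevated Windows PowerShell 5.1 session on the SSH server, where
# '>' and Out-File default to UTF-16 LE with a BOM.

$keysFile = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'

# Default Windows sshd_config lines that make sshd read this shared file, instead
# of %USERPROFILE%\.ssh\authorized_keys, for members of the Administrators group
# (the lines the reporter was commenting in and out):
#
#   Match Group administrators
#          AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

# Constructed public key for the demo; the key material is a placeholder, not a real key.
$pubKey = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialForThisExampleOnly0 rstrom@client'

function Get-AuthorizedKeysEncoding {
    # Classify the file by its leading bytes. sshd parses authorized_keys as plain
    # text, so a UTF-16 BOM (FF FE) means none of the key lines will ever match.
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) { return 'UTF-16 LE with BOM' }
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) { return 'UTF-16 BE with BOM' }
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) { return 'UTF-8 with BOM' }
    foreach ($b in $bytes) { if ($b -gt 0x7F) { return 'contains non-ASCII bytes' } }
    return 'ASCII'
}

# 1. The trap: create an "empty" file the old-school way.
'' > $keysFile
Get-AuthorizedKeysEncoding -Path $keysFile          # UTF-16 LE with BOM
Format-Hex -Path $keysFile | Select-Object -First 1  # FF FE 0D 00 0A 00: BOM plus a UTF-16 CRLF

# 2. The fix: create the file without a BOM and append keys with an explicit encoding.
Remove-Item -Path $keysFile
New-Item -Path $keysFile -ItemType File | Out-Null          # zero bytes, no BOM
Add-Content -Path $keysFile -Value $pubKey -Encoding Ascii  # '-Encoding Ascii' is the point
Get-AuthorizedKeysEncoding -Path $keysFile                  # ASCII

# 3. sshd also refuses the file if anyone other than Administrators and SYSTEM can
#    write to it; this is the ACL reset the Windows OpenSSH docs prescribe.
icacls.exe $keysFile /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null

# Sanity check before reconnecting: the key should now be one readable text line.
Get-Content -Path $keysFile
```

Two practical notes. First, the same check is worth running against any file an automation pipeline drops into `%ProgramData%\ssh`: Out-File and `>` are the usual culprits, but a `$PSDefaultParameterValues` entry that overrides `-Encoding` for Out-File, Set-Content or Add-Content will produce the same result from a command that looks correct. Second, the non-domain-joined server in the report worked for the same reason the domain-joined one failed: the file on that host happened to be written without a BOM, not because the `Match Group administrators` block behaves differently for domain accounts.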
Prerequisites
Steps to reproduce
I am testing the latest version of Windows OpenSSH, v9.5.0.0p1 on Windows Server 2022. I have done the following:
FixHostFilePermissions.ps1
FixUserFilePermissions.ps1
to ensure that the user's permissions for the SSH files are correct.
Now uncomment the lines and restart the sshd service.
Unsuccessful authentication from a Windows system when the Match Group administrators lines are NOT commented out. Asking for the local password (not the SSH key password).
I have also tested this on a Windows Server 2022 that is NOT domain joined and I can log in using SSH keys when the Match Group administrators lines are NOT commented out
For the domain joined system I have tried the following domain name / user name schemes. All DO work when the Match Group administrators lines are commented out and all DO NOT work when the Match Group administrators lines are NOT commented out
2022testing\rstrom@server2022.2022testing.local
2022testing\rstrom@server2022
rstrom@2022testing.local@server2022
rstrom@server2022
Expected behavior
SSH key based authentication works for both domain joined and non-domain joined systems when using the **Match Group administrators** SSH configuration
Actual behavior
SSH key based authentication is only working as expected for a non-domain-joined system when using the **Match Group administrators** SSH configuration
Error details
No response
Environment data
Version
OpenSSH v9.5.0.0p1
Visuals
No response