PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

PubKey Auth not working #1306

Closed schmitch closed 5 years ago

schmitch commented 5 years ago

"OpenSSH for Windows" version ((Get-Item (Get-Command sshd).Source).VersionInfo.FileVersion): 7.7.2.2

Server OperatingSystem ((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows nt\CurrentVersion\" -Name ProductName).ProductName): Windows Server 2019 Standard

Client OperatingSystem: macOS Mojave Version 10.14.1; ssh -V: OpenSSH_7.8p1, LibreSSL 2.7.3

What is failing: PubKey Authentication with ed25519

Expected output: Successful Login over PubKey

Actual output: Permission Denied

Additional Data: Currently I'm trying to achieve PubKey Authentication against a Windows Server 2019, however I could not get it to work. I actually created an ed25519 key and put it into the correct folder C:\Users\Administrator\.ssh\authorized_keys. However it just does not work. What is even stranger is the Windows Server debug output (ProgramData?!):

PS C:\Users\Administrator\unzipped> sshd -d
debug1: sshd version OpenSSH_for_Windows_7.7, LibreSSL 2.6.5
debug1: private host key #0: ssh-rsa SHA256:PNoOxXBKB4SCOQougpsAZ9bUnku658ur9+wucTvsGSc
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:GKf1jbg/+ayrPx+MOCTeCSBgJze/9R7kVYdw4WcEMU8
debug1: private host key #2: ssh-ed25519 SHA256:q8Rqf9l/eUiPMx9YfVSd3mQKxm/2Detld2UgLmIPyLU
debug1: rexec_argv[0]='C:\\Windows\\System32\\OpenSSH\\sshd.exe'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.179.152 port 61251 on 192.168.179.249 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_7.8
debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: sshd version OpenSSH_for_Windows_7.7, LibreSSL 2.6.5
debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user Administrator service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: user C:\\Users\\Administrator matched group list administrators at line 84
debug1: userauth-request for user Administrator service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: userauth_pubkey: test pkalg ssh-ed25519 pkblob ED25519 SHA256:2nXx9fR4uOi8KRult6QjtZEvaTHIqH7i4cAv7qg3gSA [preauth]
debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
debug1: Could not open authorized keys '__PROGRAMDATA__/ssh/administrators_authorized_keys': No such file or directory
Failed publickey for Administrator from 192.168.179.152 port 61251 ssh2: ED25519 SHA256:2nXx9fR4uOi8KRult6QjtZEvaTHIqH7i4cAv7qg3gSA
Connection closed by authenticating user Administrator 192.168.179.152 port 61251 [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: Killing privsep child 1996

Client Verbose Output:

schmitch@tokio:~$ ssh -vvvv ci02
OpenSSH_7.8p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/schmitch/.ssh/config
debug1: /Users/schmitch/.ssh/config line 34: Applying options for ci02
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.179.249 is address
debug2: ssh_connect_direct
debug1: Connecting to 192.168.179.249 [192.168.179.249] port 22.
debug1: Connection established.
debug1: identity file /Users/schmitch/.ssh/windows type 3
debug1: identity file /Users/schmitch/.ssh/windows-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_7.7
debug1: match: OpenSSH_for_Windows_7.7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.179.249:22 as 'Administrator'
debug3: hostkeys_foreach: reading file "/Users/schmitch/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/schmitch/.ssh/known_hosts:155
debug3: load_hostkeys: loaded 1 keys from 192.168.179.249
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:GKf1jbg/+ayrPx+MOCTeCSBgJze/9R7kVYdw4WcEMU8
debug3: hostkeys_foreach: reading file "/Users/schmitch/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/schmitch/.ssh/known_hosts:155
debug3: load_hostkeys: loaded 1 keys from 192.168.179.249
debug1: Host '192.168.179.249' is known and matches the ECDSA host key.
debug1: Found key in /Users/schmitch/.ssh/known_hosts:155
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /Users/schmitch/.ssh/windows (0x7fc576c07060), explicit
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: ED25519 SHA256:2nXx9fR4uOi8KRult6QjtZEvaTHIqH7i4cAv7qg3gSA /Users/schmitch/.ssh/windows
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Administrator@192.168.179.249: Permission denied (publickey,password,keyboard-interactive).

My PubKey lies at C:\Users\Administrator\.ssh\authorized_keys

according to https://docs.microsoft.com/de-de/windows-server/administration/openssh/openssh_keymanagement

schmitch commented 5 years ago

i.e. copying the pubkey to C:\ProgramData\ssh\administrator_authorized_keys does not resolve the problem either

schmitch commented 5 years ago

I found that the SSH Config contained something like:

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

however even when commenting it out, it still does not work.

3544 2018-12-14 15:06:37.650 debug2: fd 3 setting O_NONBLOCK
3544 2018-12-14 15:06:37.650 debug3: sock_set_v6only: set socket 3 IPV6_V6ONLY
3544 2018-12-14 15:06:37.650 debug1: Bind to port 22 on ::.
3544 2018-12-14 15:06:37.650 Server listening on :: port 22.
3544 2018-12-14 15:06:37.650 debug2: fd 4 setting O_NONBLOCK
3544 2018-12-14 15:06:37.650 debug1: Bind to port 22 on 0.0.0.0.
3544 2018-12-14 15:06:37.650 Server listening on 0.0.0.0 port 22.
3544 2018-12-14 15:06:40.670 debug3: fd 5 is not O_NONBLOCK
3544 2018-12-14 15:06:40.672 debug3: spawning "C:\\Windows\\System32\\OpenSSH\\sshd.exe" "-R"
3544 2018-12-14 15:06:40.675 debug3: send_rexec_state: entering fd = 8 config len 394
3544 2018-12-14 15:06:40.675 debug3: ssh_msg_send: type 0
3544 2018-12-14 15:06:40.675 debug3: send_rexec_state: done
2664 2018-12-14 15:06:40.721 debug1: inetd sockets after dupping: 3, 3
2664 2018-12-14 15:06:40.721 Connection from 192.168.179.152 port 65269 on 192.168.179.249 port 22
2664 2018-12-14 15:06:40.721 debug1: Client protocol version 2.0; client software version OpenSSH_7.8
2664 2018-12-14 15:06:40.721 debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
2664 2018-12-14 15:06:40.721 debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
2664 2018-12-14 15:06:40.722 debug2: fd 3 setting O_NONBLOCK
2664 2018-12-14 15:06:40.728 debug3: spawning "C:\\Windows\\System32\\OpenSSH\\sshd.exe" "-y"
2664 2018-12-14 15:06:40.730 debug2: Network child is on pid 2700
2664 2018-12-14 15:06:40.731 debug3: send_rexec_state: entering fd = 6 config len 394
2664 2018-12-14 15:06:40.731 debug3: ssh_msg_send: type 0
2664 2018-12-14 15:06:40.731 debug3: send_rexec_state: done
2664 2018-12-14 15:06:40.731 debug3: ssh_msg_send: type 0
2664 2018-12-14 15:06:40.731 debug3: ssh_msg_send: type 0
2664 2018-12-14 15:06:40.731 debug3: preauth child monitor started
2664 2018-12-14 15:06:40.756 debug3: list_hostkey_types: ssh-dss key not permitted by HostkeyAlgorithms [preauth]
2664 2018-12-14 15:06:40.756 debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
2664 2018-12-14 15:06:40.756 debug3: send packet: type 20 [preauth]
2664 2018-12-14 15:06:40.756 debug1: SSH2_MSG_KEXINIT sent [preauth]
2664 2018-12-14 15:06:40.756 debug3: receive packet: type 20 [preauth]
2664 2018-12-14 15:06:40.756 debug1: SSH2_MSG_KEXINIT received [preauth]
2664 2018-12-14 15:06:40.756 debug2: local server KEXINIT proposal [preauth]
2664 2018-12-14 15:06:40.756 debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 [preauth]
2664 2018-12-14 15:06:40.756 debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
2664 2018-12-14 15:06:40.756 debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
2664 2018-12-14 15:06:40.756 debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
2664 2018-12-14 15:06:40.756 debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
2664 2018-12-14 15:06:40.756 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
2664 2018-12-14 15:06:40.756 debug2: compression ctos: none [preauth]
2664 2018-12-14 15:06:40.756 debug2: compression stoc: none [preauth]
2664 2018-12-14 15:06:40.756 debug2: languages ctos:  [preauth]
2664 2018-12-14 15:06:40.756 debug2: languages stoc:  [preauth]
2664 2018-12-14 15:06:40.756 debug2: first_kex_follows 0  [preauth]
2664 2018-12-14 15:06:40.756 debug2: reserved 0  [preauth]
2664 2018-12-14 15:06:40.756 debug2: peer client KEXINIT proposal [preauth]
2664 2018-12-14 15:06:40.756 debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c [preauth]
2664 2018-12-14 15:06:40.756 debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa [preauth]
2664 2018-12-14 15:06:40.756 debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
2664 2018-12-14 15:06:40.757 debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
2664 2018-12-14 15:06:40.757 debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
2664 2018-12-14 15:06:40.757 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
2664 2018-12-14 15:06:40.757 debug2: compression ctos: none,zlib@openssh.com,zlib [preauth]
2664 2018-12-14 15:06:40.757 debug2: compression stoc: none,zlib@openssh.com,zlib [preauth]
2664 2018-12-14 15:06:40.757 debug2: languages ctos:  [preauth]
2664 2018-12-14 15:06:40.757 debug2: languages stoc:  [preauth]
2664 2018-12-14 15:06:40.757 debug2: first_kex_follows 0  [preauth]
2664 2018-12-14 15:06:40.757 debug2: reserved 0  [preauth]
2664 2018-12-14 15:06:40.757 debug1: kex: algorithm: curve25519-sha256 [preauth]
2664 2018-12-14 15:06:40.757 debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
2664 2018-12-14 15:06:40.757 debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
2664 2018-12-14 15:06:40.757 debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
2664 2018-12-14 15:06:40.757 debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
2664 2018-12-14 15:06:40.760 debug3: receive packet: type 30 [preauth]
2664 2018-12-14 15:06:40.768 debug3: mm_key_sign entering [preauth]
2664 2018-12-14 15:06:40.768 debug3: mm_request_send entering: type 6 [preauth]
2664 2018-12-14 15:06:40.768 debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
2664 2018-12-14 15:06:40.768 debug3: mm_request_receive_expect entering: type 7 [preauth]
2664 2018-12-14 15:06:40.768 debug3: mm_request_receive entering [preauth]
2664 2018-12-14 15:06:40.768 debug3: mm_request_receive entering
2664 2018-12-14 15:06:40.768 debug3: monitor_read: checking request 6
2664 2018-12-14 15:06:40.769 debug3: mm_answer_sign
2664 2018-12-14 15:06:40.770 debug3: mm_answer_sign: hostkey proof signature 000001683069E4C0(101)
2664 2018-12-14 15:06:40.770 debug3: mm_request_send entering: type 7
2664 2018-12-14 15:06:40.770 debug2: monitor_read: 6 used once, disabling now
2664 2018-12-14 15:06:40.770 debug3: send packet: type 31 [preauth]
2664 2018-12-14 15:06:40.770 debug3: send packet: type 21 [preauth]
2664 2018-12-14 15:06:40.770 debug2: set_newkeys: mode 1 [preauth]
2664 2018-12-14 15:06:40.770 debug1: rekey after 134217728 blocks [preauth]
2664 2018-12-14 15:06:40.770 debug1: SSH2_MSG_NEWKEYS sent [preauth]
2664 2018-12-14 15:06:40.770 debug1: expecting SSH2_MSG_NEWKEYS [preauth]
2664 2018-12-14 15:06:40.770 debug3: send packet: type 7 [preauth]
2664 2018-12-14 15:06:40.778 debug3: receive packet: type 21 [preauth]
2664 2018-12-14 15:06:40.778 debug1: SSH2_MSG_NEWKEYS received [preauth]
2664 2018-12-14 15:06:40.778 debug2: set_newkeys: mode 0 [preauth]
2664 2018-12-14 15:06:40.778 debug1: rekey after 134217728 blocks [preauth]
2664 2018-12-14 15:06:40.778 debug1: KEX done [preauth]
2664 2018-12-14 15:06:40.789 debug3: receive packet: type 5 [preauth]
2664 2018-12-14 15:06:40.789 debug3: send packet: type 6 [preauth]
2664 2018-12-14 15:06:40.789 debug3: receive packet: type 50 [preauth]
2664 2018-12-14 15:06:40.789 debug1: userauth-request for user Administrator service ssh-connection method none [preauth]
2664 2018-12-14 15:06:40.789 debug1: attempt 0 failures 0 [preauth]
2664 2018-12-14 15:06:40.789 debug3: mm_getpwnamallow entering [preauth]
2664 2018-12-14 15:06:40.789 debug3: mm_request_send entering: type 8 [preauth]
2664 2018-12-14 15:06:40.789 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
2664 2018-12-14 15:06:40.789 debug3: mm_request_receive_expect entering: type 9 [preauth]
2664 2018-12-14 15:06:40.789 debug3: mm_request_receive entering [preauth]
2664 2018-12-14 15:06:40.789 debug3: mm_request_receive entering
2664 2018-12-14 15:06:40.789 debug3: monitor_read: checking request 8
2664 2018-12-14 15:06:40.789 debug3: mm_answer_pwnamallow
2664 2018-12-14 15:06:40.790 debug2: parse_server_config: config reprocess config len 394
2664 2018-12-14 15:06:40.790 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
2664 2018-12-14 15:06:40.790 debug3: mm_request_send entering: type 9
2664 2018-12-14 15:06:40.791 debug2: monitor_read: 8 used once, disabling now
2664 2018-12-14 15:06:40.791 debug2: input_userauth_request: setting up authctxt for Administrator [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_inform_authserv entering [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_request_send entering: type 4 [preauth]
2664 2018-12-14 15:06:40.791 debug2: input_userauth_request: try method none [preauth]
2664 2018-12-14 15:06:40.791 debug3: userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
2664 2018-12-14 15:06:40.791 debug3: send packet: type 51 [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_request_receive entering
2664 2018-12-14 15:06:40.791 debug3: monitor_read: checking request 4
2664 2018-12-14 15:06:40.791 debug3: mm_answer_authserv: service=ssh-connection, style=
2664 2018-12-14 15:06:40.791 debug2: monitor_read: 4 used once, disabling now
2664 2018-12-14 15:06:40.791 debug3: receive packet: type 50 [preauth]
2664 2018-12-14 15:06:40.791 debug1: userauth-request for user Administrator service ssh-connection method publickey [preauth]
2664 2018-12-14 15:06:40.791 debug1: attempt 1 failures 0 [preauth]
2664 2018-12-14 15:06:40.791 debug2: input_userauth_request: try method publickey [preauth]
2664 2018-12-14 15:06:40.791 debug1: userauth_pubkey: test pkalg ssh-ed25519 pkblob ED25519 SHA256:2nXx9fR4uOi8KRult6QjtZEvaTHIqH7i4cAv7qg3gSA [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_key_allowed entering [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_request_send entering: type 22 [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_request_receive_expect entering: type 23 [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_request_receive entering [preauth]
2664 2018-12-14 15:06:40.791 debug3: mm_request_receive entering
2664 2018-12-14 15:06:40.791 debug3: monitor_read: checking request 22
2664 2018-12-14 15:06:40.791 debug3: mm_answer_keyallowed entering
2664 2018-12-14 15:06:40.791 debug3: mm_answer_keyallowed: key_from_blob: 000001683069E300
2664 2018-12-14 15:06:40.791 debug1: trying public key file C:\\Users\\Administrator\\.ssh/authorized_keys
2664 2018-12-14 15:06:40.792 debug3: Bad permissions. Try removing permissions for user: S-1-5-80-3847866527-469524349-687026318-516638107-1125189541 on file C:/Users/Administrator/.ssh/authorized_keys.
2664 2018-12-14 15:06:40.792 Authentication refused.
2664 2018-12-14 15:06:40.792 debug3: mm_answer_keyallowed: publickey authentication test: ED25519 key is not allowed
2664 2018-12-14 15:06:40.792 Failed publickey for Administrator from 192.168.179.152 port 65269 ssh2: ED25519 SHA256:2nXx9fR4uOi8KRult6QjtZEvaTHIqH7i4cAv7qg3gSA
2664 2018-12-14 15:06:40.792 debug3: mm_request_send entering: type 23
2664 2018-12-14 15:06:40.792 debug2: userauth_pubkey: authenticated 0 pkalg ssh-ed25519 [preauth]
2664 2018-12-14 15:06:40.792 debug3: userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
2664 2018-12-14 15:06:40.792 debug3: send packet: type 51 [preauth]
2664 2018-12-14 15:06:40.794 Connection closed by authenticating user Administrator 192.168.179.152 port 65269 [preauth]
2664 2018-12-14 15:06:40.794 debug1: do_cleanup [preauth]
2664 2018-12-14 15:06:40.795 debug1: monitor_read_log: child log fd closed
2664 2018-12-14 15:06:40.795 debug3: mm_request_receive entering
2664 2018-12-14 15:06:40.795 debug1: do_cleanup
2664 2018-12-14 15:06:40.795 debug1: Killing privsep child 2700

btw.:

PS C:\ProgramData\ssh> Repair-AuthorizedKeyPermission C:\Users\Administrator\.ssh\authorized_keys
  [*] C:\Users\Administrator\.ssh\authorized_keys
      looks good

File ACL:

PS C:\ProgramData\ssh> Get-Acl C:\Users\Administrator\.ssh\authorized_keys|Format-List

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Users\Administrator\.ssh\authorized_keys
Owner  : BUILTIN\Administrators
Group  : WIN-JC8T67AORH2\None
Access : NT SERVICE\sshd Allow  Read, Synchronize
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         WIN-JC8T67AORH2\Administrator Allow  FullControl
Audit  :
Sddl   : O:BAG:S-1-5-21-2330858761-2518894999-591638271-513D:AI(A;;FR;;;S-1-5-80-3847866527-469524349-687026318-516638107-1125189541)(A;ID;FA;;;SY)
         (A;ID;FA;;;BA)(A;ID;FA;;;LA)

I'm on a headless Windows, and completely out of ideas.

manojampalam commented 5 years ago

Recommend uncommenting

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Make sure C:\ProgramData\ssh\administrators_authorized_keys is a file (and not a folder containing key files), and that it's administrators_authorized_keys and not administrator_authorized_keys.

For administrator C:\ProgramData\ssh\administrator_authorized_keys

NoMoreFood commented 5 years ago

@manojampalam @schmitch The SID it's complaining about is from "NT SERVICE\sshd". Should this permission be necessary?

manojampalam commented 5 years ago

@NoMoreFood right. That permission should not be there. @schmitch where did you get your version of the Repair-AuthorizedKeyPermission utility?

schmitch commented 5 years ago

Actually I did not download anything. So it was either included in pwsh-core-6.1.1.msi or in Windows Server 2019

manojampalam commented 5 years ago

@bingbing8 any clue on how Repair-AuthorizedKeyPermission could automatically land up in a system ?

bingbing8 commented 5 years ago

@manojampalam, the only thing I can guess is that an older git version of openssh was downloaded/installed from git or Chocolatey before.

schmitch commented 5 years ago

Actually I remembered:

Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
Name  : OpenSSH.Client~~~~0.0.1.0
State : Installed

Name  : OpenSSH.Server~~~~0.0.1.0
State : Installed

# Install the OpenSSH Client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Source: https://docs.microsoft.com/de-de/windows-server/administration/openssh/openssh_install_firstuse

bingbing8 commented 5 years ago

@schmitch your above cmdlets install inbox openssh from Windows Update. The script module was never included as an OpenSSH WindowsCapability. Not sure if your system was upgraded from a previous Windows version or not. The script module was needed on RS3 machines, but is not needed on RS4 and RS5 any more. I guess you may have downloaded the script module if you followed the openssh RS3 blog to fix key permissions on an RS3 machine.

schmitch commented 5 years ago

Then I have no idea how it was installed. Actually the system was not upgraded; I only installed PowerShell Core and the DotNet Core SDK from Microsoft and other build-related tooling like Git, NodeJS etc. (I also used Pwsh to run the repair script.)

adilinden commented 5 years ago

I am seeing the exact same thing. Fresh install of Server 2019 Core with Hyper-V service.

Installed OpenSSH with:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Running sshd -d gets me:

debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
debug1: Could not open authorized keys '__PROGRAMDATA__/ssh/administrators_authorized_keys': No such file or directory

Do note that I plugged my public key into c:\Users\Administrator\.ssh\authorized_keys.

adilinden commented 5 years ago

I commented this out in C:\ProgramData\ssh\sshd_config per instructions above:

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

I then created .ssh/authorized_keys using notepad. Finally I repaired permissions using:

Repair-AuthorizedKeyPermission -FilePath $home\.ssh\authorized_keys

It is still failing, but it's now looking for a file closer to what would be expected; debug from sshd -d:

debug1: trying public key file C:\\Users\\Administrator\\.ssh/authorized_keys
Authentication refused.
Failed publickey for Administrator from 192.168.123.107 port 62628 ssh2: ED25519 SHA256:XUCnOR

adilinden commented 5 years ago

Here is what works and doesn't. Note that this is on Server 2019 Core! I previously installed on Server 2016 Core (LTSB release) using the installer from GitHub. With it, Repair-AuthorizedKeyPermission was needed and things failed without it.

For Server 2019 Core:

Make sure we are in $home

cd $home

Open sshd_config using notepad

notepad C:\ProgramData\ssh\sshd_config

Edit the Match statement pertaining to Administrators

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Create the $home\.ssh directory

mkdir .ssh

Create authorized_keys and add public key(s)

notepad .ssh\authorized_keys

The file created will be authorized_keys.txt; rename it to authorized_keys

mv .\.ssh\authorized_keys.txt .\.ssh\authorized_keys

Do NOT repair permissions, as this will throw an error

Repair-AuthorizedKeyPermission -FilePath $home\.ssh\authorized_keys

And the error:

debug1: trying public key file C:\\Users\\Administrator\\.ssh/authorized_keys
Authentication refused.

Do NOT create authorized_keys using echo and subsequently edit it

echo test > .ssh\authorized_keys
echo $null > .ssh\authorized_keys

And the error:

debug1: read_keyfile_line: C:\\Users\\Administrator\\.ssh/authorized_keys line 1 exceeds size limit

schmitch commented 5 years ago

Actually I'm on Server Core as well. However, after "fixing" the sshd config and now correcting the permission (i.e. not using the PowerShell command), everything works, with ed keys.

SNikalaichyk commented 5 years ago

Hi! I was able to get the C:\ProgramData\ssh\administrators_authorized_keys file to work.

You should set the ACL for the administrators_authorized_keys file to match the ACL of the ssh_host_dsa_key file in the same C:\ProgramData\ssh directory.

icacls C:\ProgramData\ssh\administrators_authorized_keys /remove "NT AUTHORITY\Authenticated Users"
icacls C:\ProgramData\ssh\administrators_authorized_keys /inheritance:r

Then restart SSH services:

Restart-Service -Name sshd, ssh-agent -Force
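An added PowerShell check, not from this thread or the Win32-OpenSSH project, that audits an authorized_keys ACL the way sshd's "Bad permissions" refusal reasons about it and, with -Fix, strips the rejected ACEs the same way the icacls /inheritance:r and /remove commands above do. The allowed-principal list (SYSTEM, BUILTIN\Administrators, the file owner, the authenticating user) and the function name are assumptions drawn from the logs and the Get-Acl dump in this thread.

```powershell
# Added example (not from the thread or the Win32-OpenSSH project).
# Assumption: sshd tolerates only SYSTEM, BUILTIN\Administrators, the file owner and
# the user being authenticated on an authorized_keys file; anything else triggers
# "Bad permissions. Try removing permissions for user: <SID>" and "Authentication refused".
function Test-AuthorizedKeysAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Account the key is being checked for; defaults to the caller, which is
        # right when you audit your own $home\.ssh\authorized_keys.
        [string]$AuthUser,
        # Break inheritance and purge every non-allowed ACE (icacls /inheritance:r + /remove).
        [switch]$Fix
    )

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path

    $userSid = if ($AuthUser) {
        ([System.Security.Principal.NTAccount]$AuthUser).Translate($sidType).Value
    } else {
        [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    }
    # S-1-5-18 = NT AUTHORITY\SYSTEM, S-1-5-32-544 = BUILTIN\Administrators
    $allowedSids = @('S-1-5-18', 'S-1-5-32-544', $acl.GetOwner($sidType).Value, $userSid)

    # Every ACE whose principal is not on the allowed list is one sshd will complain about.
    # In the thread's dump that is NT SERVICE\sshd (an S-1-5-80 service SID) with Read.
    $offending = @(foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate($sidType).Value
        if ($allowedSids -notcontains $sid) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    })

    if ($offending.Count -eq 0) {
        Write-Verbose "$Path : no ACE that sshd would reject"
        return $offending
    }

    if ($Fix) {
        # Stop inheriting but keep the inherited ACEs as explicit copies, write that back,
        # re-read, then purge each principal that is not allowed. Inherited ACEs cannot be
        # removed directly, which is why the protection step comes first.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $Path -AclObject $acl
        $acl = Get-Acl -LiteralPath $Path
        foreach ($entry in $offending) {
            $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]::new($entry.Sid))
        }
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    return $offending
}

# Audit first, then fix only after reviewing what would be removed:
Test-AuthorizedKeysAcl -Path "$home\.ssh\authorized_keys" -Verbose | Format-Table
# Test-AuthorizedKeysAcl -Path "$home\.ssh\authorized_keys" -Fix
```

For the administrators_authorized_keys file in C:\ProgramData\ssh, pass -AuthUser for the account that logs in, since that file is owned and read on behalf of several accounts rather than one profile owner.
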

inickt commented 5 years ago

I had the same problem with a fresh install of Windows 10 Pro (October 2018 update 17763) in a virtual machine.

To fix I had to:

nathanshearer commented 5 years ago

I can confirm PubkeyAuthentication with authorized_keys is very broken in 7.9.0.0p1-Beta on a fresh Windows 7 Pro SP1 install. I downgraded to 7.6.1.0p1-Beta and reinstalled from scratch. With this older version I was able to log in with the same authorized_keys file.

rob-scheepens commented 5 years ago

I'm trying to get this to work on 7.9.0.1 on 2019. Using ProcMon i noticed this ACCESS_DENIED for sshd.exe: 8:02:15.4257933 AM sshd.exe 2084 RegOpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters ACCESS DENIED Desired Access: All Access Adding NT SERVICE\sshd to the relevant location did not make a difference.

Debug log:

C:\Program Files\OpenSSH-Win64>sshd -d
debug1: sshd version OpenSSH_for_Windows_7.9, LibreSSL 2.6.5
debug1: get_passwd: LookupAccountName() failed: 1332.
debug1: private host key #0: ssh-rsa SHA256:7bomFacw1cHpyMCnzLi3+G4HOicIv3jddTnWigJEjY4
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:va3LpBEn29gupfMrlqnUjl3/U9rav8tau3WfEmFEuzA
debug1: private host key #2: ssh-ed25519 SHA256:rx6LykIntPF00V4fTlv6mw8TlwL15iRBhhECrHRUEzA
debug1: rexec_argv[0]='sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 10.56.1.102 port 49808 on 10.57.16.149 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_for_Windows_7.9
debug1: match: OpenSSH_for_Windows_7.9 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.9
debug1: sshd version OpenSSH_for_Windows_7.9, LibreSSL 2.6.5
debug1: get_passwd: LookupAccountName() failed: 1332.
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user drmperf1\\\\administrator service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: get_passwd: LookupAccountName() failed: 1332.
Invalid user drmperf1\\administrator from 10.56.1.102 port 49808
debug1: authentication methods list 0: publickey
debug1: authentication methods list 0: publickey [preauth]
debug1: userauth-request for user drmperf1\\\\administrator service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:q46vzhlzMioBX9RHDS3L9WqgVvO07wIaXMPr3LKdNUU [preauth]
Connection reset by invalid user drmperf1\\\\administrator 10.56.1.102 port 49808 [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: Killing privsep child 4684

Edit: fixed by specifying administrator so it looked for the user administrator on the ssh server instead of the domain user I was logged on with, as the ssh server is not part of the same domain.

NoMoreFood commented 5 years ago

Can you close the issue if you believe it to be resolved?

schmitch commented 5 years ago

Actually, since the problem was solved on my side and is probably a totally different issue than the others, I'm closing this.

vagabond1132 commented 5 years ago

Are there any administrators_authorized_keys in the C:\ProgramData\ssh directory?

debug1: KEX done [preauth]
debug1: userauth-request for user administrator service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: user C:\\Users\\Administrator matched group list administrators at line 88
debug1: userauth-request for user administrator service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:o+WFqqS/UqUzbM3mhGY+oTiF0scZBatZKpnRgf0FCGQ [preauth]
debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
debug1: Could not open authorized keys '__PROGRAMDATA__/ssh/administrators_authorized_keys': No such file or directory
Failed publickey for administrator from 192.168.100.156 port 9223 ssh2: RSA SHA256:o+WFqqS/UqUzbM3mhGY+oTiF0scZBatZKpnRgf0FCGQ
debug1: userauth-request for user administrator service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 2 failures 1 [preauth]
debug1: keyboard-interactive devs [preauth]
debug1: auth2_challenge: user=administrator devs= [preauth]

jemiller0 commented 5 years ago

Why is it looking under C:\ProgramData???? I am trying to login to my account, not administrator. My account is in the Administrator group. However, this is not how SSH works on Linux. It should be looking in my home directory in the .ssh directory. You would think this would be something that would be the first thing to get working by Microsoft. It's only one of the first things people want to do when setting up SSH.

rkeithhill commented 5 years ago

PubKey auth is still not working for quite a few folks. Not sure why this was closed. The most voted up response did not work for me. Seems like pubkey authentication is a bit of cluster-cuss in Windows OpenSSH. :-( For instance, why doesn't the OpenSSH Server feature create an empty administrators_authorized_keys file in the <ProgramData>\ssh dir with the appropriate permissions? Either that or comment out this in the sshd_config file:

Match Group administrators
      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Also, the opensshutils command Repair-AuthorizedKeyPermission hasn't been updated to work on this centralized version of the file.

The current setup for pubkey auth is not good. It does not put the user in the pit of success. More like the pit of despair. :-(

kimreyio commented 5 years ago

The most upvoted didn't work for me, nor did following the instructions on MS's site. I think I also installed a PSGallery script when it wasn't needed, or maybe even correct for my latest Windows 10. Can we please get some concise direction on this issue?

bobpepin commented 5 years ago

For a fresh installation inside VirtualBox, as of April 2019, the following worked for me:

  1. DO NOT follow the official M$ documentation at https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement
     1.a. DO NOT use Repair-AuthorizedKeyPermission
  2. DO comment out the section on administrators_authorized_keys at the end of \ProgramData\ssh\sshd_config
  3. DO put your public keys in $home/.ssh/authorized_keys (e.g. using scp with password auth)
  4. DO make sure the authorized_keys file has windows CRLF line endings

https://github.com/MicrosoftDocs/windowsserverdocs/issues/2171

https://github.com/MicrosoftDocs/windowsserverdocs/issues/1911

vagabond1132 commented 5 years ago

I used the previous version,

Powerline modify the file, it will be usable

Keith Hill notifications@github.com wrote on Wednesday, April 10, 2019 at 5:53 AM:

PubKey auth is still not working for quite a few folks. Not sure why this was closed. The most voted up response did not work for me. Seems like pubkey authentication is a bit of cluster-cuss in Windows OpenSSH. :-(

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/PowerShell/Win32-OpenSSH/issues/1306#issuecomment-481454221, or mute the thread https://github.com/notifications/unsubscribe-auth/AHS-PpucaZC-eBmKAn1C4aoAAy7EmWUHks5vfQvfgaJpZM4ZThYb .

hcho3 commented 5 years ago

@bobpepin Oh my God, you saved my day!

mippos commented 5 years ago

I was also struggling with the c:\Users\.ssh\authorized_keys.

Running Repair-AuthorizedKeyPermission can be skipped, did not have any impact.

Commenting out the section on administrators_authorized_keys at the end of the \ProgramData\ssh\sshd_config file is recommended, but mandatory. This did not affect my issue. But when this config is enabled, an extra error appears in the sshd logs.

But ensure that authorized_keys encoding gets right, otherwise passwordless authentication does not work:

If I e.g. cat public keys to the file, encoding gets from:

cat .\id_rsa.pub > .\authorized_keys
file authorized_keys
authorized_keys: Little-endian UTF-16 Unicode text, with very long lines, with CR line terminators
file authorized_keys
authorized_keys: OpenSSH RSA public key

vim .\authorized_keys   # Or notepad etc.
file authorized_keys
authorized_keys: Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators

To correct the file encoding, use dos2unix:

dos2unix.exe authorized_keys
dos2unix: converting UTF-16LE file .\authorized_keys to ANSI_X3.4-1968 Unix format...

check that the file encoding is correct:

file authorized_keys
authorized_keys: OpenSSH RSA public key
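The UTF-16 trap shown above comes from Windows PowerShell 5.x, whose `>` redirection and Out-File default to UTF-16LE: sshd then reads NUL-padded bytes and no line ever parses as a key, with nothing obvious in the debug output. The following PowerShell is an added example, not code from mippos's comment or from the Win32-OpenSSH project. It writes authorized_keys straight from .NET as BOM-less UTF-8 (real key lines are plain ASCII) and then checks a file for the problems this thread describes: a UTF-16 or UTF-8 BOM, embedded NUL bytes, bare CR terminators, and lines that do not look like OpenSSH public keys. The function names and the paths under $env:USERPROFILE\.ssh are assumptions.

```powershell
# Added example: write authorized_keys without a BOM and sanity-check the result.
# Function names and paths are assumptions for this example.

function Write-AuthorizedKeys {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$PublicKeyPath
    )
    $lines = foreach ($p in $PublicKeyPath) { (Get-Content -Path $p -Raw).Trim() }
    $dir = Split-Path -Path $Path -Parent
    if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # UTF8Encoding($false) means "no BOM". Windows PowerShell's ">" and Out-File
    # would write UTF-16LE here, the "Little-endian UTF-16 Unicode text" file(1) reported.
    [System.IO.File]::WriteAllLines($Path, [string[]]$lines, [System.Text.UTF8Encoding]::new($false))
}

function Test-AuthorizedKeysEncoding {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $problems = New-Object System.Collections.Generic.List[string]

    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        $problems.Add('UTF-16LE BOM (typical of Windows PowerShell ">" redirection)')
    } elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) {
        $problems.Add('UTF-16BE BOM')
    } elseif ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $problems.Add('UTF-8 BOM (the first key line will not parse)')
    }
    # NUL bytes mean UTF-16 even when the BOM has been stripped.
    if ($bytes -contains 0) { $problems.Add('NUL bytes present: the file is UTF-16, not ASCII') }

    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    # A lone CR is not a line terminator for sshd; CRLF and LF both are.
    if ($text -match "\r(?!\n)") { $problems.Add('bare CR line terminators (no LF)') }

    # Every non-comment line must contain a key type and base64 blob, optionally
    # preceded by options such as command="..." or from="...".
    $keyType = '(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp\d+|sk-[\w-]+@openssh\.com)\s+[A-Za-z0-9+/=]+'
    foreach ($line in ($text -split "`r?`n")) {
        if ($line.Trim() -eq '' -or $line.TrimStart().StartsWith('#')) { continue }
        if ($line -notmatch "(^|\s)$keyType") {
            $problems.Add('not an OpenSSH public key line: ' + $line.Substring(0, [Math]::Min(40, $line.Length)))
        }
    }
    return ,$problems.ToArray()
}

# Usage: build the file from one or more .pub files, then check it.
$authKeys = Join-Path $env:USERPROFILE '.ssh\authorized_keys'
Write-AuthorizedKeys -Path $authKeys -PublicKeyPath (Join-Path $env:USERPROFILE '.ssh\id_ed25519.pub')
$issues = Test-AuthorizedKeysEncoding -Path $authKeys
if ($issues.Count -eq 0) { 'authorized_keys looks clean' } else { $issues | ForEach-Object { Write-Warning $_ } }
```

dos2unix, as used above, fixes an existing file just as well; the point of the check function is that the file can be silently unusable for reasons that have nothing to do with ACLs or StrictModes, so it is worth running before you start changing permissions.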

Adnn commented 5 years ago

This should not be closed, since the issue exactly as described here, "Pub key auth not working", is always the case when following the official instructions for an administrator user (and Repair-AuthorizedKeyPermission currently makes things worse). https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement

yobyot commented 5 years ago

I agree completely with @Adnn. The doc is a disaster and it's impossible to use key-only authentication with OpenSSH server on Windows Server 2019 (non-core). I've been trying for three days, then found this incident which also hasn't helped.

If this is a supported port for Windows Server, it needs detailed doc that is correct along with working examples. Otherwise, the current state of the port is bound to disappoint -- even infuriate -- people trying to set up public key-only authentication. That's the default for things like EC2 instances and Azure VMs and doing it for Windows Server should be cut-and-dried.

As it now stands, I don't think anyone really knows how to set this up correctly and securely.

manojampalam commented 5 years ago

@maertendMSFT can you follow up on fixing documentation at https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement

OpenSSHUtils module should be deprecated.

petemounce commented 5 years ago

I, via https://operator-error.com/2018/04/16/windows-amis-with-even/ and https://github.com/jen20/packer-aws-windows-ssh/blob/master/files/configure-source-ssh.ps1#L99-L114 (and https://stackoverflow.com/questions/16212816/setting-up-openssh-for-windows-using-public-key-authentication), with OpenSSH 7.9.0.1-Beta1, have pubkey auth working (within googlecompute with windows 2016 server). Thanks @jen20!

devopsmikey commented 5 years ago

This is what got me working. Staring at C:\ProgramData\ssh\sshd_config I noticed this line was commented!!!

#PubkeyAuthentication yes

No idea how that happened; my box was pre-imaged. I uncommented that, plus ensured that these two lines in the config file were commented out:

#Match Group administrators
#      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

I then restarted with:

Restart-Service -Name sshd, ssh-agent -Force

And now it's working. OMG what a battle. Huge thanks to everyone who's posting here.

jfromaniello commented 5 years ago

I initially installed with Add-WindowsCapability and I couldn't make it work even following everything in this thread, I suspect that something in the binary is broken. Here is how I make it work:

(caveat you need chocolatey)

First remove the windows capability:

Remove-WindowsCapability -Online -Name "OpenSSH.Client~~~~0.0.1.0"
Remove-WindowsCapability -Online -Name "OpenSSH.Server~~~~0.0.1.0"

Then install openssh latest version with chocolatey:

choco install openssh -params '"/SSHServerFeature /KeyBasedAuthenticationFeature /SSHAgentFeature"'

mippos commented 5 years ago

Excellent @jfromaniello! I had big problems to get windows capability to work on one machine, but choco's package with those parameters work perfectly.

andreasRu commented 5 years ago

Just to add some information: If StrictModes is set to yes, you should verify file permissions as follows.

Option I:

  1. Set AuthorizedKeysFile in sshd_config as comment. That will make ssh get the default authorized_keys file from the home directory of the user that is logging in.

  2. That would be: C:\Users\username\.ssh\authorized_keys

File permissions for strictmode to work:

C:\Users\username\.ssh\
C:\Users\username\.ssh\authorized_keys

The default inherited file permission of the user's home directory should work.

OPTION II: In some cases, and when you want to skip that and force only one central authorized_keys file to be read, do as follows:

  1. Set AuthorizedKeysFile in sshd_config to: AuthorizedKeysFile __PROGRAMDATA__/ssh/.ssh/authorized_keys

  2. Put the authorized_key file in a directory named .ssh (create the directory .ssh if necessary): C:\ProgramData\ssh\.ssh\authorized_keys

  3. Set file permission to work with strictmode as follows:

    • remove the group "authenticated users" from the folder C:\ProgramData\ssh\.ssh\
    • remove the group "authenticated users" from the file C:\ProgramData\ssh\.ssh\authorized_keys. The group "authenticated users" was what made strictmode block public key authentication.
  4. For additional security set the permissions of folder and file to SYSTEM group and the user accessing to READ ONLY. No other users or groups should be defined there unless you want someone to access with a second administrator account with public key authentication. Otherwise do it like described in OPTION I.

Hope that helps others a little.

teutat3s commented 5 years ago

Thank you all for your input. I managed to get the

Match Group administrators
        AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

shipped with the original sshd_config file working.

Hope this helps someone getting this to work, too.

mcxiaoke commented 5 years ago

This is what got me working. Staring at C:\ProgramData\ssh\sshd_config I noticed this line was commented!!!

#PubkeyAuthentication yes

No idea how that happened; my box was pre-imaged. I uncommented that, plus ensured that these two lines in the config file were commented out:

#Match Group administrators
#      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

I then restarted with:

Restart-Service -Name sshd, ssh-agent -Force

And now it's working. OMG what a battle. Huge thanks to everyone who's posting here.

thanks, simple solution, but worked for me!

thatreguy commented 4 years ago

This is what got me working. Staring at C:\ProgramData\ssh\sshd_config I noticed this line was commented!!!

#PubkeyAuthentication yes

No idea how that happened; my box was pre-imaged. I uncommented that, plus ensured that these two lines in the config file were commented out:

#Match Group administrators
#      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

I then restarted with:

Restart-Service -Name sshd, ssh-agent -Force

And now it's working. OMG what a battle. Huge thanks to everyone who's posting here.

This. I simply do not get why someone would disable PubkeyAuthentication by default. Probably an oversight just like the useless OpenSSH {client|server} optional feature offered by MS!

jeremybusk commented 4 years ago

This still isn't working for me. It really is sad it is this hard and no ssh-copy-id.

bagajjal commented 4 years ago

@jeremybusk - Please share the ssh client logs (ssh.exe -vvv user@ip) and the sshd.log with DEBUG3 enabled.

If the "%programdata%\ssh\sshd_config" file doesn't have the below config then add it and restart the sshd service (net stop sshd; net start sshd):

SyslogFacility LOCAL0
LogLevel DEBUG3

The sshd.log file will be at %programdata%\ssh\logs directory.
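Both sets of edits that keep coming up in this thread, uncommenting PubkeyAuthentication yes and commenting out the Match Group administrators block (devopsmikey's comment), and adding SyslogFacility LOCAL0 plus LogLevel DEBUG3 for troubleshooting (this comment), are line edits to %ProgramData%\ssh\sshd_config. The PowerShell below is an added example, not code from the thread or from the project, that makes those edits from an elevated prompt after taking a backup. It deliberately only touches the global section: sshd uses the first value it reads for a keyword, and a directive placed below a Match line applies inside that block only, which is an easy way to "enable" something that never takes effect. The function names and the backup file name are assumptions.

```powershell
# Added example: edit the global section of sshd_config from an elevated PowerShell.
# Function names and the backup naming are made up for this example.
$SshdConfig = Join-Path $env:ProgramData 'ssh\sshd_config'

# Index of the first "Match" line; everything before it is the global section.
function Get-SshdGlobalSectionEnd {
    param([string[]]$Lines)
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match '^\s*Match\b') { return $i }
    }
    return $Lines.Count
}

# Set (or uncomment and set) a keyword in the global section. sshd keeps the first
# value it reads for a keyword, so rewriting the first occurrence, commented or not,
# is enough; any later copy is ignored by sshd.
function Set-SshdDirective {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value,
        [string]$ConfigPath = $SshdConfig
    )
    $lines = [System.Collections.Generic.List[string]]@(Get-Content -Path $ConfigPath)
    $end = Get-SshdGlobalSectionEnd -Lines $lines
    $pattern = '^\s*#?\s*' + [regex]::Escape($Name) + '\b'
    $done = $false
    for ($i = 0; $i -lt $end; $i++) {
        if ($lines[$i] -match $pattern) { $lines[$i] = "$Name $Value"; $done = $true; break }
    }
    if (-not $done) { $lines.Insert($end, "$Name $Value") }
    Set-Content -Path $ConfigPath -Value $lines.ToArray() -Encoding ASCII
}

# Comment out every active line of the Match block whose header matches $Pattern.
# A Match block runs until the next Match line or the end of the file.
function Disable-SshdMatchBlock {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [string]$ConfigPath = $SshdConfig
    )
    $inBlock = $false
    $out = foreach ($line in @(Get-Content -Path $ConfigPath)) {
        if ($line -match '^\s*Match\b') { $inBlock = [bool]($line -match $Pattern) }
        if ($inBlock -and $line -match '^\s*[^#\s]') { "#$line" } else { $line }
    }
    Set-Content -Path $ConfigPath -Value $out -Encoding ASCII
}

# Usage, matching the edits recommended in this thread.
Copy-Item -Path $SshdConfig -Destination "$SshdConfig.bak" -Force
Disable-SshdMatchBlock -Pattern '^\s*Match\s+Group\s+administrators\b'
Set-SshdDirective -Name PubkeyAuthentication -Value yes
# Verbose logging for troubleshooting only; sshd.log then appears under %ProgramData%\ssh\logs.
Set-SshdDirective -Name SyslogFacility -Value LOCAL0
Set-SshdDirective -Name LogLevel -Value DEBUG3
Restart-Service -Name sshd
```

Disabling the Match block means administrators' keys are read from their own C:\Users\<user>\.ssh\authorized_keys rather than from the single file only SYSTEM and Administrators can write, so it changes who can add a key for an admin account; that is the trade-off the thread is making, and it should be a conscious one. Set PasswordAuthentication no with the same helper only after a key login has been confirmed from a second session, and drop LogLevel back from DEBUG3 once the problem is found, because that level logs far more than a production host should keep.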

AlexeyNovikov commented 4 years ago

Solution

For sshd-config do the following changes:

  1. Comment this one:
    #Match Group administrators
    #      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
  2. Uncomment these two:
    PubkeyAuthentication yes
    PasswordAuthentication no

    Then open PowerShell as Admin and restart service: Restart-Service sshd

Then through GUI. For .ssh folder and authorized_keys file do the following:

  1. Properties -> Security -> Advanced -> Disable inheritance -> Convert inherited permissions into explicit permissions on this object.
  2. Then delete all users(groups) except:
    • System
    • Administrators
    • current user
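The GUI procedure above, and SNikalaichyk's icacls approach to administrators_authorized_keys earlier in the thread, come down to the same thing: an ACL with inheritance disabled and no entry for Authenticated Users or Users, which is what StrictModes is checking for. The PowerShell below is an added example, not code from either comment or from the project, that does the same with Get-Acl/Set-Acl: disable inheritance while converting the inherited entries to explicit ones (the "Convert inherited permissions" button), remove every entry that is not SYSTEM, Administrators or the owning user, and report what remains so the result can be checked before sshd is restarted. The function names and the way the owning user is derived are assumptions; run it from an elevated PowerShell as the account that will be logging in.

```powershell
# Added example: script equivalent of "Disable inheritance -> convert to explicit ->
# delete every principal except System, Administrators and the current user".
# Function names are made up for this example.

function Get-SshAllowedPrincipals {
    param([string]$User)
    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    if ($User) { $allowed += $User }
    return $allowed
}

function Repair-SshKeyFileAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Leave empty for administrators_authorized_keys, which only SYSTEM and
        # Administrators should be able to read or change.
        [string]$User
    )
    $allowed = Get-SshAllowedPrincipals -User $User

    # Step 1: "Disable inheritance" + "Convert inherited permissions into explicit".
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Step 2: re-read, then drop every ACE (allow or deny) for any other principal,
    # e.g. "NT AUTHORITY\Authenticated Users" or "BUILTIN\Users".
    $acl = Get-Acl -Path $Path
    foreach ($ace in @($acl.Access)) {
        if ($allowed -notcontains $ace.IdentityReference.Value) {
            $acl.RemoveAccessRuleAll($ace)
        }
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-SshKeyFileAcl {
    param([Parameter(Mandatory)][string]$Path, [string]$User)
    $allowed = Get-SshAllowedPrincipals -User $User
    $acl = Get-Acl -Path $Path
    $extra = @($acl.Access | Where-Object { $allowed -notcontains $_.IdentityReference.Value })
    [pscustomobject]@{
        Path      = $Path
        Inherits  = -not $acl.AreAccessRulesProtected
        ExtraAces = @($extra | ForEach-Object { "$($_.IdentityReference) $($_.AccessControlType) $($_.FileSystemRights)" })
        Ok        = ($extra.Count -eq 0) -and $acl.AreAccessRulesProtected
    }
}

# Usage: the per-user file of the account you log in as (MACHINE\user or DOMAIN\user),
# then the .ssh directory itself, since StrictModes checks the parent directory too.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$sshDir = Join-Path $env:USERPROFILE '.ssh'
foreach ($p in @((Join-Path $sshDir 'authorized_keys'), $sshDir)) {
    Repair-SshKeyFileAcl -Path $p -User $me
    Test-SshKeyFileAcl -Path $p -User $me | Format-List
}
```

For the centralized file, call it as Repair-SshKeyFileAcl -Path "$env:ProgramData\ssh\administrators_authorized_keys" with no -User, which leaves only SYSTEM and Administrators, the same shape as the ssh_host_*_key ACLs that SNikalaichyk pointed at. Test-SshKeyFileAcl returning Ok = False after the repair usually means a deny entry or a non-standard owner; inspect ExtraAces before touching anything else.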

craigthackerx commented 4 years ago

Solution

For sshd-config do the following changes:

  1. Comment this one:
#Match Group administrators
#      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
  2. Uncomment these two:
PubkeyAuthentication yes
PasswordAuthentication no

Then open PowerShell as Admin and restart service: Restart-Service sshd

Then through GUI. For .ssh folder and authorized_keys file do the following:

  1. Properties -> Security -> Advanced -> Disable inheritance -> Convert inherited permissions into explicit permissions on this object.
  2. Then delete all users(groups) except:
  • System
  • Administrators
  • current user

Worked for me. Cheers.

xakod commented 4 years ago

Solution

For sshd-config do the following changes:

1. Comment this one:
#Match Group administrators
#      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
2. Uncomment these two:
PubkeyAuthentication yes
PasswordAuthentication no

Then open PowerShell as Admin and restart service: Restart-Service sshd

Then through GUI. For .ssh folder and authorized_keys file do the following:

1. Properties -> Security -> Advanced -> Disable inheritance -> Convert inherited permissions into explicit permissions on this object.

2. Then delete all users(groups) except:

* System

* Administrators

* current user

Did all of this and it didn't work for me. P.S. Tried StrictModes no too.

icosahedron commented 4 years ago

Finally got it working for myself on Windows 10 Pro using half of one of the solutions above. The key was "make sure that it has the same permissions as ssh_host_ecdsa_key".

The same solution also recommended using icacls .\administrators_authorized_keys /inheritance:r, but this simply reset the permissions to nil. After resetting the permissions to the same as the key file, it then worked.

Daniel15 commented 4 years ago

Solution

For sshd-config do the following changes:

1. Comment this one:
#Match Group administrators
#      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
2. Uncomment these two:
PubkeyAuthentication yes
PasswordAuthentication no

Then open PowerShell as Admin and restart service: Restart-Service sshd

Then through GUI. For .ssh folder and authorized_keys file do the following:

1. Properties -> Security -> Advanced -> Disable inheritance -> Convert inherited permissions into explicit permissions on this object.

2. Then delete all users(groups) except:

* System

* Administrators

* current user

Thanks for this! I had set the permissions on authorized_keys just to my user and forgot to add SYSTEM. That fixed it for me!

jyavenard commented 4 years ago

First remove the windows capability:

Remove-WindowsCapability -Online -Name "OpenSSH.Client~~~~0.0.1.0"
Remove-WindowsCapability -Online -Name "OpenSSH.Server~~~~0.0.1.0"

Then install openssh latest version with chocolatey:

choco install openssh -params '"/SSHServerFeature /KeyBasedAuthenticationFeature /SSHAgentFeature"'

After struggling for a couple of hours on this, I have to report that this made it all work immediately.

I just couldn't get over the error:

12400 2020-06-28 13:55:52.151 Failed publickey for jyavenard from 192.168.160.1 port 51616 ssh2: RSA SHA256:Wsc+cG7fFMQi36MiurOKMpq3NFFAlqjlmoZ+vFVWjG8
12400 2020-06-28 13:55:52.158 debug1: userauth-request for user jyavenard service ssh-connection method keyboard-interactive [preauth]
12400 2020-06-28 13:55:52.158 debug1: attempt 2 failures 1 [preauth]
12400 2020-06-28 13:55:52.158 debug1: keyboard-interactive devs [preauth]
12400 2020-06-28 13:55:52.158 debug1: auth2_challenge: user=jyavenard devs= [preauth]
12400 2020-06-28 13:55:52.158 debug1: kbdint_alloc: devices '' [preauth]
12400 2020-06-28 13:55:53.186 Connection closed by authenticating user jyavenard 192.168.160.1 port 51616 [preauth]

jemiller0 commented 4 years ago

I don't know why Microsoft even provides support for this, if basic functionality doesn't work out of the box. It's an embarrassment.

yao-bin commented 3 years ago

Thanks for all who comment out this!

Match Group administrators
      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys