PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

No matching private key for certificate. #1925

Open smru opened 2 years ago

smru commented 2 years ago

Troubleshooting steps https://github.com/PowerShell/Win32-OpenSSH/wiki/Troubleshooting-Steps

Using a CA to sign the public ssh key to generate an ssh host certificate. Added a HostCertificate line in the sshd_config file to prevent the TOFU/TUFU message. When running in the foreground everything works and there are no errors. But when running as the sshd service it fails.

"OpenSSH for Windows" version: 8.1.1, 8.6.1, 8.9.1

Server OperatingSystem: Windows 10 21H2

Client OperatingSystem: Debian 11.3 Bullseye

What is failing:
sshd: error: No matching private key for certificate: PROGRAMDATA/ssh/ssh_host_ed25519_key-cert.pub

Expected output: No error. Should just connect without TOFU/TUFU.

Actual output: Get the trust on first use (TOFU) or trust upon first use (TUFU) message.

bagajjal commented 2 years ago

@smru, I didn't get your scenario. Please list down the repro steps.

smru commented 2 years ago

Hi Bagajjal,

I installed OpenSSH Client and OpenSSH Server on a Windows 10 21H2 computer called SMRUWS-IT07:

PS> cmd.exe /c ver
Microsoft Windows [Version 10.0.19044.1586]
PS> Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
PS> Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
PS> cmd.exe /c "ssh.exe -V"
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2

I decided to use SSH certificates. SSH host certificates to prevent the first time use message: "The authenticity of host ' ()' can't be established." SSH user certificates to allow password-less logins.

I created a CA for host certificates: smru_host_ca, smru_host_ca.pub
I created a CA for user certificates: smru_user_ca, smru_user_ca.pub

I decided to use the ed25519 algorithm, instead of the rsa, dsa and ecdsa algorithms. I digitally signed the C:\ProgramData\ssh\ssh_host_ed25519_key.pub key to create the C:\ProgramData\ssh\ssh_host_ed25519_key-cert.pub host certificate. I digitally signed the C:\Users\Administrator\.ssh\id_ed25519.pub key to create the C:\Users\Administrator\.ssh\id_ed25519-cert.pub user certificate.

I added the following two lines to the C:\ProgramData\ssh\sshd_config file:

HostCertificate PROGRAMDATA/ssh/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys PROGRAMDATA/ssh/smru_user_ca.pub

And I restarted the OpenSSH Server (sshd service).

It turns out that I get errors in the Windows Event Viewer (Applications and Service logs > OpenSSH > Admin) about the permissions of the C:\ProgramData\ssh\ssh_host_ed25519_key being too open, so I changed the permissions to only allow Administrator access. I had to remove the SYSTEM user. Also, the Administrators group cannot have access; it again will complain about permissions being too open.

sshd: error: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
sshd: error: Permissions for 'PROGRAMDATA\ssh/ssh_host_ed25519_key' are too open.
sshd: error: It is required that your private key files are NOT accessible by others.
sshd: error: This private key will be ignored.

PS> icacls.exe C:\ProgramData\ssh\ssh_host_ed25519_key
C:\ProgramData\ssh\ssh_host_ed25519_key SMRUWS-IT07\Administrator:(M)

Then I set up two Debian 11.3 Bullseye virtual machines and installed openssh-client and openssh-server on them. I configured them to use the above mentioned host and user certificates for the smru user account. Everything works as expected on the Debian machines. I can type ssh @. ls -al on the vbox-debian1 vm and don't get the first time usage message nor the password prompt. I can type ssh @. ls -al on the vbox-debian2 vm and don't get the first time usage message nor the password prompt. I get a list of files in the smru home directory, as expected.

However, when I type ssh @.*** "dir" on the Debian machines I get the following:

The authenticity of host 'smruws-it07 (10.10.1.122)' can't be established.
ECDSA key fingerprint is SHA256:Zk1IYTW2SngsYyBwlq+SZtkhY87+CxmngNjjpx/qvww.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

I get the first time usage message and type no and press Enter.

Looking in the Event Viewer on the SMRUWS-IT07 Windows 10 computer I see the following error:

sshd: error: No matching private key for certificate: PROGRAMDATA/ssh/ssh_host_ed25519_key-cert.pub

I think there is a mismatch in the permissions of the C:\ProgramData\ssh\ssh_host_ed25519_key* files:

PS> icacls.exe C:\ProgramData\ssh\ssh_host_ed25519_key
C:\ProgramData\ssh\ssh_host_ed25519_key SMRUWS-IT07\Administrator:(M)
PS> icacls.exe C:\ProgramData\ssh\ssh_host_ed25519_key.pub
C:\ProgramData\ssh\ssh_host_ed25519_key.pub BUILTIN\Administrators:(F), NT AUTHORITY\SYSTEM:(F), SMRUWS-IT07\Administrator:(M)
PS> icacls.exe C:\ProgramData\ssh\ssh_host_ed25519_key-cert.pub
C:\ProgramData\ssh\ssh_host_ed25519_key-cert.pub BUILTIN\Administrators:(F), NT AUTHORITY\SYSTEM:(F)

When I remove the SYSTEM user and the Administrators group from the C:\ProgramData\ssh\ssh_host_ed25519_key-cert.pub file and add the Administrator user, I get the following error:

sshd: error: Could not load host certificate "PROGRAMDATA/ssh/ssh_host_ed25519_key-cert.pub": No such file or directory

However, if I stop the sshd service and start sshd manually:

PS> Stop-Service sshd
PS> C:\Windows\System32\OpenSSH\sshd.exe -d

then it works.

I get the same behaviour regardless of whether I use OpenSSH Server version 8.11, 8.6.1 or 8.9.1.

Best regards, Douwe.

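A diagnostic for the set-up described in the comment above, added here as an example; it is not code from the issue or from the Win32-OpenSSH project. It assumes the sshd service runs as LocalSystem (the Win32-OpenSSH 8.x default) and that ssh-keygen.exe is in C:\Windows\System32\OpenSSH, and it checks that the private key, its .pub and its -cert.pub belong together and that the service account can still read the private key after the ACL has been tightened.

```powershell
# Added diagnostic for the host-certificate set-up above; not from the issue or Win32-OpenSSH.
# Assumptions: the sshd service runs as LocalSystem (Win32-OpenSSH 8.x default) and
# ssh-keygen.exe is in C:\Windows\System32\OpenSSH. Run from an elevated PowerShell.
param(
    [string]$KeyPath   = 'C:\ProgramData\ssh\ssh_host_ed25519_key',
    [string]$SshKeygen = 'C:\Windows\System32\OpenSSH\ssh-keygen.exe'
)
$pub  = "$KeyPath.pub"
$cert = "$KeyPath-cert.pub"

# 1. All three files must exist: "Could not load host certificate ...: No such file or
#    directory" is what sshd logs when it cannot open the -cert.pub at all.
foreach ($f in $KeyPath, $pub, $cert) {
    if (-not (Test-Path -LiteralPath $f)) { Write-Warning "missing: $f" }
}

# 2. The certificate must embed the same public key as the private key. 'ssh-keygen -l'
#    prints the key fingerprint; 'ssh-keygen -L' prints the certificate's "Public key:"
#    fingerprint. "No matching private key for certificate" means sshd found no loaded
#    host key with that fingerprint: either they differ, or the key itself could not be
#    loaded by the service account (see step 3).
function Get-Sha256Fingerprint([string[]]$Lines) {
    $m = $Lines | Select-String -Pattern 'SHA256:[A-Za-z0-9+/=]+' | Select-Object -First 1
    if ($m) { $m.Matches[0].Value }
}
$fpKey  = Get-Sha256Fingerprint (& $SshKeygen -l -f $KeyPath)
$fpCert = Get-Sha256Fingerprint (& $SshKeygen -L -f $cert | Where-Object { $_ -match 'Public key:' })
if ($fpKey -and $fpKey -eq $fpCert) {
    Write-Host "certificate $cert matches private key ($fpKey)"
} else {
    Write-Warning "certificate fingerprint '$fpCert' does not match private key fingerprint '$fpKey'"
}

# 3. The service account must be allowed to read the private key. An ACL reduced to
#    'Administrator:(M)' drops NT AUTHORITY\SYSTEM, so the service (SYSTEM) cannot load
#    the key while 'sshd.exe -d' started interactively as Administrator still can.
$svcAccount = (Get-CimInstance Win32_Service -Filter "Name='sshd'").StartName
$readers = (Get-Acl -LiteralPath $KeyPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -ne 0) } |
    ForEach-Object { $_.IdentityReference.Value }
Write-Host "sshd runs as '$svcAccount'; read access to $KeyPath : $($readers -join ', ')"
if ($svcAccount -eq 'LocalSystem' -and $readers -notcontains 'NT AUTHORITY\SYSTEM') {
    Write-Warning "NT AUTHORITY\SYSTEM has no read access to $KeyPath; the sshd service cannot use this host key"
}
```

The ACL report in step 3 is the one to compare against the icacls output in the comment: the working interactive run and the failing service run differ only in which account is opening the key.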

zoechi commented 9 months ago

I ran into the same error with OpenSSH from a Linux client to a Linux server. The ssh connection is established anyway.

error: Public key for /etc/ssh/ssh_host_ed25519_key does not match private key

I checked the public/private key pair with the method explained in https://serverfault.com/a/426429/176160 and they match.