PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

Unable to ssh localhost with neither key auth nor password, after installing MSI (8.9p1) #1963

Closed tigerinus closed 1 year ago

tigerinus commented 2 years ago

Prerequisites

Steps to reproduce

  1. Uninstall all SSH client and server from Windows optional features and make sure Windows is ssh free.
  2. Install 8.9p1 via MSI.
  3. Follow https://github.com/PowerShell/Win32-OpenSSH/wiki/Setup-public-key-based-authentication-for-windows to set up key authentication.
  4. The C:\ProgramData\ssh\sshd_config ends up as:

       PubkeyAuthentication yes
       AuthorizedKeysFile  .ssh/authorized_keys
       Subsystem   sftp    sftp-server.exe

  5. Ensure the %USERPROFILE%/.ssh/id_rsa* key pair works on Linux.
  6. Come back to Windows and run ssh localhost.

Expected behavior

I am able to login via either key auth or password

Actual behavior

> ssh -v localhost
OpenSSH_for_Windows_8.9p1, LibreSSL 3.4.3
debug1: Reading configuration data C:\\Users\\xiaoh/.ssh/config
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\xiaoh/.ssh/id_rsa type 0
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_8.9
debug1: compat_banner: match: OpenSSH_for_Windows_8.9 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:22 as 'xiaoh'
debug1: load_hostkeys: fopen C:\\Users\\xiaoh/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: zlib@openssh.com
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: zlib@openssh.com
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:kpFRs8uB+NFx5GwM9eGeUfUpKaF6yw8Jy7EHpWo9IgQ
debug1: load_hostkeys: fopen C:\\Users\\xiaoh/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\xiaoh/.ssh/known_hosts:65
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: agent returned 3 keys
debug1: Will attempt key: C:\\Users\\xiaoh/.ssh/id_rsa RSA SHA256:lSF63iovTwXnmu5+RlaqRTP9kKRbQUmTW4NspIc2u/o agent
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: C:\\Users\\xiaoh/.ssh/id_rsa RSA SHA256:lSF63iovTwXnmu5+RlaqRTP9kKRbQUmTW4NspIc2u/o agent
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
xiaoh@localhost's password:
Received disconnect from ::1 port 22:2: Too many authentication failures
Disconnected from ::1 port 22

Error details

No response

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.19041.1682
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.1682
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version

8.9p1

Visuals

No response

Update 1

added following line to sshd_config

MaxAuthTries 99

Now when ssh localhost:

> ssh localhost
xiaoh@localhost's password:
Permission denied, please try again.
xiaoh@localhost's password:
Permission denied, please try again.
xiaoh@localhost's password:
xiaoh@localhost: Permission denied (publickey,password,keyboard-interactive).

I am very sure the password is correct.

syui commented 2 years ago

If password authentication does not pass, the default shell may not be working.

Check the path:

https://docs.microsoft.com/ja-jp/windows-server/administration/openssh/openssh_server_configuration

New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force

If you are an AAD user, public key authentication will not go through.

c:/programdata/ssh/sshd_config

PasswordAuthentication yes
PermitEmptyPasswords yes
syui commented 2 years ago

If you are an AAD user and want to do public key authentication, try the following steps.

c:/programdata/ssh/sshd_config

PasswordAuthentication no
PermitEmptyPasswords yes

AuthorizedKeysFile      .ssh/authorized_keys

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

c:users/xxx/.ssh/authorized_keys

ssh-rsa AAAAB/GO0K8+js= syui@github.com
maertendMSFT commented 1 year ago

@tigerinus, did the posted recommendations solve the issue?

tigerinus commented 1 year ago

@maertendMSFT - Thanks for the steps, which I am sure work.

However, it turned out to be a bad mistake I made: I forgot to run busybox --install after installing a new version of busybox-w32. Because of this, the DefaultShell I specified earlier does not exist:

[screenshot]

I wouldn't have been looking at this regkey if you hadn't mentioned it. Thanks again for the info!

tigerinus commented 1 year ago

I figure it'd be nice if the login prompt gave some error about the missing DefaultShell instead of asking for the password repeatedly, which is obviously misleading.
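The thread ends on a failure mode that sshd reports badly: credentials were fine, but the DefaultShell registry value pointed at a file that no longer existed, so every login died right after authentication and the client only saw another password prompt. The script below is an added diagnostic written for this page; it is not code from the Win32-OpenSSH project or from any commenter. It checks the items the replies above discuss, in the order they matter: the DefaultShell value, the effective sshd settings, the administrators_authorized_keys Match rule for users in the local Administrators group, and the OpenSSH event log that records why a session was rejected. It assumes the MSI default paths (sshd_config and administrators_authorized_keys under C:\ProgramData\ssh) and must run in an elevated PowerShell on the sshd host, because sshd -T needs to read the host keys.

```powershell
# Added diagnostic for the login failures discussed in this thread.
# Not part of Win32-OpenSSH; assumed paths are the MSI defaults.
# Run elevated on the host that runs sshd.

$sshdConfig = 'C:\ProgramData\ssh\sshd_config'
$adminKeys  = 'C:\ProgramData\ssh\administrators_authorized_keys'

# 1. DefaultShell is what sshd launches after a successful login. A stale path
#    (the busybox case in this thread) passes authentication and then kills the
#    session, which ssh.exe shows only as a repeated password prompt.
$shell = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell `
          -ErrorAction SilentlyContinue).DefaultShell
if (-not $shell) {
    Write-Host 'DefaultShell is unset; sshd falls back to cmd.exe.'
} elseif (Test-Path -LiteralPath $shell -PathType Leaf) {
    Write-Host "DefaultShell OK: $shell"
} else {
    Write-Warning "DefaultShell points at a missing file: $shell"
}

# 2. Effective sshd settings. 'sshd -T' prints the parsed configuration, so this
#    reflects Match blocks and defaults, not just the lines in the file.
$sshd = Get-Command sshd.exe -ErrorAction SilentlyContinue
if ($sshd) {
    $wanted = '^(pubkeyauthentication|passwordauthentication|authorizedkeysfile|' +
              'maxauthtries|permitemptypasswords|strictmodes)\b'
    & $sshd.Source -T 2>$null |
        Select-String -Pattern $wanted |
        ForEach-Object { Write-Host "  $($_.Line)" }
} else {
    Write-Warning 'sshd.exe is not on PATH; skipping sshd -T.'
}

# 3. Members of the local Administrators group read keys from
#    administrators_authorized_keys while the 'Match Group administrators' block is
#    active, not from %USERPROFILE%\.ssh\authorized_keys. The thread's config has the
#    block commented out; check which case applies to the logging-in user.
$isAdmin = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -like "*\$env:USERNAME" }
$matchActive = Select-String -Path $sshdConfig `
               -Pattern '^\s*Match\s+Group\s+administrators' -Quiet
if ($isAdmin -and $matchActive) {
    if (Test-Path -LiteralPath $adminKeys) {
        Write-Host "Admin user: keys are read from $adminKeys"
        # sshd refuses this file unless only SYSTEM and Administrators can access it.
        (Get-Acl -LiteralPath $adminKeys).Access |
            Select-Object IdentityReference, FileSystemRights |
            Format-Table -AutoSize
    } else {
        Write-Warning "Admin user with Match block active but $adminKeys is missing."
    }
} elseif ($isAdmin) {
    Write-Host 'Admin user, Match block commented out: %USERPROFILE%\.ssh\authorized_keys is used.'
} else {
    Write-Host 'Non-admin user: %USERPROFILE%\.ssh\authorized_keys is used.'
}

# 4. The reason for a rejected key or a dead session is in the OpenSSH operational
#    event log, which is where the MSI build logs by default.
Get-WinEvent -LogName 'OpenSSH/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

Run it, then retry ssh localhost and re-read the last few events. If you prefer a file, set SyslogFacility LOCAL0 and LogLevel DEBUG3 in sshd_config and restart the sshd service; the MSI build then writes C:\ProgramData\ssh\logs\sshd.log, where a failed shell spawn after a good password is visible even though the client only sees "Permission denied".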