passwordless public key ssh from linuxe to windows works for domain user fails for local user

[ileGITimo]

Prerequisites

• [X] Write a descriptive title.
• [X] Make sure you are able to repro it on the latest version
• [X] Search the existing issues.

Steps to reproduce

I've setup ssh for two remote linux users almost identically, the only (unix local) differences are that one user's private key is password protected the other isn't, and obviously they have different keys.

Both public keys have been entered in administrators_authorized_keys, and they will attempt to ssh into the Windows boxes as users in the administrator group. Neither of them has an .ssh folder under their windows' home directories.

Unix client is Fedora 39, Window server is 2019 LTSC, current with patches. Sshd.exe claims to be OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5.

ssh user1@machine works, after entering the password for the private key (either typing it or supplied by ssh-agent), NO windows password prompt, with user1 being domain\user1, the domain machine belongs to.

ssh user2@machine, no local password prompt for private key as it is not password protected, results in a PROMPT for the windows password on machine, with user2 being a local user there, i.e. not a domain user.

What am I missing to make user2 session being accepted without a password prompt? SSHD logs at DebugLevel3, shows the correct rsa fingerprint being receive but rejected, with no further explanation.

Expected behavior

No Windows password prompt for user2@machine

Actual behavior

user2's windows password is prompted and if entered session does work

Error details

N/A

Environment data

There is no PowerShell involved that I can see, not on the linux side, and on the Windows side cmd.exe will be invoked, after successful session.

Version

OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5

Visuals

No response

[ileGITimo]

Typo on title

[maertendMSFT]

Can you please provide the server side logs?

You can also confirm that the user is actually an admin, run net localgroup administrators

[ileGITimo]

Got it working, it was when I went looking for logs to post that I stumbled into my problem. Couple of nitpicks:

• SyslogFacility AUTH with LogLevel DEBUG3 doesn' t really log anything useful in EventViewer, one does need to set SyslogFacility to LOCAL0. Documentation (maybe on a quick read) gave me the impression that they would report the same info.
• I followed the instructions on changing the ACL for the administrators_authorized_keys, but that doesn't seem to be enough. Somehow that file ended up being owned by user1, in my test case above, and thus sshd complained of Bad Ownership, when trying user2.

I'll need to install it on another machine (I have about 50+ to go through, and none have internet access, a bit of pain) to check out who's the default owner, system, Administrator or someone else. I gave it to system and it worked. Also now wondering how to add public keys in there without changing the owner.

And yes, user2 is an admin. I've been using it with winexe to remotely admin a bunch of stations for 10+ years, but now SentinelOne doesn't like it and I'm trying to replace it with ssh. Last time I tried this a few years back I couldn't get neither user1 above (me) neither user2 (account that runs most maintenance scripts) to work.

Thanks.

[ileGITimo]

Closing