search

PowerShell / Win32-OpenSSH

Win32 port of OpenSSH
7.44k stars 762 forks source link

Permission Denied Reading authroized_keys File #2264

Closed donpwinston closed 2 months ago

donpwinston commented 3 months ago

Prerequisites

Steps to reproduce

We cannot get public access key to work when using ssh. ssh with password works. Log indicates permission denied error but permissions appear correct:

7948 2024-08-09 17:43:27.343 debug1: trying public key file C:\Users\info001sec\.ssh/authorized_keys 7948 2024-08-09 17:43:27.343 debug3: Failed to open file:C:/Users/info001sec/.ssh/authorized_keys error:13 7948 2024-08-09 17:43:27.343 debug1: Could not open authorized keys 'C:\Users\info001sec\.ssh/authorized_keys': Permission denied

info001sec has full access (rw) according to Windows10. info001sec is an Administrator. "Match Group" and "AuthorizedKeysFile PROGRAMDATA/ssh/administrators_authorized_keys" are commented out in sshd_config.

Default shell for ssh is set to PowerShell (version 5)

Expected behavior

Public access key authentication should work at the same time as password authentication.

Actual behavior

Password authentication works. Public access key authentication does not.

Error details

7948 2024-08-09 17:43:27.343 debug1: trying public key file C:\\Users\\info001sec\\.ssh/authorized_keys
7948 2024-08-09 17:43:27.343 debug3: Failed to open file:C:/Users/info001sec/.ssh/authorized_keys error:13
7948 2024-08-09 17:43:27.343 debug1: Could not open authorized keys 'C:\\Users\\info001sec\\.ssh/authorized_keys': Permission denied

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.19041.4780
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.4780
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version

OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2

Visuals

No response

tgauth commented 3 months ago

The SSHD server runs as SYSTEM so full access to the file is also required by the SYSTEM. Can you verify the permissions are correct?

https://github.com/PowerShell/openssh-portable/blob/latestw_all/contrib/win32/openssh/OpenSSHUtils.psm1#L201 is a helper function that can also be used for reference, with $adminsSid replaced by the info001sec SID

donpwinston commented 2 months ago

Thanks. I fixed the problem with: CACLS authorized_keys /e /p SYSTEM:f