Closed vovcacik closed 7 years ago
You should have restricted access to authorized_keys file. System(FullControl), SSHD(Read only), Administrators group (can be anything). Your security settings should look like this
https://user-images.githubusercontent.com/23668037/28344039-f117e942-6bd5-11e7-9c25-2e6b99766a53.png
@vovcacik what is the output for `(Get-Acl C:\Users\Administrator\.ssh/authorized_keys).Access`? My guess is that the file is not granted with read perm to "nt service\sshd"
Please follow either OpenSSH utility scripts to fix file permissions or Security protection of files to fix the acl of the file.
@bingbing8
(Get-Acl C:\Users\Administrator\.ssh/authorized_keys).Access
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : PC\Administrator
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : Read, Synchronize
AccessControlType : Allow
IdentityReference : NT SERVICE\sshd
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
I have tried to fix the file permission with bundled script OpenSSH utility scripts to fix file permissions
PS C:\Program Files\OpenSSH> Import-Module .\OpenSSHUtils.psd1 -Force
PS C:\Program Files\OpenSSH> Repair-AuthorizedKeyPermission -FilePath C:\Users\Administrator\.ssh\authorized_keys
[*] C:\Users\Administrator\.ssh\authorized_keys
looks good
PS C:\Program Files\OpenSSH> (Get-Acl C:\Users\Administrator\.ssh\authorized_keys).Access
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : PC\Administrator
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : Read, Synchronize
AccessControlType : Allow
IdentityReference : NT SERVICE\sshd
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
Then I have restarted the sshd and ssh-agent services, removed all logs and tried to connect with this result:
6512 10:56:30:862 debug1: trying public key file C:\\Users\\Administrator\\.ssh/authorized_keys
6512 10:56:30:878 debug3: Failed to open file:C:\\Users\\Administrator\\.ssh/authorized_keys error:13
6512 10:56:30:878 debug1: Could not open authorized keys 'C:\\Users\\Administrator\\.ssh/authorized_keys': Permission denied
@bagajjal I tried to grant full control to Administrators group and to the SYSTEM. I kept full control for my own account, as well as ownership of the authorized_keys file.
PS C:\Users\Administrator\.ssh> icacls .\authorized_keys /grant `"BUILTIN\Administrators`":`(F`)
processed file: .\authorized_keys
Successfully processed 1 files; Failed processing 0 files
PS C:\Users\Administrator\.ssh> icacls .\authorized_keys /grant `"SYSTEM`":`(F`)
processed file: .\authorized_keys
Successfully processed 1 files; Failed processing 0 files
PS C:\Users\Administrator\.ssh> (Get-Acl C:\Users\Administrator\.ssh\authorized_keys).Access
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : PC\Administrator
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : Read, Synchronize
AccessControlType : Allow
IdentityReference : NT SERVICE\sshd
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
Then I restarted the sshd and ssh-agent services, purged all logs and tried to connect - the sshd no longer tries to load authorized_keys. Even when I temporarily disable password authentication `PasswordAuthentication no`.
@bingbing8 With the above change it seems sshd does not like the permissions on the file and is refusing to read it altogether (just my guess, the log is empty, see below). So I reran the permission fix script:
PS C:\Program Files\OpenSSH> Import-Module .\OpenSSHUtils.psd1 -Force
PS C:\Program Files\OpenSSH> Repair-AuthorizedKeyPermission -FilePath C:\Users\Administrator\.ssh\authorized_keys
[*] C:\Users\Administrator\.ssh\authorized_keys
looks good
PS C:\Program Files\OpenSSH> (Get-Acl C:\Users\Administrator\.ssh\authorized_keys).Access
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : PC\Administrator
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
FileSystemRights : Read, Synchronize
AccessControlType : Allow
IdentityReference : NT SERVICE\sshd
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
All seems to be fine, yet nothing changed; permissions are the same and sshd is not loading the authorized_keys:
10080 11:20:16:995 debug1: sshd version OpenSSH_7.5, LibreSSL 2.5.3
10080 11:20:16:995 debug3: socket:0, socktype:1, io:0000021434069470, fd:3
10080 11:20:16:995 debug3: close - io:0000021434069470, type:2, fd:3, table_index:3
10080 11:20:16:995 debug3: failed to open file:./ssh_host_rsa_key error:2
10080 11:20:16:995 debug1: key_load_private: No such file or directory
10080 11:20:16:995 debug3: Failed to open file:./ssh_host_rsa_key error:2
10080 11:20:16:995 debug1: will rely on agent for hostkey ./ssh_host_rsa_key
10080 11:20:16:995 debug1: agent host key #0: ssh-rsa SHA256:YExvD7/Rnr+5AWn86WFaqTwnjZWlil3/W1EbHxlGfTM
10080 11:20:16:995 debug3: failed to open file:./ssh_host_dsa_key error:2
10080 11:20:16:995 debug1: key_load_private: No such file or directory
10080 11:20:17:011 debug3: Failed to open file:./ssh_host_dsa_key error:2
10080 11:20:17:011 debug1: will rely on agent for hostkey ./ssh_host_dsa_key
10080 11:20:17:011 debug1: agent host key #1: ssh-dss SHA256:Y/3XrbMNDtK0OUoSuwhhF3+yuHla6jrDJCDMPX55YvY
10080 11:20:17:011 debug3: failed to open file:./ssh_host_ecdsa_key error:2
10080 11:20:17:011 debug1: key_load_private: No such file or directory
10080 11:20:17:011 debug3: Failed to open file:./ssh_host_ecdsa_key error:2
10080 11:20:17:011 debug1: will rely on agent for hostkey ./ssh_host_ecdsa_key
10080 11:20:17:011 debug1: agent host key #2: ecdsa-sha2-nistp256 SHA256:Q2c1pa+mlZ1N0+aNN1XnOUkKLVpYh9RO7LBlsR9gAbw
10080 11:20:17:011 debug3: failed to open file:./ssh_host_ed25519_key error:2
10080 11:20:17:011 debug1: key_load_private: No such file or directory
10080 11:20:17:011 debug3: Failed to open file:./ssh_host_ed25519_key error:2
10080 11:20:17:011 debug1: will rely on agent for hostkey ./ssh_host_ed25519_key
10080 11:20:17:011 debug1: agent host key #3: ssh-ed25519 SHA256:xIAKsqs/SltdRYenFQuvWR7ERvyZhNDqim815dZ7fC8
10080 11:20:17:011 debug3: socket:248, socktype:1, io:00000214340693C0, fd:3
10080 11:20:17:011 debug2: fd 3 setting O_NONBLOCK
10080 11:20:17:011 debug3: sock_set_v6only: set socket 3 IPV6_V6ONLY
10080 11:20:17:011 debug1: Bind to port 22 on ::.
10080 11:20:17:011 Server listening on :: port 22.
10080 11:20:17:011 debug3: socket:276, socktype:1, io:0000021434068FA0, fd:4
10080 11:20:17:011 debug2: fd 4 setting O_NONBLOCK
10080 11:20:17:011 debug1: Bind to port 22 on 0.0.0.0.
10080 11:20:17:011 Server listening on 0.0.0.0 port 22.
10080 11:20:17:011 debug3: Failed to open file:./sshd.pid error:13
10080 11:20:17:011 error: Couldn't create pid file "./sshd.pid": Permission denied
10080 11:20:19:839 debug3: socket:284, io:0000021434069310, fd:5
10080 11:20:19:839 debug3: fd 5 is not O_NONBLOCK
10080 11:20:19:839 debug3: pipe - r-h:296,io:00000214340691B0,fd:6 w-h:292,io:0000021434068EF0,fd:7
10080 11:20:19:839 debug3: spawning "C:\\Program Files\\OpenSSH\\sshd.exe"
10080 11:20:19:839 debug3: Register child 0000000000000130 pid 2096, 0 zombies of 0
10080 11:20:19:839 debug3: close - io:0000021434069310, type:1, fd:5, table_index:5
10080 11:20:19:839 debug1: Forked child 2096.
10080 11:20:19:839 debug3: close - io:0000021434068EF0, type:2, fd:7, table_index:7
2096 11:20:19:902 debug1: sshd version OpenSSH_7.5, LibreSSL 2.5.3
2096 11:20:19:902 debug3: socket:0, socktype:1, io:000002A341173A40, fd:3
2096 11:20:19:902 debug3: close - io:000002A341173A40, type:2, fd:3, table_index:3
2096 11:20:19:902 debug3: failed to open file:./ssh_host_rsa_key error:2
2096 11:20:19:902 debug1: key_load_private: No such file or directory
2096 11:20:19:902 debug3: Failed to open file:./ssh_host_rsa_key error:2
2096 11:20:19:902 debug1: will rely on agent for hostkey ./ssh_host_rsa_key
2096 11:20:19:902 debug1: agent host key #0: ssh-rsa SHA256:YExvD7/Rnr+5AWn86WFaqTwnjZWlil3/W1EbHxlGfTM
2096 11:20:19:902 debug3: failed to open file:./ssh_host_dsa_key error:2
2096 11:20:19:902 debug1: key_load_private: No such file or directory
2096 11:20:19:902 debug3: Failed to open file:./ssh_host_dsa_key error:2
2096 11:20:19:902 debug1: will rely on agent for hostkey ./ssh_host_dsa_key
2096 11:20:19:902 debug1: agent host key #1: ssh-dss SHA256:Y/3XrbMNDtK0OUoSuwhhF3+yuHla6jrDJCDMPX55YvY
2096 11:20:19:902 debug3: failed to open file:./ssh_host_ecdsa_key error:2
2096 11:20:19:902 debug1: key_load_private: No such file or directory
2096 11:20:19:902 debug3: Failed to open file:./ssh_host_ecdsa_key error:2
2096 11:20:19:902 debug1: will rely on agent for hostkey ./ssh_host_ecdsa_key
2096 11:20:19:902 debug1: agent host key #2: ecdsa-sha2-nistp256 SHA256:Q2c1pa+mlZ1N0+aNN1XnOUkKLVpYh9RO7LBlsR9gAbw
2096 11:20:19:902 debug3: failed to open file:./ssh_host_ed25519_key error:2
2096 11:20:19:902 debug1: key_load_private: No such file or directory
2096 11:20:19:902 debug3: Failed to open file:./ssh_host_ed25519_key error:2
2096 11:20:19:902 debug1: will rely on agent for hostkey ./ssh_host_ed25519_key
2096 11:20:19:902 debug1: agent host key #3: ssh-ed25519 SHA256:xIAKsqs/SltdRYenFQuvWR7ERvyZhNDqim815dZ7fC8
2096 11:20:19:902 debug3: Failed to open file:./sshd.pid error:13
2096 11:20:19:902 error: Couldn't create pid file "./sshd.pid": Permission denied
2096 11:20:19:902 debug1: child socket: 284
2096 11:20:19:902 debug1: child startup_pipe: 292
2096 11:20:19:902 Connection from ::1 port 59586 on ::1 port 22
2096 11:20:19:917 debug1: Client protocol version 2.0; client software version PuTTYTray_p0.66_t028
2096 11:20:19:917 debug1: no match: PuTTYTray_p0.66_t028
2096 11:20:19:917 debug1: Local version string SSH-2.0-OpenSSH_7.5
2096 11:20:19:917 debug2: fd 3 setting O_NONBLOCK
2096 11:20:19:917 debug3: socket:0, socktype:1, io:000002A341154A90, fd:5
2096 11:20:19:917 debug3: list_hostkey_types: ssh-dss key not permitted by HostkeyAlgorithms
2096 11:20:19:917 debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
2096 11:20:19:917 debug3: send packet: type 20
2096 11:20:19:917 debug1: SSH2_MSG_KEXINIT sent
2096 11:20:19:917 debug3: receive packet: type 20
2096 11:20:19:917 debug1: SSH2_MSG_KEXINIT received
2096 11:20:19:917 debug2: local server KEXINIT proposal
2096 11:20:19:917 debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
2096 11:20:19:917 debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
2096 11:20:19:917 debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
2096 11:20:19:917 debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
2096 11:20:19:917 debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
2096 11:20:19:917 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
2096 11:20:19:917 debug2: compression ctos: none
2096 11:20:19:917 debug2: compression stoc: none
2096 11:20:19:917 debug2: languages ctos:
2096 11:20:19:917 debug2: languages stoc:
2096 11:20:19:917 debug2: first_kex_follows 0
2096 11:20:19:917 debug2: reserved 0
2096 11:20:19:917 debug2: peer client KEXINIT proposal
2096 11:20:19:917 debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,rsa2048-sha256,rsa1024-sha1
2096 11:20:19:917 debug2: host key algorithms: ssh-rsa,ssh-dss
2096 11:20:19:917 debug2: ciphers ctos: aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
2096 11:20:19:917 debug2: ciphers stoc: aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
2096 11:20:19:917 debug2: MACs ctos: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5
2096 11:20:19:917 debug2: MACs stoc: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5
2096 11:20:19:917 debug2: compression ctos: none,zlib
2096 11:20:19:917 debug2: compression stoc: none,zlib
2096 11:20:19:917 debug2: languages ctos:
2096 11:20:19:917 debug2: languages stoc:
2096 11:20:19:917 debug2: first_kex_follows 0
2096 11:20:19:917 debug2: reserved 0
2096 11:20:19:917 debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
2096 11:20:19:917 debug1: kex: host key algorithm: ssh-rsa
2096 11:20:19:917 debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
2096 11:20:19:917 debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
2096 11:20:19:917 debug1: expecting SSH2_MSG_KEX_DH_GEX_REQUEST
2096 11:20:19:917 debug3: receive packet: type 34
2096 11:20:19:917 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
2096 11:20:19:917 debug3: Failed to open file:./moduli error:2
2096 11:20:19:917 WARNING: could not open ./moduli (No such file or directory), using fixed modulus
2096 11:20:19:917 debug3: dh_new_group_fallback: requested max size 8192
2096 11:20:19:917 debug3: using 8k bit group 18
2096 11:20:19:917 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
2096 11:20:19:917 debug3: send packet: type 31
2096 11:20:20:011 debug2: bits set: 4057/8192
2096 11:20:20:011 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
2096 11:20:20:558 debug3: receive packet: type 32
2096 11:20:20:558 debug2: bits set: 4109/8192
2096 11:20:20:683 debug3: send packet: type 33
2096 11:20:20:683 debug3: send packet: type 21
2096 11:20:20:683 debug2: set_newkeys: mode 1
2096 11:20:20:683 debug1: rekey after 4294967296 blocks
2096 11:20:20:683 debug1: SSH2_MSG_NEWKEYS sent
2096 11:20:20:683 debug1: expecting SSH2_MSG_NEWKEYS
2096 11:20:21:245 debug3: receive packet: type 21
2096 11:20:21:245 debug1: SSH2_MSG_NEWKEYS received
2096 11:20:21:245 debug2: set_newkeys: mode 0
2096 11:20:21:245 debug1: rekey after 4294967296 blocks
2096 11:20:21:245 debug1: KEX done
2096 11:20:21:245 debug3: receive packet: type 5
2096 11:20:21:245 debug3: send packet: type 6
2096 11:20:21:245 debug3: receive packet: type 50
2096 11:20:21:245 debug1: userauth-request for user Administrator service ssh-connection method none
2096 11:20:21:245 debug1: attempt 0 failures 0
2096 11:20:21:245 debug2: parse_server_config: config reprocess config len 248
2096 11:20:21:245 debug2: input_userauth_request: setting up authctxt for Administrator
2096 11:20:21:245 debug2: input_userauth_request: try method none
2096 11:20:21:245 Failed none for Administrator from ::1 port 59586 ssh2
2096 11:20:21:245 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive"
2096 11:20:21:245 debug3: send packet: type 51
2096 11:20:21:245 debug3: receive packet: type 50
2096 11:20:21:245 debug1: userauth-request for user Administrator service ssh-connection method keyboard-interactive
2096 11:20:21:245 debug1: attempt 1 failures 0
2096 11:20:21:245 debug2: input_userauth_request: try method keyboard-interactive
2096 11:20:21:245 debug1: keyboard-interactive devs
2096 11:20:21:245 debug1: auth2_challenge: user=Administrator devs=
2096 11:20:21:245 debug1: kbdint_alloc: devices ''
2096 11:20:21:245 debug2: auth2_challenge_start: devices
2096 11:20:21:245 Failed keyboard-interactive for Administrator from ::1 port 59586 ssh2
2096 11:20:21:245 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive"
2096 11:20:21:245 debug3: send packet: type 51
2096 11:20:23:730 Connection closed by authenticating user Administrator ::1 port 59586
2096 11:20:23:730 debug1: do_cleanup
10080 11:20:23:730 debug3: close - io:00000214340691B0, type:2, fd:6, table_index:6
10080 11:20:23:730 debug3: zombie'ing child at index 0, 0 zombies of 1
10080 11:20:23:730 debug3: Unregister child at index 0, 1 zombies of 1
@bagajjal I tried to set the permissions exactly as on your screenshot, but still the same problem - authorized_keys is not even attempted to be read.
I took another approach, I've removed all permissions on the authorized_keys file and kept ownership. Then I ran the fix script:
PS C:\Program Files\OpenSSH> Import-Module .\OpenSSHUtils.psd1 -Force
PS C:\Program Files\OpenSSH> Repair-AuthorizedKeyPermission -FilePath C:\Users\Administrator\.ssh\authorized_keys
[*] C:\Users\Administrator\.ssh\authorized_keys
'NT SERVICE\sshd' needs Read access to 'C:\Users\Administrator\.ssh\authorized_keys'.
Shall I make the above change?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):
'NT SERVICE\sshd' now has Read access to 'C:\Users\Administrator\.ssh\authorized_keys'.
Repaired permissions
PS C:\Program Files\OpenSSH> (Get-Acl C:\Users\Administrator\.ssh\authorized_keys).Access
FileSystemRights : Read, Synchronize
AccessControlType : Allow
IdentityReference : NT SERVICE\sshd
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
I also tried to check Effective access and it looks just fine:
I get the same results when I assign additional permission to `Traverse folder/execute file` or even `Full control`.
Also note that I have input `NT SERVICE\sshd`, but the UI abbreviates it to just `sshd`.
I made sure the sshd processes are running with correct permissions:
sshd.exe NT SERVICE\sshd
ssh-agent.exe NT AUTHORITY\SYSTEM
Despite all that:
6524 11:47:15:895 debug1: trying public key file C:\\Users\\Administrator\\.ssh/authorized_keys
6524 11:47:15:895 debug3: Failed to open file:C:\\Users\\Administrator\\.ssh/authorized_keys error:13
6524 11:47:15:895 debug1: Could not open authorized keys 'C:\\Users\\Administrator\\.ssh/authorized_keys': Permission denied
I managed to successfully install the OpenSSH on another Windows 10 machine. I will try to reinstall OpenSSH on the problematic machine, but as far as I can tell the only difference was that I have skipped the `New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName SSH` line in installation instructions and went for `netsh advfirewall firewall add rule name='SSH Port' dir=in action=allow protocol=TCP localport=22` directly. I ran both lines on the first machine.
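The log excerpts above show two different signatures: in one, sshd tries the key file and the open fails with error:13; in the other, the client only requests `none` and `keyboard-interactive`, so no key file is tried at all. The following is an added example, not code from the thread or from Win32-OpenSSH, that separates the two per sshd process; the function name `Get-SshdAuthTriage` and the verdict wording are assumptions, and the sample lines are constructed in the log format shown above.

```powershell
# Constructed sample lines in the "<pid> <time> <message>" format of the logs above.
$sampleLog = @'
6512 10:56:30:850 debug1: userauth-request for user Administrator service ssh-connection method publickey
6512 10:56:30:862 debug1: trying public key file C:\\Users\\Administrator\\.ssh/authorized_keys
6512 10:56:30:878 debug3: Failed to open file:C:\\Users\\Administrator\\.ssh/authorized_keys error:13
2096 11:20:19:902 debug3: failed to open file:./ssh_host_rsa_key error:2
2096 11:20:21:245 debug1: userauth-request for user Administrator service ssh-connection method none
2096 11:20:21:245 debug1: userauth-request for user Administrator service ssh-connection method keyboard-interactive
2096 11:20:23:730 Connection closed by authenticating user Administrator ::1 port 59586
'@ -split '\r?\n'

function Get-SshdAuthTriage {
    param([string[]]$Line)

    $sessions = [ordered]@{}
    foreach ($l in $Line) {
        # Skip anything that is not "<pid> <hh:mm:ss:fff> <message>".
        if ($l -notmatch '^(?<id>\d+)\s+\d{1,2}:\d{2}:\d{2}:\d{3}\s+(?<msg>.*)$') { continue }
        $procId = $Matches['id']
        $msg    = $Matches['msg']
        if (-not $sessions.Contains($procId)) {
            $sessions[$procId] = [pscustomobject]@{
                ProcessId = $procId
                Methods   = [System.Collections.Generic.List[string]]::new()
                KeyFile   = $null
                OpenError = $null
                Verdict   = $null
            }
        }
        $s = $sessions[$procId]
        if ($msg -match 'userauth-request for user \S+ service \S+ method (?<m>\S+)') {
            # Record each authentication method the client actually requested.
            if (-not $s.Methods.Contains($Matches['m'])) { $s.Methods.Add($Matches['m']) }
        } elseif ($msg -match 'trying public key file (?<f>.+)$') {
            $s.KeyFile = $Matches['f']
        } elseif ($msg -match 'Failed to open file:.*authorized_keys error:(?<e>\d+)') {
            # Only open failures on the key file matter here, not host keys or moduli.
            $s.OpenError = [int]$Matches['e']
        }
    }

    foreach ($s in $sessions.Values) {
        # Processes with no authentication activity (for example the listener) are skipped.
        if ($s.Methods.Count -eq 0 -and -not $s.KeyFile) { continue }
        if ($s.OpenError -eq 13) {
            $s.Verdict = 'key file tried, open denied (error:13): check the ACL and that the path is a file'
        } elseif ($s.OpenError) {
            $s.Verdict = "key file tried, open failed with error:$($s.OpenError)"
        } elseif ($s.KeyFile) {
            $s.Verdict = 'key file tried and no open error logged'
        } elseif ($s.Methods -notcontains 'publickey') {
            $s.Verdict = 'client never requested publickey: check which key the client offers'
        } else {
            $s.Verdict = 'publickey requested but no key file tried'
        }
        $s
    }
}

Get-SshdAuthTriage -Line $sampleLog | Format-Table ProcessId, Methods, OpenError, Verdict -Wrap
```

To run it against a real log, pass the output of `Get-Content` for the sshd log file as `-Line`.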
I was seeing this same issue and while it may not have been vovcacik's issue I figured I'd post here to assist anyone else that runs into it. The problem ended up being that I had mistakenly created "authorized_keys" as a folder with my .pub key file simply copied into the folder. Authorized_keys should be created as a generic text file with the text of the pub key file copied into Authorized_keys.
To accomplish this I did the following;
I didn't solve this issue, however I think I have provided enough data to point the finger at win32-openssh. Especially the fact that Windows reported proper permissions for user `sshd` in Effective access view.
I no longer need this fixed.
I'm frustrated by Win32-OpenSSH too. It has problems with simple configs and does not write enough info to logs. However, I was able to fix pubkey authentication when I removed some unwanted inherited permissions.
@vovcacik Are you sure that the service runs under `sshd` user? It's `Local System` in my case.
@sspencer3 thank you. That resolved my issue. For anyone else, follow @sspencer3's instructions then run the following to set the permissions correctly.
In an elevated PowerShell open and run the following:
Import-Module .\OpenSSHUtils.psd1 -Force
Repair-AuthorizedKeyPermission -FilePath C:\Users\username\.ssh\authorized_keys
I've trouble too:
PS C:\Program Files\OpenSSH-Win64> Import-Module .\OpenSSHUtils.psd1 -Force
PS C:\Program Files\OpenSSH-Win64> Repair-AuthorizedKeyPermission -FilePath C:\Users\Administrator.DOMAIN\.ssh\authoriz
ed_keys
[*] C:\Users\Administrator.DOMAIN\.ssh\authorized_keys
Need to remove the inheritance before repair the rules.
Shall I remove the inheritace?
[S] Sì [T] Sì a tutti [N] No [U] No a tutti [O] Sospendi [?] Guida (il valore predefinito è "S"): s
Inheritance is removed from 'C:\Users\Administrator.DOMAIN\.ssh\authorized_keys'.
'NT AUTHORITY\SYSTEM' has the following access to 'C:\Users\Administrator.DOMAIN\.ssh\authorized_keys': 'Allow'-'Read,
Synchronize'.
Shall I make it Allow FullControl?
[S] Sì [T] Sì a tutti [N] No [U] No a tutti [O] Sospendi [?] Guida (il valore predefinito è "S"): s
'NT AUTHORITY\SYSTEM' now has FullControl access to 'C:\Users\Administrator.DOMAIN\.ssh\authorized_keys'.
Repaired permissions
PS C:\Program Files\OpenSSH-Win64> Repair-AuthorizedKeyPermission -FilePath C:\Users\Administrator.DOMAIN\.ssh\authoriz
ed_keys
[*] C:\Users\Administrator.DOMAIN\.ssh\authorized_keys
looks good
PS C:\Program Files\OpenSSH-Win64> Repair-AuthorizedKeyPermission -FilePath C:\Users\Administrator.DOMAIN\.ssh\authoriz
ed_keys
[*] C:\Users\Administrator.DOMAIN\.ssh\authorized_keys
looks good
PS C:\Program Files\OpenSSH-Win64> icacls.exe C:\Users\Administrator.DOMAIN\.ssh
C:\Users\Administrator.DOMAIN\.ssh DOMAIN\Administrator:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(R)
Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file
PS C:\Program Files\OpenSSH-Win64> icacls.exe C:\Users\Administrator.DOMAIN\.ssh\authorized_keys
C:\Users\Administrator.DOMAIN\.ssh\authorized_keys NT AUTHORITY\SYSTEM:(F)
DOMAIN\Administrator:(F)
Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file
On the linux client side:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
@sgargel, is `C:\Users\Administrator.DOMAIN\.ssh\authorized_keys` a file or a directory?
@bingbing8 `C:\Users\Administrator.DOMAIN\.ssh\authorized_keys` is a file containing my pub key
If you are using the openssh-server from windows utilities, just comment out the last lines in C:\ProgramData\ssh\sshd_config, it works for me.
> If you are using the openssh-server from windows utilities, just comment out the last lines in C:\ProgramData\ssh\sshd_config, it works for me.

that helps.
Even though I've put the public key in it, it seems it does not work. But ~/.ssh/authorized_keys works fine
> I was seeing this same issue and while it may not have been vovcacik's issue I figured I'd post here to assist anyone else that runs into it. The problem ended up being that I had mistakenly created "authorized_keys" as a folder with my .pub key file simply copied into the folder. Authorized_keys should be created as a generic text file with the text of the pub key file copied into Authorized_keys.
> To accomplish this I did the following;
> 1. Used notepad to create a text file named authorized_keys in C:\users\username\.ssh\
> 2. Copied the contents of my .pub key file into the authorized_keys text file as a single line of text.
> 3. Used "Save As" to change the encoding to use UTF-8 because the default ANSI can have issues being read by the sshd service.
> 4. After closing the authorized_keys file I then removed its .txt extension. To do this you may need to uncheck "Hide extensions for known file types" from the Windows Folder Options control panel. When done correctly Windows should now show the file type as "File" instead of "Text Document".
> 5. I then used icacls to update the permissions for the authorized_keys file as shown here: https://github.com/PowerShell/Win32-OpenSSH/wiki/Security-protection-of-various-files-in-win32-openssh
> 6. I then updated the sshd_config file's "AuthorizedKeysFile" line to point to C:\users\username\.ssh\authorized_keys
> 7. Restart sshd service
> 8. Test SSH connection
Step 5. Especially these commands
PS C:>icacls administrators_authorized_keys /inheritance:r
PS C:>icacls administrators_authorized_keys /grant SYSTEM:(F)
PS C:>icacls administrators_authorized_keys /grant BUILTIN\Administrators:(F)
Solved my issue!
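The causes reported across this thread (a folder named authorized_keys, a leftover .txt extension, an encoding sshd cannot read, inherited or extra ACEs, and doubt about which account the sshd service runs as) can be checked read-only before any ACL is changed. The following is an added example, not part of any comment above or of OpenSSHUtils; the function name `Test-AuthorizedKeysFile` and its default identity list are assumptions drawn from the advice in this thread, and the encoding check looks only for a UTF-16 byte-order mark.

```powershell
function Test-AuthorizedKeysFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Identities accepted on the ACL in addition to the file owner (assumed from this thread).
        [string[]]$AllowedIdentity = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\sshd')
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. The path must exist and be a file, not a folder holding a copied .pub file.
    if (-not (Test-Path -LiteralPath $Path)) {
        $hint = if (Test-Path -LiteralPath "$Path.txt") { " ('$Path.txt' exists: remove the .txt extension)" } else { '' }
        $findings.Add("missing: '$Path' does not exist$hint")
        return $findings
    }
    if (Test-Path -LiteralPath $Path -PathType Container) {
        $findings.Add("not a file: '$Path' is a directory")
        return $findings
    }

    # 2. Content: an empty file or a UTF-16 byte-order mark means sshd sees no usable key line.
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).ProviderPath)
    if ($bytes.Length -eq 0) { $findings.Add('content: file is empty') }
    $bom = if ($bytes.Length -ge 2) { '{0:X2}{1:X2}' -f $bytes[0], $bytes[1] } else { '' }
    if ($bom -in 'FFFE', 'FEFF') {
        $findings.Add('encoding: UTF-16 byte-order mark found; re-save the file as UTF-8')
    }

    # 3. ACL: inheritance should be off and no Allow ACE should name anyone outside the accepted set.
    $acl = Get-Acl -LiteralPath $Path
    if (-not $acl.AreAccessRulesProtected) {
        $findings.Add('acl: inheritance is enabled, so parent-folder ACEs apply to this file')
    }
    $accepted = @($AllowedIdentity) + $acl.Owner
    $allow = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })
    foreach ($ace in $allow) {
        if ($accepted -notcontains $ace.IdentityReference.Value) {
            $findings.Add("acl: unexpected identity '$($ace.IdentityReference.Value)' has $($ace.FileSystemRights)")
        }
    }

    # 4. The sshd service account differs between installs (NT SERVICE\sshd or Local System).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='sshd'" -ErrorAction SilentlyContinue
    if ($svc) {
        $account = if ($svc.StartName -eq 'LocalSystem') { 'NT AUTHORITY\SYSTEM' } else { $svc.StartName }
        $read = [System.Security.AccessControl.FileSystemRights]::Read
        $hasRead = $allow | Where-Object {
            $_.IdentityReference.Value -eq $account -and ($_.FileSystemRights -band $read) -eq $read
        }
        if (-not $hasRead) {
            # Group membership can still grant access; this reports only the explicit ACE.
            $findings.Add("acl: no explicit Allow ACE with Read for service account '$account'")
        }
    }
    return $findings
}

# Check the current user's key file; no output means no findings.
Test-AuthorizedKeysFile -Path "$env:USERPROFILE\.ssh\authorized_keys"
```

The function only reads state; repairs are still done with `Repair-AuthorizedKeyPermission` or `icacls` as described above.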
"OpenSSH for Windows" version
PS C:\Program Files\OpenSSH> ((Get-Item (Get-Command sshd).Source).VersionInfo.FileVersion)
Get-Command : The term 'sshd' is not recognized as the name of a cmdlet, function, script file, or operable program.
Anyway, it is 0.0.18.0.
Server OperatingSystem
((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows nt\CurrentVersion\" -Name ProductName).ProductName)
Windows 10 Pro
Client OperatingSystem
Windows 10 Pro
What is failing Public key login.
in spite of
Expected output
Actual output