14

I am unable to log into a Windows 10 OpenSSH Server from a CentOS OpenSSH client via public key. My password is always requested (and is accepted).

I've found many posts about setting the permissions properly on the server side for:

  • Directory C:\Users\username\.ssh
  • File C:\Users\username\.ssh\authorized_keys

I believe I've done everything required in terms of permissions. But to rule a permissions problem out, I set StrictModes=no on the server as a test and restarted the server. I found that I still must enter my password.

What else might be preventing me from logging in via public key?

Martin Prikryl
Dave
  • Does the openssh server config file allow for PubKeyAuthentication (also confirm it's not commented out -- effectively disabling) – linuxdev2013 Feb 18 '19 at 12:57
  • Yes, PubkeyAuthentication=yes. Also, I noticed the following in C:\ProgramData\ssh\sshd_config: `AuthorizedKeysFile .ssh/authorized_keys`. I am assuming this is relative to the home directory of the user I am logging in as. – Dave Feb 18 '19 at 13:08
  • Yes, that was a typo in the post. I will update the post now. Thank you for the catch. – Dave Feb 18 '19 at 13:32
  • I suggest you run both server and client with increased verbosity, possibly in debug mode (not as a service). You’ll quickly find out why your key isn’t working. – Daniel B Feb 18 '19 at 13:35
  • Please edit your post to reflect the following information, which is required to solve your issue: **Output of:** `C:\ProgramData\ssh\sshd_config` (exclude comments). **Output of:** `cmd /c icacls %userprofile%\.ssh\authorized_keys` **Output of:** `ls -ls /path/to/centos/client.key` **Output of:** CentOS SSH client config (`ssh_config`/`config`), excluding comments. Depending on setup, will either be at `~/.ssh/config` or `/etc/ssh/ssh_config`. It would also help if you change verbosity to `LogLevel = DEBUG3` & post output of the log, however, you'll need to **_sanitize it_** before posting. – JW0914 Feb 18 '19 at 13:50
  • According to https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_server_configuration#not-supported StrictModes is irrelevant for sshd on windows. – Jan Matějka May 31 '22 at 15:08

3 Answers

15

Your comments and requests for relevant information led me to the answer. In case anybody else hits this, the problem was...

My user is an administrator, and the following appears in sshd_config:

    Match Group administrators
           AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

So, by placing my public key in my own user's .ssh/authorized_keys, it was not getting picked up. Once I placed it in the file called out in sshd_config, things worked fine.

bad_coder
Dave
  • A general FYI, password login should never be allowed for SSH. The SSH key should be passphrase protected. The following should be set in the `sshd_config`: `ChallengeResponseAuthentication = no` `PasswordAuthentication = no` `PermitEmptyPasswords = no` `StrictModes = yes` `PubkeyAuthentication = yes` – JW0914 Feb 18 '19 at 16:18
14
    Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

I just ended up #commenting out these two lines in sshd_config. It was driving me UP THE WALL trying to figure out why none of the keys were being accepted.

If you comment them out, it will just use the keys in your %User%/.ssh folder, like every other SSH program in existence.

I literally spent 4 hours trying to figure out why it wasn't accepting my keys. I'm so mad at those two lines of code right now.

StrangeSudo
0

To resolve this for me I needed to use Martin's answer and Nick's comment. So the final solution was

    StrictModes no
    Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

in sshd_config.

EDIT: As Martin pointed out, there are security risks to this. StrictModes is there to protect your system when it is deemed that certain file permissions are too relaxed, so this setting is there as an added security measure. Here's a good article explaining:

https://www.ibm.com/support/knowledgecenter/SS7K4U_liberty/com.ibm.websphere.wlp.zseries.doc/ae/tagt_wlp_collective_zos_ssh.html

In my case, this config is for a test automation server with no critical data on it that runs for less than 15mins at a time, a couple of times a week.

  • 1
    Adhering to the initial question, this is a resolution. However, to the point made by @MartinPrikryl, this works because "StrictModes no" relaxes security requirements. This article covers the ACL issues with administrators_authorized_keys and how to fix it so that "StrictModes yes" can remain the active setting. https://superuser.com/questions/1445976/windows-ssh-server-refuses-key-based-authentication-from-client – patrick fogarty Dec 29 '20 at 15:31
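
The fix discussed in the answers above, as one script. This is an added example, not code from any poster: it works out which key file sshd reads for the current account (the `Match Group administrators` case from the accepted answer), installs the key there, and tightens the ACL on the shared administrators file. Assumptions: default install paths under `%ProgramData%\ssh`, a constructed placeholder key, an elevated PowerShell session run as the account that will log in, and the `icacls` ACL (Administrators and SYSTEM only) that Microsoft's OpenSSH key-management documentation gives for this file.

```powershell
# Added example. Run in an elevated PowerShell session as the account that will log in.
# Constructed placeholder: replace with the contents of the client's .pub file.
$PublicKey  = 'ssh-ed25519 AAAAC3...PLACEHOLDER... user@centos-client'
$sshdConfig = Join-Path $env:ProgramData 'ssh\sshd_config'

# 1. Is this account in BUILTIN\Administrators (SID S-1-5-32-544)?
#    whoami lists the group even when the current token is not elevated.
$groups  = whoami.exe /groups /fo csv | ConvertFrom-Csv
$isAdmin = $groups.SID -contains 'S-1-5-32-544'

# 2. Is the "Match Group administrators" block still active (not commented out)?
$matchActive = [bool](Select-String -Path $sshdConfig -Quiet `
    -Pattern '^\s*Match\s+Group\s+administrators')

# 3. Pick the file sshd will actually read for this account.
if ($isAdmin -and $matchActive) {
    $keyFile = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
} else {
    $keyFile = Join-Path $env:USERPROFILE '.ssh\authorized_keys'
    New-Item -ItemType Directory -Force -Path (Split-Path $keyFile) | Out-Null
}

# 4. Append the key once, as plain ASCII rather than the UTF-16
#    that ">" redirection writes in Windows PowerShell 5.1.
$present = (Test-Path $keyFile) -and
    (Select-String -Path $keyFile -Pattern $PublicKey -SimpleMatch -Quiet)
if (-not $present) {
    Add-Content -Path $keyFile -Value $PublicKey -Encoding ascii
}

# 5. For the shared administrators file, drop inherited ACEs and grant
#    access only to Administrators and SYSTEM.
if ($keyFile -like '*administrators_authorized_keys') {
    icacls.exe $keyFile /inheritance:r /grant '*S-1-5-32-544:F' /grant '*S-1-5-18:F'
}

# 6. Show which file was used and its resulting ACL for review.
"Key file: $keyFile"
icacls.exe $keyFile
```

If the key is still refused afterwards, the debug-mode run suggested in the question's comments shows which file sshd opened and why it rejected it.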