
I'm instructed to start a new question about: Logging into Windows 10 OpenSSH server with Administrator account and public key

I've followed the suggestions here and I still get prompted for a password.

icacls %USERPROFILE%\.ssh\authorized_keys

and

icacls c:\programdata\ssh\administrators_authorized_keys

prints

C:\Users\someone\.ssh\authorized_keys NT AUTHORITY\SYSTEM:(F)
                                       BUILTIN\Administrators:(F)
                                       SOME\someone:(F)

The content of the two files is the same. They match the content of:

c:\Users\someone\.ssh\id_rsa.pub

c:\ProgramData\ssh\sshd_config (minus lines that are comments) contains

SyslogFacility LOCAL0
LogLevel DEBUG3
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile  .ssh/authorized_keys
PasswordAuthentication no
GSSAPIAuthentication no
Subsystem   sftp    sftp-server.exe

The result has been the same if I uncomment:

Match Group administrators
      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

With ssh -vvv someone@localhost

Nothing is logged after startup on the console from sshd, i.e. nothing is logged as a result of my trying to log in.

ssh prints to the console:

OpenSSH_for_Windows_8.1p1, LibreSSL 2.9.2
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\some/.ssh/id_rsa type 0
debug1: identity file C:\\Users\\some/.ssh/id_rsa-cert type -1
debug1: identity file C:\\Users\\some/.ssh/id_dsa type -1
debug1: identity file C:\\Users\\some/.ssh/id_dsa-cert type -1
debug1: identity file C:\\Users\\some/.ssh/id_ecdsa type -1
debug1: identity file C:\\Users\\some/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\\Users\\some/.ssh/id_ed25519 type -1
debug1: identity file C:\\Users\\some/.ssh/id_ed25519-cert type -1
debug1: identity file C:\\Users\\some/.ssh/id_xmss type -1
debug1: identity file C:\\Users\\some/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version MS_1.100
debug1: no match: MS_1.100
debug1: Authenticating to localhost:22 as 'some'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:pAdLIZxB6Ekw2II8ZtBIrIfXBItei16i4164bQSpdSA
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in C:\\Users\\some/.ssh/known_hosts:1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: Will attempt key: C:\\Users\\some/.ssh/id_rsa RSA SHA256:gQP7gu2KaoJVtwxeYpBeqyi/EshC3uaPtnzd2avi0pI
debug1: Will attempt key: C:\\Users\\some/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\some/.ssh/id_ecdsa
debug1: Will attempt key: C:\\Users\\some/.ssh/id_ed25519
debug1: Will attempt key: C:\\Users\\some/.ssh/id_xmss
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-with-mic,password
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such file or directory
some@localhost's password:

Here is the output of sshd -d

debug1: sshd version OpenSSH_for_Windows_8.1, LibreSSL 2.9.2
debug1: private host key #0: ssh-rsa SHA256:oKN60O0yPPCOhZhrx5ofoPvjlKST+Sp4U2FDBXFlbR0
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:3nDlWzmbKh7y/VOf+SmFNQkb9vIQv4mA76RS3GZ6EaI
debug1: private host key #2: ssh-ed25519 SHA256:Qsrp2KAHkstmi+3eBdeeEhKb9pnAjvl3nTSLoVplucs
debug1: rexec_argv[0]='C:\\Program Files\\OpenSSH\\sshd.exe'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.

What can I do?

Shawken X
  • Is `gQP7gu2KaoJVtwxeYpBeqyi/EshC3uaPtnzd2avi0pI` or `pAdLIZxB6Ekw2II8ZtBIrIfXBItei16i4164bQSpdSA` the correct hash for the certificate? I am 99% sure the public and private certificates should both have the same fingerprint. Please provide the entire configuration file. Please provide the output of `sshd -d`; this should list the private key fingerprints the sshd daemon detects. – Ramhound Mar 06 '20 at 01:27
  • Make sure you have followed the correct steps to configure OpenSSH. The Microsoft documentation has some errors and some scripts are broken; there is currently an answer at Stack Overflow that is [correct](https://stackoverflow.com/questions/16212816/setting-up-openssh-for-windows-using-public-key-authentication). – Ramhound Mar 06 '20 at 01:34
  • Verify [this](https://github.com/PowerShell/Win32-OpenSSH/issues/1306) and [this](https://github.com/MicrosoftDocs/windowsserverdocs/issues/3806) does not apply. – Ramhound Mar 06 '20 at 01:38
  • Did you check server-side log file? – Martin Prikryl Mar 06 '20 at 07:06
  • @Ramhound *"Server host key"* refers to *server's* public key and *"Will attempt key"* refers to *user's/client's* public key. They are completely different. + It's not a *"certificate"*, but a *"fingerprint"* – Martin Prikryl Mar 06 '20 at 07:08
  • @Martin - I am aware and understand public and private key authentication – Ramhound Mar 06 '20 at 12:02
  • @Ramhound thanks for helping. The 2 hashes are the user's public key, which I get from ssh-keygen -lf on .ssh\id_rsa.pub, authorized_keys and administrators_authorized_keys, and the server host key. I included the entire sshd_config, above, without comments. I can't include the output of sshd -d because of the character limit in comments. – Shawken X Mar 06 '20 at 19:52
  • @Ramhound sshd -d debug1: private host key #0: ssh-rsa SHA256:oKN60O0yPPCOhZhrx5ofoPvjlKST+Sp4U2FDBXFlbR0 debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:3nDlWzmbKh7y/VOf+SmFNQkb9vIQv4mA76RS3GZ6EaI debug1: private host key #2: ssh-ed25519 SHA256:Qsrp2KAHkstmi+3eBdeeEhKb9pnAjvl3nTSLoVplucs – Shawken X Mar 06 '20 at 19:54
  • The only difference from links was changes to permissions. I made those changes and the behavior is the same. – Shawken X Mar 06 '20 at 19:56
  • @MartinPrikryl I have not seen anything that would explain what I see, from sshd -d or output to log files. – Shawken X Mar 06 '20 at 20:02
  • @ShawkenX - Edit your question to include that information, but I really was asking you, to verify the information listed the correct fingerprint. – Ramhound Mar 07 '20 at 00:36
  • @Ramhound ok I've added the output of sshd -d. The 2 fingerprints are 1) the user's public key, the user's authorized_keys and administrators_authorized_keys, and 2) the server host key. I'm testing using the same account to run sshd and to login. – Shawken X Mar 09 '20 at 17:08
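
Added example (not part of the original question or its comments): a Python cross-check of the three pieces of evidence posted above, namely the explicitly set `sshd_config` keywords, the client's `Authentications that can continue` line, and the version strings from `ssh -vvv` and `sshd -d`. The function names are hypothetical, the inputs are lines copied from the post, and `Match` blocks and keyword defaults are deliberately ignored.

```python
import re

# Constructed inputs: lines copied from the post's ssh -vvv output, sshd_config and sshd -d.
CLIENT_LOG = """\
debug1: Remote protocol version 2.0, remote software version MS_1.100
debug1: Authentications that can continue: gssapi-with-mic,password
"""
SSHD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
GSSAPIAuthentication no
"""
SSHD_DEBUG = "debug1: sshd version OpenSSH_for_Windows_8.1, LibreSSL 2.9.2"

# sshd_config keyword -> name of the auth method the server advertises for it
KEYWORD_TO_METHOD = {"pubkeyauthentication": "publickey", "passwordauthentication": "password",
                     "gssapiauthentication": "gssapi-with-mic"}

def expected_methods(config_text):
    """Methods explicitly set to 'yes' (first occurrence wins; Match blocks and defaults ignored)."""
    seen = {}
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return {m for k, m in KEYWORD_TO_METHOD.items() if seen.get(k) == "yes"}

def first_match(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def diagnose(client_log, config_text, sshd_debug):
    """Return mismatches between what the config enables and what the client was offered."""
    findings = []
    offered = first_match(r"Authentications that can continue: (\S+)", client_log) or ""
    got = set(offered.split(",")) - {""}
    want = expected_methods(config_text)
    if want - got:
        findings.append("enabled but not offered: " + ",".join(sorted(want - got)))
    if got - want:
        findings.append("offered but not enabled: " + ",".join(sorted(got - want)))
    banner = first_match(r"remote software version (\S+)", client_log)
    local = first_match(r"sshd version ([^,\s]+)", sshd_debug)
    if banner and local and banner != local:
        findings.append(f"remote banner {banner} != local sshd {local}")
    return findings

print("\n".join(diagnose(CLIENT_LOG, SSHD_CONFIG, SSHD_DEBUG)))
```

On the posted data all three checks fire: `publickey` is enabled but never offered, `gssapi-with-mic` and `password` are offered although the config disables them, and the remote banner `MS_1.100` differs from the `OpenSSH_for_Windows_8.1` reported by `sshd -d`. Together with the empty sshd console, that makes confirming which process is answering on port 22 the first thing to verify.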

0 Answers