SSH
Eugene, 2021-06-25 21:22:49

OpenSSH on Windows 10. Why is access denied?

Good afternoon. I have a question about key-based authorization in Windows OpenSSH.
Before that, I had configured it several times without keys (password only) and everything seemed to be OK.
This time I decided to allow authorization only by SSH key and ran into Permission denied (publickey,keyboard-interactive).

Briefly about the server:
Server - Windows 10
User - local account (with administrator rights)
The public key is located in authorized_keys in the user directory (C:\Users\LocalUser\.ssh\authorized_keys).
All sorts of restarts and reboots were done.
OpenSSH server installed: (I tried both options just in case)
1) Settings -> Applications -> Additional Components -> OpenSSH Server
2) Via PowerShell according to the official instructions

Windows inbox Beta version currently supports one key type (ed25519).


Before that, I used RSA keys, and the log showed key information along the lines of:
debug1: identity file C:\\Users\\LocalUser/.ssh/id_rsa type 0
debug1: identity file C:\\Users\\LocalUser/.ssh/id_ed25519 type -1

Under each of them there was a line saying that the file was not found.

After reading that issue, I began to use the ed25519 key, now it has become like this:
debug1: identity file C:\\Users\\LocalUser/.ssh/id_ed25519 type 3
debug3: Failed to open file:C:/Users/LocalUser/.ssh/id_ed25519-cert error:2
debug3: Failed to open file:C:/Users/LocalUser/.ssh/id_ed25519-cert.pub error:2
debug1: identity file C:\\Users\\LocalUser/.ssh/id_ed25519-cert type -1


Actually, in the end, the log shows (if I understand correctly) the key being sent:
debug1: Offering public key: C:\\Users\\LocalUser/.ssh/id_ed25519 ED25519 SHA256:xKMs9i1ZJyeQjvIY3jL2WIZnGNwOr6v/7QLUPu9t2Nw explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51

However, after it, SSH tries to authenticate using the other enabled authorization methods: if password authentication is enabled, it asks for a password (even if the key is explicitly specified); if it is disabled, Permission denied (publickey,keyboard-interactive) appears immediately.

What is the problem in this case?

The full log from the client is available at https://gist.github.com/NEK-RA/e3656f98ca7e1b6c4d7... (because if you paste it directly here, the limit of 10,000 characters in the question text will be exceeded)
UPD: According to that, the server log has been added to the same link, with a slight difference: at the moment there was no access to the required device, so the situation is reproduced in a virtual machine.

1 answer(s)
MaxKozlov, 2021-06-27
@RyoidenshiAokigahara

I got to the computer, I'll write it here :)
In the server logs you can see what the problem is: the permissions on the file that I mentioned in the comment are not right

debug3: Bad permissions. Try removing permissions for user: S-1-5-11 on file C:/ProgramData/ssh/administrators_authorized_keys.
Authentication refused.

When connecting to an OpenSSH server installed on win and using key authentication, you need to pay attention to two points:
1. If the user is an admin, his public key must be specified in C:\ProgramData\ssh\administrators_authorized_keys
2. Make sure that the owners of the *authorized_keys files are correct: system - system, user - user, and without unnecessary access.
For example, you can set permissions for the system by copying them from another file:
$acl = Get-Acl C:\ProgramData\ssh\ssh_host_dsa_key.pub
Set-Acl -Path C:\ProgramData\ssh\administrators_authorized_keys -Acl $acl

GitHub also comes with special scripts for the same purposes: FixHostFilePermissions.ps1, FixUserFilePermissions.ps1
They seem to be correcting something else in the registry.
A way to bypass the settings for this file is to comment out its mention in the configs:
Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
But this is not recommended.
Well, and, as noted in the comments, you need to make sure that the encoding of the file is correct
https://github.com/PowerShell/Win32-OpenSSH/issues...
In short, it turned out that *authorized_keys encoding by default is UCS-2 LE BOM, instead of expected UTF-8. After changing the encoding, everything worked as it should.
My personal files are all in ASCII
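
The checks named in the answer above (owner and ACL of administrators_authorized_keys, plus its encoding), as an added PowerShell example that is not part of the original answer. The function name Test-AdminAuthorizedKeys is hypothetical, and the rule that only SYSTEM (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544) may appear on the file is an assumption that may be stricter than what sshd itself enforces.

```powershell
# Added example: audit the admin key file for the failure modes discussed above.
# Assumption: only SYSTEM and BUILTIN\Administrators should hold access to it.
function Test-AdminAuthorizedKeys {
    param(
        [string]$Path = (Join-Path $env:ProgramData 'ssh\administrators_authorized_keys')
    )
    $findings = @()
    if (-not (Test-Path -LiteralPath $Path)) {
        return ,@("missing: $Path")
    }
    $full    = (Resolve-Path -LiteralPath $Path).ProviderPath
    $allowed = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM, BUILTIN\Administrators
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl     = Get-Acl -LiteralPath $full

    # Owner must be one of the allowed principals
    $owner = $acl.GetOwner($sidType).Value
    if ($allowed -notcontains $owner) { $findings += "owner: unexpected owner $owner" }

    # Any Allow ACE (explicit or inherited) for another principal, e.g. S-1-5-11
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $allowed -notcontains $sid) {
            $findings += "acl: $sid has $($ace.FileSystemRights) (inherited: $($ace.IsInherited))"
        }
    }

    # Encoding: the file should be UTF-8/ASCII text; flag UTF-16 byte order marks
    $bytes = [System.IO.File]::ReadAllBytes($full)
    if ($bytes.Length -ge 2) {
        if ($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE)     { $findings += 'encoding: UTF-16 LE BOM' }
        elseif ($bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) { $findings += 'encoding: UTF-16 BE BOM' }
        elseif ($bytes -contains 0) { $findings += 'encoding: NUL bytes, probably UTF-16 without BOM' }
    }
    return ,$findings
}

$result = Test-AdminAuthorizedKeys
if ($result.Count -eq 0) { 'OK: owner, ACL and encoding look as expected' } else { $result }
```

Run it from an elevated PowerShell session on the server; an empty result means none of the three conditions was found.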
