
I'm instructed to start a new question about: Logging into Windows 10 OpenSSH server with Administrator account and public key

I've followed the suggestions here and I still get prompted for a password.

icacls %USERPROFILE%\.ssh\authorized_keys

and

icacls c:\programdata\ssh\administrators_authorized_keys

prints

C:\Users\someone\.ssh\authorized_keys NT AUTHORITY\SYSTEM:(F)
                                       BUILTIN\Administrators:(F)
                                       SOME\someone:(F)

The content of the two files is the same. They match the content of:

c:\Users\someone\.ssh\id_rsa.pub

c:\ProgramData\ssh\sshd_config (minus lines that are comments) contains

SyslogFacility LOCAL0
LogLevel DEBUG3
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile  .ssh/authorized_keys
PasswordAuthentication no
GSSAPIAuthentication no
Subsystem   sftp    sftp-server.exe

The result has been the same if I uncomment:

Match Group administrators
      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

With ssh -vvv someone@localhost

Nothing is logged after startup on the console from sshd, i.e. nothing is logged as a result of my trying to log in.

ssh prints to the console:

OpenSSH_for_Windows_8.1p1, LibreSSL 2.9.2
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\some/.ssh/id_rsa type 0
debug1: identity file C:\\Users\\some/.ssh/id_rsa-cert type -1
debug1: identity file C:\\Users\\some/.ssh/id_dsa type -1
debug1: identity file C:\\Users\\some/.ssh/id_dsa-cert type -1
debug1: identity file C:\\Users\\some/.ssh/id_ecdsa type -1
debug1: identity file C:\\Users\\some/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\\Users\\some/.ssh/id_ed25519 type -1
debug1: identity file C:\\Users\\some/.ssh/id_ed25519-cert type -1
debug1: identity file C:\\Users\\some/.ssh/id_xmss type -1
debug1: identity file C:\\Users\\some/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version MS_1.100
debug1: no match: MS_1.100
debug1: Authenticating to localhost:22 as 'some'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:pAdLIZxB6Ekw2II8ZtBIrIfXBItei16i4164bQSpdSA
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in C:\\Users\\some/.ssh/known_hosts:1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: Will attempt key: C:\\Users\\some/.ssh/id_rsa RSA SHA256:gQP7gu2KaoJVtwxeYpBeqyi/EshC3uaPtnzd2avi0pI
debug1: Will attempt key: C:\\Users\\some/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\some/.ssh/id_ecdsa
debug1: Will attempt key: C:\\Users\\some/.ssh/id_ed25519
debug1: Will attempt key: C:\\Users\\some/.ssh/id_xmss
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-with-mic,password
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such file or directory
some@localhost's password:

Here is the output of sshd -d

debug1: sshd version OpenSSH_for_Windows_8.1, LibreSSL 2.9.2
debug1: private host key #0: ssh-rsa SHA256:oKN60O0yPPCOhZhrx5ofoPvjlKST+Sp4U2FDBXFlbR0
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:3nDlWzmbKh7y/VOf+SmFNQkb9vIQv4mA76RS3GZ6EaI
debug1: private host key #2: ssh-ed25519 SHA256:Qsrp2KAHkstmi+3eBdeeEhKb9pnAjvl3nTSLoVplucs
debug1: rexec_argv[0]='C:\\Program Files\\OpenSSH\\sshd.exe'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.

What can I do?

  • Is gQP7gu2KaoJVtwxeYpBeqyi/EshC3uaPtnzd2avi0pI or pAdLIZxB6Ekw2II8ZtBIrIfXBItei16i4164bQSpdSA the correct hash for the certificate? I am 99% sure the public and private certificates should both have the same fingerprint. Please provide the entire configuration file. Please provide the output of sshd -d; this should list the private key fingerprints the sshd daemon detects. – Ramhound Mar 06 '20 at 01:27
  • Make sure you have followed the correct steps to configure OpenSSH. The Microsoft documentation has some errors, some scripts are broken; there is currently an answer at Stack Overflow that is correct – Ramhound Mar 06 '20 at 01:34
  • Verify this and this does not apply. – Ramhound Mar 06 '20 at 01:38
  • Did you check server-side log file? – Martin Prikryl Mar 06 '20 at 07:06
  • @Ramhound "Server host key" refers to server's public key and "Will attempt key" refers to user's/client's public key. They are completely different. + It's not a "certificate", but a "fingerprint" – Martin Prikryl Mar 06 '20 at 07:08
  • @Martin - I am aware and understand public and private key authentication – Ramhound Mar 06 '20 at 12:02
  • @Ramhound thanks for helping. The 2 hashes are the user's public key, which I get from ssh-keygen -lf on .ssh\id_rsa.pub authorized_keys and administrators_authorized_keys and the server host key.

    I included the entire sshd_config, above, without comments. I can't include the output of sshd -d because of the character limit in comments.

    – Shawken X Mar 06 '20 at 19:52
  • @Ramhound sshd -d
    debug1: private host key #0: ssh-rsa SHA256:oKN60O0yPPCOhZhrx5ofoPvjlKST+Sp4U2FDBXFlbR0
    
    debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:3nDlWzmbKh7y/VOf+SmFNQkb9vIQv4mA76RS3GZ6EaI
    
    debug1: private host key #2: ssh-ed25519 SHA256:Qsrp2KAHkstmi+3eBdeeEhKb9pnAjvl3nTSLoVplucs
    
    – Shawken X Mar 06 '20 at 19:54
  • The only difference from links was changes to permissions. I made those changes and the behavior is the same. – Shawken X Mar 06 '20 at 19:56
  • @MartinPrikryl I have not seen anything that would explain what I see, from sshd -d or output to log files. – Shawken X Mar 06 '20 at 20:02
  • @ShawkenX - Edit your question to include that information, but I really was asking you, to verify the information listed the correct fingerprint. – Ramhound Mar 07 '20 at 00:36
  • @Ramhound ok I've added the output of sshd -d. The 2 fingerprints are 1) the user's public key, the user's authorized_keys and administrators_authorized_keys, and 2) the server host key. I'm testing using the same account to run sshd and to login. – Shawken X Mar 09 '20 at 17:08
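
A cross-check of the three artifacts posted in the question (the ssh client debug log, the sshd -d output and sshd_config), as an added example that is not part of the original post or its comments: it flags signs that the server which answered the client is not the sshd whose log and configuration are in hand. The function name and finding labels are hypothetical, the log lines are copied from the question, and only global (non-Match) settings are considered.

```python
import re

# Lines copied from the ssh client log, sshd -d output and sshd_config in the question.
CLIENT_LOG = """\
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version MS_1.100
debug1: Server host key: ssh-rsa SHA256:pAdLIZxB6Ekw2II8ZtBIrIfXBItei16i4164bQSpdSA
debug1: Authentications that can continue: gssapi-with-mic,password
"""
SSHD_LOG = """\
debug1: sshd version OpenSSH_for_Windows_8.1, LibreSSL 2.9.2
debug1: private host key #0: ssh-rsa SHA256:oKN60O0yPPCOhZhrx5ofoPvjlKST+Sp4U2FDBXFlbR0
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:3nDlWzmbKh7y/VOf+SmFNQkb9vIQv4mA76RS3GZ6EaI
debug1: private host key #2: ssh-ed25519 SHA256:Qsrp2KAHkstmi+3eBdeeEhKb9pnAjvl3nTSLoVplucs
"""
SSHD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
GSSAPIAuthentication no
"""
# SSH auth method name -> sshd_config keyword (lower-cased) that switches it on or off.
METHOD_KEYWORD = {"publickey": "pubkeyauthentication", "password": "passwordauthentication",
                  "gssapi-with-mic": "gssapiauthentication"}

def cross_check(client_log, sshd_log, sshd_config):
    """Return labels for every mismatch between what the client saw and this sshd."""
    findings = []
    loaded = dict(re.findall(r"private host key #\d+: (\S+) (SHA256:\S+)", sshd_log))
    seen = re.search(r"Server host key: (\S+) (SHA256:\S+)", client_log)
    if seen and loaded.get(seen.group(1)) != seen.group(2):
        findings.append("host-key-not-loaded-by-this-sshd")
    banner = re.search(r"remote software version (\S+)", client_log)
    version = re.search(r"sshd version ([^,\s]+)", sshd_log)
    if banner and version and banner.group(1) != version.group(1):
        findings.append("banner-differs-from-sshd-version")
    config = {}  # sshd keeps the first value it reads for each keyword
    for line in sshd_config.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            config.setdefault(parts[0].lower(), parts[1].lower())
    offered = re.search(r"Authentications that can continue: (\S+)", client_log)
    if offered:
        methods = set(offered.group(1).split(","))
        for method, keyword in METHOD_KEYWORD.items():
            if config.get(keyword) == "no" and method in methods:
                findings.append(f"{method}-offered-but-disabled")
            if config.get(keyword) == "yes" and method not in methods:
                findings.append(f"{method}-enabled-but-not-offered")
    return findings

FINDINGS = cross_check(CLIENT_LOG, SSHD_LOG, SSHD_CONFIG)
```

Each label points at a place where the client's view and this sshd's log or configuration disagree, which is worth resolving before changing key files or their permissions any further.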
