Como ativar o sensor de impressão digital no domínio e no diretório ativo do Linux

Question

user1173240

Asked: 2019-06-08 01:34:30 +0800 CST2019-06-08 01:34:30 +0800 CST 2019-06-08 01:34:30 +0800 CST

O servidor SSH do Windows recusa a autenticação baseada em chave do cliente

772

No Windows 10 1809, habilitei o servidor SSH integrado e o configurei.

Em outra máquina, usei o gerador WinSCP e PuTTy para gerar uma chave de autenticação. Copiei a parte da chave pública e a anexei ao .ssh\authorized_keysarquivo do usuário do meu servidor SSH. Corrigi as permissões de arquivo conforme necessário, apenas para meu usuário, ou seja, o usuário conectado, para o arquivo de chave.

Na máquina cliente, usei a chave privada .PPK, com WinSCP para tentar conectar em uma sessão SFTP com meu servidor, mas recebo uma mensagem de que o servidor recusou a chave que eu havia selecionado.

Consigo autenticar usando senha, mas o par de chaves não está funcionando. Vasculhando os sshdlogs gerados no servidor, vejo isto:

10200 2019-06-07 01:38:16.376 debug1: attempt 1 failures 0 [preauth]
10200 2019-06-07 01:38:16.376 debug2: input_userauth_request: try method publickey [preauth]
10200 2019-06-07 01:38:16.376 debug1: userauth_pubkey: test pkalg ssh-rsa pkblob RSA SHA256:B6s0omPbz6HJB2cIZf3+5MKHU42wp+JfOTyAM+EVqoY [preauth]
10200 2019-06-07 01:38:16.376 debug2: userauth_pubkey: disabled because of invalid user [preauth]

Não tenho certeza do que aconteceu aqui e se esse é o motivo pelo qual a conexão foi recusada. O firewall não pode ser um problema, pois consigo fazer login no servidor usando a autenticação por senha. A máquina cliente e o WinScp estão sendo reconhecidos no servidor, só que o servidor recusa a chave fornecida.

A chave gerada pelo PuTTy (ou o conteúdo da chave copiado com a chave pública) não é suportada em nenhum dos lugares? Não há senha associada à chave, mas não acho que isso deva ser um problema.

Há apenas um usuário na máquina do servidor, que é o usuário logado. O sshdserviço está sendo executado na LOCAL SYSTEMconta. Deve ser executado em uma conta de usuário (eu tentei isso, mas o serviço não inicia, os logs de eventos reclamam de um privilégio ausente ...)

EDITAR - Mais informações

Comentei o seguinte em sshd_config:

 #Match Group administrators  
 #      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Mas agora, uma tentativa de conexão reclama que authorized_keystem permissão ruim. A máquina só tem um usuário, e authorized_keysdentro da pasta .ssh desse usuário só esse usuário acessa. Tentei usar Repair-AuthorizedKeyPermissionno arquivo de chave, que adicionou SYSTEM e sshd (usuário do serviço NT) como usuários ao arquivo de chave, sshd tendo acesso de leitura. Mas agora, uma tentativa de conexão reclama que uma permissão incorreta foi definida para o usuário S-1-5-80, que é o mesmo NT Service user sshdadicionado por Repair-AutorizedKeyFile. Remover a permissão de leitura (somente permissão) para este usuário novamente dá o erro antigo, dizendo Access Denied.

EDIT - sshd.exe Logs de uma tentativa de conexão:

> 2696 2019-06-10 03:57:09.020 debug2: fd 3 setting O_NONBLOCK
> 
> 2696 2019-06-10 03:57:09.020 debug3: sock_set_v6only: set socket 3
> IPV6_V6ONLY
> 
> 2696 2019-06-10 03:57:09.020 debug1: Bind to port 22 on ::.
> 
> 2696 2019-06-10 03:57:09.020 Server listening on :: port 22.
> 
> 2696 2019-06-10 03:57:09.020 debug2: fd 4 setting O_NONBLOCK
> 
> 2696 2019-06-10 03:57:09.020 debug1: Bind to port 22 on 0.0.0.0.
> 
> 2696 2019-06-10 03:57:09.020 Server listening on 0.0.0.0 port 22.
> 
> 2696 2019-06-10 03:57:35.475 debug3: fd 5 is not O_NONBLOCK
> 
> 2696 2019-06-10 03:57:35.477 debug3: spawning
> "C:\\WINDOWS\\System32\\OpenSSH\\sshd.exe" "-R"
> 
> 2696 2019-06-10 03:57:35.483 debug3: send_rexec_state: entering fd = 8
> config len 287
> 
> 2696 2019-06-10 03:57:35.484 debug3: ssh_msg_send: type 0
> 
> 2696 2019-06-10 03:57:35.485 debug3: send_rexec_state: done
> 
> 9428 2019-06-10 03:57:35.556 debug1: inetd sockets after dupping: 3, 3
> 
> 9428 2019-06-10 03:57:35.556 Connection from 130.147.168.135 port
> 64534 on 161.85.17.107 port 22
> 
> 9428 2019-06-10 03:57:35.556 debug1: Client protocol version 2.0;
> client software version WinSCP_release_5.15.2
> 
> 9428 2019-06-10 03:57:35.556 debug1: no match: WinSCP_release_5.15.2
> 
> 9428 2019-06-10 03:57:35.556 debug1: Local version string
> SSH-2.0-OpenSSH_for_Windows_7.7
> 
> 9428 2019-06-10 03:57:35.556 debug2: fd 3 setting O_NONBLOCK
> 
> 9428 2019-06-10 03:57:35.568 debug3: spawning
> "C:\\WINDOWS\\System32\\OpenSSH\\sshd.exe" "-y"
> 
> 9428 2019-06-10 03:57:35.572 debug2: Network child is on pid 6944
> 
> 9428 2019-06-10 03:57:35.573 debug3: send_rexec_state: entering fd = 6
> config len 287
> 
> 9428 2019-06-10 03:57:35.573 debug3: ssh_msg_send: type 0
> 
> 9428 2019-06-10 03:57:35.575 debug3: send_rexec_state: done
> 
> 9428 2019-06-10 03:57:35.575 debug3: ssh_msg_send: type 0
> 
> 9428 2019-06-10 03:57:35.576 debug3: ssh_msg_send: type 0
> 
> 9428 2019-06-10 03:57:35.576 debug3: preauth child monitor started
> 
> 9428 2019-06-10 03:57:35.607 debug1: list_hostkey_types:
> ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
> [preauth]
> 
> 9428 2019-06-10 03:57:35.607 debug3: send packet: type 20 [preauth]
> 
> 9428 2019-06-10 03:57:35.607 debug1: SSH2_MSG_KEXINIT sent [preauth]
> 
> 9428 2019-06-10 03:57:35.794 debug3: receive packet: type 20 [preauth]
> 
> 9428 2019-06-10 03:57:35.794 debug1: SSH2_MSG_KEXINIT received
> [preauth]
> 
> 9428 2019-06-10 03:57:35.795 debug2: local server KEXINIT proposal
> [preauth]
> 
> 9428 2019-06-10 03:57:35.796 debug2: KEX algorithms:
> curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
> [preauth]
> 
> 9428 2019-06-10 03:57:35.797 debug2: host key algorithms:
> ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
> [preauth]
> 
> 9428 2019-06-10 03:57:35.798 debug2: ciphers ctos:
> [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
> [preauth]
> 
> 9428 2019-06-10 03:57:35.798 debug2: ciphers stoc:
> [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
> [preauth]
> 
> 9428 2019-06-10 03:57:35.798 debug2: MACs ctos:
> [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
> [preauth]
> 
> 9428 2019-06-10 03:57:35.798 debug2: MACs stoc:
> [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
> [preauth]
> 
> 9428 2019-06-10 03:57:35.798 debug2: compression ctos: none [preauth]
> 
> 9428 2019-06-10 03:57:35.798 debug2: compression stoc: none [preauth]
> 
> 9428 2019-06-10 03:57:35.799 debug2: languages ctos:  [preauth]
> 
> 9428 2019-06-10 03:57:35.799 debug2: languages stoc:  [preauth]
> 
> 9428 2019-06-10 03:57:35.799 debug2: first_kex_follows 0  [preauth]
> 
> 9428 2019-06-10 03:57:35.799 debug2: reserved 0  [preauth]
> 
> 9428 2019-06-10 03:57:35.799 debug2: peer client KEXINIT proposal
> [preauth]
> 
> 9428 2019-06-10 03:57:35.799 debug2: KEX algorithms:
> [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1
> [preauth]
> 
> 9428 2019-06-10 03:57:35.799 debug2: host key algorithms:
> ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
> 
> 9428 2019-06-10 03:57:35.799 debug2: ciphers ctos:
> aes256-ctr,aes256-cbc,[email protected],aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,[email protected],blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
> [preauth]
> 
> 9428 2019-06-10 03:57:35.800 debug2: ciphers stoc:
> aes256-ctr,aes256-cbc,[email protected],aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,[email protected],blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
> [preauth]
> 
> 9428 2019-06-10 03:57:35.800 debug2: MACs ctos:
> hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,[email protected],[email protected],[email protected],[email protected] [preauth]
> 
> 9428 2019-06-10 03:57:35.800 debug2: MACs stoc:
> hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,[email protected],[email protected],[email protected],[email protected] [preauth]
> 
> 9428 2019-06-10 03:57:35.800 debug2: compression ctos: none,zlib
> [preauth]
> 
> 9428 2019-06-10 03:57:35.800 debug2: compression stoc: none,zlib
> [preauth]
> 
> 9428 2019-06-10 03:57:35.800 debug2: languages ctos:  [preauth]
> 
> 9428 2019-06-10 03:57:35.800 debug2: languages stoc:  [preauth]
> 
> 9428 2019-06-10 03:57:35.800 debug2: first_kex_follows 0  [preauth]
> 
> 9428 2019-06-10 03:57:35.800 debug2: reserved 0  [preauth]
> 
> 9428 2019-06-10 03:57:35.801 debug1: kex: algorithm:
> [email protected] [preauth]
> 
> 9428 2019-06-10 03:57:35.801 debug1: kex: host key algorithm:
> ssh-ed25519 [preauth]
> 
> 9428 2019-06-10 03:57:35.801 debug1: kex: client->server cipher:
> aes256-ctr MAC: hmac-sha2-256 compression: none [preauth]
> 
> 9428 2019-06-10 03:57:35.801 debug1: kex: server->client cipher:
> aes256-ctr MAC: hmac-sha2-256 compression: none [preauth]
> 
> 9428 2019-06-10 03:57:35.801 debug1: expecting SSH2_MSG_KEX_ECDH_INIT
> [preauth]
> 
> 9428 2019-06-10 03:57:35.834 debug3: receive packet: type 30 [preauth]
> 
> 9428 2019-06-10 03:57:35.843 debug3: mm_key_sign entering [preauth]
> 
> 9428 2019-06-10 03:57:35.843 debug3: mm_request_send entering: type 6
> [preauth]
> 
> 9428 2019-06-10 03:57:35.843 debug3: mm_key_sign: waiting for
> MONITOR_ANS_SIGN [preauth]
> 
> 9428 2019-06-10 03:57:35.843 debug3: mm_request_receive_expect
> entering: type 7 [preauth]
> 
> 9428 2019-06-10 03:57:35.843 debug3: mm_request_receive entering
> [preauth]
> 
> 9428 2019-06-10 03:57:35.843 debug3: mm_request_receive entering
> 
> 9428 2019-06-10 03:57:35.843 debug3: monitor_read: checking request 6
> 
> 9428 2019-06-10 03:57:35.843 debug3: mm_answer_sign
> 
> 9428 2019-06-10 03:57:35.846 debug3: mm_answer_sign: hostkey proof
> signature 0000029369ED8600(83)
> 
> 9428 2019-06-10 03:57:35.846 debug3: mm_request_send entering: type 7
> 
> 9428 2019-06-10 03:57:35.846 debug2: monitor_read: 6 used once,
> disabling now
> 
> 9428 2019-06-10 03:57:35.846 debug3: send packet: type 31 [preauth]
> 
> 9428 2019-06-10 03:57:35.846 debug3: send packet: type 21 [preauth]
> 
> 9428 2019-06-10 03:57:35.846 debug2: set_newkeys: mode 1 [preauth]
> 
> 9428 2019-06-10 03:57:35.846 debug1: rekey after 4294967296 blocks
> [preauth]
> 
> 9428 2019-06-10 03:57:35.846 debug1: SSH2_MSG_NEWKEYS sent [preauth]
> 
> 9428 2019-06-10 03:57:35.846 debug1: expecting SSH2_MSG_NEWKEYS
> [preauth]
> 
> 9428 2019-06-10 03:57:36.356 debug3: receive packet: type 21 [preauth]
> 
> 9428 2019-06-10 03:57:36.356 debug1: SSH2_MSG_NEWKEYS received
> [preauth]
> 
> 9428 2019-06-10 03:57:36.356 debug2: set_newkeys: mode 0 [preauth]
> 
> 9428 2019-06-10 03:57:36.356 debug1: rekey after 4294967296 blocks
> [preauth]
> 
> 9428 2019-06-10 03:57:36.356 debug1: KEX done [preauth]
> 
> 9428 2019-06-10 03:57:36.399 debug3: receive packet: type 5 [preauth]
> 
> 9428 2019-06-10 03:57:36.399 debug3: send packet: type 6 [preauth]
> 
> 9428 2019-06-10 03:57:36.435 debug3: receive packet: type 50 [preauth]
> 
> 9428 2019-06-10 03:57:36.435 debug1: userauth-request for user
> TestUser service ssh-connection method none [preauth]
> 
> 9428 2019-06-10 03:57:36.435 debug1: attempt 0 failures 0 [preauth]
> 
> 9428 2019-06-10 03:57:36.435 debug3: mm_getpwnamallow entering
> [preauth]
> 
> 9428 2019-06-10 03:57:36.436 debug3: mm_request_send entering: type 8
> [preauth]
> 
> 9428 2019-06-10 03:57:36.436 debug3: mm_getpwnamallow: waiting for
> MONITOR_ANS_PWNAM [preauth]
> 
> 9428 2019-06-10 03:57:36.436 debug3: mm_request_receive_expect
> entering: type 9 [preauth]
> 
> 9428 2019-06-10 03:57:36.436 debug3: mm_request_receive entering
> [preauth]
> 
> 9428 2019-06-10 03:57:36.436 debug3: mm_request_receive entering
> 
> 9428 2019-06-10 03:57:36.436 debug3: monitor_read: checking request 8
> 
> 9428 2019-06-10 03:57:36.436 debug3: mm_answer_pwnamallow
> 
> 9428 2019-06-10 03:57:36.439 debug2: parse_server_config: config
> reprocess config len 287
> 
> 9428 2019-06-10 03:57:36.439 debug3: checking match for 'Group
> administrators' user TestUser host 130.147.168.135 addr
> 130.147.168.135 laddr 161.85.17.107 lport 22
> 
> 9428 2019-06-10 03:57:36.446 debug3: LsaLogonUser Succeeded
> (Impersonation: 0)
> 
> 9428 2019-06-10 03:57:36.448 debug1: user TestUser matched group list
> administrators at line 84
> 
> 9428 2019-06-10 03:57:36.448 debug3: match found
> 
> 9428 2019-06-10 03:57:36.448 debug3: reprocess config:85 setting
> AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
> 
> 9428 2019-06-10 03:57:36.449 debug3: mm_answer_pwnamallow: sending
> MONITOR_ANS_PWNAM: 1
> 
> 9428 2019-06-10 03:57:36.449 debug3: mm_request_send entering: type 9
> 
> 9428 2019-06-10 03:57:36.450 debug2: monitor_read: 8 used once,
> disabling now
> 
> 9428 2019-06-10 03:57:36.450 debug2: input_userauth_request: setting
> up authctxt for TestUser [preauth]
> 
> 9428 2019-06-10 03:57:36.450 debug3: mm_inform_authserv entering
> [preauth]
> 
> 9428 2019-06-10 03:57:36.450 debug3: mm_request_send entering: type 4
> [preauth]
> 
> 9428 2019-06-10 03:57:36.451 debug3: mm_request_receive entering
> 
> 9428 2019-06-10 03:57:36.451 debug3: monitor_read: checking request 4
> 
> 9428 2019-06-10 03:57:36.451 debug3: mm_answer_authserv:
> service=ssh-connection, style=
> 
> 9428 2019-06-10 03:57:36.451 debug2: monitor_read: 4 used once,
> disabling now
> 
> 9428 2019-06-10 03:57:36.451 debug2: input_userauth_request: try
> method none [preauth]
> 
> 9428 2019-06-10 03:57:36.452 debug3: userauth_finish: failure
> partial=0 next methods="publickey,password,keyboard-interactive"
> [preauth]
> 
> 9428 2019-06-10 03:57:36.452 debug3: send packet: type 51 [preauth]
> 
> 9428 2019-06-10 03:57:36.453 debug3: receive packet: type 50 [preauth]
> 
> 9428 2019-06-10 03:57:36.453 debug1: userauth-request for user
> TestUser service ssh-connection method publickey [preauth]
> 
> 9428 2019-06-10 03:57:36.453 debug1: attempt 1 failures 0 [preauth]
> 
> 9428 2019-06-10 03:57:36.454 debug2: input_userauth_request: try
> method publickey [preauth]
> 
> 9428 2019-06-10 03:57:36.454 debug1: userauth_pubkey: test pkalg
> ssh-rsa pkblob RSA SHA256:ospJEFHH81sy96YBMFEySGGUokk1KZHV+AbgNTFRrjE
> [preauth]
> 
> 9428 2019-06-10 03:57:36.455 debug3: mm_key_allowed entering [preauth]
> 
> 9428 2019-06-10 03:57:36.455 debug3: mm_request_send entering: type 22
> [preauth]
> 
> 9428 2019-06-10 03:57:36.455 debug3: mm_request_receive entering
> 
> 9428 2019-06-10 03:57:36.455 debug3: monitor_read: checking request 22
> 
> 9428 2019-06-10 03:57:36.456 debug3: mm_answer_keyallowed entering
> 
> 9428 2019-06-10 03:57:36.456 debug3: mm_answer_keyallowed:
> key_from_blob: 0000029369F0D8B0
> 
> 9428 2019-06-10 03:57:36.456 debug1: trying public key file
> __PROGRAMDATA__/ssh/administrators_authorized_keys
> 
> 9428 2019-06-10 03:57:36.456 debug3: Failed to open
> file:C:/ProgramData/ssh/administrators_authorized_keys error:2
> 
> 9428 2019-06-10 03:57:36.456 debug1: Could not open authorized keys
> '__PROGRAMDATA__/ssh/administrators_authorized_keys': No such file or
> directory
> 
> 9428 2019-06-10 03:57:36.456 debug3: mm_answer_keyallowed: publickey
> authentication test: RSA key is not allowed
> 
> 9428 2019-06-10 03:57:36.456 Failed publickey for TestUser from
> 130.147.168.135 port 64534 ssh2: RSA SHA256:ospJEFHH81sy96YBMFEySGGUokk1KZHV+AbgNTFRrjE
> 
> 9428 2019-06-10 03:57:36.456 debug3: mm_request_send entering: type 23
> 
> 9428 2019-06-10 03:57:36.457 debug3: mm_key_allowed: waiting for
> MONITOR_ANS_KEYALLOWED [preauth]
> 
> 9428 2019-06-10 03:57:36.457 debug3: mm_request_receive_expect
> entering: type 23 [preauth]
> 
> 9428 2019-06-10 03:57:36.457 debug3: mm_request_receive entering
> [preauth]
> 
> 9428 2019-06-10 03:57:36.457 debug2: userauth_pubkey: authenticated 0
> pkalg ssh-rsa [preauth]
> 
> 9428 2019-06-10 03:57:36.457 debug3: userauth_finish: failure
> partial=0 next methods="publickey,password,keyboard-interactive"
> [preauth]
> 
> 9428 2019-06-10 03:57:36.457 debug3: send packet: type 51 [preauth]
> 
> 9428 2019-06-10 03:57:36.482 debug3: receive packet: type 50 [preauth]
> 
> 9428 2019-06-10 03:57:36.482 debug1: userauth-request for user
> TestUser service ssh-connection method keyboard-interactive [preauth]
> 
> 9428 2019-06-10 03:57:36.482 debug1: attempt 2 failures 1 [preauth]
> 
> 9428 2019-06-10 03:57:36.482 debug2: input_userauth_request: try
> method keyboard-interactive [preauth]
> 
> 9428 2019-06-10 03:57:36.482 debug1: keyboard-interactive devs 
> [preauth]
> 
> 9428 2019-06-10 03:57:36.483 debug1: auth2_challenge: user=TestUser
> devs= [preauth]
> 
> 9428 2019-06-10 03:57:36.483 debug1: kbdint_alloc: devices ''
> [preauth]
> 
> 9428 2019-06-10 03:57:36.483 debug2: auth2_challenge_start: devices 
> [preauth]
> 
> 9428 2019-06-10 03:57:36.483 debug3: userauth_finish: failure
> partial=0 next methods="publickey,password,keyboard-interactive"
> [preauth]
> 
> 9428 2019-06-10 03:57:36.483 debug3: send packet: type 51 [preauth]

4 respostas

Voted

Bob · Answer 1 · 2019-06-11T20:04:11+08:00

A partir do Windows 10 v1809, a configuração padrão (encontrada em %ProgramData%/ssh/sshd_config) define um separado AuthorizedKeysFilepara usuários administradores:

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

This means any user who is in the special Windows Administrators group (SID S-1-5-32-544) will not look at the %UserProfile%/.ssh/authorized_keys file but will rather look at %ProgramData%/ssh/administrators_authorized_keys.

You have a few options:

Use a non-administrator user, or
Comment out those two lines from the bottom of sshd_config, which will then revert back to the default per-user AuthorizedKeysFile, or
Add your keys to the (global!) administrators_authorized_keys file

My recommendation is to use a non-admin user if possible, or modify the config otherwise. A global key that is accepted for any account in the Administrators group sounds like unnecessary complexity.¹

¹ In a default config it is always possible to impersonate any other user from an admin user, since an admin user generally implies full root-level control in Windows. That might be their rationale for this default. But of course it makes configuration of a multi-user system rather confusing, where some (non-admin) users have their own authorized keys in a standard location while other (admin) users must share a single nonstandard authorized key list.

I believe there are no security benefits to such a configuration, apart from making it obvious that all admins can impersonate each other.

A future release may create user-specific folders under %ProgramData/ssh.

This is somewhat explored here: https://github.com/PowerShell/Win32-OpenSSH/issues/1324

Stephen Quan · Answer 2 · 2020-11-26T13:27:04+08:00

OpenSSH on Windows 10 requires additional configuration to recognize authorized_keys:

Save your authorized_keys into the file C:\ProgramData\ssh\administrators_authorized_keys with no extension
Use the below PowerShell script to set the correct permissions on the file

    $acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys
    $acl.SetAccessRuleProtection($true, $false)
    $administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule("Administrators","FullControl","Allow")
    $systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
    $acl.SetAccessRule($administratorsRule)
    $acl.SetAccessRule($systemRule)
    $acl | Set-Acl

This, effectively, grants Full Control privileges to the administrators_authorized_keys file to both Administrators and SYSTEM.

If you don't do this, and instead only place the file in the .ssh folder for the user, you'll either get prompted for your password (instead of using the key file), or your connection will fail with "Too many authentication attempts".

References:

https://www.concurrency.com/blog/may-2019/key-based-authentication-for-openssh-on-windows

user159960 · Answer 3 · 2019-08-05T04:44:09+08:00

Try to put more details here, if anyone has installed a built-in openssh server in Windows 10 (build 1809 or later, or Server 2016), whether or not following Microsoft's documents: Installation, Configuration and Key management. Seems they're pretty old or sort of incomplete and need updating.

After installation of this service, start it, you should connect it from your localhost via ssh username@localhost, assuming your Windows login name is username. But we want key based authentications and we must fail only according to Microsoft documents listed above:

We can't rely on Repair-AuthorizedKeyPermission to fix authorized_keys's permission, since we can't install OpenSSHUtils module for now. Reason here, seems the signature is outdated.
As @Bob indicated, we have to comment something in sshd_config if we don't setup key pair for Administrators.

If you just want use a single user's key based authentication, we just have to do as follows (Administrator privilege is required, all based on default built-in openssh server installation):

Since we can't install OpenSSHUtils module, we set the permissions manually. Check authorized_keys's ownership and permissions:

PS C:\>(get-acl .\users\username\.ssh\authorized_keys).owner
username
PS C:\>icacls .\users\username\.ssh\authorized_keys
ssh_host_dsa_key   BUILTIN\Administrators:(F)
                   username:(F) 
                   otheruser1:(IR)
                   otheruser2:(R)

Set correct ownership and permissions for authorized_keys:

PS C:\>icacls .\users\username\.ssh\authorized_keys /inheritance:r
PS C:\>icacls .\users\username\.ssh\authorized_keys /remove otheruser2

Search for and comment group matching policy in sshd_config:

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

(Optional) Enable key based authentication. Search for and change the text to:

PubkeyAuthentication yes

(Optional) Disable password based authentication. Search for and change the text to:

PasswordAuthentication no

Copy and paste the user's public key into authorized_keys who you want to connect as.
Restart sshd service. Now you should connect to this host with key authentications.

Consult following links for more detailed contents (this answer comes from):

Ed'ka · Answer 4 · 2021-04-24T01:30:58+08:00

Ed'ka

2021-04-24T01:30:58+08:002021-04-24T01:30:58+08:00

Just to help someone like me who might be struggling to make public key authentication work for Administrator.

Make sure that only Administrators and SYSTEM can access C:\ProgramData\ssh\administrators_authorized_keys.
Basically you need to have the following security settings on your file:

In my case the file had also inherited permissions (so Authenticated Users could also access it) and as a result I was getting Failed publickey for Administrator error in sshd logs and could only login via password. Lost a couple hours trying to figure out why it wasn't working :-/

2

O servidor SSH do Windows recusa a autenticação baseada em chave do cliente

O visualizador de fotos do Windows não pode ser executado porque não há memória suficiente?

Como faço para ativar o WindowsXP agora que o suporte acabou?

Área de trabalho remota congelando intermitentemente

Serviço do Windows 10 chamado AarSvc_70f961. O que é e como posso desativá-lo?

O que significa ter uma máscara de sub-rede /32?

Ponteiro do mouse movendo-se nas teclas de seta pressionadas no Windows?

O VirtualBox falha ao iniciar com VERR_NEM_VM_CREATE_FAILED

Os aplicativos não aparecem nas configurações de privacidade da câmera e do microfone no MacBook

ssl.SSLCertVerificationError: falha na verificação do certificado [SSL: CERTIFICATE_VERIFY_FAILED]: não foi possível obter o certificado do emissor local (_ssl.c:1056)

Como posso saber em qual unidade o Windows está instalado?

O servidor SSH do Windows recusa a autenticação baseada em chave do cliente

4 respostas

relate perguntas