I am having issues setting up OpenSSH for Windows, using public key authentication.
I have this working on my local desktop and can ssh with a key from Unix machines or other OpenSSH for Windows machines.
I have replicated the build onto a server and can get password authentication working fine, but when I use the keys I get the following issue:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /cygdrive/c/sshusers/jsadmint2232/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
Connection closed by 127.0.0.1
So for the purposes of testing, I have been just trying to SSH to localhost, but even when tried remotely I get the same issue.
Even more strange is that when I have both password and public key enabled in sshd_config, it will only attempt to use keys and then bomb out with the above message and won't even try to use password.
Here are the steps I have taken:
mkgroup -l >>..\etc\group (added local groups)
mkgroup -d >>..\etc\group (added domain groups)
mkpasswd -L -u openssh >>..\passwd (added my local user)
mkpasswd -D -u jsadmint2232 >>..\passwd (added my domain user)
net stop opensshd / net start opensshd
It appears the server is killing the connection for some reason.
An SSH key relies upon the use of two related keys, a public key and a private key, that together create a key pair that is used as the secure access credential. The private key is secret, known only to the user, and should be encrypted and stored safely.
The public part of the key is saved in the id_rsa.pub file, while the private part is saved in the id_rsa file. Both files can be accessed from this location using Explorer: C:\Users\[your user name]\.ssh.
The following are setup steps for OpenSSH shipped with Windows 10 v.1803 (April 2018 update. See comments to this post, it might not work with 1809).
Server setup (elevated powershell):
Install OpenSSH server: Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0.
Start agent and sshd services: Start-Service ssh-agent; Start-Service sshd (this will generate host keys and default configuration automatically in $env:ProgramData\ssh).
[Optional] Install OpenSSHUtils powershell module: Install-Module -Force OpenSSHUtils
Client setup (non-elevated powershell):
Generate user key: cd $env:USERPROFILE\.ssh; ssh-keygen.exe, follow prompts, agree to the default suggested file location. This will create 2 files: id_rsa and id_rsa.pub;
[Optional] add key to authentication agent, so you don't have to enter password each time you use it: ssh-add .\id_rsa (or whatever file was generated);
Server setup continued (non-elevated powershell):
cd $env:USERPROFILE; mkdir .ssh; cd .ssh; New-Item authorized_keys;
id_rsa.pub file from the client to the .ssh\authorized_keys file from the previous step.
start . to open explorer with the current folder ($env:USERPROFILE\.ssh);
authorized_keys, go to Properties -> Security -> Advanced
SYSTEM and yourself. There must be exactly two permission entries on the file. Some guides suggest running the Repair-AuthorizedKeyPermission $env:USERPROFILE\.ssh\authorized_keys - this will try to add the sshd user to the permission list and it will break the authentication, so, don't do that, or at least do not agree on adding the sshd user). Both SYSTEM and yourself should have full control over the file.
C:\ProgramData\ssh\sshd_config file. Then restart the sshd service.
# Match Group administrators
# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
Client:
ssh <serverusername>@<serverhostname>. It should work at this point.
Tried that with Windows 10 as server and both itself and a Debian Linux as a client.
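The permission rule in the answer above (exactly two entries on authorized_keys, SYSTEM and yourself, both with full control) can be checked from PowerShell instead of by eye in the Security dialog. This is an added example, not part of the original answer; the function name Test-AuthorizedKeysAcl is hypothetical, and it assumes it is run as the account whose authorized_keys file is being checked.

```powershell
# Added example: read-only audit of the authorized_keys ACL.
# Assumption: run as the user who logs in with the key (non-elevated is fine).
function Test-AuthorizedKeysAcl {
    param([string]$Path = (Join-Path $env:USERPROFILE '.ssh\authorized_keys'))

    $full      = [System.Security.AccessControl.FileSystemRights]::FullControl
    $sidType   = [System.Security.Principal.SecurityIdentifier]
    $systemSid = 'S-1-5-18'   # well-known SID of NT AUTHORITY\SYSTEM
    $userSid   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $expected  = @($systemSid, $userSid)

    # Explicit and inherited entries, identified by SID so that
    # localized account names do not affect the comparison.
    $rules = @((Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType))
    $problems = New-Object System.Collections.Generic.List[string]

    if ($rules.Count -ne 2) {
        $problems.Add("expected exactly 2 permission entries, found $($rules.Count)")
    }
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($expected -notcontains $sid) {
            $problems.Add("unexpected entry for $sid ($($rule.FileSystemRights))")
        } elseif ($rule.AccessControlType -ne 'Allow') {
            $problems.Add("deny entry for $sid")
        }
    }
    foreach ($sid in $expected) {
        $ok = $rules | Where-Object {
            $_.IdentityReference.Value -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $full) -eq $full
        }
        if (-not $ok) { $problems.Add("no full-control allow entry for $sid") }
    }

    [pscustomobject]@{
        Path      = $Path
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

Test-AuthorizedKeysAcl | Format-List
```

An entry for any other account, such as the sshd user mentioned above, is reported as an unexpected entry with its SID and rights.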