Unable to connect with public key #175

Closed
MrStenz opened this issue Apr 1, 2016 · 12 comments
MrStenz commented Apr 1, 2016

I'm new to OpenSSH - followed the documentation, but I'm unable to get public key accepted. I'm able to log in locally and remotely using the user's password, so functionality is fine, it's just the public key auth that is not working. This is a Windows 2012 R2 server with the latest build of OpenSSH (using 1.1 because other version resulted in service not starting).

When I use SSH - it prompts for passphrase for private key, but then moves on to ask for user password. The log states:

Cannot logon using LSA package (err = 1300, ntStat = c0000041)

If I try and use WinSCP, I get the message after entering the passphrase: 'Server refused public-key signature despite accepting key' with the same corresponding error being logged:

Cannot logon using LSA package (err = 1300, ntStat = c0000041)

Right now, I'm using an admin privileged user (I've tried running service as admin and local system). This is not a part of a domain.

RSAAuthentication and PubkeyAuthentication set to yes (and uncommented)

Issue similar to this post - #87 - but I do not have any active policies set.

@manojampalam
Contributor

What's the key type? Currently only RSA keys work for client key-based authentication.

MrStenz commented Apr 5, 2016

I ran the keygen -t RSA command which created the id_rsa and id_rsa.pub. For WinSCP I did have to run the Putty conversion, but again, still resulted in the same error.

Seems permissions related, but I'm unsure where to begin when I'm using local admin.

@manojampalam
Contributor

error 1300 maps to "Not all privileges or groups referenced are assigned to the caller."

I believe you are trying to run sshd.exe interactively. Instead try installing it as a service (see wiki for instructions). That should fix your issue.

MrStenz commented Apr 6, 2016

I am running it as a service. As Local System (default when installing as service), I receive this error:

SSH-LSA package not found. (err = 0, ntStat = c00000fe).

When I switch service to Local Admin, I'm receiving the OP error:

Cannot logon using LSA package (err = 1300, ntStat = c0000041)

This is a brand new deployed 2012R2 server, nothing else loaded and fully patched. I'm just confused that it seems permissions related, but local admin has all the rights that I can see. Clearly I'm missing something, but followed wiki line by line. I also just deployed the latest package, but still the exact same error.

linickx commented Apr 25, 2016

+1 Can't seem to figure this out.

If I was on a *nix system I would chmod 700 ~/.ssh then chmod 600 ~/.ssh/authorized_keys ... I did something kinda similar by changing the NTFS permissions of the equivalent folder to that of my user account but no joy.

I installed release 4_5_2016 today on a Windows7 64bit laptop.

Attached are my client & server debugs; any ideas/suggestions?

Ch-Fr commented Apr 27, 2016

Well, I was also unable to connect using the public key method. Copied the public key to %systemdrive%\users\user\.ssh\authorized_keys and tried to connect but public key auth was skipped and password auth was taken.

Then I found a hint on the net stating that this is because of the sshd being started as a service by Local System account which can't read the user's authorized_keys file. Solution: stop the service and start sshd by hand as that user who tries to log into the machine. That's what I successfully did.

That does not seem like a good solution but maybe it helps on fixing that problem for devs and users ...

@SkyRider64

After many hours of trying to get public key authentication working and seeing the same error "SSH-LSA package not found" I have finally made it. The problem was that I had installed (unpacked) the zip to C:\OpenSSH-Win32 and not to the recommended 'Program Files'. I did follow all the other installation steps and the installation was successful, except for the key authentication not working. I have checked the registry and the ssh-lsa part was where it was supposed to be, ssh-lsa.dll was in c:\windows\system32, everything seemed to be OK... but it didn't work. The simple solution was to uninstall everything and reinstall to C:\Program Files\OpenSSH-Win64, with the required reboot after installation of sshlsa.

@manojampalam
Contributor

Reopen if you still see issues with latest release. Now domain accounts too are supported.

linickx commented May 17, 2016

Hi, this is still failing for me in (5_15_2016); but the log message (.\sshd.exe -D -d) looks a bit more "helpful".

Connection from 192.168.36.122 port 64653 on 192.168.6.235 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_6.9
debug1: match: OpenSSH_6.9 pat OpenSSH* compat 0x04000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1p1 Microsoft_Win32_port_with_VS
debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_INIT
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user username@domain.local service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for username@domain.local from 192.168.36.122 port 64653 ssh2
debug1: userauth-request for user username@domain.local service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
Postponed publickey for username@domain.local from 192.168.36.122 port 64653 ssh2
debug1: userauth-request for user username@domain.local service ssh-connection method publickey
debug1: attempt 2 failures 0
debug1: auth agent did not authorize client username@domain.local
debug1: close - io:0000000000477E50, type:2, fd:4, table_index:4
Failed publickey for username@domain.local from 192.168.36.122 port 64653 ssh2: RSA SHA256:xxx/wkxx/UHE
debug1: userauth-request for user username@domain.local service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=username@domain.local devs=
debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for username@domain.local from 192.168.36.122 port 64653 ssh2
Connection closed by 192.168.36.122
debug1: do_cleanup

Any ideas as to why auth agent did not authorise client?

Basic checks completed:

  • c:\users\username\.ssh\authorized_keys exists
  • C:\Program Files\OpenSSH-Win64\sshd_config has the following enabled:
    • AuthorizedKeysFile .ssh/authorized_keys
    • RSAAuthentication yes
    • PubkeyAuthentication yes
  • c:\windows\system32\ssh-lsa.dll exists. (from 64bit package on 64bit system)

Footnote: I Ctrl-C to kill the connection at the password prompt since pub key had already failed. Password auth works fine with domain credentials when running sshd as a service; when running sshd in debug mode ssh-shellhost.exe cannot be created, but I guess that is to be expected.
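
As an added example (not part of the thread or of the Win32-OpenSSH project), this Python code groups `sshd -d` output into one record per userauth-request, so the debug line logged just before a failed publickey attempt stands out. The sample lines are copied from the log in the comment above; the function names are assumptions made for this example.

```python
import re

# Sample lines copied from the sshd debug output posted in the thread.
SAMPLE_LOG = """\
debug1: userauth-request for user username@domain.local service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for username@domain.local from 192.168.36.122 port 64653 ssh2
debug1: userauth-request for user username@domain.local service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
Postponed publickey for username@domain.local from 192.168.36.122 port 64653 ssh2
debug1: userauth-request for user username@domain.local service ssh-connection method publickey
debug1: attempt 2 failures 0
debug1: auth agent did not authorize client username@domain.local
debug1: close - io:0000000000477E50, type:2, fd:4, table_index:4
Failed publickey for username@domain.local from 192.168.36.122 port 64653 ssh2: RSA SHA256:xxx/wkxx/UHE
"""

REQUEST = re.compile(r"^debug1: userauth-request for user (\S+) service \S+ method (\S+)$")
ATTEMPT = re.compile(r"^debug1: attempt (\d+) failures (\d+)$")
RESULT = re.compile(r"^(Accepted|Postponed|Failed) (\S+) for ")

def summarize_auth(log_text):
    """Group sshd debug lines into one record per userauth-request."""
    attempts, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if m := REQUEST.match(line):
            current = {"user": m[1], "method": m[2], "attempt": None,
                       "result": None, "notes": []}
            attempts.append(current)
        elif current is None:
            continue  # key exchange and other lines outside a request
        elif m := ATTEMPT.match(line):
            current["attempt"] = int(m[1])
        elif m := RESULT.match(line):
            current["result"] = m[1]
            current = None  # the request has its verdict; close the record
        elif line.startswith("debug1: "):
            current["notes"].append(line[len("debug1: "):])
    return attempts

def publickey_failures(attempts):
    """Return the debug notes logged before each failed publickey attempt."""
    return [a["notes"] for a in attempts
            if a["method"] == "publickey" and a["result"] == "Failed"]
```

On this log the first publickey request is only postponed (the key blob is acceptable), and the second fails after the `auth agent did not authorize client` note, which places the failure at the signature/logon step rather than at the `authorized_keys` lookup.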

hbjastad commented Aug 5, 2016

I have the same problem, and I think I've gone through the same verification steps as above.
Can we reopen this issue, or should we create a new one?

hbjastad commented Aug 5, 2016

#253 Seems like a new issue was already created

@larsimmisch

For the record: I could fix my public key authentication problems following the suggestion from @SkyRider64 and reinstalling Win32-OpenSSH in c:\Program Files\OpenSSH-Win64
