PublicKey Auth Fail #253

Closed
Zu5e opened this issue Jun 28, 2016 · 37 comments

@Zu5e

Zu5e commented Jun 28, 2016

Hi,
I tried to connect from a Linux client to a Windows server with OpenSSH and public key authentication.

Here is the debug from the server:

PS C:\Program Files\OpenSSH> ./sshd.exe -d
debug1: sshd version OpenSSH_7.1, OpenSSL 1.0.2d 9 Jul 2015
[Build May 30 2016 09:56:31]
debug1: open - handle:000000EC, io:0130DED0, fd:3
debug1: ReadFileEx() ERROR:38, io:0130DED0
debug1: read - no more data, io:0130DED0
debug1: ReadFileEx() ERROR:38, io:0130DED0
debug1: read - no more data, io:0130DED0
debug1: close - io:0130DED0, type:2, fd:3, table_index:3
debug1: open - handle:000000EC, io:0130DED0, fd:3
debug1: close - io:0130DED0, type:2, fd:3, table_index:3
debug1: private host key #0: ssh-rsa SHA256:ZZmZQSnpiL6/5TtDwUCFrgsRZvOoSGDqRKhchWNmy9A
debug1: open - handle:000000EC, io:0130DED0, fd:3
debug1: ReadFileEx() ERROR:38, io:0130DED0
debug1: read - no more data, io:0130DED0
debug1: ReadFileEx() ERROR:38, io:0130DED0
debug1: read - no more data, io:0130DED0
debug1: close - io:0130DED0, type:2, fd:3, table_index:3
debug1: open - handle:000000EC, io:0130DED0, fd:3
debug1: close - io:0130DED0, type:2, fd:3, table_index:3
debug1: private host key #1: ssh-dss SHA256:/isgEZgvZttmmMLRn0R1T1ueNO+/ydXEa/4gHtusfys
debug1: open - handle:000000EC, io:0130DED0, fd:3
debug1: ReadFileEx() ERROR:38, io:0130DED0
debug1: read - no more data, io:0130DED0
debug1: ReadFileEx() ERROR:38, io:0130DED0
debug1: read - no more data, io:0130DED0
debug1: close - io:0130DED0, type:2, fd:3, table_index:3
debug1: open - handle:000000EC, io:0130DED0, fd:3
debug1: close - io:0130DED0, type:2, fd:3, table_index:3
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:SelcardwxGqViPv1hr02qrz6dm+eVwUx5vLFYwNB374
debug1: open - handle:000000EC, io:01328698, fd:3
debug1: ReadFileEx() ERROR:38, io:01328698
debug1: read - no more data, io:01328698
debug1: ReadFileEx() ERROR:38, io:01328698
debug1: read - no more data, io:01328698
debug1: close - io:01328698, type:2, fd:3, table_index:3
debug1: open - handle:000000F4, io:01328698, fd:3
debug1: close - io:01328698, type:2, fd:3, table_index:3
debug1: private host key #3: ssh-ed25519 SHA256:rCWG16CA73J/a8K901KEOHOIxuUnjH9jjgqaiwuonIs
debug1: socket:244, io:01328698, fd:3
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: socket:272, io:0132A7E0, fd:4
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: socket:284, io:0130F368, fd:5
debug1: pipe - read end: handle:00000120, io:0130F3E8, fd:6
debug1: pipe - write end: handle:00000124, io:0130F468, fd:7
debug1: Server will not fork when running in debugging mode.
debug1: close - io:01328698, type:1, fd:3, table_index:3
debug1: close - io:0132A7E0, type:1, fd:4, table_index:4
debug1: close - io:0130F3E8, type:2, fd:6, table_index:6
debug1: close - io:0130F468, type:2, fd:7, table_index:7
Connection from 10.50.14.97 port 37510 on 10.50.14.109 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1p1 Microsoft_Win32_port_with_VS
debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
debug1: kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_INIT
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user Administrator service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for Administrator from 10.50.14.97 port 37510 ssh2
debug1: userauth-request for user Administrator service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
Postponed publickey for Administrator from 10.50.14.97 port 37510 ssh2
debug1: userauth-request for user Administrator service ssh-connection method publickey
debug1: attempt 2 failures 0
debug1: auth agent did not authorize client Administrator
debug1: close - io:013233E0, type:2, fd:4, table_index:4
Failed publickey for Administrator from 10.50.14.97 port 37510 ssh2: RSA SHA256:9bsZjgmBblfeuGQYBqD4MUvI7G1b/2agkQqfopUc
U7g
debug1: userauth-request for user Administrator service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=Administrator devs=
debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for Administrator from 10.50.14.97 port 37510 ssh2
Connection closed by 10.50.14.97
debug1: do_cleanup

Here is the debug from the client:

OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 10.50.14.109 [10.50.14.109] port 22.
debug1: Connection established.
debug1: identity file id_rsa type 1
debug1: identity file id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1p1 Microsoft_Win32_port_with_VS
debug1: match: OpenSSH_7.1p1 Microsoft_Win32_port_with_VS pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA c7:04:60:c6:1d:af:2d:2b:9d:31:ee:22:0f:c7:b8:f1
debug1: Host '10.50.14.109' is known and matches the ECDSA host key.
debug1: Found key in /home/max/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive).

Something about my sshd_config:
The "authorized_keys" text file with the id_rsa public key from the Linux client is in C:/Users/Administrator/.ssh/

Here is the sshd_config:

#   $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile  C:/Users/Administrator/.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no

# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem   sftp    C:/Program Files/OpenSSH/sftp-server.exe

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   ForceCommand cvs server
PubkeyAcceptedKeyTypes ssh-ed25519*,ssh-rsa*,ssh-dss*,ecdsa-sha2*

I hope you can help me.
Thank you.

@TraGicCode

I am having the same issue when using PasswordAuthentication no and PublicKey authentication only. Any help is greatly appreciated.

@manojampalam
Contributor

https://github.com/PowerShell/Win32-OpenSSH/wiki/Troubleshooting%20Steps

Check and dump ssh-agent.log; it should have info on why key-based auth failed.

@TraGicCode

Thanks @manojampalam, I'll give it a shot this weekend when I have the time :)

@TraGicCode

I seem to be getting unable to generate user token from the sshd application in the logs. Any ideas?

@manojampalam
Contributor

Is the user account local or domain? If local, ensure that ssh-lsa is installed. Follow steps in wiki.

@TraGicCode

I am logging in with the local Administrator account. Also keep in mind I'm installing the software on the server using Chocolatey. @DarwinJS

@DarwinJS

DarwinJS commented Jul 2, 2016

It is possible that the new method of using the scheduler (rather than psexec) is not properly able to register the keys. Can anyone confirm or give me the steps to confirm when the keys are being registered properly by ssh-add?

@TraGicCode

I was able to get public key auth working by doing the manual installation steps according to the wiki. The Chocolatey package installation is the one that gives me the above issue. Sounds like an issue with the choco package installation scripts.

@gumbo2k

gumbo2k commented Jul 19, 2016

@TraGicCode Did you find out the difference between the chocolatey package installation and the manual one? I have tried the manual installation first and failed at a different stage. (Didn't get sshd to start as a service) Thus I tried the chocolatey packages and those installed fine (with some tweaking) but I can't get public key authentication to work.

@TraGicCode

No, I never got it to work. I'm waiting for the next Chocolatey release :/ maybe that will work!


@alex3305

Probably related to DarwinJS/ChocoPackages#8

@categulario

@TraGicCode which release did you use for manual installation? I just installed 5_30_2016 but key auth is not working for me.

@hbjastad

hbjastad commented Aug 5, 2016

I installed manually, following the instructions, and I am having the same problem. Issue #175 has been closed without a solution.
The ssh-agent.log is not very clear (to me):

3984 17:40:44 643 debug1: iocp error: 109 on 000000FB1212DBE0

3984 17:40:44 643 debug1: connection 000000FB1212DBE0 clean up
3984 17:40:44 643 debug1: iocp error: 6 on 0000000000000000

@DarwinJS

DarwinJS commented Sep 3, 2016

This should be working now in the latest release (still in moderation). You can try it with:

choco install -y win32-openssh -version 2016.05.30.20160902 --params='/SSHServerFeature /KeyBasedAuthenticationFeature /UseNTRights'

@discodance1

I have done a manual install of the latest release on Sep 17 and I am getting a similar issue during public key auth.
How do I check if ssh-add has added keys properly for public key auth to work?

In the ssh-agent log I see this error:

debug1: connection io 000000B1C61EEEF0 #bytes:0 state:0
debug1: connection io 000000B1C61EEEF0 #bytes:4 state:1
debug1: connection io 000000B1C61EEEF0 #bytes:978 state:2
debug1: client type: 1
debug1: LsaRegisterLogonProcess failed
debug1: unable to generate token for user
debug1: connection 000000B1C61EEEF0 clean up
debug1: iocp error: 6 on 0000000000000000
debug1: iocp error: 109 on 0000000E19FDEEF0

@rbertoche

rbertoche commented Oct 3, 2016

I'm having this issue too.
I'm running the zip package version.

debug2: input_userauth_request: try method publickey
debug2: write - io:00000285FBEE7770
debug2: WriteCB - pio:00000285FBEE7770, pending_state:1, error:0, transferred:4 of remaining: 4
debug2: write - reporting 4 bytes written, io:00000285FBEE7770
debug2: write - io:00000285FBEE7770
debug2: WriteCB - pio:00000285FBEE7770, pending_state:1, error:0, transferred:950 of remaining: 950
debug2: write - reporting 950 bytes written, io:00000285FBEE7770
debug2: ReadFileEx io:00000285FBEE7770
debug2: ReadCB pio:00000285FBEE7770, pending_state:1, error:0, received:5
debug2: read - io:00000285FBEE7770 read: 4 remaining: 1
debug2: read - io:00000285FBEE7770 read: 1 remaining: 0
debug1: auth agent did not authorize client Julia
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Failed publickey for Julia from 127.0.0.1 port 55710 ssh2: RSA SHA256:iBY3uZjAuYSMGvLLtjcGoLiTyL+MYhrGPe0vKi+mitM
debug2: send - io:00000285FBF01B20
debug2: send - WSASend() returned 0, APC scheduled io:00000285FBF01B20
debug2: WSASendCB - io:00000285FBF01B20, pending_state:1, error:0, sent:68 of remaining:68
debug2: on_select - io:00000285FBF01B20 type:1 rd:1
debug2: WSARecv - reported IO pending
debug2: WSARecvCompletionCB - io:00000285FBF01B20, pending_state:1, flags:0, error:0, received:100
debug2: recv - returning 100 bytes from prior completed IO, remaining:0, io:00000285FBF01B20
debug1: userauth-request for user Julia service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=Julia devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
Failed keyboard-interactive for Julia from 127.0.0.1 port 55710 ssh2
debug2: send - io:00000285FBF01B20
debug2: send - WSASend() returned 0, APC scheduled io:00000285FBF01B20
debug2: WSASendCB - io:00000285FBF01B20, pending_state:1, error:0, sent:68 of remaining:68
debug2: on_select - io:00000285FBF01B20 type:1 rd:1
debug2: WSARecv - reported IO pending
debug2: WSARecvCompletionCB - io:00000285FBF01B20, pending_state:1, flags:0, error:0, received:0
debug2: recv - connection closed, io:00000285FBF01B20
Connection closed by 127.0.0.1

And, that's really off topic in this issue, but I can't install it from choco as DarwinJS suggested, as it gives out:

Including LSA DLL Feature.
ERROR: Method invocation failed because [System.Boolean] does not contain a method named 'split'.
The install of win32-openssh was NOT successful.
Error while running 'C:\ProgramData\chocolatey\lib\win32-openssh\tools\chocolateyinstall.ps1'.

@DarwinJS

DarwinJS commented Oct 3, 2016

@rbertoche - you seem to be using the old package id. Please use the id "openssh" like this:

choco install openssh -confirm -params '"/SSHServerFeature"'

@discodance1

I have verified on my server that I am ssh'ing into 'NT Service\sshd' account is added to local security policy to replace primary service tokens but I still get the error.
debug1: LsaRegisterLogonProcess failed
debug1: unable to generate token for use

@discodance1

I have installed the latest build (OpenSSH 64-bit) on Win2012 R2.
I have verified on my server that I am ssh'ing into 'NT Service\sshd' account is added to local security policy to replace primary service tokens but I still get the error.
debug1: LsaRegisterLogonProcess failed
debug1: unable to generate token for use

I try to ssh from my Linux server to the Windows 2012 R2 server using the command
ssh -i <private_key> user@host_fqdn
Am I missing something obvious?


@discodance1

This is the sshd.log

debug2: input_userauth_request: try method publickey
debug3: w32_write fd:4
debug2: write - io:00000065D2BEDA60
debug3: wait() on 0 events and 0 childres
debug2: WriteCB - pio:00000065D2BEDA60, pending_state:1, error:0, transferred:4 of remaining: 4
debug2: write - reporting 4 bytes written, io:00000065D2BEDA60
debug3: w32_write fd:4
debug2: write - io:00000065D2BEDA60
debug3: wait() on 0 events and 0 childres
debug2: WriteCB - pio:00000065D2BEDA60, pending_state:1, error:0, transferred:978 of remaining: 978
debug2: write - reporting 978 bytes written, io:00000065D2BEDA60
debug3: w32_read fd:4
debug3: read - io:00000065D2BEDA60 remaining:0
debug2: ReadFileEx io:00000065D2BEDA60
debug3: wait() on 0 events and 0 childres
debug2: ReadCB pio:00000065D2BEDA60, pending_state:1, error:109, received:0
debug2: read - (2) no more data, io:00000065D2BEDA60
debug1: auth agent did not authorize client
debug3: w32_close fd:4
debug1: close - io:00000065D2BEDA60, type:2, fd:4, table_index:4
debug2: fileclose - pio:00000065D2BEDA60
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Failed publickey for from 2620:0:10c1:1056:: port 39101 ssh2: RSA SHA256:lXw1wLkgAWuJGECJpaqN8He/iABPz
aUJttgzXaY
debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive"
debug3: w32_write fd:5
debug2: send - io:00000065D2BF5D00
debug2: send - WSASend() returned 0, APC scheduled io:00000065D2BF5D00
debug2: WSASendCB - io:00000065D2BF5D00, pending_state:1, error:0, sent:76 of remaining:76
debug3: w32_select fd:5
debug3: Total in fds:1

@felippo

felippo commented Oct 25, 2016

I don't see the full ssh client command you used, but I had a similar problem. In my configuration the "Log on as" sshd service property was set as "Local system account".
Everything worked using:
ssh 'DOMAIN\user'@host

Perhaps it should be suggested explicitly in the documentation (Install Instructions or Troubleshooting or SSH Usage Examples) to try the 'DOMAIN\user' combination, when in trouble. I think it would save some headaches.

@JINXz

JINXz commented Mar 5, 2017

@felippo that really helped and is now working for me using pubkey authentication to automatically sign in. I agree that this should be explicitly stated somewhere in the documentation. I need to also note using user@host works with password authentication.

@DarwinJS

DarwinJS commented Mar 8, 2017

If you used the chocolatey package to do this install, then the lack of public key auth was likely the fault of the chocolatey package - it was not properly copying the ssh-lsa.dll on new installs.

It is fixed in version 0.0.9.20170308, which as of this moment is still in moderation. It can be pulled before moderation is complete by specifying the version on your chocolatey install or upgrade command line.

@manojampalam
Contributor

@JINXz both following formats should work for both password and key based auth.

Can you please share sshd.log and ssh-agent.log for success and failure cases?

@manojampalam manojampalam added this to the Beta milestone Mar 29, 2017
@mayo

mayo commented Apr 13, 2017

I'm seeing the same problem with the latest 0.0.11.0. Looking at the logs below, the key is found and matches, but it's not accepted. I assume this is due to the token generation failure in the agent.

Agent log:

3052 12:07:29 380 agent_start pid:3052, dbg:0, child:0, pipe:0
3052 12:07:41 160 client pid 392 connected
3052 12:07:41 160 debug1: spawned worker 1396 for agent client pid 392 
1396 12:07:41 176 agent_start pid:1396, dbg:0, child:1, pipe:408
1396 12:07:41 349 debug1: process agent request type 200
1396 12:07:41 349 debug1: LsaLogonUser failed 1
1396 12:07:41 349 debug1: unable to generate token for user user

openssh log:

1628 12:07:41 105 debug1: Forked child 392.
392 12:07:41 160 error: Couldn't create pid file "./sshd.pid": Permission denied
392 12:07:41 160 debug1: child socket: 440
392 12:07:41 160 debug1: child startup_pipe: 444
392 12:07:41 160 Connection from 10.96.64.49 port 38810 on 10.96.80.142 port 22
392 12:07:41 160 debug1: Client protocol version 2.0; client software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
392 12:07:41 160 debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 pat OpenSSH_6.6.1* compat 0x04000000
392 12:07:41 160 debug1: Local version string SSH-2.0-OpenSSH_7.5
392 12:07:41 160 debug1: Enabling compatibility mode for protocol 2.0
392 12:07:41 160 debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
392 12:07:41 160 debug1: SSH2_MSG_KEXINIT sent
392 12:07:41 160 debug1: SSH2_MSG_KEXINIT received
392 12:07:41 160 debug1: kex: algorithm: [email protected]
392 12:07:41 160 debug1: kex: host key algorithm: ecdsa-sha2-nistp256
392 12:07:41 160 debug1: kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
392 12:07:41 160 debug1: kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none
392 12:07:41 160 debug1: expecting SSH2_MSG_KEX_ECDH_INIT
392 12:07:41 176 debug1: rekey after 4294967296 blocks
392 12:07:41 176 debug1: SSH2_MSG_NEWKEYS sent
392 12:07:41 176 debug1: expecting SSH2_MSG_NEWKEYS
392 12:07:41 192 debug1: SSH2_MSG_NEWKEYS received
392 12:07:41 192 debug1: rekey after 4294967296 blocks
392 12:07:41 192 debug1: KEX done
392 12:07:41 254 debug1: userauth-request for user user service ssh-connection method none
392 12:07:41 254 debug1: attempt 0 failures 0
392 12:07:41 333 Failed none for user from 10.96.64.49 port 38810 ssh2
392 12:07:41 333 debug1: userauth-request for user user service ssh-connection method publickey
392 12:07:41 333 debug1: attempt 1 failures 0
392 12:07:41 333 debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:un5BKdZypyGubEWUkUm0aZviyj51a3gLAq5esppTTIY
392 12:07:41 333 debug1: trying public key file C:\\Users\\user/.ssh/authorized_keys
392 12:07:41 333 debug1: matching key found: file C:\\Users\\user/.ssh/authorized_keys, line 1 RSA SHA256:un5BKdZypyGubEWUkUm0aZviyj51a3gLAq5esppTTIY
392 12:07:41 333 Postponed publickey for user from 10.96.64.49 port 38810 ssh2
392 12:07:41 349 debug1: userauth-request for user user service ssh-connection method publickey
392 12:07:41 349 debug1: attempt 2 failures 0
392 12:07:41 349 debug1: auth agent did not authorize client user
392 12:07:41 349 Failed publickey for user from 10.96.64.49 port 38810 ssh2: RSA SHA256:un5BKdZypyGubEWUkUm0aZviyj51a3gLAq5esppTTIY
392 12:07:41 349 debug1: userauth-request for user user service ssh-connection method keyboard-interactive
392 12:07:41 349 debug1: attempt 3 failures 1
392 12:07:41 349 debug1: keyboard-interactive devs 
392 12:07:41 349 debug1: auth2_challenge: user=user devs=
392 12:07:41 349 debug1: kbdint_alloc: devices ''
392 12:07:41 349 Failed keyboard-interactive for user from 10.96.64.49 port 38810 ssh2
392 12:08:07 119 debug1: userauth-request for user user service ssh-connection method password
392 12:08:07 119 debug1: attempt 4 failures 2
392 12:08:07 119 Failed password for user from 10.96.64.49 port 38810 ssh2
392 12:08:07 844 Connection closed by authenticating user user 10.96.64.49 port 38810
392 12:08:07 844 debug1: do_cleanup
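
Added example (not part of the thread and not Win32-OpenSSH project code): a small Python triage that reads the server-side sshd.log and ssh-agent.log text and reports which stage of public key authentication failed, using the log strings quoted in this issue plus sshd's standard "Accepted publickey" line. The sample logs are constructed from the excerpts above (addresses from the documentation range, fingerprint replaced by a placeholder); the function name, verdict labels and hints are this example's own, and it assumes each input covers a single connection attempt.

```python
import re

# Strings below are the ones that appear in the sshd.log / ssh-agent.log
# excerpts in this thread; "Accepted publickey" is sshd's usual success line.
METHOD = re.compile(r"userauth-request for user .*? method (\S+)")
KEY_OK = re.compile(r"Postponed publickey for |matching key found: file ")
AGENT_DENIED = re.compile(r"auth agent did not authorize client")
ACCEPTED = re.compile(r"Accepted publickey for ")
LSA_FAIL = re.compile(r"Lsa(?:RegisterLogonProcess|LogonUser) failed")
NO_TOKEN = re.compile(r"unable to generate token for user")

# Follow-up checks, limited to what participants in this thread suggested.
HINTS = {
    "accepted": "public key login succeeded",
    "client-offered-no-key": "client never sent method publickey; check "
                             "'ssh -v' for identity files reported as type -1",
    "key-not-in-authorized-keys": "no key passed the test phase; check the "
                                  "AuthorizedKeysFile path and its contents",
    "token-generation-failed": "key matched but the agent could not build a "
                               "logon token; for local accounts confirm "
                               "ssh-lsa is installed, or try 'DOMAIN\\user'",
    "agent-denied-cause-not-logged": "agent refused but ssh-agent.log holds "
                                     "no LSA error; collect it again for the "
                                     "same timestamp",
    "signature-or-other-failure": "key passed the test phase but failed "
                                  "later without an agent denial",
}


def triage(sshd_log: str, agent_log: str) -> dict:
    """Classify one connection attempt from the two server-side logs."""
    methods = [m.group(1) for m in METHOD.finditer(sshd_log)]
    result = {
        "methods_tried": methods,
        # "Postponed publickey" means sshd accepted the key blob in the test
        # phase and is waiting for the signed request.
        "key_passed_test": bool(KEY_OK.search(sshd_log)),
        "agent_denied": bool(AGENT_DENIED.search(sshd_log)),
        "lsa_errors": [m.group(0) for m in LSA_FAIL.finditer(agent_log)],
        "token_failed": bool(NO_TOKEN.search(agent_log)),
    }
    if ACCEPTED.search(sshd_log):
        verdict = "accepted"
    elif "publickey" not in methods:
        verdict = "client-offered-no-key"
    elif not result["key_passed_test"]:
        verdict = "key-not-in-authorized-keys"
    elif result["agent_denied"] and (result["lsa_errors"] or result["token_failed"]):
        verdict = "token-generation-failed"
    elif result["agent_denied"]:
        verdict = "agent-denied-cause-not-logged"
    else:
        verdict = "signature-or-other-failure"
    result["verdict"] = verdict
    result["hint"] = HINTS[verdict]
    return result


# --- Constructed sample input, modelled on the excerpts in this thread ---
SSHD_TOKEN_FAIL = r"""
392 12:07:41 333 debug1: userauth-request for user user service ssh-connection method publickey
392 12:07:41 333 debug1: matching key found: file C:\\Users\\user/.ssh/authorized_keys, line 1 RSA SHA256:<placeholder>
392 12:07:41 333 Postponed publickey for user from 192.0.2.10 port 38810 ssh2
392 12:07:41 349 debug1: userauth-request for user user service ssh-connection method publickey
392 12:07:41 349 debug1: auth agent did not authorize client user
392 12:07:41 349 Failed publickey for user from 192.0.2.10 port 38810 ssh2
"""
AGENT_TOKEN_FAIL = r"""
1396 12:07:41 349 debug1: process agent request type 200
1396 12:07:41 349 debug1: LsaLogonUser failed 1
1396 12:07:41 349 debug1: unable to generate token for user user
"""
SSHD_NO_KEY = r"""
5504 10:31:14 666 debug1: userauth-request for user winuser service ssh-connection method none
5504 10:31:14 666 Failed none for winuser from 192.0.2.20 port 62749 ssh2
5504 10:31:14 666 debug1: userauth-request for user winuser service ssh-connection method keyboard-interactive
5504 10:31:14 666 Failed keyboard-interactive for winuser from 192.0.2.20 port 62749 ssh2
"""
AGENT_IOCP_ONLY = r"""
5904 10:31:14 666 debug1: iocp error: 109 on 004D0D18
5904 10:31:14 666 debug1: connection 004D0D18 clean up
"""

if __name__ == "__main__":
    for name, sshd, agent in [
        ("token failure", SSHD_TOKEN_FAIL, AGENT_TOKEN_FAIL),
        ("no key offered", SSHD_NO_KEY, AGENT_IOCP_ONLY),
    ]:
        r = triage(sshd, agent)
        print(f"{name}: {r['verdict']} -> {r['hint']}")
```
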

@pSatishC

I'm having the same issue with v0.0.11.0

ssh-agent.log (from 'node1' - ssh server)

5904 10:31:14 432 agent_start pid:5904, dbg:0, child:1, pipe:396
5904 10:31:14 666 debug1: iocp error: 109 on 004D0D18 \n
5904 10:31:14 666 debug1: connection 004D0D18 clean up
5904 10:31:14 666 debug1: iocp error: 6 on 00000000 \n

sshd.log (w/ DEBUG) (from 'node1' - ssh server)

5340 10:31:14 308 debug1: Forked child 5504.
5504 10:31:14 401 debug1: child socket: 344
5504 10:31:14 401 debug1: child startup_pipe: 348
5504 10:31:14 417 Connection from 146.145.409.54 port 62749 on 146.145.229.108 port 22
5504 10:31:14 417 debug1: Client protocol version 2.0; client software version OpenSSH_7.3
5504 10:31:14 417 debug1: match: OpenSSH_7.3 pat OpenSSH* compat 0x04000000
5504 10:31:14 417 debug1: Local version string SSH-2.0-OpenSSH_7.5
5504 10:31:14 417 debug1: Enabling compatibility mode for protocol 2.0
5504 10:31:14 417 debug2: fd 3 setting O_NONBLOCK
5504 10:31:14 417 debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
5504 10:31:14 417 debug1: SSH2_MSG_KEXINIT sent
5504 10:31:14 417 debug1: SSH2_MSG_KEXINIT received
5504 10:31:14 417 debug2: local server KEXINIT proposal
5504 10:31:14 417 debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
5504 10:31:14 417 debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
5504 10:31:14 417 debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr
5504 10:31:14 417 debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr
5504 10:31:14 417 debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
5504 10:31:14 417 debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
5504 10:31:14 417 debug2: compression ctos: none
5504 10:31:14 417 debug2: compression stoc: none
5504 10:31:14 417 debug2: languages ctos: 
5504 10:31:14 417 debug2: languages stoc: 
5504 10:31:14 417 debug2: first_kex_follows 0 
5504 10:31:14 417 debug2: reserved 0 
5504 10:31:14 417 debug2: peer client KEXINIT proposal
5504 10:31:14 417 debug2: KEX algorithms: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
5504 10:31:14 417 debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
5504 10:31:14 417 debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
5504 10:31:14 417 debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
5504 10:31:14 417 debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
5504 10:31:14 417 debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
5504 10:31:14 417 debug2: compression ctos: none,[email protected],zlib
5504 10:31:14 417 debug2: compression stoc: none,[email protected],zlib
5504 10:31:14 417 debug2: languages ctos: 
5504 10:31:14 417 debug2: languages stoc: 
5504 10:31:14 417 debug2: first_kex_follows 0 
5504 10:31:14 417 debug2: reserved 0 
5504 10:31:14 417 debug1: kex: algorithm: [email protected]
5504 10:31:14 417 debug1: kex: host key algorithm: ecdsa-sha2-nistp256
5504 10:31:14 417 debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
5504 10:31:14 417 debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
5504 10:31:14 417 debug1: expecting SSH2_MSG_KEX_ECDH_INIT
5504 10:31:14 432 debug2: set_newkeys: mode 1
5504 10:31:14 432 debug1: rekey after 134217728 blocks
5504 10:31:14 432 debug1: SSH2_MSG_NEWKEYS sent
5504 10:31:14 432 debug1: expecting SSH2_MSG_NEWKEYS
5504 10:31:14 448 debug1: SSH2_MSG_NEWKEYS received
5504 10:31:14 448 debug2: set_newkeys: mode 0
5504 10:31:14 448 debug1: rekey after 134217728 blocks
5504 10:31:14 448 debug1: KEX done
5504 10:31:14 666 debug1: userauth-request for user winuser service ssh-connection method none
5504 10:31:14 666 debug1: attempt 0 failures 0
5504 10:31:14 666 debug2: parse_server_config: config reprocess config len 372
5504 10:31:14 666 debug2: input_userauth_request: setting up authctxt for winuser
5504 10:31:14 666 debug2: input_userauth_request: try method none
5504 10:31:14 666 Failed none for winuser from 146.145.409.54 port 62749 ssh2
5504 10:31:14 666 debug1: userauth-request for user winuser service ssh-connection method keyboard-interactive
5504 10:31:14 666 debug1: attempt 1 failures 0
5504 10:31:14 666 debug2: input_userauth_request: try method keyboard-interactive
5504 10:31:14 666 debug1: keyboard-interactive devs 
5504 10:31:14 666 debug1: auth2_challenge: user=winuser devs=
5504 10:31:14 666 debug1: kbdint_alloc: devices ''
5504 10:31:14 666 debug2: auth2_challenge_start: devices 
5504 10:31:14 666 Failed keyboard-interactive for winuser from 146.145.409.54 port 62749 ssh2
5504 10:31:14 666 Connection closed by authenticating user winuser 146.145.409.54 port 62749
5504 10:31:14 666 debug1: do_cleanup

ssh verbose output from 'node2' - ssh client

xfght@node2 MINGW64 /c/users/xfght/ssh-client
$ ssh -v winuser@node1
OpenSSH_7.3p1, OpenSSL 1.0.2k  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to node1 [146.145.229.108] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /u/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /u/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /u/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /u/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /u/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /u/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /u/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /u/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5
debug1: match: OpenSSH_7.5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to node1:22 as 'winuser'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:OUJCJ6P8rT9NuEOKU8x95KR5iv+PTK3gR8T4eFsW/qw
debug1: Host 'node1' is known and matches the ECDSA host key.
debug1: Found key in /u/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /u/.ssh/id_rsa
debug1: Trying private key: /u/.ssh/id_dsa
debug1: Trying private key: /u/.ssh/id_ecdsa
debug1: Trying private key: /u/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive).
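Added example (not part of the original comment or the project's code): a short Python triage over abridged, constructed copies of the client and sshd lines above. It checks whether the client ever loaded or offered a key and whether sshd ever saw a `publickey` request; the function name and finding strings are illustrative.

```python
import re

# Constructed sample: abridged from the client (-v) and sshd debug lines quoted above.
CLIENT_LOG = """\
debug1: identity file /u/.ssh/id_rsa type -1
debug1: identity file /u/.ssh/id_ed25519 type -1
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /u/.ssh/id_rsa
debug1: Trying private key: /u/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
debug1: No more authentication methods to try.
"""
SERVER_LOG = """\
5504 10:31:14 666 debug1: userauth-request for user winuser service ssh-connection method none
5504 10:31:14 666 debug1: userauth-request for user winuser service ssh-connection method keyboard-interactive
5504 10:31:14 666 Connection closed by authenticating user winuser 146.145.409.54 port 62749
"""

IDENTITY = re.compile(r"identity file (\S+) type (-?\d+)")
TRYING = re.compile(r"Trying private key: (\S+)")
# Matches both "Offering RSA public key: <path>" and "Offering public key: <path> ..."
OFFERING = re.compile(r"Offering (?:\S+ )?public key: (\S+)")
REQUEST = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")


def triage(client_log, server_log):
    """Summarise how far public key authentication got, from both sides' logs."""
    identities = {path: int(kind) for path, kind in IDENTITY.findall(client_log)}
    result = {
        "public_keys_loaded": [p for p, kind in identities.items() if kind >= 0],
        "private_keys_tried": TRYING.findall(client_log),
        "keys_offered": OFFERING.findall(client_log),
        "methods_seen_by_server": [m for _, m in REQUEST.findall(server_log)],
    }
    findings = []
    if identities and not result["public_keys_loaded"]:
        findings.append("client loaded no public key (every identity file is type -1)")
    if "publickey" not in result["methods_seen_by_server"]:
        findings.append("sshd never received a publickey request")
        if not result["keys_offered"]:
            findings.append("look at the client's key files before the server's key handling")
    result["findings"] = findings
    return result


if __name__ == "__main__":
    for line in triage(CLIENT_LOG, SERVER_LOG)["findings"]:
        print("-", line)
```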

@manojampalam
Contributor

manojampalam commented Apr 17, 2017

I'm guessing the above problems are due to ssh-lsa.dll not being installed.

Can you try out 0.0.12.0 (that does not require ssh-lsa.dll anymore)?

@mayo

mayo commented Apr 18, 2017

@manojampalam I've installed 0.0.12.0, but I still have the same problem. SSHd log is identical, but agent log error is slightly different (the LsaLogonUser line now includes NTSTATUS):

1208 09:20:54 078 agent_start pid:1208, dbg:0, child:0, pipe:0
1208 09:21:30 115 client pid 3056 connected
1208 09:21:30 115 debug1: spawned worker 2088 for agent client pid 3056 
2088 09:21:30 115 agent_start pid:2088, dbg:0, child:1, pipe:408
2088 09:21:30 366 debug1: process agent request type 200
2088 09:21:30 381 debug1: LsaLogonUser failed NTSTATUS: 1
2088 09:21:30 381 debug1: unable to generate token for user user

@manojampalam
Contributor

Is it a work group account or a domain account?
What's the ssh command line you are using?

@mayo

mayo commented Apr 18, 2017

It's a domain account. Command line is ssh user@ssh-host.

@pSatishC

For my env (domain controlled ssh-host but user account is local to that machine), installing 0.0.12.0 worked. Thanks a ton @manojampalam

@manojampalam
Contributor

@mayo, if it's a domain account, you need to specify the domain prefix. You can use any of the following formats:
ssh -l user@domain ssh-host
or
ssh user@domain@ssh-host
or
ssh domain\user@ssh-host
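Added example (not part of the original comment or the project's code): a simplified Python model of how the login name and host come out of each of the three forms above when the command is typed in a POSIX shell such as the bash clients used in this thread. It assumes the client splits the target at its last `@`; the function names are hypothetical, and an unquoted backslash is consumed by the shell before ssh sees it.

```python
import shlex


def login_and_host(argv):
    """Simplified model: -l sets the login name; otherwise the target
    argument is split at its LAST '@' into (login, host)."""
    args = argv[1:]
    login = None
    if args and args[0] == "-l":
        login, args = args[1], args[2:]
    target = args[0]
    if login is None and "@" in target:
        login, target = target.rsplit("@", 1)
    return login, target


def from_posix_shell(command_line):
    """Apply POSIX shell quoting rules first, then derive (login, host)."""
    return login_and_host(shlex.split(command_line))


# The three forms from the comment above, plus quoted variants of the third.
FORMS = [
    r"ssh -l user@domain ssh-host",
    r"ssh user@domain@ssh-host",
    r"ssh domain\user@ssh-host",      # unquoted: the shell drops the backslash
    r"ssh 'domain\user@ssh-host'",    # single quotes keep it
    r"ssh domain\\user@ssh-host",     # so does escaping the backslash itself
]

if __name__ == "__main__":
    for form in FORMS:
        login, host = from_posix_shell(form)
        print(f"{form:32} -> login={login!r} host={host!r}")
```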

@mayo

mayo commented Apr 19, 2017

@manojampalam Thanks, works like a charm!

@rbertoche

rbertoche commented Apr 19, 2017 via email

@amassaroRC

I'm having issues with domain authentication. Is there anything that needs to be configured in the ssh_config to authenticate to the domain?

My debug is below
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=user@DOMAIN devs=
debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for invalid user user@DOMAIN from 172.2.1.1 port 38552 ssh2
debug1: userauth-request for user user@DOMAINservice ssh-connection method password
debug1: attempt 2 failures 1
debug1: auth agent did not authorize client user@DOMAIN
Failed password for invalid user user@DOMAIN from 172.2.1.1 port 38552 ssh2
Connection closed by invalid user user@DOMAIN 172.2.1.1 port 38552
debug1: do_cleanup

Please help.

@bravo-kernel

Using [email protected]@targetserver works for me 👍

@manojampalam
Contributor

Reopen a new issue if you see any more issues with public key authentication.
