Cannot connect with public key + LSA error #87

Closed
OhSoGood opened this issue Jan 28, 2016 · 12 comments

@OhSoGood

Thanks a lot for your port of openssh to windows!

I have been using copssh for a while (and sshd on linux...) and tried to use the 2015-11-09 release of your project. With yours, I manage to connect with password but never with public key.

You'll find attached my sshd log file ( sshd_log.txt ). My authorized_keys file seems correct (actually it works well with copssh and a linux sshd) and is located in c:\users\(myuser)\.ssh as expected... If you need more info, don't hesitate!

I have this error msg in the log:
debug1: LsaRegisterLogonProcess()...
debug1: Cannot logon using LSA package (err = 1300, ntStat = c0000041).
Can it be the cause of it?

Thanks a lot for your help!

@nachfuellbar

I don't know the error but could this be some error like this: #81 (missing ssh-lsa.dll in c:\windows\system32)

@OhSoGood
Author

Thanks for the quick answer but I've already checked the right x64 dll had been correctly copied to windows\system32.
Any other idea?

@OhSoGood
Author

Further searching on the net says that c0000041 could mean a denied access (STATUS_PORT_CONNECTION_REFUSED as per
http://usaid.blogspot.fr/2006/12/windows-ntstatus-list-from.htm ). This error msg would mean ( https://msdn.microsoft.com/en-us/library/windows/desktop/aa378318%28v=vs.85%29.aspx ): "The caller does not have the SeTcbPrivilege privilege, which is required to call this function. You can set this privilege by calling LsaAddAccountRights ( https://msdn.microsoft.com/en-us/library/windows/desktop/ms721786(v=vs.85).aspx )". SeTcbPrivilege gives service privilege to act as part of the operating system.
Any idea?

@manojampalam
Contributor

Yes, key authentication requires sshd to run with special privileges. Try installing it as a service (see wiki for instructions).

@OhSoGood
Author

Actually, I was running sshd with the command line (as admin) because when using the service, it also fails but c:\windows\system32\sshd.log shows no trace of my connection (whereas I set LogLevel DEBUG in sshd_config). What am I missing for the log?

@OhSoGood
Author

I found my problem! And there could be room for improvement for OpenSSH-Win32 here.

With CopSSH, the connection to the local account is considered as a local connection - and so for security purposes we had activated the windows security policy "deny access to this computer from the network". But with openssh-win32, the connection is considered as a remote connection... What's your view on this?

Please note my question on how to set the log remains... I still don't see how to config sshd to see traces of connections in the log.

@quamrulmina
Contributor

Logging happens but the log file is in c:\ root drive at c:\sshd.log ; this problem has now been fixed and that sshd.log will be in the directory where sshd.exe binary is located in future builds.

@manojampalam
Contributor

@OhSoGood, ssh connections need to be considered as network logon to play well with the rest of Windows security.

@danarcari

@OhSoGood Can you elaborate on the fix you found for this problem? I'm receiving a similar error ("Cannot logon using LSA package (err = 0, ntStat = c0000041).")

@OhSoGood
Author

OhSoGood commented Apr 3, 2016

@danarcari, it was rather a config change than a fix: with our previous ssh server (copssh), connections were considered as local connections and so we had explicitly denied remote connections (in windows security policy editor). We had not changed that setting when we tried openssh-server, and that was the reason for the error - allowing again remote connections solved it.

@linickx

linickx commented Apr 26, 2016

@OhSoGood any chance of a screenshot on what you changed? (Could be related to #175 )

@OhSoGood
Author

Screenshot would be in French :)
It was in windows' local security strategy applet - section "user rights management" - item "Forbid access to this computer from network" - we had added the user there and simply removed it to allow ssh connection.
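
The user right that caused the failure in this thread can also be checked without the GUI. The PowerShell below is an added example, not part of the thread or the project's code: it parses a `secedit /export` user-rights dump and reports whether an account or one of its groups is listed under SeDenyNetworkLogonRight ("Deny access to this computer from the network"). The sample export, the account name `sshuser` and its SIDs are constructed.

```powershell
# Added example, not code from the Win32-OpenSSH project.
# On a real host, produce the input from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $lines = Get-Content "$env:TEMP\rights.inf"
# Constructed sample of that export; 'sshuser' and its SID are hypothetical.
$lines = @(
    '[Privilege Rights]'
    'SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545'
    'SeDenyNetworkLogonRight = *S-1-5-32-546,sshuser'
    '[Version]'
    'signature="$CHICAGO$"'
)

function Get-NetworkLogonRights {
    param([string[]]$InfLines)
    $rights = @{ SeNetworkLogonRight = @(); SeDenyNetworkLogonRight = @() }
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Only assignments under [Privilege Rights] are user rights.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        }
        elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            if ($rights.ContainsKey($name)) {
                # Entries are "*<SID>" or a bare account name, comma-separated.
                $rights[$name] = @($Matches[2] -split ',' |
                    ForEach-Object { $_.Trim().TrimStart('*') } |
                    Where-Object { $_ })
            }
        }
    }
    return $rights
}

function Get-NetworkLogonVerdict {
    param([hashtable]$Rights, [string[]]$Identities)
    # A deny entry wins over any allow entry, for the user or any of its groups.
    $deny  = @($Rights.SeDenyNetworkLogonRight | Where-Object { $Identities -contains $_ })
    $allow = @($Rights.SeNetworkLogonRight     | Where-Object { $Identities -contains $_ })
    if ($deny.Count)      { "DENIED by SeDenyNetworkLogonRight entry: $($deny -join ', ')" }
    elseif ($allow.Count) { "ALLOWED via SeNetworkLogonRight entry: $($allow -join ', ')" }
    else                  { 'NOT GRANTED: no matching SeNetworkLogonRight entry' }
}

# Name and SIDs of the account plus its groups (constructed; see `whoami /user /groups`).
$ids = 'sshuser', 'S-1-5-21-1111111111-2222222222-3333333333-1001', 'S-1-5-32-545', 'S-1-1-0'
Get-NetworkLogonVerdict -Rights (Get-NetworkLogonRights $lines) -Identities $ids
```

The identity list has to include the account's group SIDs, because a deny entry on any group the account belongs to blocks the network logon that sshd performs.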
