Public Key Authentication for Win32-OpenSSH on Windows Server 2012 R2

byt3
I have never set up public key authentication on Linux, so this could be why I have a hard time figuring out how to make it work on SSH in Windows.

I have installed Win32-OpenSSH and can SSH into windows using username and password. The part I am unclear on is how to allow root user from a Linux machine to SSH into windows without the need for a password (public key authentication).

I followed this guide: https://winscp.net/eng/docs/guide_public_key . Which was linked to from the guide for installing Win32-OpenSSH: https://winscp.net/eng/docs/guide_windows_openssh_server

The only thing I've managed to accomplish is for the Linux box to request the passphrase for /root/.ssh/id_dsa and give warnings about the Windows dsa host key every time I SSH into the windows machine. I am also prompted for the windows user password, before logging in.

Thanks for the assistance.
Distinguished Expert 2017
Commented:
On the Linux machine, you would need to use ssh-keygen -t <key type> -b bit_length
Options for key type are:
Rsa1 - should not be used
RSA
Dsa

To secure the public keys one has to set up a passphrase on the key.
So while you will not be prompted for a password, you will be prompted for the key passphrase when set up.

Now running ssh-keygen results in two files, the private key and the public key portion: id_<key type> is the private key and id_<key type>.pub is the public portion, which is used to encrypt any data. Only the person who possesses access to the private key can decrypt that data.

Now the .pub files have to be copied to the remote system, into the home directory of the user to which the connection will be made. In the case of root (usually, root is configured not to be allowed to log in via ssh, to avoid brute force attacks, as it is a known account) it would be
homedir/.ssh/authorized_keys that has to have the public keys added. Note copy and paste might not work.
Best option is to more public_key.pub >> authorized_keys.

The most important part is to make sure that your Windows-based OpenSSH is configured to allow PublicKeyAuthentication by looking into the sshd_config file to confirm. That is also where the allowrootlogin is set, but since you are already logging in with a password, that is answered...


A simple exercise to familiarize yourself is to create a second account on your Linux system and set up the process outlined above to make sure you can use public key authentication to ssh from one Linux account into the other....

Author

Commented:
Sorry for the delay in reply. Projects and busy-ness and all that.

I did the following steps:
added public key from /root/.ssh/id_dsa.pub to c:\users\administrator\.ssh\authorized_keys
ssh'd into linux machine from windows machine so the linux box will be in the known_hosts file
un-commented the line 'PubkeyAuthentication yes' in the ssh_config file on the windows machine and restarted the sshd service

I still get prompted for a password for the administrator account. I will try setting this up in linux to make sure I understand the process and on a system where I know it does work.
Distinguished Expert 2017

Commented:
sshd_config is the server config.  Perhaps your entry was a typo. ssh_config is the default client config.

If it was #publicAuthentication yes that points to the default behavior.

The difficulty with Windows as the destination deals with where the .ssh/authorized_keys are for the user.

Does it let you login into the Administrator account with a password?

when attempting connection from the linux into the windows use the -vvvv option so that you can see the connection debug messages to confirm whether the remote openssh running on windows is actually attempting to check the authorized_keys file for public keys.
It might be looking for the entry in a different location.

see if you can use a non-administrative user and see if it experiences the same issue or you can login without an issue there.

Author

Commented:
I can login using a password.

I looked at the ssh_config and saw the .ssh/authorized_keys line and thought maybe that isn't appended to the user profile directory. I have to reinstall Windows Server on a new VM, because I had given up on it for the server it was intended for and am attempting to use freesshd on that one.
Distinguished Expert 2017

Commented:
Ssh_config is usually the ssh client config. Do you have an sshd_config file in the same location, and does it have public key enabled?
What about the debug? What did it display?

ssh -vvvv user@win32_host

Author

Commented:
I was editing sshd_config. That was a typo on my part. I just got Windows Server up and running and am doing testing right now.

I am going to look into that .ssh/authorized_keys directive

Author

Commented:
Here's the output of the ssh client:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp b0:12:d2:38:99:80:90:04:82:1b:43:bd:db:31:ea:70
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering DSA public key: /root/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp 65:6a:5e:47:9d:1b:73:01:d6:af:de:3f:a7:c5:e6:bf
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password


Distinguished Expert 2017

Commented:
Look at line 14 of your upload; it indicates the private key you transferred is malformed, missing info, rendering it invalid, which is why it fails.
Does the public key auth work from the original server? How are you transferring from the original to each one: are you using scp to transfer, or are you copying and pasting?

Author

Commented:
I'm copying and pasting. I'll
cat id_DSA.pub > ../tmp/authorized_keys


then copy that file from the Linux server to the .SSH folder on Windows.
Distinguished Expert 2017

Commented:
What about the private key?
The issue is that the originating server in the connection lacks the private key.

Author

Commented:
The Linux server has a private key. I set it and another Linux server up to do public key authentication and it worked like a charm. The Windows one is less charming.

Author

Commented:
Figured it out. The authorized_keys file must be encoded in ASCII. I should have known.

After copying the authorized_keys file I created on the Linux server to windows in the C:\Users\Administrator\.ssh folder the public key authentication worked. I found a powershell script on the internet to help me determine what text encoding type the file uses then tried another copy paste, but saving as ASCII and it worked.

If someone ever needs to create a text file with ASCII encoding I did it this way:

echo "< paste dsa public key info here >" | Out-File -FilePath authorized_keys -Encoding ASCII -Append


Author

Commented:
The key for me was the ' more id_dsa.pub >> authorized_keys ' part of the first solution given by arnold. Rather than have to copy this file from the linux server after making it I just used powershell to create the text file and make sure the encoding is in ASCII.

' echo "<id_dsa.pub contents>" | Out-File -FilePath ~\.ssh\authorized_keys -Append -Encoding ASCII '
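
The cause found in this thread, an authorized_keys file that is not ASCII, can be confirmed from the file's bytes before touching sshd. The following is an added example, not part of the original thread or of Win32-OpenSSH: Test-AuthorizedKeysEncoding is a hypothetical helper name, the key line is a constructed sample, and Windows PowerShell 4.0 or later is assumed.

```powershell
# Added example. Test-AuthorizedKeysEncoding is a hypothetical helper name,
# not part of Win32-OpenSSH. Written for Windows PowerShell 4.0 or later.
function Test-AuthorizedKeysEncoding {
    param([Parameter(Mandatory = $true)][string]$Path)

    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)
    $problems = @()

    # A byte-order mark or NUL bytes mean the file is Unicode text, not ASCII.
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        $problems += 'UTF-16 LE byte-order mark'
    } elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) {
        $problems += 'UTF-16 BE byte-order mark'
    } elseif ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $problems += 'UTF-8 byte-order mark'
    }
    if ($bytes -contains 0) { $problems += 'NUL bytes (16-bit characters)' }

    if ($problems.Count -eq 0) {
        if (@($bytes | Where-Object { $_ -gt 0x7F }).Count -gt 0) {
            $problems += 'bytes outside 7-bit ASCII'
        }
        # Each entry must be one unbroken line: <key type> <base64 blob> [comment].
        # Lines that start with options (from=, command=, ...) are not handled here.
        $pattern = '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))\s+[A-Za-z0-9+/]+={0,2}(\s.*)?$'
        $n = 0
        foreach ($line in ([System.Text.Encoding]::ASCII.GetString($bytes) -split "\r?\n")) {
            $n++
            if ($line.Trim() -eq '' -or $line.TrimStart().StartsWith('#')) { continue }
            if ($line -cnotmatch $pattern) { $problems += "line ${n}: not a single-line public key entry" }
        }
    }
    New-Object PSObject -Property @{ Path = $full; IsClean = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample line (not a real key), written twice with different encodings.
$sample = 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7 constructed-sample'
$bad  = Join-Path $env:TEMP 'authorized_keys.unicode'
$good = Join-Path $env:TEMP 'authorized_keys.ascii'
# Unicode (UTF-16 LE) is what ">" and Out-File write by default in Windows PowerShell.
$sample | Out-File -FilePath $bad  -Encoding Unicode
$sample | Out-File -FilePath $good -Encoding ASCII
Test-AuthorizedKeysEncoding $bad
Test-AuthorizedKeysEncoding $good
```

The line check also flags a key whose base64 blob was split across lines by a copy and paste, which is the other failure mentioned earlier in the thread.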
