byt3
asked on
Public Key Authentication for Win32-OpenSSH on Windows Server 2012 R2
I have never set up public key authentication on Linux, so this could be why I have a hard time figuring out how to make it work on SSH in Windows.
I have installed Win32-OpenSSH and can SSH into Windows using username and password. The part I am unclear on is how to allow root user from a Linux machine to SSH into Windows without the need for a password (public key authentication).
I followed this guide: https://winscp.net/eng/docs/guide_public_key, which was linked to from the guide for installing Win32-OpenSSH: https://winscp.net/eng/docs/guide_windows_openssh_server
The only thing I've managed to accomplish is for the Linux box to request the passphrase for /root/.ssh/id_dsa and give warnings about the Windows dsa host key every time I SSH into the Windows machine. I am also prompted for the Windows user password before logging in.
Thanks for the assistance.
sshd_config is the server config. Perhaps your entry was a typo. ssh_config is the default client config.
If it was #publicAuthentication yes that points to the default behavior.
The difficulty with Windows as the destination deals with where the .ssh/authorized_keys are for the user.
Does it let you log in to the Administrator account with a password?
When attempting connection from Linux into Windows, use the -vvvv option so that you can see the connection debug messages to confirm whether the remote OpenSSH running on Windows is actually attempting to check the authorized_keys file for public keys.
It might be looking for the entry in a different location.
See if you can use a non-administrative user and see if it experiences the same issue or you can log in without an issue there.
ASKER
I can login using a password.
I looked at the ssh_config and saw the .ssh/authorized_keys line and thought maybe that isn't appended to the user profile directory. I have to reinstall Windows Server on a new VM, because I had given up on it for the server it was intended for and am attempting to use freeSSHd on that one.
ssh_config is usually the ssh client config. Do you have an sshd_config file in the same location, and does it have public key enabled?
What about the debug? What did it display?
ssh -vvvv user@win32_host
ASKER
I was editing sshd_config. That was a typo on my part. I just got Windows Server up and running and am doing testing right now.
I am going to look into that .ssh/authorized_keys directive.
ASKER
Here's the output of the ssh client:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp b0:12:d2:38:99:80:90:04:82:1b:43:bd:db:31:ea:70
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering DSA public key: /root/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp 65:6a:5e:47:9d:1b:73:01:d6:af:de:3f:a7:c5:e6:bf
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
Look at line 14 of your upload; it indicates the private key you transferred is malformed, missing info, rendering it invalid, which is why it fails.
Does the public key auth work from the original server? How are you transferring from the original to each one? Are you using an scp transfer, or are you copying and pasting?
ASKER
I'm copying and pasting. I'll
cat id_DSA.pub > ../tmp/authorized_keys
then copy that file from the Linux server to the .SSH folder on Windows.
What about the private key?
The issue is that the originating server in the connection lacks the private key.
ASKER
The Linux server has a private key. I set it and another Linux server up to do public key authentication and it worked like a charm. The Windows one is less charming.
ASKER
Figured it out. The authorized_keys file must be encoded in ASCII. I should have known.
After copying the authorized_keys file I created on the Linux server to Windows in the C:\Users\Administrator\.ssh folder, the public key authentication worked. I found a PowerShell script on the internet to help me determine what text encoding type the file uses, then tried another copy and paste, but saving as ASCII, and it worked.
If someone ever needs to create a text file with ASCII encoding I did it this way:
echo "< paste dsa public key info here >" | Out-File -FilePath authorized_keys -Encoding ASCII -Append
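The encoding problem described in the post above can be checked for directly. The following is an added example, not part of the original thread: two PowerShell functions with hypothetical names (Get-KeyFileEncoding, Repair-KeyFile) that report whether an authorized_keys file is plain ASCII and rewrite it if not. The demo file and the key line in it are constructed; Windows PowerShell's Out-File and > write UTF-16 unless told otherwise, which is how such a file usually comes about.

```powershell
# Added example: classify the byte-level encoding of an authorized_keys file.
function Get-KeyFileEncoding {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).ProviderPath)
    if ($b.Length -ge 3 -and $b[0] -eq 0xEF -and $b[1] -eq 0xBB -and $b[2] -eq 0xBF) { return 'UTF-8 with BOM' }
    if ($b.Length -ge 2 -and $b[0] -eq 0xFF -and $b[1] -eq 0xFE) { return 'UTF-16 LE' }
    if ($b.Length -ge 2 -and $b[0] -eq 0xFE -and $b[1] -eq 0xFF) { return 'UTF-16 BE' }
    if ($b -contains 0) { return 'UTF-16 without BOM (NUL bytes present)' }
    if ($b | Where-Object { $_ -gt 0x7F }) { return 'non-ASCII bytes present' }
    return 'ASCII'
}

# Rewrite the file as BOM-less ASCII, keeping a .bak copy of the original.
function Repair-KeyFile {
    param([Parameter(Mandatory)][string]$Path)
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $found = Get-KeyFileEncoding -Path $full
    if ($found -eq 'ASCII') { return "already ASCII: $full" }
    # Pick the decoder from the detection result; BOM-less UTF-16 is assumed little-endian.
    $decoder = switch -Wildcard ($found) {
        'UTF-16 BE*' { [System.Text.Encoding]::BigEndianUnicode; break }
        'UTF-16*'    { [System.Text.Encoding]::Unicode; break }
        default      { [System.Text.Encoding]::UTF8 }
    }
    Copy-Item -LiteralPath $full -Destination "$full.bak" -Force
    # Drop blank lines; any character outside ASCII (e.g. in a key comment) becomes '?'.
    $lines = @([System.IO.File]::ReadAllLines($full, $decoder) | Where-Object { $_.Trim() })
    [System.IO.File]::WriteAllLines($full, [string[]]$lines, [System.Text.Encoding]::ASCII)
    "rewrote $full from '$found' to ASCII ($($lines.Count) key line(s))"
}

# Constructed demo: a placeholder key line saved as UTF-16, then checked and repaired.
$demo = Join-Path $env:TEMP 'authorized_keys_demo'
'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEMOKEYONLY root@linux-box' |
    Out-File -FilePath $demo -Encoding Unicode
Get-KeyFileEncoding -Path $demo
Repair-KeyFile -Path $demo
Get-KeyFileEncoding -Path $demo
```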
ASKER
The key for me was the ' more id_dsa.pub >> authorized_keys ' part of the first solution given by arnold. Rather than have to copy this file from the Linux server after making it, I just used PowerShell to create the text file and make sure the encoding is in ASCII.
' echo "<id_dsa.pub contents>" | Out-File -FilePath ~\.ssh\authorized_keys -Append -Encoding ASCII '
ASKER
I did the following steps:
I still get prompted for a password for the administrator account. I will try setting this up in Linux to make sure I understand the process and on a system where I know it does work.