Public Key Authentication for Win32-OpenSSH on Windows Server 2012 R2

I have never set up public key authentication on Linux, so this could be why I have a hard time figuring out how to make it work on SSH in Windows.

I have installed Win32-OpenSSH and can SSH into windows using username and password. The part I am unclear on is how to allow root user from a Linux machine to SSH into windows without the need for a password (public key authentication).

I followed this guide: https://winscp.net/eng/docs/guide_public_key . Which was linked to from the guide for installing Win32-OpenSSH: https://winscp.net/eng/docs/guide_windows_openssh_server

The only thing I've managed to accomplish is for the Linux box to request the passphrase for /root/.ssh/id_dsa and give warnings about the Windows dsa host key every time I SSH into the windows machine. I am also prompted for the windows user password, before logging in.

Thanks for the assistance.
byt3 Asked:

arnold Commented:
On the Linux machine, you would need to use ssh-keygen -t <key type> -b bit_length
Options for key type are:
Rsa1 - should not be used
RSA
Dsa

To secure the public keys, one has to set up a passphrase on the key.
So while you will not be prompted for a password, you will be prompted for the key passphrase when set up.

Now running ssh-keygen results in two files, the private key and the public key portion: id_<key type>, the private key, and id_<key type>.pub. The public portion is used to encrypt any data. Only the person who possesses access to the private key can decrypt that data.

Now the .pub files have to be copied to the remote system in the home directory of the user to which the connection will be made in case of root (usually, root is configured not to be allowed login via ssh to avoid brute force attacks as it is a known account) it would be
homedir/.ssh/authorized_keys have to have the public keys added. Note copy and paste might not work.
Best option is to more public_key.pub >> authorized_keys.

The most important part is to make sure that your windows based OpenSSH is configured to allow PublicKeyAuthentication by looking into the sshd_config file to confirm. That is also where the allowrootlogin is set, but since you are already logging in with a password, that is answered...

A simple exercise to familiarize yourself is to create a second account on your Linux system and set up the process outlined above to make sure you can use public key authentication to ssh from one Linux account into the other....

byt3 Author Commented:
Sorry for the delay in reply. Projects and busy-ness and all that.

I did the following steps:
added public key from /root/.ssh/id_dsa.pub to c:\users\administrator\.ssh\authorized_keys
ssh'd into linux machine from windows machine so the linux box will be in the known_hosts file
un-commented the line 'PubkeyAuthentication yes' in the ssh_config file on the windows machine and restarted the sshd service

I still get prompted for a password for the administrator account. I will try setting this up in linux to make sure I understand the process and on a system where I know it does work.
arnold Commented:
sshd_config is the server config.  Perhaps your entry was a typo. ssh_config is the default client config.

If it was #publicAuthentication yes that points to the default behavior.

The difficulty with Windows as the destination deals with where the .ssh/authorized_keys are for the user.

Does it let you login into the Administrator account with a password?

when attempting connection from the linux into the windows use the -vvvv option so that you can see the connection debug messages to confirm whether the remote openssh running on windows is actually attempting to check the authorized_keys file for public keys.
It might be looking for the entry in a different location.

see if you can use a non-administrative user and see if it experiences the same issue or you can login without an issue there.
byt3 Author Commented:
I can login using a password.

I looked at the ssh_config and saw the .ssh/authorized_keys line and thought maybe that isn't appended to the user profile directory. I have to reinstall Windows Server on a new VM, because I had given up on it for the server it was intended for and am attempting to use freesshd on that one.
arnold Commented:
Ssh_config is usually the ssh client config. Do you have an sshd_config file in the same location, and does it have public key enabled?
What about the debug? What did it display?

ssh -vvvv user@win32_host
byt3 Author Commented:
I was editing sshd_config. That was a typo on my part. I just got Windows Server up and running and am doing testing right now.

I am going to look into that .ssh/authorized_keys directive
byt3 Author Commented:
Here's the output of the ssh client:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp b0:12:d2:38:99:80:90:04:82:1b:43:bd:db:31:ea:70
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering DSA public key: /root/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp 65:6a:5e:47:9d:1b:73:01:d6:af:de:3f:a7:c5:e6:bf
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

arnold Commented:
Look at line 14 of your upload; it indicates the private key you transferred is malformed, missing info, rendering it invalid, which is why it fails.
Does the public key auth work from the original server? How are you transferring from the original to each one? Are you using scp to transfer, or are you copying and pasting?
byt3 Author Commented:
I'm copying and pasting. I'll
cat id_DSA.pub > ../tmp/authorized_keys

then copy that file from the Linux server to the .SSH folder on Windows.
arnold Commented:
What about the private key?
The issue is that the originating server in the connection lacks the private key..
byt3 Author Commented:
The linux server has a private key. I setup it and another Linux server to do public key authentication and it worked like a charm. The Windows one is less charming.
byt3 Author Commented:
Figured it out. The authorized_keys file must be encoded in ASCII. I should have known.

After copying the authorized_keys file I created on the Linux server to windows in the C:\Users\Administrator\.ssh folder the public key authentication worked. I found a powershell script on the internet to help me determine what text encoding type the file uses then tried another copy paste, but saving as ASCII and it worked.

If someone ever needs to create a text file with ASCII encoding I did it this way:

echo "< paste dsa public key info here >" | Out-File -FilePath authorized_keys -Encoding ASCII -Append

byt3 Author Commented:
The key for me was the ' more id_dsa.pub >> authorized_keys ' part of the first solution given by arnold. Rather than have to copy this file from the linux server after making it I just used powershell to create the text file and make sure the encoding is in ASCII.

' echo "<id_dsa.pub contents>" | Out-File -FilePath ~\.ssh\authorized_keys -Append -Encoding ASCII '
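
A way to check an authorized_keys file for the problem that resolved this thread, as an added example that is not part of the original posts: it reports byte-order marks, UTF-16 or other non-ASCII bytes, and entries that copy and paste has split across lines. The function name Test-AuthorizedKeysFile, the demo folder under %TEMP% and the sample key are constructed for illustration; in Windows PowerShell, Out-File without -Encoding writes UTF-16 LE, which the demo reproduces explicitly with -Encoding Unicode.

```powershell
# Added example, not from the thread. Reports why sshd may be unable to parse
# an authorized_keys file: wrong text encoding or keys broken by copy/paste.
function Test-AuthorizedKeysFile {
    param([Parameter(Mandatory = $true)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).ProviderPath)
    $findings = @()

    # Byte-order marks left by editors and by Out-File / ">" defaults.
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        $findings += 'UTF-16 LE byte-order mark'
    } elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) {
        $findings += 'UTF-16 BE byte-order mark'
    } elseif ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $findings += 'UTF-8 byte-order mark'
    }
    # NUL bytes mean UTF-16 text even when no BOM is present.
    if ($bytes -contains 0) { $findings += 'NUL bytes (UTF-16 text)' }
    $nonAscii = @($bytes | Where-Object { $_ -gt 0x7F }).Count
    if ($nonAscii -gt 0) { $findings += "$nonAscii byte(s) outside 7-bit ASCII" }

    # Each entry must be one line: [options] key-type base64-blob [comment].
    $keyPattern = '(^|\s)(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+[A-Za-z0-9+/]+=*(\s|$)'
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    $lineNo = 0; $keys = 0
    foreach ($line in ($text -split "`r?`n")) {
        $lineNo++
        if ($line -match '^\s*(#|$)') { continue }   # blank line or comment
        if ($line -match $keyPattern) { $keys++ }
        else { $findings += "line ${lineNo}: not a complete key entry" }
    }
    New-Object PSObject -Property @{ Path = $Path; ValidKeys = $keys; Findings = $findings }
}

# Constructed sample key (not a real key), written two ways for comparison.
$sample = 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedSample root@linux-host'
$dir = Join-Path $env:TEMP 'authkeys-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$sample | Out-File -FilePath (Join-Path $dir 'utf16_keys') -Encoding Unicode
$sample | Out-File -FilePath (Join-Path $dir 'ascii_keys') -Encoding ASCII
Get-ChildItem $dir | ForEach-Object { Test-AuthorizedKeysFile -Path $_.FullName } |
    Format-List Path, ValidKeys, Findings
```

An empty Findings list with ValidKeys matching the number of keys you added means the file is plain ASCII with one complete entry per line.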