Categories

See More
Popular Forum

MBA (4887) B.Tech (1769) Engineering (1486) Class 12 (1030) Study Abroad (1004) Computer Science and Engineering (988) Business Management Studies (865) BBA (846) Diploma (746) CAT (651) B.Com (648) B.Sc (643) JEE Mains (618) Mechanical Engineering (574) Exam (525) India (462) Career (452) All Time Q&A (439) Mass Communication (427) BCA (417) Science (384) Computers & IT (Non-Engg) (383) Medicine & Health Sciences (381) Hotel Management (373) Civil Engineering (353) MCA (349) Tuteehub Top Questions (348) Distance (340) Colleges in India (334)
See More

Windows 10 sshd - passwordless incoming ssh demands a password

General Tech Bugs & Fixes

Max. 2000 characters
Replies

usr_profile.png

User

( 6 months ago )

 

I am attempting to set up passwordless, passphraseless ssh from a Linux Mint 19.1 host to a Windows 10 host. The Windows 10 host has OpenSSH_for_Windows_7.7p1 on it. This is Microsoft's OpenSSH port.

I am able to set this up for administrator accounts, but unprivileged accounts are not working for me. Administrator accounts are done differently.

I've tried a large number of different things, but here's the one I feel should work, and what goes wrong with it:

I create a /Users/Alden Stromberg/.ssh/authorized_keys file with mkdir and echo > (or mkdir and cygwin vi - same result).

Then I use OpenSSHUtils to attempt to set the correct permissions:

PS C:\Users\Alden Stromberg\.ssh> Import-Module 'C:\Program Files\WindowsPowerShell\Modules\OpenSSHUtils\0.0.2.0\OpenSSHUtils.psd1'

PS C:\Users\Alden Stromberg\.ssh> Repair-AuthorizedKeyPermission .\authorized_keys                                                   
  [*] .\authorized_keys 

'NT AUTHORITY\SYSTEM' has the following access to '.\authorized_keys': 'Deny'-'ExecuteFile'.
Shall I make it Allow FullControl?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):  
Exception calling "SetAccessRule" with "1" argument(s): "This access control list is not in canonical form and therefore cannot be  
modified."
At C:\Program Files\WindowsPowerShell\Modules\OpenSSHUtils\0.0.2.0\OpenSSHUtils.psm1:399 char:17
+                 $acl.SetAccessRule($ace)
+                 ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException

'NT AUTHORITY\SYSTEM' now has FullControl access to '.\authorized_keys'. 

'DESKTOP-A31M9SV\None' should not have access to '.\authorized_keys'..
Shall I remove this access?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):
Exception calling "RemoveAccessRule" with "1" argument(s): "This access control list is not in canonical form and therefore cannot  
be modified."
At C:\Program Files\WindowsPowerShell\Modules\OpenSSHUtils\0.0.2.0\OpenSSHUtils.psm1:490 char:20
+                 if(-not ($acl.RemoveAccessRule($ace)))
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException


'Everyone' should not have access to '.\authorized_keys'..
Shall I remove this access?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):  
Exception calling "RemoveAccessRule" with "1" argument(s): "This access control list is not in canonical form and therefore cannot  
be modified."
At C:\Program Files\WindowsPowerShell\Modules\OpenSSHUtils\0.0.2.0\OpenSSHUtils.psm1:490 char:20
+                 if(-not ($acl.RemoveAccessRule($ace)))
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException


'NT SERVICE\sshd' needs Read access to '.\authorized_keys'.
Shall I make the above change?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):
Exception calling "AddAccessRule" with "1" argument(s): "This access control list is not in canonical form and therefore cannot be  
modified."
At C:\Program Files\WindowsPowerShell\Modules\OpenSSHUtils\0.0.2.0\OpenSSHUtils.psm1:564 char:21
+                     $acl.AddAccessRule($ace)
+                     ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException

'NT SERVICE\sshd' now has Read access to '.\authorized_keys'.
Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
At C:\Program Files\WindowsPowerShell\Modules\OpenSSHUtils\0.0.2.0\OpenSSHUtils.psm1:582 char:9 
+         Set-Acl -Path $FilePath -AclObject $acl -Confirm:$false
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Users\Alden ...authorized_keys:String) [Set-Acl], PrivilegeNotHeldException      
    + FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand    

      Repaired permissions

Hoping to fix the noncanonical ACL, I tried:

icacls.exe .\authorized_keys /reset /T /C /L /Q

...but subsequently rerunning Repair-AuthorizedKeyPermission produces no joy.

What am I doing wrong? Is 0.0.2.0\OpenSSHUtils.psm1 out of date?

For the sake of completeness, here's what worked for administrator accounts:

get-acl c:\ProgramData\ssh\ssh_host_dsa_key | set-acl c:\ProgramData\ssh\administrators_authorized_keys

Thanks!

usr_profile.png

User

( 6 months ago )

One way of getting passwordless authentication working for non-administrator accounts, is described at: https://www.techpaste.com/2015/06/windows-ssh-server-setup-and-configuration/

In short, put these in your sshd_config, uncommenting preexisting entries as needed, found under c:\ProgramData\ssh\ PermitRootLogin yes StrictModes no RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys IgnoreUserKnownHosts yes

Then "net stop sshd" and "net start sshd".

This probably means that your authorized_keys is readable by everyone on the computer, but at least it works.

what's your interest


forum_ban8_5d8c5fd7cf6f7.gif