Windows SSH server refuses key-based authentication from client


On Windows 10 1809 I have enabled the built-in SSH server and configured it.

On another machine I generated an authentication key with WinSCP and the PuTTY key generator. I copied the public-key part and appended it to the .ssh\authorized_keys file of my user on the SSH server. I locked down the file permissions as required, so that only my user (the logged-in user) can access the key file.

On the client machine I use the .PPK private key with WinSCP to open an SFTP session to my server, but I get a message saying that the server refused the key I selected.

I can authenticate with a password, but the key pair does not work. Looking at the sshd log generated on the server, I see the following:

    10200 2019-06-07 01:38:16.376 debug1: attempt 1 failures 0 [preauth]
    10200 2019-06-07 01:38:16.376 debug2: input_userauth_request: try method publickey [preauth]
    10200 2019-06-07 01:38:16.376 debug1: userauth_pubkey: test pkalg ssh-rsa pkblob RSA SHA256:B6s0omPbz6HJB2cIZf3+5MKHU42wp+JfOTyAM+EVqoY [preauth]
    10200 2019-06-07 01:38:16.376 debug2: userauth_pubkey: disabled because of invalid user [preauth]

I am not sure what is going on here, nor whether this is the reason the connection is refused. The firewall cannot be the problem, since I can log in to the server with password authentication. The client machine and WinSCP are recognised by the server; it is just that the server refuses the key offered.

Are PuTTY-generated keys (or the key contents copied with the public-key copy function) not supported in either place? The key has no passphrase, but I don't think that is the problem.

There is only one user on the server machine, the logged-in user. The sshd service runs under the LOCAL SYSTEM account. Should it run under the user account instead? (I tried, but the service did not start at all, and the event log complained about missing privileges...)

EDIT - more information

I commented out the following in sshd_config

 #Match Group administrators  
 #      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

But now the connection attempt complains about bad permissions on authorized_keys. The machine has only one user, and authorized_keys in that user's .ssh folder is accessible only to that user. I tried Repair-AuthorizedKeyPermission on the key file, which added SYSTEM and sshd (the NT Service user) as users of the key file, sshd with read permission. But now the connection attempt complains about bad permissions set for the user NT Service user sshd, which is the same S-1-5-80 permission that Repair-AuthorizedKeyPermission added. Removing the read permission (the only permission) for this user brings back the old error, Access Denied.

EDIT - sshd.exe log from a connection attempt:

    2696 2019-06-10 03:57:09.020 debug2: fd 3 setting O_NONBLOCK
    2696 2019-06-10 03:57:09.020 debug3: sock_set_v6only: set socket 3 IPV6_V6ONLY
    2696 2019-06-10 03:57:09.020 debug1: Bind to port 22 on ::.
    2696 2019-06-10 03:57:09.020 Server listening on :: port 22.
    2696 2019-06-10 03:57:09.020 debug2: fd 4 setting O_NONBLOCK
    2696 2019-06-10 03:57:09.020 debug1: Bind to port 22 on 0.0.0.0.
    2696 2019-06-10 03:57:09.020 Server listening on 0.0.0.0 port 22.
    2696 2019-06-10 03:57:35.475 debug3: fd 5 is not O_NONBLOCK
    2696 2019-06-10 03:57:35.477 debug3: spawning "C:\\WINDOWS\\System32\\OpenSSH\\sshd.exe" "-R"
    2696 2019-06-10 03:57:35.483 debug3: send_rexec_state: entering fd = 8 config len 287
    2696 2019-06-10 03:57:35.484 debug3: ssh_msg_send: type 0
    2696 2019-06-10 03:57:35.485 debug3: send_rexec_state: done
    9428 2019-06-10 03:57:35.556 debug1: inetd sockets after dupping: 3, 3
    9428 2019-06-10 03:57:35.556 Connection from 130.147.168.135 port 64534 on 161.85.17.107 port 22
    9428 2019-06-10 03:57:35.556 debug1: Client protocol version 2.0; client software version WinSCP_release_5.15.2
    9428 2019-06-10 03:57:35.556 debug1: no match: WinSCP_release_5.15.2
    9428 2019-06-10 03:57:35.556 debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
    9428 2019-06-10 03:57:35.556 debug2: fd 3 setting O_NONBLOCK
    9428 2019-06-10 03:57:35.568 debug3: spawning "C:\\WINDOWS\\System32\\OpenSSH\\sshd.exe" "-y"
    9428 2019-06-10 03:57:35.572 debug2: Network child is on pid 6944
    9428 2019-06-10 03:57:35.573 debug3: send_rexec_state: entering fd = 6 config len 287
    9428 2019-06-10 03:57:35.573 debug3: ssh_msg_send: type 0
    9428 2019-06-10 03:57:35.575 debug3: send_rexec_state: done
    9428 2019-06-10 03:57:35.575 debug3: ssh_msg_send: type 0
    9428 2019-06-10 03:57:35.576 debug3: ssh_msg_send: type 0
    9428 2019-06-10 03:57:35.576 debug3: preauth child monitor started
    9428 2019-06-10 03:57:35.607 debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
    9428 2019-06-10 03:57:35.607 debug3: send packet: type 20 [preauth]
    9428 2019-06-10 03:57:35.607 debug1: SSH2_MSG_KEXINIT sent [preauth]
    9428 2019-06-10 03:57:35.794 debug3: receive packet: type 20 [preauth]
    9428 2019-06-10 03:57:35.794 debug1: SSH2_MSG_KEXINIT received [preauth]
    9428 2019-06-10 03:57:35.795 debug2: local server KEXINIT proposal [preauth]
    9428 2019-06-10 03:57:35.796 debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 [preauth]
    9428 2019-06-10 03:57:35.797 debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
    9428 2019-06-10 03:57:35.798 debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
    9428 2019-06-10 03:57:35.798 debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
    9428 2019-06-10 03:57:35.798 debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
    9428 2019-06-10 03:57:35.798 debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
    9428 2019-06-10 03:57:35.798 debug2: compression ctos: none [preauth]
    9428 2019-06-10 03:57:35.798 debug2: compression stoc: none [preauth]
    9428 2019-06-10 03:57:35.799 debug2: languages ctos:  [preauth]
    9428 2019-06-10 03:57:35.799 debug2: languages stoc:  [preauth]
    9428 2019-06-10 03:57:35.799 debug2: first_kex_follows 0  [preauth]
    9428 2019-06-10 03:57:35.799 debug2: reserved 0  [preauth]
    9428 2019-06-10 03:57:35.799 debug2: peer client KEXINIT proposal [preauth]
    9428 2019-06-10 03:57:35.799 debug2: KEX algorithms: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1 [preauth]
    9428 2019-06-10 03:57:35.799 debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
    9428 2019-06-10 03:57:35.799 debug2: ciphers ctos: aes256-ctr,aes256-cbc,[email protected],aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,[email protected],blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 [preauth]
    9428 2019-06-10 03:57:35.800 debug2: ciphers stoc: aes256-ctr,aes256-cbc,[email protected],aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,[email protected],blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 [preauth]
    9428 2019-06-10 03:57:35.800 debug2: MACs ctos: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,[email protected],[email protected],[email protected],[email protected] [preauth]
    9428 2019-06-10 03:57:35.800 debug2: MACs stoc: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,[email protected],[email protected],[email protected],[email protected] [preauth]
    9428 2019-06-10 03:57:35.800 debug2: compression ctos: none,zlib [preauth]
    9428 2019-06-10 03:57:35.800 debug2: compression stoc: none,zlib [preauth]
    9428 2019-06-10 03:57:35.800 debug2: languages ctos:  [preauth]
    9428 2019-06-10 03:57:35.800 debug2: languages stoc:  [preauth]
    9428 2019-06-10 03:57:35.800 debug2: first_kex_follows 0  [preauth]
    9428 2019-06-10 03:57:35.800 debug2: reserved 0  [preauth]
    9428 2019-06-10 03:57:35.801 debug1: kex: algorithm: [email protected] [preauth]
    9428 2019-06-10 03:57:35.801 debug1: kex: host key algorithm: ssh-ed25519 [preauth]
    9428 2019-06-10 03:57:35.801 debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none [preauth]
    9428 2019-06-10 03:57:35.801 debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none [preauth]
    9428 2019-06-10 03:57:35.801 debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
    9428 2019-06-10 03:57:35.834 debug3: receive packet: type 30 [preauth]
    9428 2019-06-10 03:57:35.843 debug3: mm_key_sign entering [preauth]
    9428 2019-06-10 03:57:35.843 debug3: mm_request_send entering: type 6 [preauth]
    9428 2019-06-10 03:57:35.843 debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
    9428 2019-06-10 03:57:35.843 debug3: mm_request_receive_expect entering: type 7 [preauth]
    9428 2019-06-10 03:57:35.843 debug3: mm_request_receive entering [preauth]
    9428 2019-06-10 03:57:35.843 debug3: mm_request_receive entering
    9428 2019-06-10 03:57:35.843 debug3: monitor_read: checking request 6
    9428 2019-06-10 03:57:35.843 debug3: mm_answer_sign
    9428 2019-06-10 03:57:35.846 debug3: mm_answer_sign: hostkey proof signature 0000029369ED8600(83)
    9428 2019-06-10 03:57:35.846 debug3: mm_request_send entering: type 7
    9428 2019-06-10 03:57:35.846 debug2: monitor_read: 6 used once, disabling now
    9428 2019-06-10 03:57:35.846 debug3: send packet: type 31 [preauth]
    9428 2019-06-10 03:57:35.846 debug3: send packet: type 21 [preauth]
    9428 2019-06-10 03:57:35.846 debug2: set_newkeys: mode 1 [preauth]
    9428 2019-06-10 03:57:35.846 debug1: rekey after 4294967296 blocks [preauth]
    9428 2019-06-10 03:57:35.846 debug1: SSH2_MSG_NEWKEYS sent [preauth]
    9428 2019-06-10 03:57:35.846 debug1: expecting SSH2_MSG_NEWKEYS [preauth]
    9428 2019-06-10 03:57:36.356 debug3: receive packet: type 21 [preauth]
    9428 2019-06-10 03:57:36.356 debug1: SSH2_MSG_NEWKEYS received [preauth]
    9428 2019-06-10 03:57:36.356 debug2: set_newkeys: mode 0 [preauth]
    9428 2019-06-10 03:57:36.356 debug1: rekey after 4294967296 blocks [preauth]
    9428 2019-06-10 03:57:36.356 debug1: KEX done [preauth]
    9428 2019-06-10 03:57:36.399 debug3: receive packet: type 5 [preauth]
    9428 2019-06-10 03:57:36.399 debug3: send packet: type 6 [preauth]
    9428 2019-06-10 03:57:36.435 debug3: receive packet: type 50 [preauth]
    9428 2019-06-10 03:57:36.435 debug1: userauth-request for user TestUser service ssh-connection method none [preauth]
    9428 2019-06-10 03:57:36.435 debug1: attempt 0 failures 0 [preauth]
    9428 2019-06-10 03:57:36.435 debug3: mm_getpwnamallow entering [preauth]
    9428 2019-06-10 03:57:36.436 debug3: mm_request_send entering: type 8 [preauth]
    9428 2019-06-10 03:57:36.436 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
    9428 2019-06-10 03:57:36.436 debug3: mm_request_receive_expect entering: type 9 [preauth]
    9428 2019-06-10 03:57:36.436 debug3: mm_request_receive entering [preauth]
    9428 2019-06-10 03:57:36.436 debug3: mm_request_receive entering
    9428 2019-06-10 03:57:36.436 debug3: monitor_read: checking request 8
    9428 2019-06-10 03:57:36.436 debug3: mm_answer_pwnamallow
    9428 2019-06-10 03:57:36.439 debug2: parse_server_config: config reprocess config len 287
    9428 2019-06-10 03:57:36.439 debug3: checking match for 'Group administrators' user TestUser host 130.147.168.135 addr 130.147.168.135 laddr 161.85.17.107 lport 22
    9428 2019-06-10 03:57:36.446 debug3: LsaLogonUser Succeeded (Impersonation: 0)
    9428 2019-06-10 03:57:36.448 debug1: user TestUser matched group list administrators at line 84
    9428 2019-06-10 03:57:36.448 debug3: match found
    9428 2019-06-10 03:57:36.448 debug3: reprocess config:85 setting AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
    9428 2019-06-10 03:57:36.449 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
    9428 2019-06-10 03:57:36.449 debug3: mm_request_send entering: type 9
    9428 2019-06-10 03:57:36.450 debug2: monitor_read: 8 used once, disabling now
    9428 2019-06-10 03:57:36.450 debug2: input_userauth_request: setting up authctxt for TestUser [preauth]
    9428 2019-06-10 03:57:36.450 debug3: mm_inform_authserv entering [preauth]
    9428 2019-06-10 03:57:36.450 debug3: mm_request_send entering: type 4 [preauth]
    9428 2019-06-10 03:57:36.451 debug3: mm_request_receive entering
    9428 2019-06-10 03:57:36.451 debug3: monitor_read: checking request 4
    9428 2019-06-10 03:57:36.451 debug3: mm_answer_authserv: service=ssh-connection, style=
    9428 2019-06-10 03:57:36.451 debug2: monitor_read: 4 used once, disabling now
    9428 2019-06-10 03:57:36.451 debug2: input_userauth_request: try method none [preauth]
    9428 2019-06-10 03:57:36.452 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" [preauth]
    9428 2019-06-10 03:57:36.452 debug3: send packet: type 51 [preauth]
    9428 2019-06-10 03:57:36.453 debug3: receive packet: type 50 [preauth]
    9428 2019-06-10 03:57:36.453 debug1: userauth-request for user TestUser service ssh-connection method publickey [preauth]
    9428 2019-06-10 03:57:36.453 debug1: attempt 1 failures 0 [preauth]
    9428 2019-06-10 03:57:36.454 debug2: input_userauth_request: try method publickey [preauth]
    9428 2019-06-10 03:57:36.454 debug1: userauth_pubkey: test pkalg ssh-rsa pkblob RSA SHA256:ospJEFHH81sy96YBMFEySGGUokk1KZHV+AbgNTFRrjE [preauth]
    9428 2019-06-10 03:57:36.455 debug3: mm_key_allowed entering [preauth]
    9428 2019-06-10 03:57:36.455 debug3: mm_request_send entering: type 22 [preauth]
    9428 2019-06-10 03:57:36.455 debug3: mm_request_receive entering
    9428 2019-06-10 03:57:36.455 debug3: monitor_read: checking request 22
    9428 2019-06-10 03:57:36.456 debug3: mm_answer_keyallowed entering
    9428 2019-06-10 03:57:36.456 debug3: mm_answer_keyallowed: key_from_blob: 0000029369F0D8B0
    9428 2019-06-10 03:57:36.456 debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
    9428 2019-06-10 03:57:36.456 debug3: Failed to open file:C:/ProgramData/ssh/administrators_authorized_keys error:2
    9428 2019-06-10 03:57:36.456 debug1: Could not open authorized keys '__PROGRAMDATA__/ssh/administrators_authorized_keys': No such file or directory
    9428 2019-06-10 03:57:36.456 debug3: mm_answer_keyallowed: publickey authentication test: RSA key is not allowed
    9428 2019-06-10 03:57:36.456 Failed publickey for TestUser from 130.147.168.135 port 64534 ssh2: RSA SHA256:ospJEFHH81sy96YBMFEySGGUokk1KZHV+AbgNTFRrjE
    9428 2019-06-10 03:57:36.456 debug3: mm_request_send entering: type 23
    9428 2019-06-10 03:57:36.457 debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
    9428 2019-06-10 03:57:36.457 debug3: mm_request_receive_expect entering: type 23 [preauth]
    9428 2019-06-10 03:57:36.457 debug3: mm_request_receive entering [preauth]
    9428 2019-06-10 03:57:36.457 debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa [preauth]
    9428 2019-06-10 03:57:36.457 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" [preauth]
    9428 2019-06-10 03:57:36.457 debug3: send packet: type 51 [preauth]
    9428 2019-06-10 03:57:36.482 debug3: receive packet: type 50 [preauth]
    9428 2019-06-10 03:57:36.482 debug1: userauth-request for user TestUser service ssh-connection method keyboard-interactive [preauth]
    9428 2019-06-10 03:57:36.482 debug1: attempt 2 failures 1 [preauth]
    9428 2019-06-10 03:57:36.482 debug2: input_userauth_request: try method keyboard-interactive [preauth]
    9428 2019-06-10 03:57:36.482 debug1: keyboard-interactive devs  [preauth]
    9428 2019-06-10 03:57:36.483 debug1: auth2_challenge: user=TestUser devs= [preauth]
    9428 2019-06-10 03:57:36.483 debug1: kbdint_alloc: devices '' [preauth]
    9428 2019-06-10 03:57:36.483 debug2: auth2_challenge_start: devices  [preauth]
    9428 2019-06-10 03:57:36.483 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" [preauth]
    9428 2019-06-10 03:57:36.483 debug3: send packet: type 51 [preauth]

Answer 1

Since Windows 10 v1809, the default configuration (in %ProgramData%/ssh/sshd_config) defines a separate AuthorizedKeysFile for administrator users:

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

This means that any user who belongs to the special Windows Administrators group (SID S-1-5-32-544) will not have %UserProfile%/.ssh/authorized_keys consulted, but %ProgramData%/ssh/administrators_authorized_keys instead.

You have a few options:

  • Use a non-administrator user, or
  • Comment out those two lines at the bottom of sshd_config, which reverts to the default per-user AuthorizedKeysFile, or
  • Add your key to the (global!) administrators_authorized_keys file

My recommendation would be to use a non-administrator user where possible, or otherwise modify the configuration. A global list of accepted keys for any account in the Administrators group sounds like a bit of unnecessary complexity.¹


¹ In the default configuration it is always possible to impersonate any other user from an administrator user, since an administrator user generally means full root-level control in Windows. That is probably their reasoning for this default. But of course it makes for a rather confusing configuration on a multi-user system, where some (non-admin) users have their own authorized keys in the standard location while other (admin) users must share a single non-standard list of authorized keys.

I see no security benefit to this configuration beyond making it obvious that all administrators can impersonate one another.

Future versions may create user-specific folders under %ProgramData%/ssh.

Some discussion of this here: https://github.com/PowerShell/Win32-OpenSSH/issues/1324
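To see which of the two files applies to an account before changing anything, here is an added diagnostic script (not part of the answer, and not code from the Win32-OpenSSH project). It assumes the stock 1809 layout described above: sshd_config under %ProgramData%\ssh, user profiles under %SystemDrive%\Users\<name>, and direct membership of BUILTIN\Administrators (S-1-5-32-544) read through ADSI. Run it in an elevated PowerShell, since sshd_config is readable only by Administrators and SYSTEM.

```powershell
# Added example, not from the answer above. Reports which authorized_keys file
# the Windows 10 1809 sshd will consult for a user, and whether that file exists.
# Assumptions: stock paths, profile under $env:SystemDrive\Users\<name>, and the
# Match block is either the stock two lines or commented out with a leading '#'.
param(
    [string]$User = $env:USERNAME,
    [string]$SshdConfig = (Join-Path $env:ProgramData 'ssh\sshd_config')
)

# 1. Is the "Match Group administrators" block still active (not commented out)?
#    A '#' in front of the Match line disables the whole block, which is the
#    second option in the answer above.
$matchActive = [bool](Get-Content $SshdConfig |
    Where-Object { $_ -match '^\s*Match\s+Group\s+administrators\b' })

# 2. Is the user a direct member of BUILTIN\Administrators (S-1-5-32-544)?
#    ADSI is used because it works on every Windows 10 build, including ones
#    where Get-LocalGroupMember fails on orphaned SIDs. Nested membership is
#    not resolved here; sshd's own group check (LsaLogonUser in the log) is.
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
$isAdmin = $members -contains $User

# 3. Derive the effective path the same way sshd does in the log in the question.
$perUserFile = Join-Path $env:SystemDrive "Users\$User\.ssh\authorized_keys"
$adminFile   = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'

if ($matchActive -and $isAdmin) {
    $effective = $adminFile
    $reason    = "'$User' is in Administrators and the Match block in $SshdConfig is active"
} elseif ($isAdmin) {
    $effective = $perUserFile
    $reason    = "'$User' is in Administrators but the Match block is commented out"
} else {
    $effective = $perUserFile
    $reason    = "'$User' is not in Administrators, so the Match block never applies"
}

Write-Host "sshd will read : $effective"
Write-Host "because        : $reason"

if (Test-Path $effective) {
    $keyLines = @(Get-Content $effective | Where-Object { $_ -match '^\s*(ssh-|ecdsa-sha2-)' })
    Write-Host "file exists and holds $($keyLines.Count) key line(s)"
} else {
    Write-Warning ("$effective does not exist; publickey auth will fail with " +
        "'Could not open authorized keys ... No such file or directory' in the sshd log")
}
```

Run as `.\Which-AuthorizedKeys.ps1 -User TestUser`. For the asker's single-admin machine with the stock config this reports the administrators_authorized_keys path and warns that it is missing, which is exactly the `error:2` line in the posted log.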

Answer 2

OpenSSH on Windows 10 needs extra configuration before it recognises authorized_keys:

  1. Save the authorized_keys content to C:\ProgramData\ssh\administrators_authorized_keys (no file extension)
  2. Set the correct permissions on the file with the following PowerShell script
    # Load the current ACL, then stop inheriting ACEs from C:\ProgramData\ssh
    $acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys
    $acl.SetAccessRuleProtection($true, $false)
    # Explicit Full Control for the two identities this file is meant to have
    $administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule("Administrators","FullControl","Allow")
    $systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
    $acl.SetAccessRule($administratorsRule)
    $acl.SetAccessRule($systemRule)
    # Write the modified ACL back to the file (the object remembers its path)
    $acl | Set-Acl

This effectively grants Administrators and SYSTEM full control of the administrators_authorized_keys file.

If you do not do this and simply put the file in the user's .ssh folder, you will be prompted for a password (instead of the key file being used), or the connection will fail with "Too many authentication attempts".

Reference:
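The script above sets the ACL but gives no way to see why sshd still rejects a file afterwards. The following audit function is an added example (not from the answer, not Win32-OpenSSH code): it lists the owner and every ACE that falls outside the identities the answers on this page allow (SYSTEM, Administrators, and for a per-user file the user itself). That is the "bad permissions" condition the question ran into after Repair-AuthorizedKeyPermission added an NT SERVICE\sshd entry. Identity names are assumed in the `DOMAIN\name` form Get-Acl returns on an English Windows.

```powershell
# Added example, not from the answer. Audits an authorized_keys ACL against the
# identity set the answers on this page use, and reports every deviation so the
# "bad permissions" refusal in the sshd log can be traced to a concrete ACE.
function Test-AuthorizedKeysAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Identities allowed to appear as owner or in an ACE. The defaults are
        # the two used for administrators_authorized_keys; for a per-user file
        # add "COMPUTER\user" (see usage below).
        [string[]]$AllowedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $acl      = Get-Acl -Path $Path
    $problems = @()

    # Inherited ACEs from C:\ProgramData\ssh or the profile folder are the
    # usual way an unexpected identity gets read access.
    if (-not $acl.AreAccessRulesProtected) {
        $problems += "inheritance is enabled; ACEs from $(Split-Path $Path) are inherited"
    }
    if ($AllowedIdentities -notcontains $acl.Owner) {
        $problems += "owner is '$($acl.Owner)', expected one of: $($AllowedIdentities -join ', ')"
    }
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($AllowedIdentities -notcontains $id) {
            $inh = if ($ace.IsInherited) { ', inherited' } else { '' }
            $problems += "unexpected ACE: $id has $($ace.FileSystemRights) ($($ace.AccessControlType)$inh)"
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Owner    = $acl.Owner
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (elevated PowerShell):
#   Test-AuthorizedKeysAcl -Path "$env:ProgramData\ssh\administrators_authorized_keys"
#   Test-AuthorizedKeysAcl -Path "$env:USERPROFILE\.ssh\authorized_keys" `
#       -AllowedIdentities 'NT AUTHORITY\SYSTEM','BUILTIN\Administrators',"$env:USERDOMAIN\$env:USERNAME"
```

An `Ok = False` result with a line such as `unexpected ACE: NT SERVICE\sshd has Read (Allow)` reproduces the situation in the question's edit; removing that ACE (or re-running the answer's script, which replaces the ACL outright) clears it.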

Answer 3

Trying to add more detail here for anyone who has installed the built-in openssh server in Windows 10 (version 1809 or later, or Server 2016), whether or not they followed Microsoft's documentation: Installation, Configuration, Key Management. Those look rather old or somewhat incomplete and need updating.

After installing the service, start it; you should be able to connect to it from localhost with ssh username@localhost, assuming your Windows login name is username. But we want key-based authentication, and we are bound to fail if we only follow the Microsoft docs listed above:

  1. We cannot rely on Repair-AuthorizedKeyPermission to fix the permissions of authorized_keys, because we can no longer install the OpenSSHUtils module. The reason is here; it seems its signature is out of date.
  2. As @Bob pointed out, we have to comment out the Match Group block in sshd_config if we haven't set up key pairs for administrators.

If you only want key-based authentication for a single user, do the following (admin rights required; all based on the default built-in openssh server installation):

  1. Since we cannot install the OpenSSHUtils module, we set the permissions by hand. Check the ownership and permissions of authorized_keys:
    PS C:\>(get-acl .\users\username\.ssh\authorized_keys).owner
    username
    PS C:\>icacls .\users\username\.ssh\authorized_keys
    ssh_host_dsa_key   BUILTIN\Administrators:(F)
                       username:(F)
                       otheruser1:(IR)
                       otheruser2:(R)
  2. Set the correct ownership and permissions on authorized_keys:
    PS C:\>icacls .\users\username\.ssh\authorized_keys /inheritance:r
    PS C:\>icacls .\users\username\.ssh\authorized_keys /remove otheruser2
  3. Search for the group Match policy in sshd_config and comment it out:
    #Match Group administrators
    #       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
  4. (Optional) Enable key-based authentication. Search for the line and change it to:
    PubkeyAuthentication yes
  5. (Optional) Disable password-based authentication. Search for the line and change it to:
    PasswordAuthentication no
  6. Copy and paste the public key of the user you want to connect as into that user's authorized_keys.
  7. Restart the sshd service. You should now be able to connect to this host with key authentication.

For more detail, see the following link (which this answer is based on):
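The procedure above as one idempotent script. This is an added example, not the answer's own code and not part of Win32-OpenSSH. It assumes an elevated PowerShell on the server, a local account that has logged on at least once (so its profile path is in the registry; otherwise it falls back to %SystemDrive%\Users\<name>), and a public key in the one-line OpenSSH format that PuTTYgen shows in its "Public key for pasting into OpenSSH authorized_keys file" box. It uses .NET for the ACEs and icacls for ownership, giving the same result as Repair-AuthorizedKeyPermission without needing the OpenSSHUtils module.

```powershell
# Added example, not from the answer: per-user key-based auth on the built-in
# Windows 10 OpenSSH server in one script. Run elevated. Re-running is safe:
# the key is not duplicated and already-commented config lines are left alone.
param(
    [Parameter(Mandatory)][string]$User,
    [Parameter(Mandatory)][string]$PublicKey,   # "ssh-rsa AAAA... comment"
    [string]$SshdConfig = (Join-Path $env:ProgramData 'ssh\sshd_config'),
    [switch]$DisablePasswordAuth
)
$ErrorActionPreference = 'Stop'

# Reject the PuTTY ".pub" layout ("---- BEGIN SSH2 PUBLIC KEY ----"); sshd
# silently ignores those lines, which looks exactly like "server refused our key".
if ($PublicKey -notmatch '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+[A-Za-z0-9+/=]+') {
    throw 'PublicKey must be one OpenSSH-format line: "<type> <base64 blob> [comment]"'
}

# Locate the user's profile from the registry rather than guessing C:\Users\<name>.
$sid = ([System.Security.Principal.NTAccount]$User).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$profileKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
$profileDir = Join-Path $env:SystemDrive "Users\$User"    # assumption: default layout
if (Test-Path $profileKey) { $profileDir = (Get-ItemProperty $profileKey).ProfileImagePath }
$sshDir   = Join-Path $profileDir '.ssh'
$keysFile = Join-Path $sshDir 'authorized_keys'
New-Item -ItemType Directory -Path $sshDir -Force | Out-Null

# Install the key, deduplicating on the base64 blob (comments may differ).
$blob  = ($PublicKey -split '\s+')[1]
$lines = @()
if (Test-Path $keysFile) {
    $lines = @(Get-Content $keysFile | Where-Object { $_ -and $_.Trim() })
}
if (-not ($lines | Where-Object { ($_ -split '\s+')[1] -eq $blob })) {
    $lines += $PublicKey
}
Set-Content -Path $keysFile -Value $lines -Encoding ascii

# ACL: no inheritance, explicit Full Control for the user, SYSTEM and
# Administrators only, user as owner. Any other ACE (the NT SERVICE\sshd read
# entry in the question, otheruser2 in the answer) makes sshd refuse the file.
$acl = Get-Acl -Path $keysFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)
}
foreach ($id in @($User, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $keysFile -AclObject $acl
& icacls.exe $keysFile /setowner $User /Q | Out-Null   # icacls enables the privilege needed to assign ownership to another account

# sshd_config: comment out the Match block, enable pubkey auth, optionally turn
# off passwords. The '#'-prefixed forms do not match the patterns, so this is idempotent.
$cfg = Get-Content $SshdConfig
$cfg = $cfg -replace '^(\s*)(Match\s+Group\s+administrators\b.*)$', '$1#$2'
$cfg = $cfg -replace '^(\s*)(AuthorizedKeysFile\s+__PROGRAMDATA__/ssh/administrators_authorized_keys.*)$', '$1#$2'
$cfg = $cfg -replace '^\s*#?\s*PubkeyAuthentication\s+\S+.*$', 'PubkeyAuthentication yes'
if ($DisablePasswordAuth) {
    $cfg = $cfg -replace '^\s*#?\s*PasswordAuthentication\s+\S+.*$', 'PasswordAuthentication no'
}
Set-Content -Path $SshdConfig -Value $cfg -Encoding ascii

# Restart so the new config is read.
Restart-Service -Name sshd
Write-Host "Installed key for $User in $keysFile and restarted sshd."
Write-Host "Test from the client:  ssh -v $User@<this-host>   (-v shows which key is offered)"
```

Leave `-DisablePasswordAuth` off until a key login has succeeded once; with it on, a bad key file locks you out of the service entirely rather than falling back to the password prompt the question describes.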

Answer 4

Thanks to the link from @user159960, I found that I did not have ssh-agent enabled; enabling it made key-based login work.

    Set-Service -Name ssh-agent -StartupType 'Automatic'
    Set-Service -Name sshd -StartupType 'Automatic'
    Start-Service ssh-agent
    Start-Service sshd

I also noticed that the owner of my C:\ProgramData\ssh\administrators_authorized_keys was not Administrators; once I corrected that, I could ssh into my administrator account.

Source: https://techcommunity.microsoft.com/t5/itops-talk-blog/installing-and-configuring-openssh-on-windows-server-2019/ba-p/309540
