Public key authentication with the Windows port of OpenSSH

I have been trying to get public key authentication working with the PowerShell port of OpenSSH on a VM running Windows Server 2012 R2.

I faithfully followed the installation instructions and made sure my file permissions on .ssh\authorized_keys are correct. (I can't post the link to the specific instructions in the Win32-OpenSSH wiki because I'm too new to post more than two links; see the comments below.)

I can log in from the Linux host to the Windows host with username/password as expected. Key authentication, however, does not succeed.

Local (Linux host) configuration

My local .ssh/config file contains:

Host remotehostname
    HostName remotehostname
    User remoteuser
    Port 22
    IdentityFile /home/myusername/.ssh/id_dsa

Permissions in the local .ssh directory look correct:

[[email protected]]$ ls -ltrh
total 56K
-rw------- 1 cengadmin cengadmin 1.6K Sep 11 10:01 known_hosts
-r-------- 1 cengadmin cengadmin  672 Sep 11 10:06 id_dsa
-r-------- 1 cengadmin cengadmin  580 Sep 11 10:13 config

Remote (Windows host) configuration

My .ssh directory on the remote host looks like this:

 Directory of C:\Users\REMOTEUSER\.ssh

09/11/2017  10:07 AM    <DIR>          .
09/11/2017  10:07 AM    <DIR>          ..
09/11/2017  10:07 AM               623 authorized_keys
09/11/2017  10:05 AM               672 id_dsa
09/11/2017  10:05 AM               623 id_dsa.pub
               5 File(s)          4,012 bytes
               2 Dir(s)  10,752,004,096 bytes free

C:\Users\REMOTEUSER\.ssh>icacls authorized_keys
authorized_keys NT SERVICE\sshd:(R)
                NT AUTHORITY\SYSTEM:(F)
                BUILTIN\Administrators:(F)
                FOODOM1\REMOTEUSER:(F)


C:\Users\REMOTEUSER\.ssh>icacls id_dsa
id_dsa BUILTIN\Administrators:(F)
       NT AUTHORITY\SYSTEM:(F)
       DHDOM1\REMOTEUSER:(R,W)

My authorized_keys file contains only the output of type id_dsa.pub > authorized_keys:

C:\Users\REMOTEUSER\.ssh>fc id_dsa.pub authorized_keys
Comparing files id_dsa.pub and AUTHORIZED_KEYS
FC: no differences encountered

sshd_config has PubkeyAuthentication enabled:

PubkeyAuthentication yes

The configuration and permissions look sensible to me. Yet I keep getting the common missing begin marker error, the one that always shows up when I get the permissions wrong.

sshd.log

I see: debug2: key not found

This usually means I put the wrong key into authorized_keys, but I think the comparison above proves that is not the problem.

Any clues? Be gentle; I haven't used Windows in anger for nearly 10 years.

ssh -v output

(Note that I have other rsa keys in this directory which were left out above for clarity.)

$ ssh -v -i .ssh/id_dsa myhostname
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /home/localuser/.ssh/config
debug1: /home/localuser/.ssh/config line 21: Applying options for raleys-etl
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Hostname has changed; re-reading configuration
debug1: Reading configuration data /home/localuser/.ssh/config
debug1: /home/localuser/.ssh/config line 15: Applying options for remotehostname
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to remotehostname [00:00:00:00] port 22.
debug1: Connection established.
debug1: identity file /home/localuser/.ssh/id_dsa type -1
debug1: identity file /home/localuser/.ssh/id_dsa-cert type -1
debug1: identity file /home/localuser/.ssh/ssis_rsa type -1
debug1: identity file /home/localuser/.ssh/ssis_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5
debug1: match: OpenSSH_7.5 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: kex: [email protected] need=20 dh_need=20
debug1: kex: [email protected] need=20 dh_need=20
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA e7:aa:c8:d4:8b:02:58:da:64:e6:18:26:d3:be:6a:b2
debug1: Host 'remotehostname' is known and matches the ECDSA host key.
debug1: Found key in /home/localuser/.ssh/known_hosts:5
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: [email protected]
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering RSA public key: [email protected]
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering RSA public key: [email protected]
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/localuser/.ssh/id_dsa
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Received disconnect from 00:00:00:00: 2: Too many authentication failures

Answer 1

Wow. I spent hours debugging this.

So, turn on logging on the ssh server:

  • Edit /ProgramData/ssh/sshd_config
    • Make sure you have SyslogFacility LOCAL0
    • Make sure you have LogLevel DEBUG3
  • Restart the OpenSSH SSH Server service
    • Command line:
      C:> net stop sshd
      C:> net start sshd
    • GUI: a quick way to get to Services is to press Windows+R and type services.msc into the Run dialog that appears.

Now you will find full debug output being written to /ProgramData/ssh/logs/sshd.log. After an attempt to ssh into the machine, just look at the log file.

I had two problems:

Problem 1: the right authorized_keys file

The debug log said:

2019-03-08 … debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys

Ah, so it is not .ssh/authorized_keys then. I am in the administrators group, and sshd_config has a special stanza for all of us. I copied the contents of .ssh/authorized_keys into /ProgramData/ssh/administrators_authorized_keys and restarted the server.

Problem 2: loose permissions

Now I had

2019-03-08 … debug3: Bad permissions. Try removing permissions for user: S-1-9-22 on file C:/ProgramData/ssh/administrators_authorized_keys.

icacls:

C:\ProgramData\ssh> icacls administrators_authorized_keys
administrators_authorized_keys NT AUTHORITY\SYSTEM:(F)
                           BUILTIN\Administrators:(F)
                           NT AUTHORITY\SYSTEM:(I)(F)
                           BUILTIN\Administrators:(I)(F)
                           NT AUTHORITY\Authenticated Users:(I)(RX)

Lots of permissions are inherited from the folder and its parents (that is what the (I) means). Remove the inheritance; /inheritance:r is your friend.

C:\ProgramData\ssh> icacls administrators_authorized_keys /inheritance:r
processed file: administrators_authorized_keys
Successfully processed 1 files; Failed processing 0 files

Now it looks good:

C:\ProgramData\ssh> icacls administrators_authorized_keys
administrators_authorized_keys NT AUTHORITY\SYSTEM:(F)
                           BUILTIN\Administrators:(F)

So I restarted the server and now it works again. Phew.

Don't forget to undo the LogLevel and SyslogFacility changes in sshd_config.

Edit

Of course, none of this detective work would have been needed had I known where the file was. See

https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_server_configuration

Sigh.
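The steps in this answer (enable DEBUG3 logging, work out which authorized_keys file sshd will actually consult for the account, and reset the ACL on administrators_authorized_keys to the SYSTEM plus Administrators set the answer ended up with), gathered into one PowerShell script. This is an added example, not code from this thread or from the Win32-OpenSSH project. It assumes the stock sshd_config with the trailing Match Group administrators stanza, the %ProgramData%\ssh layout, an elevated prompt, and that the account is a direct member of the local Administrators group; the function names are mine.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread or from Win32-OpenSSH itself).
# Assumes: stock sshd_config with the trailing
#   Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
# stanza, files under %ProgramData%\ssh, and an elevated PowerShell prompt.
param(
    [string]$User = $env:USERNAME,
    [string]$SshdConfig = "$env:ProgramData\ssh\sshd_config"
)

function Enable-SshdDebugLog([string]$ConfigPath) {
    # Same effect as editing SyslogFacility/LogLevel by hand; keeps a backup
    # so the change can be reverted once the problem is found.
    Copy-Item $ConfigPath "$ConfigPath.bak" -Force
    $text = Get-Content $ConfigPath -Raw
    foreach ($kv in @(@('SyslogFacility', 'LOCAL0'), @('LogLevel', 'DEBUG3'))) {
        $key, $val = $kv
        # Matches the live line or the commented-out default ("#LogLevel INFO").
        $rx = [regex]"(?m)^[ \t]*#?[ \t]*$key\b[^\r\n]*"
        if ($rx.IsMatch($text)) { $text = $rx.Replace($text, "$key $val", 1) }
        else { $text += "`r`n$key $val`r`n" }
    }
    # Write ASCII explicitly: Windows PowerShell's ">" would produce UTF-16.
    Set-Content -Path $ConfigPath -Value $text -Encoding Ascii
    Restart-Service sshd
}

function Test-LocalAdministrator([string]$Name) {
    # Direct members only (a user reaching Administrators through a nested
    # domain group will not be listed); "net localgroup" exists on every
    # Windows version, unlike Get-LocalGroupMember.
    $members = net localgroup Administrators |
        Select-Object -Skip 6 |
        Where-Object { $_ -and $_ -notmatch '^The command completed' }
    foreach ($m in $members) {
        if ($m -ieq $Name -or $m -imatch ('\\' + [regex]::Escape($Name) + '$')) { return $true }
    }
    return $false
}

function Test-AdminStanzaActive([string]$ConfigPath) {
    # An uncommented "Match Group administrators" line sends every
    # administrator to administrators_authorized_keys, whatever is in
    # %USERPROFILE%\.ssh\authorized_keys.
    return [bool](Select-String -Path $ConfigPath -Pattern '^\s*Match\s+Group\s+administrators' -Quiet)
}

function Get-EffectiveAuthorizedKeys([string]$Name, [string]$ConfigPath) {
    if ((Test-LocalAdministrator $Name) -and (Test-AdminStanzaActive $ConfigPath)) {
        return "$env:ProgramData\ssh\administrators_authorized_keys"
    }
    return "$env:SystemDrive\Users\$Name\.ssh\authorized_keys"
}

function Repair-AdminKeysAcl([string]$Path) {
    # sshd rejects the file while any principal beyond SYSTEM and
    # Administrators can read it, and folder inheritance normally adds
    # Authenticated Users:(RX). Strip inheritance, then grant exactly the two.
    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    icacls $Path /inheritance:r | Out-Null
    icacls $Path /grant 'SYSTEM:(F)' | Out-Null
    icacls $Path /grant 'BUILTIN\Administrators:(F)' | Out-Null
    # Anything still present is an explicit ACE that predates the reset.
    foreach ($ace in (Get-Acl $Path).Access) {
        $id = $ace.IdentityReference.Value
        if ($allowed -notcontains $id) { icacls $Path /remove $id | Out-Null }
    }
    $left = (Get-Acl $Path).Access | Where-Object { $allowed -notcontains $_.IdentityReference.Value }
    if ($left) { throw "ACL on $Path still grants: $(($left.IdentityReference.Value) -join ', ')" }
}

Enable-SshdDebugLog -ConfigPath $SshdConfig
$keysFile = Get-EffectiveAuthorizedKeys -Name $User -ConfigPath $SshdConfig
Write-Host "sshd will look up ${User}'s keys in $keysFile"
if ((Split-Path $keysFile -Leaf) -eq 'administrators_authorized_keys' -and (Test-Path $keysFile)) {
    Repair-AdminKeysAcl -Path $keysFile
    Restart-Service sshd
}
Write-Host "Now attempt the connection and read $env:ProgramData\ssh\logs\sshd.log"
```

Run it as the administrator account that will be logging in, attempt the ssh connection, then read sshd.log; when finished, restore sshd_config from the .bak copy so the server is not left at DEBUG3.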

Answer 2

Just wanted to add a few brief notes to complement @bobbogo's excellent answer.

Per: https://github.com/PowerShell/Win32-OpenSSH/wiki/Security-protection-of-various-files-in-Win32-OpenSSH#administrators_authorized_keys

I was able to push my private key to a workgroup (non-domain-joined) workstation:

:From WSL(linux) --> Win10 machine
scp ./my/public/key someadmin@somedesktop:'C:\ProgramData\ssh\administrators_authorized_keys'

Then I ran the following over WinRM/PSRemoting (though ssh with a password would probably work too):

PS C:\> cd C:\programdata\ssh

PS C:\programdata\ssh>icacls administrators_authorized_keys /inheritance:r
PS C:\programdata\ssh>icacls administrators_authorized_keys /grant SYSTEM:`(F`)
PS C:\programdata\ssh>icacls administrators_authorized_keys /grant BUILTIN\Administrators:`(F`)

PS C:\programdata\ssh>net stop sshd
PS C:\programdata\ssh>net start sshd

After that I was able to ssh in with key auth as expected.

Note: since this machine is not domain-joined, on the first attempt I lost access, because the first command removed inheritance, which took away my 1909 OOBE administrator's permissions on the administrators_authorized_keys file. Granting the permissions afterwards and restarting the service made it work as expected.

Answer 3

Modify the sshd config (C:\ProgramData\ssh\sshd_config)

Comment out these lines (they should be the last lines of sshd_config):

#Match Group administrators
#    AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

After that, add your public key to __HOME__/.ssh/authorized_keys as usual.

Answer 4

In addition to the other answers, I just found another "gotcha" worth adding to this thread: if you try to create the file in PowerShell/CMD the way you would in Linux (e.g. echo "mypublickeyoisjoisjsfsj" > admin_authorized_keys), this creates a UTF-16 encoded file. sshd, however, needs UTF-8, so even though the file looks perfectly fine you will get an "RSA key not allowed" warning.

If you have a GUI, you can check the encoding in the bottom right corner of Notepad. If it shows UTF-16, you need to correct the encoding (the easiest way is to delete the file and save a fresh one from Notepad).

Thanks to this comment for helping us figure it out: https://github.com/PowerShell/Win32-OpenSSH/issues/1434#issuecomment-522658936
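A check for the encoding problem described here, as an added example (not from this answer or from the Win32-OpenSSH project): it inspects the raw bytes of the file, rewrites a UTF-16 file as UTF-8 without a BOM, and then validates every key line by decoding its base64 blob, since an OpenSSH public key blob begins with a length-prefixed copy of the key type string. The default administrators_authorized_keys location and the function names are my own assumptions.

```powershell
# Added example (not from the thread or from Win32-OpenSSH). Detects the
# UTF-16 file that Windows PowerShell 5.1's ">" redirection produces,
# rewrites it as BOM-less UTF-8, and sanity-checks each key line: a valid
# OpenSSH public key blob starts with a big-endian uint32 length followed
# by the same key-type string that appears as the line's first field.
param([string]$Path = "$env:ProgramData\ssh\administrators_authorized_keys")

function Get-EncodingGuess([byte[]]$Bytes) {
    if ($Bytes.Length -ge 2 -and $Bytes[0] -eq 0xFF -and $Bytes[1] -eq 0xFE) { return 'UTF-16LE (BOM)' }
    if ($Bytes.Length -ge 2 -and $Bytes[0] -eq 0xFE -and $Bytes[1] -eq 0xFF) { return 'UTF-16BE (BOM)' }
    if ($Bytes.Length -ge 3 -and $Bytes[0] -eq 0xEF -and $Bytes[1] -eq 0xBB -and $Bytes[2] -eq 0xBF) { return 'UTF-8 (BOM)' }
    # Key lines are pure ASCII; any NUL byte means a 16-bit encoding without a BOM.
    if ($Bytes -contains 0) { return 'UTF-16 (no BOM)' }
    return 'ASCII/UTF-8'
}

function Repair-Utf8([string]$File) {
    $bytes = [IO.File]::ReadAllBytes($File)
    $guess = Get-EncodingGuess $bytes
    if ($guess -eq 'ASCII/UTF-8') { return $guess }
    # ReadAllText honours a BOM; for a BOM-less 16-bit file assume little-endian.
    $text = if ($guess -eq 'UTF-16 (no BOM)') { [Text.Encoding]::Unicode.GetString($bytes) }
            else { [IO.File]::ReadAllText($File) }
    Copy-Item $File "$File.bak" -Force
    # Overwrite in place so the file keeps the ACL that sshd already accepts.
    [IO.File]::WriteAllText($File, $text, (New-Object Text.UTF8Encoding($false)))
    return $guess
}

function Test-AuthorizedKeyLine([string]$Line) {
    $fields = $Line.Trim() -split '\s+'
    # Skip an optional options field such as from="..." or no-pty.
    $i = 0
    while ($i -lt $fields.Count -and $fields[$i] -notmatch '^(ssh-|ecdsa-|sk-)') { $i++ }
    if ($i + 1 -ge $fields.Count) { return $false }
    $type = $fields[$i]
    try { $blob = [Convert]::FromBase64String($fields[$i + 1]) } catch { return $false }
    if ($blob.Length -lt 4) { return $false }
    $len = [BitConverter]::ToUInt32([byte[]]$blob[3..0], 0)   # big-endian length prefix
    if ($len -gt 64 -or $blob.Length -lt 4 + $len) { return $false }
    $embedded = [Text.Encoding]::ASCII.GetString($blob, 4, [int]$len)
    return $embedded -eq $type
}

$was = Repair-Utf8 $Path
Write-Host "$Path was $was"
$n = 0
foreach ($line in Get-Content $Path) {
    if (-not $line.Trim() -or $line -match '^\s*#') { continue }
    $n++
    if (-not (Test-AuthorizedKeyLine $line)) {
        Write-Warning "line $n is not a valid public key line: $($line.Substring(0, [Math]::Min(30, $line.Length)))..."
    }
}
# To append a key from Windows PowerShell without recreating the problem,
# name the encoding instead of relying on ">":
#   Add-Content -Path $Path -Encoding Ascii -Value (Get-Content .\id_rsa.pub)
```

The UTF-16 trap is specific to Windows PowerShell 5.1, where `>` and `Out-File` default to UTF-16LE; PowerShell 7 writes UTF-8 without a BOM, so the same one-liner there produces a file sshd accepts.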
