sshd refuses public key even though matched in authorized_keys

I'm using OpenSSH for Windows (32-bit), and have set up sshd for public key authentication. I'm quite positive all file permissions are set correctly, and I've added the correct public key to the authorized_keys file. However, when the client tries to authenticate its public key, it fails. Debug output is as follows (public key replaced with xxxxxxx):

debug1: userauth-request for user X service ssh-connection method publickey
debug1: attempt 2 failures 0
debug2: input_userauth_request: try method publickey
debug3: userauth_pubkey: have signature for RSA SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
debug1: trying public key file C:\\Users\\X\\authorized_keys
debug1: matching key found: file C:\\Users\\X\\authorized_keys, line 2 RSA SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
debug3: socket:0, socktype:1, io:00986788, fd:3
debug3: unable to connect to pipe \\\\.\\pipe\\openssh-ssh-agent, error: 2
debug3: close - io:00986788, type:2, fd:3, table_index:3
debug1: get_priv_agent_sock: unable to connect to privileged agent, errno:2
debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512
Failed publickey for X from ::1 port 63175 ssh2: RSA SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive"

I wonder if the unable to connect to pipe \\\\.\\pipe\\openssh-ssh-agent, error: 2 might be the cause of this. If it is - is there a way to disable this functionality, and just use the authorized_keys?

EDIT: Turns out that the unable to connect to pipe \\\\.\\pipe\\openssh-ssh-agent, error: 2 error has disappeared by using Jakuje's suggestion, however the public key authentication still fails with:

Failed publickey for X from ::1 port 63175 ssh2: RSA SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive"

EDIT2: It might be worth mentioning that I don't run a typical setup. The OpenSSH executables, config files and keyfiles are not located in the user's home directory, but in the user's ProgramData directory.


Solution 1:

debug3: unable to connect to pipe \\\\.\\pipe\\openssh-ssh-agent, error: 2
debug3: close - io:00986788, type:2, fd:3, table_index:3
debug1: get_priv_agent_sock: unable to connect to privileged agent, errno:2

The key is found, but the server needs to contact the authentication agent to create your session. It either did not start or failed. You can try to find it, restart the sshd server and so on. What all the Windows modifications are and do is discussed in this pull request:

https://github.com/openssh/openssh-portable/pull/63

Solution 2:

This problem happened to me when I updated OpenSSH from 0.6.0 to 0.20.0 by simply overwriting the files. In fact, as pointed out by @Jakuje, there have been a few changes in the architecture and now sshd requires a separate agent, ssh-agent, which did not exist in previous versions.

You need to reinstall OpenSSH by doing:

PS C:\OpenSSH-Win64> net stop sshd

The sshd service was stopped successfully.

PS C:\OpenSSH-Win64> .\uninstall-sshd.ps1
sshd successfully uninstalled
ssh-agent service is not installed
PS C:\OpenSSH-Win64> .\install-sshd.ps1
[SC] SetServiceObjectSecurity SUCCESS
[SC] ChangeServiceConfig SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
sshd and ssh-agent services successfully installed
PS C:\OpenSSH-Win64> net start sshd

The sshd service was started successfully.

Fixing permissions using Fix{Host|User}FilePermissions.ps1 may be needed as well.
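
An added example, not part of either answer or of OpenSSH itself: a Python triage of sshd debug output that separates the failure in the original question (key matched, privileged agent unreachable) from the one left after the first EDIT (key matched, no agent error logged). The log markers are the strings quoted on this page; the verdict labels, hint texts and sample log are assumptions constructed for illustration.

```python
import re

# Markers taken from the debug lines quoted on this page; one regex so the
# scan also works when the log was pasted as a single run-together line.
EVENT = re.compile(
    r"(?P<matched>matching key found: file)"
    r"|(?P<agent>get_priv_agent_sock: unable to connect to privileged agent)"
    r"|userauth_pubkey: authenticated (?P<result>[01])"
)

# Hypothetical verdict labels; the hints restate the two answers above.
HINTS = {
    "accepted": "publickey authentication succeeded",
    "no-matching-key": "no authorized_keys entry matched the offered key",
    "agent-unreachable": "key matched, privileged agent unreachable: "
                         "check that the ssh-agent service is installed and running",
    "matched-but-rejected": "key matched, no agent error logged: cause not in "
                            "these lines; try the Fix*FilePermissions.ps1 scripts",
}

def diagnose(log_text):
    """Return one verdict per publickey attempt in sshd debug output."""
    verdicts, matched, agent_failed = [], False, False
    for ev in EVENT.finditer(log_text):
        if ev["matched"]:
            matched = True
        elif ev["agent"]:
            agent_failed = True
        elif ev["result"] == "1":
            verdicts.append("accepted")
            matched = agent_failed = False
        else:  # authenticated 0: classify from what this attempt logged
            if not matched:
                verdicts.append("no-matching-key")
            elif agent_failed:
                verdicts.append("agent-unreachable")
            else:
                verdicts.append("matched-but-rejected")
            matched = agent_failed = False
    return verdicts

# Constructed sample modelled on the question's output (fingerprint shortened).
SAMPLE = r"""debug1: matching key found: file C:\\Users\\X\\authorized_keys, line 2 RSA SHA256:xxxx
debug3: unable to connect to pipe \\\\.\\pipe\\openssh-ssh-agent, error: 2
debug1: get_priv_agent_sock: unable to connect to privileged agent, errno:2
debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512
debug1: matching key found: file C:\\Users\\X\\authorized_keys, line 2 RSA SHA256:xxxx
debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512"""

if __name__ == "__main__":
    for verdict in diagnose(SAMPLE):
        print(verdict, "->", HINTS[verdict])
```

Run it against the output of sshd started in debug mode; each verdict corresponds to one `userauth_pubkey: authenticated` line in the log.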