Logging into Windows 10 OpenSSH server with Administrator account and public key

I am unable to log into a Windows 10 OpenSSH Server from a CentOS OpenSSH client via public key. My password is always requested (and is accepted).

I've found many posts about setting the permissions properly on the server side for:

  • Directory C:\Users\username\.ssh
  • File C:\Users\username\.ssh\authorized_keys

I believe I've done everything required in terms of permissions. But to rule a permissions problem out, I set StrictModes=no on the server as a test and restarted the server. I found that I still must enter my password.

What else might be preventing me from logging in via public key?


Solution 1:

Your comments and requests for relevant information led me to the answer. In case anybody else hits this, the problem was...

My user is an administrator, and the following appears in sshd_config:

    Match Group administrators
           AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

So, by placing my public key in my own user's .ssh/authorized_keys, it was not getting picked up. Once I placed it in the file called out in sshd_config, things worked fine.

Solution 2:

    Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

I just ended up #commenting out these two lines in sshd_config. It was driving me UP THE WALL trying to figure out why none of the keys were being accepted.

If you comment them out, it will just use the keys in your %User%/.ssh folder, like every other SSH program in existence.

I literally spent 4 hours trying to figure out why it wasn't accepting my keys. I'm so mad at those two lines of code right now.

Solution 3:

To resolve this for me, I needed to use Martin's answer and Nick's comment. So the final solution was

    StrictModes no
    Match Group administrators
           AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

in sshd_config

EDIT: As Martin pointed out, there are security risks to this. StrictModes is there to protect your system when it is deemed that certain file permissions are too relaxed, and so this setting is there as an added security measure. Here's a good article explaining it:

https://www.ibm.com/support/knowledgecenter/SS7K4U_liberty/com.ibm.websphere.wlp.zseries.doc/ae/tagt_wlp_collective_zos_ssh.html

In my case, this config is for a test automation server with no critical data on it that runs for less than 15 minutes at a time, a couple of times a week.
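
The approach from Solution 1, with the key file's ACL tightened instead of turning StrictModes off, as an added PowerShell example that is not part of any answer above. It assumes the default sshd_config with the `Match Group administrators` block, user profiles under C:\Users, and an elevated session; the parameter names are illustrative.

```powershell
# Added example: run in an elevated PowerShell session on the OpenSSH server.
param(
    [string]$UserName = $env:USERNAME,   # account that will log in over SSH
    [string]$PublicKeyPath = ''          # optional .pub file to install (hypothetical parameter)
)

# Direct membership of the local Administrators group (well-known SID S-1-5-32-544).
# Membership through nested domain groups is not resolved here.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'
$isAdmin = [bool](Get-LocalGroupMember -Group $adminGroup |
    Where-Object { $_.Name -like "*\$UserName" })

# With the default "Match Group administrators" block, administrators get the shared file.
# Assumption: user profiles live under C:\Users, as in the question.
$keyFile = if ($isAdmin) {
    Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
} else {
    Join-Path "C:\Users\$UserName" '.ssh\authorized_keys'
}
Write-Output "sshd reads keys for $UserName from: $keyFile"

# Append the key as ASCII, avoiding the UTF-16 output of ">" in Windows PowerShell 5.1.
if ($PublicKeyPath) {
    $key = (Get-Content -Path $PublicKeyPath -Raw).Trim()
    Add-Content -Path $keyFile -Value $key -Encoding ascii
}

if ($isAdmin -and (Test-Path $keyFile)) {
    # Remove inherited ACEs and grant full control only to Administrators and SYSTEM,
    # addressed by SID so the command also works on non-English Windows.
    icacls.exe $keyFile /inheritance:r /grant '*S-1-5-32-544:F' /grant '*S-1-5-18:F'

    # Report any explicit ACE that remains for another principal.
    $allowed = 'S-1-5-32-544', 'S-1-5-18'
    $extra = (Get-Acl -Path $keyFile).Access | Where-Object {
        $_.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value -notin $allowed
    }
    if ($extra) {
        $extra | Format-Table IdentityReference, FileSystemRights, AccessControlType
    } else {
        Write-Output 'ACL is restricted to Administrators and SYSTEM.'
    }
}
```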