'Server refused our key' upon attempted connection to Windows Server

I'm attempting to use PuTTY to securely connect my remote desktop from my laptop to my desktop computer, and so far I have been successful in tunneling through the proper ports WITHOUT A KEY, just by using my username and password. These are both Windows machines, running Windows 10.

I generated a key using PuTTYGen, and each time I would copy and paste the public key into C:\Users\Chris\.ssh\authorized_keys (on the server) like so:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQBl8kTxv8cxW5tSvNjId+qrype1ZA+zEO3Qag+BHhlMvvtrx/faZp8XMXbSqulZVqXNFnN0ADAaAv2hMltP+rft4R8X9qaJSIlYdPo8F3BmV5G2mu+AQKnOrGooLfwc2oa4qOfHJMqzciFqVVTAOjo3BQ3ZtZnN23os1WfiRCcwlNZgrRlgpUPkA/CgaWTDnlDpxvNZp3fVia8pDvLlqVIIn+Fu7UEJi/pNDUiexrky7nR0JzIL3ZAPAu6U26WLJA7fYw7nlySzz/BuxiPyIzeRT+qiHQuwf2yOkCXNIeQQjgLsbw0eS67TWC7pa6NbLa0KqmgDChdSNsSB5aKTMh3T rsa-key-20190410

Then, on the client, I select the private key file in Settings > Connection > SSH > Auth > Private key file for Authentication > C:\Users\Chris\Desktop\SSH-KEY\key1.ppk

I have double and triple checked: the public key that I pasted into authorized_keys corresponds to the private key that is loaded into PuTTY.

When I attempt to connect the session, I get this error:

Using username "Chris".
Server refused our key
[email protected]'s password:

I am able to find no further documentation or error codes.

There is no log file present, but when I enabled logging manually and opened it up after connection, this was present in the file for the client:

Using username "Chris".
Server refused our key
[email protected]'s password:

I have tried both using Chris and chris, in addition to generating and using key pairs generated from the server, and from the client.

I later found an additional log file for the server in C:\ProgramData\ssh\logs\sshd.log:

1184 2019-04-10 12:38:48.995 Server listening on :: port 22.
1184 2019-04-10 12:38:48.995 Server listening on 0.0.0.0 port 22.
13568 2019-04-10 12:39:00.943 Authentication refused.
13568 2019-04-10 12:39:04.395 Connection closed by authenticating user chris my.pub.lic.ip port 54460 [preauth]

I've seen several suggestions about using chmod, and checking /var/log/secure, both of which are useless to me as they are linux commands and directories, and both of these machines are Windows.

I'll admit: I've kind of been losing my marbles over this. I'm doing everything that every tutorial anywhere suggests, and nothing is working.


Solution 1:

I think I'm facing the same problem... Any luck since then? Have you found the reason/solution?

EDIT:

OK, I found the cause of the issue on my side... It could be the same for you too, Chris, if you're SSH'ing with an administrator account:

Actually, a comment in this post pointed out to the issue: https://stackoverflow.com/questions/20864224/putty-getting-server-refused-our-key-error

"the main fact that as an Administrator there is a bug that only looks in the administrators_authorized_keys file and not the expected Users .ssh folder for authorized_keys (everybody's point of grief running sshd on Windows)"

Solution:

At the end / bottom of the sshd_config file that's in %programdata%\ssh you need to comment out (or remove) the last two lines:

Match Group Administrators
    AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

The SSH server needs to be restarted to take it into account.

Another (maybe more secure) way would be to create such "administrators_authorized_keys" file under %programdata%\ssh and add the clients' public keys in there in those are indeed admin users.

Solution 2:

I had the same issue. In short, this resulted from two separate "misconfigurations" from my side.

  1. You need to use the "administrators_authorized_keys" in the case of an admin user.
  2. The authorized_keys file needs to be of specific permissions to be used.

Make sure to create the file:

%PROGRAMDATA%\ssh\administrators_authorized_keys

Insert your SSH public key into it, and then make sure it has the right permissions by running the following command in powershell:

icacls.exe "C:\ProgramData\ssh\administrators_authorized_keys" /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"

This seems to have solved the problem for me. Assuming your user isn't an admin user, try only the permission part on your authorized_keys file. Perhaps it will solve it.

This solution is based on https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement under the "Administrative User" part