Public Key Authentication Windows Port of OpenSSH

Wow. Just spent a couple of hours debugging this.

So, turn on logging for the ssh server:

  • Edit /ProgramData/ssh/sshd_config
    • Ensure you have SyslogFacility LOCAL0
    • Ensure you have LogLevel DEBUG3
  • Restart the OpenSSH SSH Server in Services
    • CMD:
      C:> net stop sshd
      C:> net start sshd
    • GUI: a quick way to get to Services is to press the Windows+R key combo, and enter services.msc in the resulting Run dialog.

Now you will find full debug info is being written to /ProgramData/ssh/logs/sshd.log. Just look in the log file after you have attempted to ssh into the machine.

I had two problems:

Problem 1: The correct authorized_keys file

The debug log said:

2019-03-08 … debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys

Ah, so not .ssh/authorized_keys then. I am in the Administrators group, and sshd_config has a special stanza for us folks. I copied the contents of my .ssh/authorized_keys file to /ProgramData/ssh/administrators_authorized_keys, and restarted the server.

Problem 2: Loose permissions

Now I had

2019-03-08 … debug3: Bad permissions. Try removing permissions for user: S-1-9-22 on file C:/ProgramData/ssh/administrators_authorized_keys.

icacls said

C:\ProgramData\ssh> icacls administrators_authorized_keys
administrators_authorized_keys NT AUTHORITY\SYSTEM:(F)
                           BUILTIN\Administrators:(F)
                           NT AUTHORITY\SYSTEM:(I)(F)
                           BUILTIN\Administrators:(I)(F)
                           NT AUTHORITY\Authenticated Users:(I)(RX)

There are a lot of permissions inherited from the folder and above (that's what (I) signifies). Remove the inheritance: /inheritance:r is your friend here.

C:\ProgramData\ssh> icacls administrators_authorized_keys /inheritance:r
processed file: administrators_authorized_keys
Successfully processed 1 files; Failed processing 0 files

Looks good now:

C:\ProgramData\ssh> icacls administrators_authorized_keys
administrators_authorized_keys NT AUTHORITY\SYSTEM:(F)
                           BUILTIN\Administrators:(F)

So I restarted the server, and it's working. Sheesh.

Don't forget to undo your changes to LogLevel and SyslogFacility in sshd_config.

Edit

Of course, none of this detective work would have been needed if only I had known where the docs were. See

https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_server_configuration

Sigh.
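The answer above is really a log-reading exercise: at DEBUG3 sshd.log is large, and only two lines mattered (which authorized_keys path sshd actually tried, and the "Bad permissions" complaint with its SID and file). The following is an added example, not code from bobbogo's answer or from the Win32-OpenSSH project: a PowerShell function that pulls exactly those lines out of the log and resolves the SID to an account name where Windows can. The log path is the one the answer names; the function name and the three sample log lines are my own (the samples are constructed to match the two messages quoted above, with made-up timestamps).

```powershell
# Constructed sample of a DEBUG3 sshd.log (timestamps and the third line are made up
# for the example; the first two follow the messages quoted in the answer above).
$SampleLog = @(
    '2019-03-08 11:02:17.451 debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys',
    '2019-03-08 11:02:17.452 debug3: Bad permissions. Try removing permissions for user: S-1-9-22 on file C:/ProgramData/ssh/administrators_authorized_keys.',
    '2019-03-08 11:02:17.460 debug3: mm_request_receive entering'
)

function Get-SshdKeyAuthDiagnostics {
    param(
        # Lines to scan; defaults to the live log the answer above points at.
        [string[]]$LogLines = (Get-Content -Path (Join-Path $env:ProgramData 'ssh\logs\sshd.log'))
    )
    $keyFiles = @()
    $badPerms = @()
    foreach ($line in $LogLines) {
        if ($line -match 'trying public key file (\S+)') {
            # sshd logs the __PROGRAMDATA__ token; report the path it expands to.
            $keyFiles += $Matches[1] -replace '__PROGRAMDATA__', $env:ProgramData
        }
        elseif ($line -match 'Bad permissions\. Try removing permissions for user: (\S+) on file (.+?)\.?$') {
            $sid = $Matches[1]
            # Translate the SID to an account name when Windows knows it; keep the raw SID otherwise.
            try {
                $who = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                $who = $sid
            }
            $badPerms += [pscustomobject]@{ Sid = $sid; Account = $who; File = $Matches[2] }
        }
    }
    [pscustomobject]@{ KeyFilesTried = $keyFiles; BadPermissions = $badPerms }
}

# Run over the constructed sample; drop -LogLines to scan the real sshd.log instead.
$diag = Get-SshdKeyAuthDiagnostics -LogLines $SampleLog
"sshd looked for keys in: $($diag.KeyFilesTried -join ', ')"
$diag.BadPermissions | Format-Table Sid, Account, File -AutoSize
```

The regex for the permissions line keeps the trailing full stop out of the captured path, so the File column can be passed straight to icacls. Unresolvable SIDs (the sample's S-1-9-22 is one on most machines) are reported as-is rather than aborting the scan.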


Just wanted to add some quick notes to complement @bobbogo's fantastic answer.

Per: https://github.com/PowerShell/Win32-OpenSSH/wiki/Security-protection-of-various-files-in-Win32-OpenSSH#administrators_authorized_keys

I was able to push my private key to a Workgroup (non-domain joined) workstation:

# From WSL (linux) --> Win10 machine
scp ./my/public/key someadmin@somedesktop:'C:\ProgramData\ssh\administrators_authorized_keys'

Then I ran the following via WinRM/PSRemoting (though ssh with password would probably have worked):

PS C:\> cd C:\programdata\ssh

PS C:\programdata\ssh> icacls administrators_authorized_keys /inheritance:r
PS C:\programdata\ssh> icacls administrators_authorized_keys /grant SYSTEM:`(F`)
PS C:\programdata\ssh> icacls administrators_authorized_keys /grant BUILTIN\Administrators:`(F`)

PS C:\programdata\ssh> net stop sshd
PS C:\programdata\ssh> net start sshd

I was then able to ssh with keyauth as expected.

Note: as this was not domain joined, on my first attempt I lost access, as the first command removed inheritance, which disabled my stock 1909 OOBE admin's permission to the administrators_authorized_keys file. The next two grants and restarting the service made it work as expected.
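Both answers end up at the same state: the public key in C:\ProgramData\ssh\administrators_authorized_keys, inheritance off, and only SYSTEM and BUILTIN\Administrators with full control. The note just above also shows the trap in doing that with three separate icacls calls: /inheritance:r strips every inherited ACE first, and until the explicit grants follow the file has no usable ACL. The script below is an added example, not the code of either answer or of the Win32-OpenSSH project: it builds the whole DACL in memory and applies it with one Set-Acl call, so the inheritance removal and the explicit grants land together; it also wraps the DEBUG3 logging toggle from the first answer, backing sshd_config up so the change can be reverted exactly. The function names, the sshd_config.bak backup name, the SID-based ACL check and the key path in the usage lines are my own assumptions; the paths and the target ACL are the ones both answers arrive at.

```powershell
#Requires -RunAsAdministrator
# Added example (not the code of either answer above). Assumptions: function names,
# the sshd_config.bak backup name, and the key path in the usage lines at the bottom.

$SshDir   = Join-Path $env:ProgramData 'ssh'
$KeysFile = Join-Path $SshDir 'administrators_authorized_keys'
$SshdCfg  = Join-Path $SshDir 'sshd_config'

function Enable-SshdDebugLogging {
    # Back the config up first so the DEBUG3 change can be undone exactly.
    Copy-Item -Path $SshdCfg -Destination "$SshdCfg.bak" -Force
    $lines = @(Get-Content -Path $SshdCfg)
    foreach ($pair in @(@('SyslogFacility', 'LOCAL0'), @('LogLevel', 'DEBUG3'))) {
        $name, $value = $pair
        $pattern = "^\s*#?\s*$name\b.*"
        # Rewrite an existing (possibly commented-out) directive, otherwise append one.
        if (@($lines -match $pattern).Count -gt 0) {
            $lines = $lines -replace $pattern, "$name $value"
        } else {
            $lines += "$name $value"
        }
    }
    Set-Content -Path $SshdCfg -Value $lines
    Restart-Service -Name sshd
}

function Disable-SshdDebugLogging {
    # The "don't forget to undo" step from the first answer: restore the backup.
    if (Test-Path "$SshdCfg.bak") {
        Move-Item -Path "$SshdCfg.bak" -Destination $SshdCfg -Force
        Restart-Service -Name sshd
    }
}

function Install-AdminAuthorizedKey {
    param([Parameter(Mandatory)][string]$PublicKeyPath)
    $key = (Get-Content -Path $PublicKeyPath -Raw).Trim()
    # An OpenSSH public key line starts with its key type and a base64 blob; refuse
    # anything else so a private key can never be appended here by mistake.
    if ($key -notmatch '^(ssh-|ecdsa-|sk-)\S+ [A-Za-z0-9+/=]+') {
        throw "$PublicKeyPath does not contain a single OpenSSH public key line"
    }
    $existing = if (Test-Path $KeysFile) { @(Get-Content -Path $KeysFile) } else { @() }
    if ($existing -notcontains $key) {
        # Explicit 7-bit encoding: sshd cannot parse a UTF-16 file, which some
        # PowerShell redirections produce by default.
        Add-Content -Path $KeysFile -Value $key -Encoding ascii
    }
}

function Set-AdminAuthorizedKeysAcl {
    # Build the final DACL in memory and write it in one call, so there is no window
    # in which inheritance is gone but no explicit grant exists (the lock-out above).
    $acl = Get-Acl -Path $KeysFile
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting, drop inherited ACEs
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    # Well-known SIDs rather than names, so this also works on localised Windows.
    $system = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
    $admins = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    foreach ($sid in @($system, $admins)) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $sid, 'FullControl', 'Allow'))
    }
    Set-Acl -Path $KeysFile -AclObject $acl
}

function Test-AdminAuthorizedKeysAcl {
    # The end state both answers reached: inheritance off and no ACE for anyone other
    # than SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544).
    $acl = Get-Acl -Path $KeysFile
    $allowedSids = @('S-1-5-18', 'S-1-5-32-544')
    $strangers = @($acl.Access | Where-Object {
        $allowedSids -notcontains $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    })
    return ($acl.AreAccessRulesProtected -and $strangers.Count -eq 0)
}

# Usage from an elevated PowerShell on the Windows host (key path is an assumption):
Install-AdminAuthorizedKey -PublicKeyPath "$env:USERPROFILE\.ssh\id_ed25519.pub"
Set-AdminAuthorizedKeysAcl
Restart-Service -Name sshd
if (-not (Test-AdminAuthorizedKeysAcl)) { throw "ACL on $KeysFile is still not SYSTEM/Administrators only" }
icacls.exe $KeysFile
```

Run Enable-SshdDebugLogging only while you are actually chasing a failure, and Disable-SshdDebugLogging afterwards; the backup/restore pair puts sshd_config back byte for byte instead of guessing at the original LogLevel and SyslogFacility values. Test-AdminAuthorizedKeysAcl compares SIDs rather than the display names icacls prints, which is what you want on a non-English Windows or a workgroup box where account names differ from the defaults.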