AW: AW: OpenSSH public key authentication does not work from Windows client if private key was added to SSH agent

Damien Miller djm at mindrot.org
Mon Jun 24 22:43:05 AEST 2019


Here's the failure:

debug3: mm_answer_keyverify: publickey 000002179BBC60C0 signature unverified

This indicates that your ssh-agent is returning a bad signature for some
reason. I guess you using the Microsoft OpenSSH for Windows port, so I suggest
you file an issue with them https://github.com/PowerShell/Win32-OpenSSH/issues

You might want to try the latest 8.0.0 version from them first though.

On Mon, 24 Jun 2019, Steinforth, Patrick wrote:

> Hi,
> 
> I pasted two server connection logs at https://pastebin.com/vJb5tnTL. First a successful one and second an unsuccessful one.
> 
> Patrick
> 
> -----Ursprüngliche Nachricht-----
> Von: Damien Miller <djm at mindrot.org>
> Gesendet: Samstag, 22. Juni 2019 10:43
> An: Steinforth, Patrick <Steinforth at osnabrueck.de>
> Cc: openssh-unix-dev at mindrot.org
> Betreff: Re: AW: OpenSSH public key authentication does not work from Windows client if private key was added to SSH agent
> 
> I don't understand why the server is rejecting the key; from the perspective of the client, it tried to use the key in both cases and the only difference visible from the client is that it was unsuccessful in the case where the agent was used.
> 
> Are you able to obtain logs from the server? It might offer some clue - try to run the server in debug mode if you can "sshd -ddd"
> 
> Also, it seems that you're using OpenSSH for Windows. You should check with the Microsoft developers first for that product.
> 
> -d
> 
> On Fri, 21 Jun 2019, Steinforth, Patrick wrote:
> 
> > Hey Damien,
> >
> > thank you for your reply. I posted the debug information at https://pastebin.com/40esNPED and replaced some sensitive information before (usernames, servernames, domainnames, IP addresses). In addition I commented some lines with a message like "### <my message> ###".
> >
> > Patrick
> >
> > -----Ursprüngliche Nachricht-----
> > Von: Damien Miller <djm at mindrot.org>
> > Gesendet: Freitag, 21. Juni 2019 06:40
> > An: Steinforth, Patrick <Steinforth at osnabrueck.de>
> > Cc: openssh-unix-dev at mindrot.org
> > Betreff: Re: OpenSSH public key authentication does not work from
> > Windows client if private key was added to SSH agent
> >
> > On Wed, 19 Jun 2019, Steinforth, Patrick wrote:
> >
> > > Hey guys,
> > >
> > > I installed OpenSSH 7.9p1 on Windows Server 2016 and generated a SSH key pair with ssh-keygen on my Windows 10 Client (OpenSSH 7.6p1). I can connect to the server with "ssh user at domain@servername -i id_rsa". But as soon as I add the private key to the SSH agent by "ssh-add id_rsa" this does not work anymore and aborts with the message "Permission denied (publickey,keyboard-interactive)". The ssh command without "-i id_rsa" leads to the same error. As soon as I remove the private key from the ssh agent, public key authentication works again like a charm.
> > > If I add the public key on my Ubuntu Server 18.04 LTS to the SSH agent and establish a connection, this works without any problems. SSH client version on Ubuntu is also OpenSSH 7.6p1.
> > > I noticed further, if I add my key id_rsa to the SSH agent on Windows and copy the key file to id_rsa_new the connection can be established by "ssh user at domain@servername -i id_rsa_new" without any problems, but not with "-i id_rsa".
> > > I think this is strange and not the expected behavior. Any ideas what's wrong?
> >
> > Could you send the output of ssh with debugging enabled for both a working and failing connection? I.e. "ssh -vvv host"
> >
> > It should show what is going on.
> >
> > -d
> >
> > Ich weise Sie darauf hin, dass Ihnen gem. Art. 13
> > Datenschutz-Grundverordnung verschiedene Rechte als betroffene Person bei der Verarbeitung von personenbezogenen Daten durch die Stadt Osnabrück zustehen. Eine ausführliche Information, welche Rechte dies im Einzelnen sind und wie Ihre Daten verarbeitet werden, können Sie unter folgenden Link abrufen: https://www.osnabrueck.de/datenschutz.html
> Ich weise Sie darauf hin, dass Ihnen gem. Art. 13 Datenschutz-Grundverordnung verschiedene Rechte als betroffene Person bei der Verarbeitung von personenbezogenen Daten durch die Stadt Osnabrück zustehen. Eine ausführliche Information, welche Rechte dies im Einzelnen sind und wie Ihre Daten verarbeitet werden, können Sie unter folgenden Link abrufen: https://www.osnabrueck.de/datenschutz.html


More information about the openssh-unix-dev mailing list