OpenSSH public key authentication does not work from Windows client if private key was added to SSH agent
Ron Frederick
ronf at timeheart.net
Tue Jun 25 00:18:50 AEST 2019
One problem I’m seen is that the Windows SSH agent doesn’t seem to respect the flags requesting RSA SHA-2 signatures. I had to disable the negotiation of these signature algorithms to get key negotiation to work properly with RSA keys on Windows 10 when its built-in SSH agent was used. It looks like it always returns a SHA-1 signature.
> On Jun 24, 2019, at 5:43 AM, Damien Miller <djm at mindrot.org> wrote:
>
> Here's the failure:
>
> debug3: mm_answer_keyverify: publickey 000002179BBC60C0 signature unverified
>
> This indicates that your ssh-agent is returning a bad signature for some
> reason. I guess you using the Microsoft OpenSSH for Windows port, so I suggest
> you file an issue with them https://github.com/PowerShell/Win32-OpenSSH/issues
>
> You might want to try the latest 8.0.0 version from them first though.
>
> On Mon, 24 Jun 2019, Steinforth, Patrick wrote:
>
>> Hi,
>>
>> I pasted two server connection logs at https://pastebin.com/vJb5tnTL. First a successful one and second an unsuccessful one.
>>
>> Patrick
>>
>> -----Ursprüngliche Nachricht-----
>> Von: Damien Miller <djm at mindrot.org>
>> Gesendet: Samstag, 22. Juni 2019 10:43
>> An: Steinforth, Patrick <Steinforth at osnabrueck.de>
>> Cc: openssh-unix-dev at mindrot.org
>> Betreff: Re: AW: OpenSSH public key authentication does not work from Windows client if private key was added to SSH agent
>>
>> I don't understand why the server is rejecting the key; from the perspective of the client, it tried to use the key in both cases and the only difference visible from the client is that it was unsuccessful in the case where the agent was used.
>>
>> Are you able to obtain logs from the server? It might offer some clue - try to run the server in debug mode if you can "sshd -ddd"
>>
>> Also, it seems that you're using OpenSSH for Windows. You should check with the Microsoft developers first for that product.
>>
>> -d
>>
>> On Fri, 21 Jun 2019, Steinforth, Patrick wrote:
>>
>>> Hey Damien,
>>>
>>> thank you for your reply. I posted the debug information at https://pastebin.com/40esNPED and replaced some sensitive information before (usernames, servernames, domainnames, IP addresses). In addition I commented some lines with a message like "### <my message> ###".
>>>
>>> Patrick
>>>
>>> -----Ursprüngliche Nachricht-----
>>> Von: Damien Miller <djm at mindrot.org>
>>> Gesendet: Freitag, 21. Juni 2019 06:40
>>> An: Steinforth, Patrick <Steinforth at osnabrueck.de>
>>> Cc: openssh-unix-dev at mindrot.org
>>> Betreff: Re: OpenSSH public key authentication does not work from
>>> Windows client if private key was added to SSH agent
>>>
>>> On Wed, 19 Jun 2019, Steinforth, Patrick wrote:
>>>
>>>> Hey guys,
>>>>
>>>> I installed OpenSSH 7.9p1 on Windows Server 2016 and generated a SSH key pair with ssh-keygen on my Windows 10 Client (OpenSSH 7.6p1). I can connect to the server with "ssh user at domain@servername -i id_rsa". But as soon as I add the private key to the SSH agent by "ssh-add id_rsa" this does not work anymore and aborts with the message "Permission denied (publickey,keyboard-interactive)". The ssh command without "-i id_rsa" leads to the same error. As soon as I remove the private key from the ssh agent, public key authentication works again like a charm.
>>>> If I add the public key on my Ubuntu Server 18.04 LTS to the SSH agent and establish a connection, this works without any problems. SSH client version on Ubuntu is also OpenSSH 7.6p1.
>>>> I noticed further, if I add my key id_rsa to the SSH agent on Windows and copy the key file to id_rsa_new the connection can be established by "ssh user at domain@servername -i id_rsa_new" without any problems, but not with "-i id_rsa".
>>>> I think this is strange and not the expected behavior. Any ideas what's wrong?
>>>
>>> Could you send the output of ssh with debugging enabled for both a working and failing connection? I.e. "ssh -vvv host"
>>>
>>> It should show what is going on.
>>>
>>> -d
>>>
>>> Ich weise Sie darauf hin, dass Ihnen gem. Art. 13
>>> Datenschutz-Grundverordnung verschiedene Rechte als betroffene Person bei der Verarbeitung von personenbezogenen Daten durch die Stadt Osnabrück zustehen. Eine ausführliche Information, welche Rechte dies im Einzelnen sind und wie Ihre Daten verarbeitet werden, können Sie unter folgenden Link abrufen: https://www.osnabrueck.de/datenschutz.html
>> Ich weise Sie darauf hin, dass Ihnen gem. Art. 13 Datenschutz-Grundverordnung verschiedene Rechte als betroffene Person bei der Verarbeitung von personenbezogenen Daten durch die Stadt Osnabrück zustehen. Eine ausführliche Information, welche Rechte dies im Einzelnen sind und wie Ihre Daten verarbeitet werden, können Sie unter folgenden Link abrufen: https://www.osnabrueck.de/datenschutz.html
--
Ron Frederick
ronf at timeheart.net
More information about the openssh-unix-dev
mailing list