当前位置:theitroad>使用公钥身份验证为 Windows 设置 OpenSSH

使用公钥身份验证为 Windows 设置 OpenSSH

声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow 原文地址: http://stackoverflow.com/questions/16212816/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

提示:将鼠标放在中文语句上可以显示对应的英文。显示中英文
时间:2020-09-09 10:27:56  来源:igfitidea点击:

Setting up OpenSSH for Windows using public key authentication

windowssshpublic-key-encryptionopensshpublic-key

提问by Cambolie

I am having issues setting up OpenSSH for Windows, using public key authentication.

我在使用公钥身份验证为 Windows 设置 OpenSSH 时遇到问题。

I have this working on my local desktop and can ssh with a key from Unix machines or other OpenSSH for Windows machines.

我在我的本地桌面上有这个工作,并且可以使用来自 Unix 机器或其他用于 Windows 机器的 OpenSSH 的密钥 ssh。

I have replicated the build onto a server, I can get password authentication working fine, but when I use the keys I get the following issue:

我已将构建复制到服务器上,密码身份验证可以正常工作,但是当我使用密钥时,出现以下问题:

debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /cygdrive/c/sshusers/jsadmint2232/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
Connection closed by 127.0.0.1

So for the purposes of testing, I have been just trying to SSH to localhost, but even when tried remotely I get the same issue.

因此,出于测试目的,我只是尝试通过 SSH 连接到 localhost,但即使远程尝试,我也遇到了同样的问题。

Even more strange, is that when I have both password & public key enabled in sshd_config, it will only attempt to use keys and then bomb out with the above message and won't even try to use password.

更奇怪的是,当我同时启用密码和公钥时sshd_config,它只会尝试使用密钥,然后用上述消息轰炸,甚至不会尝试使用密码。

Here are the steps I have taken:

以下是我采取的步骤:

  1. Install OpenSSH for Windows
  2. mkgroup -l >>..\etc\group (added local groups)
  3. mkgroup -d >>..\etc\group (added domain groups)
  4. mkpasswd -L -u openssh >>..\passwd (added my local user)
  5. mkpasswd -D -u jsadmint2232 >>..\passwd (added my domain user)
  6. Edited the homedir in passwd to point to c:\sshusers\%USER% - where %USER% is the user name
  7. Enabled password auth, disabled key auth
  8. Created ssh keys for both jsadmint2232 / openssh and ensured that the files were created in homedirs
  9. Added authorized_keys files into .ssh dirs for each user and added keys for incoming connecting users
  10. net stop opensshd / net start opensshd
  11. Test Password auth works both locally and remotely
  12. Updated sshd_config, to enabled key auth - restart opensshd
  13. Test connection and get above error, also doesn't even try password auth?
  14. Updated sshd_config, to disable password auth completely - restart opensshd
  15. Test connection and still get above error
  1. 为 Windows 安装 OpenSSH
  2. mkgroup -l >>..\etc\group(添加本地组)
  3. mkgroup -d >>..\etc\group(添加域组)
  4. mkpasswd -L -u openssh >>..\passwd(添加了我的本地用户)
  5. mkpasswd -D -u jsadmint2232 >>..\passwd(添加了我的域用户)
  6. 将 passwd 中的 homedir 编辑为指向 c:\sshusers\%USER% - 其中 %USER% 是用户名
  7. 启用密码验证,禁用密钥验证
  8. 为 jsadmint2232 / openssh 创建了 ssh 密钥,并确保文件是在 homedirs 中创建的
  9. 将authorized_keys 文件添加到每个用户的.ssh 目录中,并为传入的连接用户添加密钥
  10. 净停止 opensshd / 净启动 opensshd
  11. 测试密码身份验证在本地和远程均可使用
  12. 更新了 sshd_config,以启用密钥身份验证 - 重新启动 opensshd
  13. 测试连接并得到上述错误,甚至不尝试密码验证?
  14. 更新了 sshd_config,以完全禁用密码验证 - 重新启动 opensshd
  15. 测试连接仍然出现上述错误

It appears the server is killing the connection for some reason?

服务器似乎出于某种原因正在终止连接?

采纳答案by Cambolie

I have solved the issue...

我已经解决了这个问题...

It is related to the account that started the service - its was using the Local System account - this was stopping it accessing the pub key and authorized_keys file.

它与启动服务的帐户有关 - 它正在使用本地系统帐户 - 这阻止它访问 pub key 和 authorized_keys 文件。

Once I stopped the service and started as the user I was trying to connect into, it worked!

一旦我停止服务并以我试图连接的用户身份启动,它就起作用了!

So basically, you need to start with a service account and then external users connect in as that user.

所以基本上,您需要从服务帐户开始,然后外部用户以该用户身份连接。

回答by n0rd

Following are setup steps for OpenSSH shipped with Windows 10 v.1803 (April 2018 update. See comments to this post, it might not work with 1809).

以下是 Windows 10 v.1803(2018 年 4 月更新。请参阅此帖子的评论,它可能不适用于 1809)的 OpenSSH 的设置步骤。

Server setup (elevated powershell):

服务器设置(提升的 powershell):

  1. Install OpenSSH server: Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0.

  2. Start agent and sshd services: Start-Service ssh-agent; Start-Service sshd(this will generate host keys and default configuration automatically in $env:ProgramData\ssh).

  3. [Optional] Install OpenSSHUtils powershell module: Install-Module -Force OpenSSHUtils

  1. 安装 OpenSSH 服务器:Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0.

  2. 启动代理和 sshd 服务:(Start-Service ssh-agent; Start-Service sshd这将在 中自动生成主机密钥和默认配置$env:ProgramData\ssh)。

  3. [可选] 安装 OpenSSHUtils powershell 模块: Install-Module -Force OpenSSHUtils

Client setup (non-elevated powershell):

客户端设置(非提升的 powershell):

  1. Generate user key: cd $env:USERPROFILE\.ssh; ssh-keygen.exe, follow prompts, agree to the default suggested file location. This will create 2 files: id_rsaand id_rsa.pub;

  2. [Optional] add key to authentication agent, so you don't have to enter password each time you use it: ssh-add .\id_rsa(or whatever file was generated);

  1. 生成用户密钥:cd $env:USERPROFILE\.ssh; ssh-keygen.exe,按照提示,同意默认的建议文件位置。这将创建 2 个文件:id_rsaid_rsa.pub;

  2. [可选] 将密钥添加到身份验证代理,这样您每次使用时都不必输入密码:(ssh-add .\id_rsa或生成的任何文件);

Server setup continued (non-elevated powershell):

服务器设置继续(非提升的 powershell):

  1. Log in as a user, for which public key auth to be used
  2. cd $env:USERPROFILE; mkdir .ssh; cd .ssh; New-Item authorized_keys;
  3. Paste the contents of the id_rsa.pubfile from the client to the .ssh\authorized_keysfile from the previous step.
  4. Setup permissions properly (important!!!):
    1. Run start .to open explorer with the current folder ($env:USERPROFILE\.ssh);
    2. Right click authorized_keys, go to Properties -> Security -> Advanced
    3. Click "Disable inheritance";
    4. Choose "Convert inherited permissions into explicit permissions on this object" when prompted;
    5. (really, really important) Remove all permissions on file except for the SYSTEMand yourself. There must be exactly twopermission entries on the file. Some guides suggest running the Repair-AuthorizedKeyPermission $env:USERPROFILE\.ssh\authorized_keys- this will try to add the sshduser to the permission list and it willbreak the authentication, so, don't do that, or at least do not agree on adding the sshduser). Both SYSTEMand yourself should have full control over the file.
  5. If your Windows build is 1809 or later, it is required to comment out the following lines in C:\ProgramData\ssh\sshd_configfile. Then restart the sshdservice. 
    # Match Group administrators                                                    
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
  1. 以用户身份登录,使用公钥认证
  2. cd $env:USERPROFILE; mkdir .ssh; cd .ssh; New-Item authorized_keys;
  3. id_rsa.pub将客户端中的.ssh\authorized_keys文件内容粘贴到上一步中的文件中。
  4. 正确设置权限(重要!!!):
    1. 运行start .以使用当前文件夹 ( $env:USERPROFILE\.ssh)打开资源管理器;
    2. 右键单击authorized_keys,转到Properties -> Security -> Advanced
    3. 点击“禁用继承”;
    4. 出现提示时选择“将继承的权限转换为此对象的显式权限”;
    5. (真的,真的很重要)删除文件上的所有权限,除了SYSTEM你自己。该文件必须正好有两个权限条目。一些指南建议运行Repair-AuthorizedKeyPermission $env:USERPROFILE\.ssh\authorized_keys- 这将尝试将sshd用户添加到权限列表,并且破坏身份验证,因此,不要这样做,或者至少不同意添加sshd用户)。您SYSTEM和您都应该完全控制该文件。
  5. 如果您的 Windows 版本是 1809 或更高版本,则需要将C:\ProgramData\ssh\sshd_config文件中的以下几行注释掉。然后重启sshd服务。 
    # Match Group administrators                                                    
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Client:

客户:

  1. Run ssh <serverusername>@<serverhostname>. It should work at this point.
  1. 运行ssh <serverusername>@<serverhostname>。它应该在这一点上工作。

Tried that with Windows 10 as server and both itself and a Debian Linux as a client.

尝试使用 Windows 10 作为服务器,并将其本身和 Debian Linux 作为客户端。

回答by Dustin

If you are using mls-software.com's version of OpenSSH here is another note.

如果您使用 mls-software.com 的 OpenSSH 版本,请注意这里。

If you install using the SSHD_SERVER account and privilege separation you will be able to use public key authentication (per http://www.mls-software.com/opensshd-pki.html). However if UAC is enable you will not be successful with the install. The user(s) will not be created properly and the service will not be created. Manually trying to get these items up after the fact is very difficult. Simply disabling UAC before installation will allow the installation process to properly create the user(s) and the service. After installation you can re-enable UAC.

如果您使用 SSHD_SERVER 帐户和权限分离进行安装,您将能够使用公钥身份验证(根据http://www.mls-software.com/opensshd-pki.html)。但是,如果启用了 UAC,您将无法成功安装。将不会正确创建用户,也不会创建服务。事后手动尝试获取这些项目非常困难。在安装前简单地禁用 UAC 将允许安装过程正确创建用户和服务。安装后,您可以重新启用 UAC。

When I created the SSHD_SERVER account manually authentication succeed when using password authentication but the client termination the connection with "/bin/bash: Operation not permitted". Authentication with public keys was closed by the server (original error posted by Cambolie).

当我手动创建 SSHD_SERVER 帐户时,使用密码身份验证成功,但客户端使用“/bin/bash: Operation not allowed”终止连接。服务器关闭了使用公钥的身份验证(Cambolie 发布的原始错误)。

回答by Mikhail Orlov

I solved it by:

我通过以下方式解决了它:

  1. Installing in SSHD_SERVER + privilege separation mode. I also set privilege separation to "yes" in the config manually. This didn't work for me for a lot time, the user didn't get created. Then it worked, I don't know why. I only went to user accounts in control panel to check that UAC is off. I also had /var/empty with full access for everyone.
  2. For C:\openssh\var\empty I've set "attributes get/set" permissions to Everyone and myself and "full" permissions to .\sshd_server. I also made it the owner.
  1. 以SSHD_SERVER+权限分离模式安装。我还在配置中手动将权限分离设置为“是”。这对我不起作用很长时间,用户没有被创建。然后它起作用了,我不知道为什么。我只去控制面板中的用户帐户检查 UAC 是否关闭。我也有/var/empty,每个人都可以完全访问。
  2. 对于 C:\openssh\var\empty,我已将“属性获取/设置”权限设置为每个人和我自己,并将“完全”权限设置为 .\sshd_server。我也把它变成了主人。

回答by BSalita

I've thoroughly tested n0rd's solution on multiple Windows Pro 1809 and 2004 computers. I concur with most of his steps.

我已经在多台 Windows Pro 1809 和 2004 计算机上彻底测试了 n0rd 的解决方案。我同意他的大部分步骤。

Server setup (elevated powershell): Agree with all.

Client setup (non-elevated powershell): Agree with all.

Server setup continued (non-elevated powershell): Steps 1,2,3: Agree

Server setup continued (non-elevated powershell): Step 4: Do NOT perform anything in step 4.

Server setup continued (non-elevated powershell): Step 5: Agree

Server setup continued (non-elevated powershell): Step 6: (added) Uncomment (remove #) from C:\ProgramData\ssh\sshd_config: #PasswordAuthentication yes

Server setup continued (non-elevated powershell): Step 7: (added) In Services, restart OpenSSH SSH Server.

服务器设置(提升的powershell):同意所有。

客户端设置(非提升的 powershell):同意所有。

服务器设置继续(非提升的 powershell):步骤 1、2、3:同意

服务器设置继续(非提升的 powershell):第 4 步:不要在第 4 步中执行任何操作。

服务器设置继续(非提升的 powershell):第 5 步:同意

服务器设置继续(非提升的 powershell):第 6 步:(添加)从 C:\ProgramData\ssh\sshd_config 取消注释(删除 #):#PasswordAuthentication yes

服务器设置继续(非提升的 powershell): 第 7 步:(添加)在服务中,重新启动 OpenSSH SSH 服务器。

I did not find any issues, with any file, regarding security, permissions or Unicode. They were all correct OOB.

我没有发现任何文件有关于安全性、权限或 Unicode 的任何问题。他们都是正确的OOB。

相关推荐

windows 使用脚本/批处理文件在窗口中自动单击鼠标

windows 使用脚本/批处理文件在窗口中自动单击鼠标

windows 安装 cygwin:http://mirrors.kernel.org 中缺少 setup.ini

windows 安装 cygwin:http://mirrors.kernel.org 中缺少 setup.ini

适用于 Windows 的 SourceTree 无法正常工作

适用于 Windows 的 SourceTree 无法正常工作

windows 如何在 BATCH 文件中记录所有 ECHO 命令?

windows 如何在 BATCH 文件中记录所有 ECHO 命令?

相关推荐
最近更新
标签