I am attempting to establish a remote connection to a Windows 10, v 1903 system using OpenSSH for Windows v 8.0.0.0 and a public key. Although the username and password authentication process works well, when using the SecureFX SFTP client, it immediately terminates the connection with a TCP error after reporting AUTH_SUCCESS with Public Key.
Checking the SSH server logs reveals a fatal error during the forking of an unprivileged child. It occurs right after the system fails to locate the login user, potentially in Active Directory.
14036 2019-09-26 13:06:28.265 debug1: trying public key file C:\\Users\\abc\\.ssh/authorized_keys
14036 2019-09-26 13:06:28.265 debug1: C:\\Users\\abc\\.ssh/authorized_keys:5: matching key found: RSA SHA256:ajHmaaQPXU3VIPnMFJcz8ce2pwHZodRfudLtdLLmgJg
14036 2019-09-26 13:06:28.265 debug1: C:\\Users\\abc\\.ssh/authorized_keys:5: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
14036 2019-09-26 13:06:28.265 Accepted key RSA SHA256:ajHmaaQPXU3VIPnMFJcz8ce2pwHZodRfudLtdLLmgJg found at C:\\Users\\abc\\.ssh/authorized_keys:5
14036 2019-09-26 13:06:28.265 debug3: mm_answer_keyallowed: publickey authentication: RSA key is allowed
14036 2019-09-26 13:06:28.265 debug3: mm_request_send entering: type 23
14036 2019-09-26 13:06:28.265 debug3: mm_sshkey_verify entering [preauth]
14036 2019-09-26 13:06:28.265 debug3: mm_request_send entering: type 24 [preauth]
14036 2019-09-26 13:06:28.265 debug3: mm_sshkey_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
14036 2019-09-26 13:06:28.265 debug3: mm_request_receive_expect entering: type 25 [preauth]
14036 2019-09-26 13:06:28.265 debug3: mm_request_receive entering [preauth]
14036 2019-09-26 13:06:28.265 debug3: mm_request_receive entering
14036 2019-09-26 13:06:28.265 debug3: monitor_read: checking request 24
14036 2019-09-26 13:06:28.265 debug3: mm_answer_keyverify: publickey 00000252D826D600 signature verified
14036 2019-09-26 13:06:28.265 debug1: auth_activate_options: setting new authentication options
14036 2019-09-26 13:06:28.265 debug3: mm_request_send entering: type 25
14036 2019-09-26 13:06:28.265 Accepted publickey for abc from 127.0.0.1 port 62042 ssh2: RSA SHA256:ajHmaaQPXU3VIPnMFJcz8ce2pwHZodRfudLtdLLmgJg
14036 2019-09-26 13:06:28.265 debug1: monitor_child_preauth: abc has been authenticated by privileged process
14036 2019-09-26 13:06:28.265 debug3: mm_get_keystate: Waiting for new keys
14036 2019-09-26 13:06:28.265 debug3: mm_request_receive_expect entering: type 26
14036 2019-09-26 13:06:28.265 debug3: mm_request_receive entering
14036 2019-09-26 13:06:28.280 debug3: mm_get_keystate: GOT new keys
14036 2019-09-26 13:06:28.280 debug1: auth_activate_options: setting new authentication options [preauth]
14036 2019-09-26 13:06:28.280 debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa [preauth]
14036 2019-09-26 13:06:28.280 debug3: user_specific_delay: user specific delay 0.000ms [preauth]
14036 2019-09-26 13:06:28.280 debug3: ensure_minimum_time_since: elapsed 0.000ms, delaying 8.339ms (requested 8.339ms) [preauth]
14036 2019-09-26 13:06:28.280 debug3: send packet: type 52 [preauth]
14036 2019-09-26 13:06:28.280 debug3: mm_request_send entering: type 26 [preauth]
14036 2019-09-26 13:06:28.280 debug3: mm_send_keystate: Finished sending state [preauth]
14036 2019-09-26 13:06:28.280 debug1: monitor_read_log: child log fd closed
14036 2019-09-26 13:06:28.280 error: lookup_principal_name: User principal name lookup failed for user 'abc\\def' (explicit: 1355, implicit: 1355)
14036 2019-09-26 13:06:28.280 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'abc\\def' Status: 0xC0000062 SubStatus 0.
14036 2019-09-26 13:06:28.280 debug3: get_user_token - unable to generate token for user abc\\def
14036 2019-09-26 13:06:28.280 error: lookup_principal_name: User principal name lookup failed for user 'abc\\def' (explicit: 1355, implicit: 1355)
14036 2019-09-26 13:06:28.280 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'abc\\def' Status: 0xC0000062 SubStatus 0.
14036 2019-09-26 13:06:28.280 error: get_user_token - unable to generate token on 2nd attempt for user abc\\def
14036 2019-09-26 13:06:28.280 error: unable to get security token for user abc\\def
14036 2019-09-26 13:06:28.280 fatal: fork of unprivileged child failed
14036 2019-09-26 13:06:28.280 debug1: do_cleanup
Even though I installed the most recent version, the problem persists. I’m unsure if this is a distinct issue or if there’s a setting that I need to activate on my end.
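As an added triage aid (not part of the original question or of OpenSSH for Windows), the script below parses sshd debug lines of the shape quoted above and separates the successful key acceptance from the post-authentication token failures, naming the Win32 and NTSTATUS codes they carry. The code-to-name mappings are taken from Microsoft's published error lists and are assumptions of this example, not something the log itself states; the sample log is constructed from the lines in the question.

```python
import re
# Constructed sample, copied from the sshd debug lines quoted in the question
# (the doubled backslash is reproduced exactly as it appears there).
SAMPLE_LOG = r"""
14036 2019-09-26 13:06:28.265 Accepted publickey for abc from 127.0.0.1 port 62042 ssh2: RSA SHA256:ajHmaaQPXU3VIPnMFJcz8ce2pwHZodRfudLtdLLmgJg
14036 2019-09-26 13:06:28.280 error: lookup_principal_name: User principal name lookup failed for user 'abc\\def' (explicit: 1355, implicit: 1355)
14036 2019-09-26 13:06:28.280 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'abc\\def' Status: 0xC0000062 SubStatus 0.
14036 2019-09-26 13:06:28.280 error: unable to get security token for user abc\\def
14036 2019-09-26 13:06:28.280 fatal: fork of unprivileged child failed
"""
# Code names taken from Microsoft's published Win32 / NTSTATUS lists (assumption of this example, not from the page).
WIN32_ERRORS = {1355: "ERROR_NO_SUCH_DOMAIN"}
NTSTATUS = {0xC0000062: "STATUS_INVALID_ACCOUNT_NAME", 0xC0000064: "STATUS_NO_SUCH_USER"}
ACCEPT_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port (\d+)")
LOOKUP_RE = re.compile(r"lookup_principal_name: .* for user '([^']+)' \(explicit: (\d+), implicit: (\d+)\)")
LSA_RE = re.compile(r"LsaLogonUser\(\) failed\. User '([^']+)' Status: (0x[0-9A-Fa-f]+) SubStatus (\d+)")

def triage(log_text):
    """Pull the accepted login and every post-auth token failure out of an sshd debug log."""
    result = {"accepted": None, "lookup": [], "lsa": [], "fatal": False}
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            result["accepted"] = {"method": m[1], "user": m[2], "src": m[3], "port": int(m[4])}
        elif m := LOOKUP_RE.search(line):
            result["lookup"].append({"user": m[1], "explicit": int(m[2]), "implicit": int(m[3])})
        elif m := LSA_RE.search(line):
            result["lsa"].append({"user": m[1], "status": int(m[2], 16), "substatus": int(m[3])})
        elif "fatal: fork of unprivileged child failed" in line:
            result["fatal"] = True
    return result

def explain(result):
    """Turn the triage result into human-readable findings for the administrator."""
    notes = []
    acc = result["accepted"]
    for f in result["lookup"]:
        if acc and f["user"] != acc["user"]:
            # The name sshd authenticated and the name it built a token for differ: worth checking first.
            notes.append(f"key accepted for '{acc['user']}' but token requested for '{f['user']}'")
        notes.append(f"principal lookup for '{f['user']}': explicit={WIN32_ERRORS.get(f['explicit'], f['explicit'])}, "
                     f"implicit={WIN32_ERRORS.get(f['implicit'], f['implicit'])}")
    for f in result["lsa"]:
        notes.append(f"LsaLogonUser for '{f['user']}': {NTSTATUS.get(f['status'], hex(f['status']))}")
    if result["fatal"] and acc:
        notes.append("authentication succeeded but sshd could not build the user's token, so the session was dropped after AUTH_SUCCESS")
    return notes

if __name__ == "__main__":
    for note in explain(triage(SAMPLE_LOG)):
        print(note)
```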
1 Answer
OpenSSH for Windows: Public Key Login Denied with AD User
OpenSSH for Windows is a popular tool that allows users to connect to remote systems securely using the SSH protocol. It is an open-source implementation of SSH that is available for Windows systems. However, users may encounter issues while attempting to connect to a Windows system using public key authentication. In this blog post, we will discuss one such issue where the public key login with an AD user is denied by OpenSSH for Windows.
Problem Description
On a Windows 10, v 1903 system, OpenSSH for Windows v 8.0.0.0 is running, and a user is trying to connect to it from a remote location using public key authentication. However, the connection is immediately closed with a TCP error. Although username and password authentication works fine, the SSH server logs indicate a fatal error with forking an unprivileged child, immediately after it fails to find the login user, possibly in Active Directory.
Solution
The issue mentioned above can be resolved by following the steps below:
1. Check if the SSH server is running as a service, and if it is configured to run as an AD user. If it is, then ensure that the user has sufficient privileges to execute the SSH server and its components.
2. Check if the SSH server is running with the correct permissions. Ensure that the SSH server has the required permissions to read the authorized_keys file and verify the public key.
3. Check if the authorized_keys file is in the correct location and has the correct permissions. By default, the authorized_keys file is located in the .ssh directory of the user’s home directory. Ensure that the file has the correct permissions to be read by the SSH server.
4. Check if the public key is in the correct format. The public key should be in the OpenSSH format and should not contain any additional characters or spaces. Ensure that the public key is copied correctly to the authorized_keys file.
5. Check if the user is a member of the correct group. If the user is not a member of the correct group, then the SSH server may not be able to authenticate the user using public key authentication.
Conclusion
In conclusion, OpenSSH for Windows is a powerful tool that allows users to connect to remote systems securely. However, users may encounter issues while attempting to connect to a Windows system using public key authentication. The issue mentioned in this blog post, where the public key login with an AD user is denied by OpenSSH for Windows, can be resolved by following the steps mentioned above. By ensuring that the SSH server is running with the correct permissions, and the authorized_keys file is in the correct location with the correct permissions, users will be able to connect to the Windows system using public key authentication.