I have been trying to get public key authentication working with PowerShell's port of OpenSSH on a VM running Windows Server 2012 R2.
I have faithfully followed the installation instructions, and I'm pretty sure my file permissions are correct for .ssh\authorized_keys. (I can't post a link to the specific instructions on the Win32-OpenSSH wiki, since I'm too new here to post more than two links; see the comment below.)
I can log in to the Windows host from a Linux host as expected with username/password. No luck with key authentication, however.
My local .ssh/config file contains:
Host remotehostname
HostName remotehostname
User remoteuser
Port 22
IdentityFile /home/myusername/.ssh/id_dsa
The permissions on the local .ssh directory look correct:
[[email protected]]$ ls -ltrh
total 56K
-rw------- 1 cengadmin cengadmin 1.6K Sep 11 10:01 known_hosts
-r-------- 1 cengadmin cengadmin 672 Sep 11 10:06 id_dsa
-r-------- 1 cengadmin cengadmin 580 Sep 11 10:13 config
The .ssh directory on my remote host is as follows:
Directory of C:\Users\REMOTEUSER\.ssh
09/11/2017 10:07 AM <DIR> .
09/11/2017 10:07 AM <DIR> ..
09/11/2017 10:07 AM 623 authorized_keys
09/11/2017 10:05 AM 672 id_dsa
09/11/2017 10:05 AM 623 id_dsa.pub
5 File(s) 4,012 bytes
2 Dir(s) 10,752,004,096 bytes free
C:\Users\REMOTEUSER\.ssh>icacls authorized_keys
authorized_keys NT SERVICE\sshd:(R)
NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
FOODOM1\REMOTEUSER:(F)
C:\Users\REMOTEUSER\.ssh>icacls id_dsa
id_dsa BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)
DHDOM1\REMOTEUSER:(R,W)
My authorized_keys file contains only the output of type id_dsa.pub > authorized_keys.
C:\Users\REMOTEUSER\.ssh>fc id_dsa.pub authorized_keys
Comparing files id_dsa.pub and AUTHORIZED_KEYS
FC: no differences encountered
sshd_config has PubkeyAuthentication enabled:
PubkeyAuthentication yes
The configuration and permissions look sane to me. However, I get the ubiquitous missing begin marker error that I always get when I botch the permissions.
I see:
debug2: key not found
which usually means I have the wrong key in authorized_keys, but I think the diff above refutes that problem.
Clues? Be gentle, I haven't used Windows in anger in almost 10 years.
(Note that I have other RSA keys in this directory, not included above for clarity.)
$ ssh -v -i .ssh/id_dsa myhostname
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /home/localuser/.ssh/config
debug1: /home/localuser/.ssh/config line 21: Applying options for raleys-etl
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Hostname has changed; re-reading configuration
debug1: Reading configuration data /home/localuser/.ssh/config
debug1: /home/localuser/.ssh/config line 15: Applying options for remotehostname
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to remotehostname [00:00:00:00] port 22.
debug1: Connection established.
debug1: identity file /home/localuser/.ssh/id_dsa type -1
debug1: identity file /home/localuser/.ssh/id_dsa-cert type -1
debug1: identity file /home/localuser/.ssh/ssis_rsa type -1
debug1: identity file /home/localuser/.ssh/ssis_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5
debug1: match: OpenSSH_7.5 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: kex: [email protected] need=20 dh_need=20
debug1: kex: [email protected] need=20 dh_need=20
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA e7:aa:c8:d4:8b:02:58:da:64:e6:18:26:d3:be:6a:b2
debug1: Host 'remotehostname' is known and matches the ECDSA host key.
debug1: Found key in /home/localuser/.ssh/known_hosts:5
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: [email protected]
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering RSA public key: [email protected]
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering RSA public key: [email protected]
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/localuser/.ssh/id_dsa
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Received disconnect from 00:00:00:00: 2: Too many authentication failures
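
Added example, not part of the original post: a small Python helper that turns client-side `ssh -v` output like the log above into a per-key timeline, showing which keys were presented, in what order, and how the session ended. The sample log is constructed from the post's output with placeholder key comments and a documentation address (192.0.2.10), and the message patterns assume the OpenSSH 6.6.1 client format shown above.

```python
import re

# Constructed sample modelled on the tail of the `ssh -v` output in the post;
# key comments and the peer address are placeholders.
SAMPLE_LOG = """\
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: placeholder-key-1
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering RSA public key: placeholder-key-2
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering RSA public key: placeholder-key-3
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/localuser/.ssh/id_dsa
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Received disconnect from 192.0.2.10: 2: Too many authentication failures
"""

# Message formats as printed by the OpenSSH 6.6.1 client shown in the post.
ATTEMPT = re.compile(r"debug1: (?:Offering (\S+) public key|Trying private key): (.+)")
LOADED = re.compile(r"debug1: read PEM private key done: type (\S+)")
REJECTED = "debug1: Authentications that can continue:"
SUCCESS = "debug1: Authentication succeeded"
DISCONNECT = re.compile(r"Received disconnect from \S+: \d+: (.+)")


def summarize_pubkey_auth(log_text):
    """Return (attempts, disconnect_reason) from client-side `ssh -v` output."""
    attempts, current, reason = [], None, None
    for line in map(str.strip, log_text.splitlines()):
        if m := ATTEMPT.match(line):
            current = {"key": m.group(2), "type": m.group(1) or "unknown", "result": "pending"}
            attempts.append(current)
        elif (m := LOADED.match(line)) and current:
            current["type"] = m.group(1)  # type is known once the file parses
        elif line.startswith(REJECTED) and current:
            current["result"], current = "rejected", None  # server asked for another method
        elif line.startswith(SUCCESS) and current:
            current["result"] = "accepted"
        elif m := DISCONNECT.match(line):
            reason = m.group(1)
    return attempts, reason

if __name__ == "__main__":
    attempts, reason = summarize_pubkey_auth(SAMPLE_LOG)
    print(*attempts, f"disconnect: {reason}", sep="\n")
```

On the sample it reports four rejected keys, with the DSA identity tried last, and it records that the PEM read of id_dsa completed on the line after "missing begin marker".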