use*_*240 8 windows ssh sftp windows-10
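On Windows 10 1809, I enabled the built-in SSH server and configured it.
On another machine, I used WinSCP and the PuTTY key generator to generate an authentication key pair. I copied the public key part and appended it to the .ssh\authorized_keys file of my user on the SSH server. I fixed the permissions on the key file as required for my user, who is the logged-in user.
On the client machine, I used the .PPK private key with WinSCP to try to open an SFTP session to my server, but I get a message saying that the server refused the key I selected.
I can authenticate with a password, but the key pair does not work. Digging through the logs generated by sshd on the server, I see: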
10200 2019-06-07 01:38:16.376 debug1: attempt 1 failures 0 [preauth]
10200 2019-06-07 01:38:16.376 debug2: input_userauth_request: try method publickey [preauth]
10200 2019-06-07 01:38:16.376 debug1: userauth_pubkey: test pkalg ssh-rsa pkblob RSA SHA256:B6s0omPbz6HJB2cIZf3+5MKHU42wp+JfOTyAM+EVqoY [preauth]
10200 2019-06-07 01:38:16.376 debug2: userauth_pubkey: disabled because of invalid user [preauth]
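I'm not sure what is happening here, or whether this is the reason the connection is refused. The firewall can't be the problem, because I am able to log in to the server with password authentication. The client machine and WinSCP are recognized by the server; the server just refuses the key that is offered.
Are keys generated by PuTTY (or key content copied from the public key) not supported anywhere? There is no passphrase associated with the key, but I don't think that should be a problem.
There is only one user on the server machine, the logged-in user. The sshd service runs under the LOCAL SYSTEM account. If it ran under the user account (I tried, but the service did not start at all, and the event log complained about missing privileges...)
Edit - more information
I commented out the following in sshd_config: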
#Match Group administrators
# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
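But now the connection attempt complains about bad permissions on authorized_keys. The machine has only one user, and that user's authorized_keys in the .ssh folder is accessible only by that user. I tried using Repair-AuthorizedKeyPermission on the key file, which added SYSTEM and sshd (the NT service user) as users on the key file, with sshd having read permission. But now the connection attempt complains that bad permissions have been set for user S-1-5-80, which is the same NT Service user sshd that was added by Repair-AutorizedKeyFile. Removing this user's read permission (its only permission) again brings back the old error, saying Access Denied.
Edit - log of the sshd.exe connection attempt: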
> 2696 2019-06-10 03:57:09.020 debug2: fd 3 setting O_NONBLOCK
>
> 2696 2019-06-10 03:57:09.020 debug3: sock_set_v6only: set socket 3
> IPV6_V6ONLY
>
> 2696 2019-06-10 03:57:09.020 debug1: Bind to port 22 on ::.
>
> 2696 2019-06-10 03:57:09.020 Server listening on :: port 22.
>
> 2696 2019-06-10 03:57:09.020 debug2: fd 4 setting O_NONBLOCK
>
> 2696 2019-06-10 03:57:09.020 debug1: Bind to port 22 on 0.0.0.0.
>
> 2696 2019-06-10 03:57:09.020 Server listening on 0.0.0.0 port 22.
>
> 2696 2019-06-10 03:57:35.475 debug3: fd 5 is not O_NONBLOCK
>
> 2696 2019-06-10 03:57:35.477 debug3: spawning
> "C:\\WINDOWS\\System32\\OpenSSH\\sshd.exe" "-R"
>
> 2696 2019-06-10 03:57:35.483 debug3: send_rexec_state: entering fd = 8
> config len 287
>
> 2696 2019-06-10 03:57:35.484 debug3: ssh_msg_send: type 0
>
> 2696 2019-06-10 03:57:35.485 debug3: send_rexec_state: done
>
> 9428 2019-06-10 03:57:35.556 debug1: inetd sockets after dupping: 3, 3
>
> 9428 2019-06-10 03:57:35.556 Connection from 130.147.168.135 port
> 64534 on 161.85.17.107 port 22
>
> 9428 2019-06-10 03:57:35.556 debug1: Client protocol version 2.0;
> client software version WinSCP_release_5.15.2
>
> 9428 2019-06-10 03:57:35.556 debug1: no match: WinSCP_release_5.15.2
>
> 9428 2019-06-10 03:57:35.556 debug1: Local version string
> SSH-2.0-OpenSSH_for_Windows_7.7
>
> 9428 2019-06-10 03:57:35.556 debug2: fd 3 setting O_NONBLOCK
>
> 9428 2019-06-10 03:57:35.568 debug3: spawning
> "C:\\WINDOWS\\System32\\OpenSSH\\sshd.exe" "-y"
>
> 9428 2019-06-10 03:57:35.572 debug2: Network child is on pid 6944
>
> 9428 2019-06-10 03:57:35.573 debug3: send_rexec_state: entering fd = 6
> config len 287
>
> 9428 2019-06-10 03:57:35.573 debug3: ssh_msg_send: type 0
>
> 9428 2019-06-10 03:57:35.575 debug3: send_rexec_state: done
>
> 9428 2019-06-10 03:57:35.575 debug3: ssh_msg_send: type 0
>
> 9428 2019-06-10 03:57:35.576 debug3: ssh_msg_send: type 0
>
> 9428 2019-06-10 03:57:35.576 debug3: preauth child monitor started
>
> 9428 2019-06-10 03:57:35.607 debug1: list_hostkey_types:
> ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
> [preauth]
>
> 9428 2019-06-10 03:57:35.607 debug3: send packet: type 20 [preauth]
>
> 9428 2019-06-10 03:57:35.607 debug1: SSH2_MSG_KEXINIT sent [preauth]
>
> 9428 2019-06-10 03:57:35.794 debug3: receive packet: type 20 [preauth]
>
> 9428 2019-06-10 03:57:35.794 debug1: SSH2_MSG_KEXINIT received
> [preauth]
>
> 9428 2019-06-10 03:57:35.795 debug2: local server KEXINIT proposal
> [preauth]
>
> 9428 2019-06-10 03:57:35.796 debug2: KEX algorithms:
> curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
> [preauth]
>
> 9428 2019-06-10 03:57:35.797 debug2: host key algorithms:
> ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
> [preauth]
>
> 9428 2019-06-10 03:57:35.798 debug2: ciphers ctos:
> chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
> [preauth]
>
> 9428 2019-06-10 03:57:35.798 debug2: ciphers stoc:
> chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
> [preauth]
>
> 9428 2019-06-10 03:57:35.798 debug2: MACs ctos:
> umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> [preauth]
>
> 9428 2019-06-10 03:57:35.798 debug2: MACs stoc:
> umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> [preauth]
>
> 9428 2019-06-10 03:57:35.798 debug2: compression ctos: none [preauth]
>
> 9428 2019-06-10 03:57:35.798 debug2: compression stoc: none [preauth]
>
> 9428 2019-06-10 03:57:35.799 debug2: languages ctos: [preauth]
>
> 9428 2019-06-10 03:57:35.799 debug2: languages stoc: [preauth]
>
> 9428 2019-06-10 03:57:35.799 debug2: first_kex_follows 0 [preauth]
>
> 9428 2019-06-10 03:57:35.799 debug2: reserved 0 [preauth]
>
> 9428 2019-06-10 03:57:35.799 debug2: peer client KEXINIT proposal
> [preauth]
>
> 9428 2019-06-10 03:57:35.799 debug2: KEX algorithms:
> curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1
> [preauth]
>
> 9428 2019-06-10 03:57:35.799 debug2: host key algorithms:
> ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
>
> 9428 2019-06-10 03:57:35.799 debug2: ciphers ctos:
> aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
> [preauth]
>
> 9428 2019-06-10 03:57:35.800 debug2: ciphers stoc:
> aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
> [preauth]
>
> 9428 2019-06-10 03:57:35.800 debug2: MACs ctos:
> hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com [preauth]
>
> 9428 2019-06-10 03:57:35.800 debug2: MACs stoc:
> hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com [preauth]
>
> 9428 2019-06-10 03:57:35.800 debug2: compression ctos: none,zlib
> [preauth]
>
> 9428 2019-06-10 03:57:35.800 debug2: compression stoc: none,zlib
> [preauth]
>
> 9428 2019-06-10 03:57:35.800 debug2: languages ctos: [preauth]
>
> 9428 2019-06-10 03:57:35.800 debug2: languages stoc: [preauth]
>
> 9428 2019-06-10 03:57:35.800 debug2: first_kex_follows 0 [preauth]
>
> 9428 2019-06-10 03:57:35.800 debug2: reserved 0 [preauth]
>
> 9428 2019-06-10 03:57:35.801 debug1: kex: algorithm:
> curve25519-sha256@libssh.org [preauth]
>
> 9428 2019-06-10 03:57:35.801 debug1: kex: host key algorithm:
> ssh-ed25519 [preauth]
>
> 9428 2019-06-10 03:57:35.801 debug1: kex: client->server cipher:
> aes256-ctr MAC: hmac-sha2-256 compression: none [preauth]
>
> 9428 2019-06-10 03:57:35.801 debug1: kex: server->client cipher:
> aes256-ctr MAC: hmac-sha2-256 compression: none [preauth]
>
> 9428 2019-06-10 03:57:35.801 debug1: expecting SSH2_MSG_KEX_ECDH_INIT
> [preauth]
>
> 9428 2019-06-10 03:57:35.834 debug3: receive packet: type 30 [preauth]
>
> 9428 2019-06-10 03:57:35.843 debug3: mm_key_sign entering [preauth]
>
> 9428 2019-06-10 03:57:35.843 debug3: mm_request_send entering: type 6
> [preauth]
>
> 9428 2019-06-10 03:57:35.843 debug3: mm_key_sign: waiting for
> MONITOR_ANS_SIGN [preauth]
>
> 9428 2019-06-10 03:57:35.843 debug3: mm_request_receive_expect
> entering: type 7 [preauth]
>
> 9428 2019-06-10 03:57:35.843 debug3: mm_request_receive entering
> [preauth]
>
> 9428 2019-06-10 03:57:35.843 debug3: mm_request_receive entering
>
> 9428 2019-06-10 03:57:35.843 debug3: monitor_read: checking request 6
>
> 9428 2019-06-10 03:57:35.843 debug3: mm_answer_sign
>
> 9428 2019-06-10 03:57:35.846 debug3: mm_answer_sign: hostkey proof
> signature 0000029369ED8600(83)
>
> 9428 2019-06-10 03:57:35.846 debug3: mm_request_send entering: type 7
>
> 9428 2019-06-10 03:57:35.846 debug2: monitor_read: 6 used once,
> disabling now
>
> 9428 2019-06-10 03:57:35.846 debug3: send packet: type 31 [preauth]
>
> 9428 2019-06-10 03:57:35.846 debug3: send packet: type 21 [preauth]
>
> 9428 2019-06-10 03:57:35.846 debug2: set_newkeys: mode 1 [preauth]
>
> 9428 2019-06-10 03:57:35.846 debug1: rekey after 4294967296 blocks
> [preauth]
>
> 9428 2019-06-10 03:57:35.846 debug1: SSH2_MSG_NEWKEYS sent [preauth]
>
> 9428 2019-06-10 03:57:35.846 debug1: expecting SSH2_MSG_NEWKEYS
> [preauth]
>
> 9428 2019-06-10 03:57:36.356 debug3: receive packet: type 21 [preauth]
>
> 9428 2019-06-10 03:57:36.356 debug1: SSH2_MSG_NEWKEYS received
> [preauth]
>
> 9428 2019-06-10 03:57:36.356 debug2: set_newkeys: mode 0 [preauth]
>
> 9428 2019-06-10 03:57:36.356 debug1: rekey after 4294967296 blocks
> [preauth]
>
> 9428 2019-06-10 03:57:36.356 debug1: KEX done [preauth]
>
> 9428 2019-06-10 03:57:36.399 debug3: receive packet: type 5 [preauth]
>
> 9428 2019-06-10 03:57:36.399 debug3: send packet: type 6 [preauth]
>
> 9428 2019-06-10 03:57:36.435 debug3: receive packet: type 50 [preauth]
>
> 9428 2019-06-10 03:57:36.435 debug1: userauth-request for user
> TestUser service ssh-connection method none [preauth]
>
> 9428 2019-06-10 03:57:36.435 debug1: attempt 0 failures 0 [preauth]
>
> 9428 2019-06-10 03:57:36.435 debug3: mm_getpwnamallow entering
> [preauth]
>
> 9428 2019-06-10 03:57:36.436 debug3: mm_request_send entering: type 8
> [preauth]
>
> 9428 2019-06-10 03:57:36.436 debug3: mm_getpwnamallow: waiting for
> MONITOR_ANS_PWNAM [preauth]
>
> 9428 2019-06-10 03:57:36.436 debug3: mm_request_receive_expect
> entering: type 9 [preauth]
>
> 9428 2019-06-10 03:57:36.436 debug3: mm_request_receive entering
> [preauth]
>
> 9428 2019-06-10 03:57:36.436 debug3: mm_request_receive entering
>
> 9428 2019-06-10 03:57:36.436 debug3: monitor_read: checking request 8
>
> 9428 2019-06-10 03:57:36.436 debug3: mm_answer_pwnamallow
>
> 9428 2019-06-10 03:57:36.439 debug2: parse_server_config: config
> reprocess config len 287
>
> 9428 2019-06-10 03:57:36.439 debug3: checking match for 'Group
> administrators' user TestUser host 130.147.168.135 addr
> 130.147.168.135 laddr 161.85.17.107 lport 22
>
> 9428 2019-06-10 03:57:36.446 debug3: LsaLogonUser Succeeded
> (Impersonation: 0)
>
> 9428 2019-06-10 03:57:36.448 debug1: user TestUser matched group list
> administrators at line 84
>
> 9428 2019-06-10 03:57:36.448 debug3: match found
>
> 9428 2019-06-10 03:57:36.448 debug3: reprocess config:85 setting
> AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
>
> 9428 2019-06-10 03:57:36.449 debug3: mm_answer_pwnamallow: sending
> MONITOR_ANS_PWNAM: 1
>
> 9428 2019-06-10 03:57:36.449 debug3: mm_request_send entering: type 9
>
> 9428 2019-06-10 03:57:36.450 debug2: monitor_read: 8 used once,
> disabling now
>
> 9428 2019-06-10 03:57:36.450 debug2: input_userauth_request: setting
> up authctxt for TestUser [preauth]
>
> 9428 2019-06-10 03:57:36.450 debug3: mm_inform_authserv entering
> [preauth]
>
> 9428 2019-06-10 03:57:36.450 debug3: mm_request_send entering: type 4
> [preauth]
>
> 9428 2019-06-10 03:57:36.451 debug3: mm_request_receive entering
>
> 9428 2019-06-10 03:57:36.451 debug3: monitor_read: checking request 4
>
> 9428 2019-06-10 03:57:36.451 debug3: mm_answer_authserv:
> service=ssh-connection, style=
>
> 9428 2019-06-10 03:57:36.451 debug2: monitor_read: 4 used once,
> disabling now
>
> 9428 2019-06-10 03:57:36.451 debug2: input_userauth_request: try
> method none [preauth]
>
> 9428 2019-06-10 03:57:36.452 debug3: userauth_finish: failure
> partial=0 next methods="publickey,password,keyboard-interactive"
> [preauth]
>
> 9428 2019-06-10 03:57:36.452 debug3: send packet: type 51 [preauth]
>
> 9428 2019-06-10 03:57:36.453 debug3: receive packet: type 50 [preauth]
>
> 9428 2019-06-10 03:57:36.453 debug1: userauth-request for user
> TestUser service ssh-connection method publickey [preauth]
>
> 9428 2019-06-10 03:57:36.453 debug1: attempt 1 failures 0 [preauth]
>
> 9428 2019-06-10 03:57:36.454 debug2: input_userauth_request: try
> method publickey [preauth]
>
> 9428 2019-06-10 03:57:36.454 debug1: userauth_pubkey: test pkalg
> ssh-rsa pkblob RSA SHA256:ospJEFHH81sy96YBMFEySGGUokk1KZHV+AbgNTFRrjE
> [preauth]
>
> 9428 2019-06-10 03:57:36.455 debug3: mm_key_allowed entering [preauth]
>
> 9428 2019-06-10 03:57:36.455 debug3: mm_request_send entering: type 22
> [preauth]
>
> 9428 2019-06-10 03:57:36.455 debug3: mm_request_receive entering
>
> 9428 2019-06-10 03:57:36.455 debug3: monitor_read: checking request 22
>
> 9428 2019-06-10 03:57:36.456 debug3: mm_answer_keyallowed entering
>
> 9428 2019-06-10 03:57:36.456 debug3: mm_answer_keyallowed:
> key_from_blob: 0000029369F0D8B0
>
> 9428 2019-06-10 03:57:36.456 debug1: trying public key file
> __PROGRAMDATA__/ssh/administrators_authorized_keys
>
> 9428 2019-06-10 03:57:36.456 debug3: Failed to open
> file:C:/ProgramData/ssh/administrators_authorized_keys error:2
>
> 9428 2019-06-10 03:57:36.456 debug1: Could not open authorized keys
> '__PROGRAMDATA__/ssh/administrators_authorized_keys': No such file or
> directory
>
> 9428 2019-06-10 03:57:36.456 debug3: mm_answer_keyallowed: publickey
> authentication test: RSA key is not allowed
>
> 9428 2019-06-10 03:57:36.456 Failed publickey for TestUser from
> 130.147.168.135 port 64534 ssh2: RSA SHA256:ospJEFHH81sy96YBMFEySGGUokk1KZHV+AbgNTFRrjE
>
> 9428 2019-06-10 03:57:36.456 debug3: mm_request_send entering: type 23
>
> 9428 2019-06-10 03:57:36.457 debug3: mm_key_allowed: waiting for
> MONITOR_ANS_KEYALLOWED [preauth]
>
> 9428 2019-06-10 03:57:36.457 debug3: mm_request_receive_expect
> entering: type 23 [preauth]
>
> 9428 2019-06-10 03:57:36.457 debug3: mm_request_receive entering
> [preauth]
>
> 9428 2019-06-10 03:57:36.457 debug2: userauth_pubkey: authenticated 0
> pkalg ssh-rsa [preauth]
>
> 9428 2019-06-10 03:57:36.457 debug3: userauth_finish: failure
> partial=0 next methods="publickey,password,keyboard-interactive"
> [preauth]
>
> 9428 2019-06-10 03:57:36.457 debug3: send packet: type 51 [preauth]
>
> 9428 2019-06-10 03:57:36.482 debug3: receive packet: type 50 [preauth]
>
> 9428 2019-06-10 03:57:36.482 debug1: userauth-request for user
> TestUser service ssh-connection method keyboard-interactive [preauth]
>
> 9428 2019-06-10 03:57:36.482 debug1: attempt 2 failures 1 [preauth]
>
> 9428 2019-06-10 03:57:36.482 debug2: input_userauth_request: try
> method keyboard-interactive [preauth]
>
> 9428 2019-06-10 03:57:36.482 debug1: keyboard-interactive devs
> [preauth]
>
> 9428 2019-06-10 03:57:36.483 debug1: auth2_challenge: user=TestUser
> devs= [preauth]
>
> 9428 2019-06-10 03:57:36.483 debug1: kbdint_alloc: devices ''
> [preauth]
>
> 9428 2019-06-10 03:57:36.483 debug2: auth2_challenge_start: devices
> [preauth]
>
> 9428 2019-06-10 03:57:36.483 debug3: userauth_finish: failure
> partial=0 next methods="publickey,password,keyboard-interactive"
> [preauth]
>
> 9428 2019-06-10 03:57:36.483 debug3: send packet: type 51 [preauth]
Bob*_*Bob 15
Starting with Windows 10 v1809, the default configuration (found in %ProgramData%/ssh/sshd_config) defines a separate AuthorizedKeysFile setting for administrator users:
Match Group administrators
AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
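This means that for any user in the special Windows Administrators group (SID S-1-5-32-544), the %UserProfile%/.ssh/authorized_keys file is not consulted; %ProgramData%/ssh/administrators_authorized_keys is used instead.
You have a few options:
sshd_config, which will then revert to the default per-user AuthorizedKeysFile, or
in the administrators_authorized_keys file
My recommendation is to use a non-administrator user where possible, and otherwise to modify the configuration. A global key that is accepted for any account in the Administrators group sounds like unnecessary complexity. 1
1 In the default configuration, it is always possible to impersonate any other user from an administrator user, because an administrator user generally means root-level full control in Windows. That may be their rationale for the default. But of course it makes the configuration of multi-user systems rather confusing, where some (non-administrator) users have their own authorized keys in the standard location while other (administrator) users must share one non-standard authorized keys list.
I believe such a configuration has no security advantage, other than letting all administrators impersonate each other.
Future versions may be in %ProgramData/ssh.
This is explored here: https://github.com/PowerShell/Win32-OpenSSH/issues/1324
OpenSSH on Windows 10 requires extra configuration before it recognizes authorized_keys:
Save the authorized_keys file to the file C:\ProgramData\ssh\administrators_authorized_keys, which has no extension
$acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys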
$acl.SetAccessRuleProtection($true, $false)
$administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule("Administrators","FullControl","Allow")
$systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
$acl.SetAccessRule($administratorsRule)
$acl.SetAccessRule($systemRule)
$acl | Set-Acl
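If you don't do this and just put the file in the user's .ssh folder, you will be prompted for a password (instead of the key file being used), or your connection will fail with "too many authentication attempts".
Reference: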
小智 5
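Trying to add more details here, in case someone has installed the built-in openssh server in Windows 10 (build 1809 or later, or Server 2016), whether or not they followed Microsoft's documentation: installation, configuration and key management. These seem to be old or somewhat incomplete and need updating.
After installing this service, start it, and you should be able to connect to it locally via localhost with ssh username@localhost, assuming your Windows login name is username. But we need key-based authentication, and following the Microsoft documentation listed above can only fail:
Repair-AuthorizedKeyPermission to fix the permissions of authorized_keys, because we currently cannot install the OpenSSHUtils module. The reason seems to be that the signature is out of date.
In sshd_config, as @Bob pointed out, we have to comment out some content if we do not set up key pairs for administrators.
If you only want key-based authentication for a single user, we just need to do the following (administrator rights required, all based on the default built-in openssh server installation):
the OpenSSHUtils module, so we set the permissions manually. Check the ownership and permissions of authorized_keys:
PS C:\>(get-acl .\users\username\.ssh\authorized_keys).owner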
username
PS C:\>icacls .\users\username\.ssh\authorized_keys
ssh_host_dsa_key BUILTIN\Administrators:(F)
username:(F)
otheruser1:(IR)
otheruser2:(R)
authorized_keys:
PS C:\>icacls .\users\username\.ssh\authorized_keys /inheritance:r
PS C:\>icacls .\users\username\.ssh\authorized_keys /remove otheruser2
sshd_config:
#Match Group administrators
# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
PubkeyAuthentication yes
PasswordAuthentication no
authorized_keys of the user you want to connect as.
sshd service.
Now you should be able to connect to this host using key authentication. For more details, see the following links (which this answer is based on):
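A read-only diagnostic that ties the answers above together, as an added example that is not part of any original post: it reports which authorized_keys file sshd will consult for a user and lists ACL entries for anyone other than SYSTEM, Administrators and that user. The function name, the C:\Users\<name> profile path and the "no other principals" rule are assumptions drawn from the answers, not sshd's own permission check.

```powershell
# Added example, not from the original posts. Assumes default OpenSSH paths,
# a local account whose profile is C:\Users\<name>, and an elevated prompt.
function Get-SshdAuthorizedKeysReport {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [string] $ConfigPath = "$env:ProgramData\ssh\sshd_config"
    )
    $sidType   = [System.Security.Principal.SecurityIdentifier]
    $userSid   = ([System.Security.Principal.NTAccount]$UserName).Translate($sidType).Value
    $adminSid  = 'S-1-5-32-544'   # BUILTIN\Administrators
    $systemSid = 'S-1-5-18'       # NT AUTHORITY\SYSTEM

    # 1. Is an uncommented "Match Group administrators" override present?
    #    (Simplified parser: only a Match line with exactly this criterion is recognized.)
    $inAdminMatch = $false
    $adminKeysFile = $null
    foreach ($line in Get-Content -LiteralPath $ConfigPath) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith('#')) { continue }
        if ($text -match '^Match\s+(.+)$') {
            $inAdminMatch = $Matches[1] -match '^Group\s+administrators\s*$'
        } elseif ($inAdminMatch -and $text -match '^AuthorizedKeysFile\s+(\S+)') {
            $adminKeysFile = $Matches[1] -replace '__PROGRAMDATA__', $env:ProgramData
        }
    }

    # 2. Direct members of the local Administrators group only (nested groups are not expanded).
    $isAdmin = [bool](Get-LocalGroupMember -SID $adminSid |
        Where-Object { $_.SID.Value -eq $userSid })

    if ($isAdmin -and $adminKeysFile) {
        $path = $adminKeysFile
    } else {
        $path = Join-Path $env:SystemDrive "Users\$UserName\.ssh\authorized_keys"
    }

    # 3. Flag ACL entries for anyone other than SYSTEM, Administrators or the user.
    $exists = Test-Path -LiteralPath $path
    $unexpected = @()
    if ($exists) {
        $unexpected = @((Get-Acl -LiteralPath $path).Access | Where-Object {
            $sid = $_.IdentityReference.Translate($sidType).Value
            $sid -notin @($systemSid, $adminSid, $userSid)
        } | ForEach-Object { '{0} ({1})' -f $_.IdentityReference, $_.FileSystemRights })
    }

    [pscustomobject]@{
        User                = $UserName
        IsAdministrator     = $isAdmin
        AdminOverrideActive = [bool]$adminKeysFile
        KeysFile            = $path
        Exists              = $exists
        UnexpectedAccess    = $unexpected
    }
}

Get-SshdAuthorizedKeysReport -UserName $env:USERNAME | Format-List
```

For the situation in the question, an administrator account with the override active and `Exists` false corresponds to the "Could not open authorized keys" line in the sshd log.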