Score:2

SSH using public key losing Authentication on windows server


I want to SSH from my laptop (A) to Windows Server (B) and run commands against SQL Server (C) from PowerShell. All three are in one Windows domain. I'm running the built-in OpenSSH server and client for Windows Server 2019.

If I connect to server B using password then I can run commands using Invoke-Sqlcmd and query SQL Server C just fine.

But if I connect using an RSA key, I can't run commands anymore because SQL Server throws an error that I'm not authenticated. Tried the key with and without a passphrase, saved in the agent and provided explicitly, as admin and as a regular user. What else can I try?


From what I've found on the internet it should be possible to resolve this by adding SPNs. But I already have them for server C.

(screenshot: SPNs for server C)

Any other clues? Or is it not possible to authenticate properly using keys?

sarlacii:
Hi there, possible issue with supported key types? Try generating an ed25519 key pair, copy the pub key to the Windows machine same as before, and then specify the ed25519 key instead of the rsa key for authentication. Same result? See [openssh_keymanagement](https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement).
Mak Sim:
@sarlacii Nope, doesn't work with ed25519 either
Nikita Kipriyanov:
An SSH key is essentially a "one-hop" authenticator: the system where you placed it authenticates you, but it can't prove your authenticity further to anyone else. SSH key-based authentication doesn't set up Kerberos tickets and/or other standard Windows SSO credentials which SQL Server expects to see to authenticate you.
Score:1

I've found the answer.

  • A remote session opened via password authentication has the user credentials attached to it and hence is capable of outbound authentication as the user.
  • A remote session opened via key based authentication does not have associated user credentials and hence is not capable of outbound authentication as the user. This is by design and goes by the rules of standard Windows security.

I was hoping to use key auth for automation to avoid manual password input, but since the standard Windows OpenSSH client doesn't support this feature, I'd have to use plink instead.
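
Added diagnostic for the behaviour described above (example code, not part of the question or the answer): run it inside the SSH session on server B, once after a password logon and once after a key logon, to see whether the session carries credentials it can present to SQL Server C. It assumes the SqlServer PowerShell module is installed and uses a placeholder host name for server C; the `MSSQLSvc/<host>` SPN form is the assumed one, adjust it to the SPNs actually registered.

```powershell
# Added example, not from the original post. Run inside the SSH session on server B.
# $SqlServer is a placeholder for server C; replace it with the real host name.
param(
    [string]$SqlServer = 'SQLC.example.local'
)

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"User: {0}  AuthenticationType: {1}" -f $id.Name, $id.AuthenticationType

# 1. Kerberos ticket cache of this logon session. A password-authenticated session
#    normally holds a TGT; a key-authenticated session has an empty cache.
$klist = klist 2>&1 | Out-String
if ($klist -match 'Cached Tickets:\s*\((\d+)\)') {
    "Cached Kerberos tickets: $($Matches[1])"
} else {
    "Unrecognised klist output:`n$klist"
}

# 2. Ask the KDC for a service ticket for SQL Server's SPN (host-only form assumed).
#    This only succeeds when the session has a usable TGT, i.e. real user credentials.
$spn = "MSSQLSvc/$SqlServer"
$getTicket = klist get $spn 2>&1 | Out-String
if ($getTicket -match 'retrieved successfully|Cached Tickets') {
    "Service ticket for $spn obtained"
} else {
    "Could not obtain a service ticket for ${spn}:`n$getTicket"
}

# 3. End-to-end check: which auth scheme SQL Server saw for this connection,
#    or the 'not authenticated' error from the question.
try {
    $row = Invoke-Sqlcmd -ServerInstance $SqlServer -ErrorAction Stop -Query @"
SELECT auth_scheme, SUSER_SNAME() AS login_name
FROM sys.dm_exec_connections WHERE session_id = @@SPID
"@
    "SQL connection as {0} using {1}" -f $row.login_name, $row.auth_scheme
} catch {
    "SQL connection failed: $($_.Exception.Message)"
}
```

In the key-authenticated session you should see an empty ticket cache, a failed ticket request and the SQL error, which is the "no outbound credentials" condition the answer describes.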
