
Password auth works, but Public Key auth fails while connecting to OpenSSH server installed on Windows Server 2019


I'm trying to connect to a Windows Server 2019 machine via SSH so that I can deploy my web app with a GitLab CI/CD pipeline, so I installed OpenSSH Server on it, and everything works fine if I log on using password authentication.

However, if I start the service with `Start-Service sshd` from PowerShell or through a GUI like services.msc, I am not able to connect: the connection is closed with the message `debug3: recv - from CB ERROR:10054, io:000001AE1C4C53E0`.

Here are the last few lines of the ssh client output when connecting with the -vvv option:

Authenticated to x.x.x.x ([x.x.x.x]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting [email protected]
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug1: ENABLE_VIRTUAL_TERMINAL_INPUT is supported. Reading the VTSequence from console
debug3: This windows OS supports conpty
debug1: ENABLE_VIRTUAL_TERMINAL_PROCESSING is supported. Console supports the ansi parsing
debug3: Successfully set console output code page from:65001 to 65001
debug3: Successfully set console input code page from:950 to 65001
debug3: recv - from CB ERROR:10054, io:000001AE1C4C53E0
debug3: send packet: type 1
debug3: send - WSASend() ERROR:10054, io:000001AE1C4C53E0
client_loop: send disconnect: Connection reset
debug3: Successfully set console output code page from 65001 to 65001
debug3: Successfully set console input code page from 65001 to 950

On the server side, some errors are also logged:

debug1: monitor_read_log: child log fd closed
13012 2023-01-12 13:47:15.466 error: lookup_principal_name: User principal name lookup failed for user 'domain\\user' (explicit: 5, implicit: 5)
13012 2023-01-12 13:47:15.467 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'domain\\user' Status: 0xC0000062 SubStatus 0.
13012 2023-01-12 13:47:15.467 debug3: get_user_token - unable to generate token for user domain\\user
13012 2023-01-12 13:47:15.474 error: lookup_principal_name: User principal name lookup failed for user 'domain\\user' (explicit: 5, implicit: 5)
13012 2023-01-12 13:47:15.474 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'domain\\user' Status: 0xC0000062 SubStatus 0.
13012 2023-01-12 13:47:15.474 error: get_user_token - unable to generate token on 2nd attempt for user domain\\user
13012 2023-01-12 13:47:15.474 error: unable to get security token for user domain\\user
13012 2023-01-12 13:47:15.474 fatal: fork of unprivileged child failed
13012 2023-01-12 13:47:15.474 debug1: do_cleanup

I once thought this was caused by insufficient privileges of the sshd user, so I tried adding sshd to Administrators, but it didn't help...

(Screenshot: how I added the sshd user to the Administrators group)

But if I start sshd manually by running C:\Windows\System32\OpenSSH\sshd.exe, everything works fine...

Any ideas for this?

Comment:
`lookup_principal_name: User principal name lookup failed for user 'domain\\user' (explicit: 5, implicit: 5)`. That's your error right there. I know it's possible to use AD for this but not sure how it's configured for your system. I can't think of another reason to query for userPrincipalName. https://www.saotn.org/retrieve-ssh-public-key-from-active-directory-for-ssh-authentication/

Nikita Kipriyanov:
The sshd service user does not need to be in the Administrators group, but the service runs under the SYSTEM account.

YuWea:
@GregAskew After some trying, I figured out that I can log in using public key auth with a local account but not with an AD account, but I still have no idea why this happens.
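The difference between the two start methods in the question is the identity sshd runs as: the service runs as SYSTEM (as the comment above says), while a manually launched sshd.exe runs as the interactive admin, whose own domain credentials satisfy the principal lookup that fails in the server log. The script below is an added diagnostic, not code from the question, the comments or the Win32-OpenSSH project. It gathers the facts a practitioner checks before looking further: which account the service runs as, whether the machine can resolve the user's UPN in AD from the current identity, which authorized_keys file sshd will actually consult for that user, and the ACL on that file. `$UserName` is an assumption (replace it with the failing account's sAMAccountName); running the script under `psexec -s` to reproduce the SYSTEM context assumes Sysinternals PsExec is available.

```powershell
# Added diagnostic for public-key auth of a domain user on Win32-OpenSSH.
# Not from the original post. Run in an elevated PowerShell on the server;
# run it again via "psexec -s -i powershell" (assumption: PsExec installed)
# to see what the lookups return from the SYSTEM context the service uses.
param(
    [string]$UserName = 'user',          # assumption: sAMAccountName, no domain prefix
    [string]$Domain   = $env:USERDOMAIN  # NetBIOS domain name of the server
)

# 1. Identity the service runs as. Service start: StartName is LocalSystem.
#    Manual sshd.exe: the process runs as the logged-on administrator instead.
$svc = Get-CimInstance Win32_Service -Filter "Name='sshd'"
"sshd service: State=$($svc.State) StartName=$($svc.StartName) Path=$($svc.PathName)"
"This script runs as: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# 2. UPN lookup from the calling identity. DirectorySearcher with no explicit
#    credentials uses the current security context; under SYSTEM that is the
#    computer account, which is the context the failing log lines come from.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$UserName))"
[void]$searcher.PropertiesToLoad.AddRange(@('userPrincipalName', 'distinguishedName'))
try {
    $result = $searcher.FindOne()
    if ($null -eq $result) {
        "UPN lookup: no object found for sAMAccountName '$UserName'"
    } else {
        "UPN lookup: $($result.Properties['userprincipalname']) ($($result.Properties['distinguishedname']))"
    }
} catch {
    "UPN lookup failed: $($_.Exception.Message)"
}

# 3. Which key file applies. The default sshd_config shipped with Win32-OpenSSH
#    has a 'Match Group administrators' block that sends members of the local
#    Administrators group to %ProgramData%\ssh\administrators_authorized_keys
#    instead of the per-user %USERPROFILE%\.ssh\authorized_keys.
$isAdmin = $null -ne (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                      Where-Object { $_.Name -ieq "$Domain\$UserName" })
$keyFile = if ($isAdmin) {
    Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
} else {
    # Domain profiles may be named "user" or "user.DOMAIN", so match both.
    $userProfile = Get-CimInstance Win32_UserProfile |
        Where-Object { $_.LocalPath -like "*\$UserName" -or $_.LocalPath -like "*\$UserName.*" } |
        Select-Object -First 1
    if ($userProfile) { Join-Path $userProfile.LocalPath '.ssh\authorized_keys' } else { $null }
}
"Expected key file: $keyFile (user in local Administrators: $isAdmin)"

# 4. sshd rejects a key file that grants access to anyone other than SYSTEM,
#    Administrators and the owning user, so print every ACE to spot extras.
if ($keyFile -and (Test-Path $keyFile)) {
    (Get-Acl $keyFile).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
} else {
    "Key file missing or profile not found; public-key auth cannot succeed for $UserName"
}

# 5. Confirm which AuthorizedKeysFile / Match settings the live config carries.
Select-String -Path (Join-Path $env:ProgramData 'ssh\sshd_config') `
    -Pattern 'Match Group administrators|AuthorizedKeysFile|PubkeyAuthentication'
```

Compare the output of the elevated run with the `psexec -s` run: if step 2 resolves the UPN interactively but not as SYSTEM, the computer account cannot query the directory from this host and the S4U token in the log cannot be built, which matches the comment that the problem appears only for AD accounts. If step 3 points at administrators_authorized_keys while the key was placed in the user's profile, the key is simply never read.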