'Server refused our key' upon attempted connection to Windows Server
Solution 1
I think I'm facing the same problem... Any luck since then? Have you found the reason/solution?
EDIT:
OK, I found the cause of the issue on my side... It could be the same for you too, Chris, if you're SSH'ing with an administrator account:
Actually, a comment in this post pointed out the issue: https://stackoverflow.com/questions/20864224/putty-getting-server-refused-our-key-error
"the main fact that as an Administrator there is a bug that only looks in the administrators_authorized_keys file and not the expected Users .ssh folder for authorized_keys (everybody's point of grief running sshd on Windows)"
Solution:
At the end / bottom of the sshd_config file that's in %programdata%\ssh you need to comment out (or remove) the last two lines:
Match Group Administrators
AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
The SSH server needs to be restarted to take it into account.
Another (maybe more secure) way would be to create such an "administrators_authorized_keys" file under %programdata%\ssh and add the clients' public keys in there if those are indeed admin users.
Solution 2
I had the same issue. In short, this resulted from two separate "misconfigurations" from my side.
- You need to use the "administrators_authorized_keys" in the case of an admin user.
- The authorized_keys file needs to be of specific permissions to be used.
Make sure to create the file:
%PROGRAMDATA%\ssh\administrators_authorized_keys
Insert your SSH public key into it, and then make sure it has the right permissions by running the following command in PowerShell:
icacls.exe "C:\ProgramData\ssh\administrators_authorized_keys" /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"
This seems to have solved the problem for me. Assuming your user isn't an admin user, try only the permission part on your authorized_keys file. Perhaps it will solve it.
This solution is based on https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement under the "Administrative User" part
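A read-only check that covers both answers, as an added example that is not part of either answer: it reports whether the Match Group administrators block is still active and, if so, whether administrators_authorized_keys exists and carries the ACL that the icacls command in Solution 2 produces. It assumes the default %ProgramData%\ssh layout and an elevated PowerShell session; the function name Test-AdminAuthorizedKeys is made up for this example.

```powershell
# Added example, not from the answers. Read-only; run in an elevated PowerShell.
# Assumes the default OpenSSH for Windows layout under %ProgramData%\ssh.
function Test-AdminAuthorizedKeys {   # hypothetical helper name
    $sshDir   = Join-Path $env:ProgramData 'ssh'
    $config   = Join-Path $sshDir 'sshd_config'
    $adminKey = Join-Path $sshDir 'administrators_authorized_keys'

    # SIDs rather than names, so the check also works on non-English Windows:
    # S-1-5-18 = SYSTEM, S-1-5-32-544 = BUILTIN\Administrators
    $allowedSids = @('S-1-5-18', 'S-1-5-32-544')

    # 1. Is the "Match Group administrators" block active (not commented out)?
    $pattern = '^\s*Match\s+Group\s+administrators'
    $matchActive = [bool](Select-String -Path $config -Pattern $pattern -Quiet)
    if (-not $matchActive) {
        'Match block disabled: admins fall back to the global AuthorizedKeysFile setting.'
        return
    }
    "Match block active: admin logins are checked against $adminKey"

    # 2. The file must exist and hold at least one non-comment line.
    if (-not (Test-Path -LiteralPath $adminKey)) {
        'PROBLEM: the file does not exist, so there is no key to match.'
        return
    }
    $keys = @(Get-Content -LiteralPath $adminKey |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' })
    "Key lines found: $($keys.Count)"

    # 3. Inheritance must be off and only SYSTEM and Administrators may be listed
    #    (the state the icacls command in Solution 2 produces).
    $acl = Get-Acl -LiteralPath $adminKey
    $extra = @($acl.Access | Where-Object {
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        $allowedSids -notcontains $sid.Value
    })
    if (-not $acl.AreAccessRulesProtected) { 'ACL PROBLEM: inheritance is still enabled.' }
    foreach ($rule in $extra) {
        "ACL PROBLEM: unexpected entry $($rule.IdentityReference) ($($rule.FileSystemRights))"
    }
    if ($acl.AreAccessRulesProtected -and $extra.Count -eq 0) {
        'ACL OK: only SYSTEM and Administrators have access.'
    }
}

Test-AdminAuthorizedKeys
```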
Christopher Walters
Updated on September 18, 2022
Comments
-
Christopher Walters over 1 year
I'm attempting to use PuTTY to securely connect my remote desktop from my laptop to my desktop computer, and so far I have been successful in tunneling through the proper ports WITHOUT A KEY, just by using my username and password. These are both Windows machines, running Windows 10.
I generated a key using PuTTYGen, and each time I would copy and paste the public key into C:\Users\Chris\.ssh\authorized_keys (on the server) like so:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQBl8kTxv8cxW5tSvNjId+qrype1ZA+zEO3Qag+BHhlMvvtrx/faZp8XMXbSqulZVqXNFnN0ADAaAv2hMltP+rft4R8X9qaJSIlYdPo8F3BmV5G2mu+AQKnOrGooLfwc2oa4qOfHJMqzciFqVVTAOjo3BQ3ZtZnN23os1WfiRCcwlNZgrRlgpUPkA/CgaWTDnlDpxvNZp3fVia8pDvLlqVIIn+Fu7UEJi/pNDUiexrky7nR0JzIL3ZAPAu6U26WLJA7fYw7nlySzz/BuxiPyIzeRT+qiHQuwf2yOkCXNIeQQjgLsbw0eS67TWC7pa6NbLa0KqmgDChdSNsSB5aKTMh3T rsa-key-20190410
Then, on the client, I select the private key file in
Settings > Connection > SSH > Auth > Private key file for Authentication > C:\Users\Chris\Desktop\SSH-KEY\key1.ppk
I have double and triple checked: the public key that I pasted into authorized_keys corresponds to the private key that is loaded into PuTTY.
When I attempt to connect the session, I get this error:
Using username "Chris".
Server refused our key
[email protected]'s password:
I am able to find no further documentation or error codes.
There is no log file present, but when I enabled logging manually and opened it up after connection, this was present in the file for the client:
Using username "Chris".
Server refused our key
[email protected]'s password:
I have tried both using Chris and chris, in addition to generating and using key pairs generated from the server, and from the client.
I later found an additional log file for the server in C:\ProgramData\ssh\logs\sshd.log:
1184 2019-04-10 12:38:48.995 Server listening on :: port 22.
1184 2019-04-10 12:38:48.995 Server listening on 0.0.0.0 port 22.
13568 2019-04-10 12:39:00.943 Authentication refused.
13568 2019-04-10 12:39:04.395 Connection closed by authenticating user chris my.pub.lic.ip port 54460 [preauth]
I've seen several suggestions about using chmod, and checking /var/log/secure, both of which are useless to me as they are Linux commands and directories, and both of these machines are Windows.
I'll admit: I've kind of been losing my marbles over this. I'm doing everything that every tutorial anywhere suggests, and nothing is working.
-
Christopher Walters almost 5 years
Unfortunately no :/ I just ended up using KiTTY and just storing a password in there.
-
Chris almost 5 years
Sorry Ramhound, I'm new to StackExchange... You can see I was encouraging Chris to share a solution in case he had one.
-
Chris almost 5 years
Anyway, I fixed the problem on my side and updated my answer with it. This should do.
-
pacoverflow over 3 years
Thanks for providing the link - it contains more steps necessary to get it working.
-
acid magic over 3 years
Your solution works for me on Win 7. Thx!