'Server refused our key' upon attempted connection to Windows Server


Solution 1

I think I'm facing the same problem... Any luck since then? Have you found the reason/solution?

EDIT:

OK, I found the cause of the issue on my side... It could be the same for you too, Chris, if you're SSH'ing with an administrator account:

Actually, a comment in this post pointed to the issue: https://stackoverflow.com/questions/20864224/putty-getting-server-refused-our-key-error

"the main fact that as an Administrator there is a bug that only looks in the administrators_authorized_keys file and not the expected Users .ssh folder for authorized_keys (everybody's point of grief running sshd on Windows)"

Solution:

At the end / bottom of the sshd_config file that's in %programdata%\ssh you need to comment out (or remove) the last two lines:

Match Group Administrators
    AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

The SSH server needs to be restarted to take it into account.

Another (maybe more secure) way would be to create such an "administrators_authorized_keys" file under %programdata%\ssh and add the clients' public keys in there if those are indeed admin users.

Solution 2

I had the same issue. In short, this resulted from two separate "misconfigurations" from my side.

  1. You need to use the "administrators_authorized_keys" in the case of an admin user.
  2. The authorized_keys file needs to have specific permissions to be used.

Make sure to create the file:

%PROGRAMDATA%\ssh\administrators_authorized_keys

Insert your SSH public key into it, and then make sure it has the right permissions by running the following command in PowerShell:

icacls.exe "C:\ProgramData\ssh\administrators_authorized_keys" /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"

This seems to have solved the problem for me. Assuming your user isn't an admin user, try only the permission part on your authorized_keys file. Perhaps it will solve it.

This solution is based on https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement under the "Administrative User" part
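
The two answers above come down to three checks on the server: whether the Match Group block is still active in sshd_config, whether the connecting account is a local administrator, and whether the key file sshd then consults carries only the ACL entries that the icacls command leaves in place. The script below is an added example, not code from either answer; it assumes a default OpenSSH for Windows layout under %PROGRAMDATA%\ssh, a user profile under C:\Users, and an elevated PowerShell session.

```powershell
# Added diagnostic sketch (not from the answers). Run elevated on the SSH server.
param([string]$User = $env:USERNAME)

$sshDir  = Join-Path $env:ProgramData 'ssh'
$config  = Join-Path $sshDir 'sshd_config'
$adminKf = Join-Path $sshDir 'administrators_authorized_keys'

# 1. Is the "Match Group administrators" override active (present and not commented out)?
$matchActive = [bool](Get-Content $config |
    Where-Object { $_ -match '^\s*Match\s+Group\s+administrators\b' })

# 2. Is the account a direct member of the local Administrators group (S-1-5-32-544)?
#    Membership through nested domain groups is not resolved by this simple check.
$isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.Name -like "*\$User" })

# 3. Which file sshd will read for this account.
#    Assumption: the profile lives at <SystemDrive>\Users\<User>.
if ($matchActive -and $isAdmin) {
    $keyFile = $adminKf
} else {
    $keyFile = Join-Path $env:SystemDrive "Users\$User\.ssh\authorized_keys"
}
if (-not (Test-Path $keyFile)) { Write-Warning "Missing key file: $keyFile"; return }

# 4. For the administrators file, list ACL entries other than Administrators and SYSTEM,
#    i.e. anything the icacls command from Solution 2 would have removed.
$extra = @()
if ($keyFile -eq $adminKf) {
    $allowed = 'S-1-5-32-544', 'S-1-5-18'
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $extra = (Get-Acl $keyFile).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -notin $allowed } |
        ForEach-Object { $_.IdentityReference.Value }
}

[pscustomobject]@{
    User                 = $User
    MatchBlockActive     = $matchActive
    IsLocalAdmin         = $isAdmin
    KeyFileUsed          = $keyFile
    UnexpectedAclEntries = @($extra)
}
# After editing sshd_config, restart the service so the change is picked up:
#   Restart-Service sshd
```

An empty UnexpectedAclEntries list together with a KeyFileUsed path that actually contains the client's public key is the state both answers are aiming for.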


Author: Christopher Walters

Updated on September 18, 2022

Comments

  • Christopher Walters over 1 year

    I'm attempting to use PuTTY to securely connect my remote desktop from my laptop to my desktop computer, and so far I have been successful in tunneling through the proper ports WITHOUT A KEY, just by using my username and password. These are both Windows machines, running Windows 10.

    I generated a key using PuTTYGen, and each time I would copy and paste the public key into C:\Users\Chris\.ssh\authorized_keys (on the server) like so:

    ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQBl8kTxv8cxW5tSvNjId+qrype1ZA+zEO3Qag+BHhlMvvtrx/faZp8XMXbSqulZVqXNFnN0ADAaAv2hMltP+rft4R8X9qaJSIlYdPo8F3BmV5G2mu+AQKnOrGooLfwc2oa4qOfHJMqzciFqVVTAOjo3BQ3ZtZnN23os1WfiRCcwlNZgrRlgpUPkA/CgaWTDnlDpxvNZp3fVia8pDvLlqVIIn+Fu7UEJi/pNDUiexrky7nR0JzIL3ZAPAu6U26WLJA7fYw7nlySzz/BuxiPyIzeRT+qiHQuwf2yOkCXNIeQQjgLsbw0eS67TWC7pa6NbLa0KqmgDChdSNsSB5aKTMh3T rsa-key-20190410
    

    Then, on the client, I select the private key file in Settings > Connection > SSH > Auth > Private key file for Authentication > C:\Users\Chris\Desktop\SSH-KEY\key1.ppk

    I have double and triple checked: the public key that I pasted into authorized_keys corresponds to the private key that is loaded into PuTTY.

    When I attempt to connect the session, I get this error:

    Using username "Chris".
    Server refused our key
    [email protected]'s password:
    

    I am able to find no further documentation or error codes.

    There is no log file present, but when I enabled logging manually and opened it up after connection, this was present in the file for the client:

    Using username "Chris".
    Server refused our key
    [email protected]'s password:
    

    I have tried both using Chris and chris, in addition to generating and using key pairs generated from the server, and from the client.

    I later found an additional log file for the server in C:\ProgramData\ssh\logs\sshd.log:

    1184 2019-04-10 12:38:48.995 Server listening on :: port 22.
    1184 2019-04-10 12:38:48.995 Server listening on 0.0.0.0 port 22.
    13568 2019-04-10 12:39:00.943 Authentication refused.
    13568 2019-04-10 12:39:04.395 Connection closed by authenticating user chris my.pub.lic.ip port 54460 [preauth]
    

    I've seen several suggestions about using chmod, and checking /var/log/secure, both of which are useless to me as they are Linux commands and directories, and both of these machines are Windows.

    I'll admit: I've kind of been losing my marbles over this. I'm doing everything that every tutorial anywhere suggests, and nothing is working.

  • Christopher Walters almost 5 years
    Unfortunately no :/ I just ended up using KiTTY and just storing a password in there.
  • Chris almost 5 years
    Sorry Ramhound, I'm new to StackExchange... You can see I was encouraging Chris to share a solution in case he had one.
  • Chris almost 5 years
    Anyway, I fixed the problem on my side and updated my answer with it. This should do.
  • pacoverflow over 3 years
    Thanks for providing the link - it contains more steps necessary to get it working.
  • acid magic over 3 years
    Your solution works for me on Win 7. Thx!