Steinforth, Patrick
2019-Jun-24 06:34 UTC
Re: Re: OpenSSH public key authentication does not work from Windows client if private key was added to SSH agent
Hi,

I pasted two server connection logs at https://pastebin.com/vJb5tnTL. First a successful one and second an unsuccessful one.

Patrick

-----Original Message-----
From: Damien Miller <djm at mindrot.org>
Sent: Saturday, 22 June 2019 10:43
To: Steinforth, Patrick <Steinforth at osnabrueck.de>
Cc: openssh-unix-dev at mindrot.org
Subject: Re: Re: OpenSSH public key authentication does not work from Windows client if private key was added to SSH agent

I don't understand why the server is rejecting the key; from the perspective of the client, it tried to use the key in both cases and the only difference visible from the client is that it was unsuccessful in the case where the agent was used.

Are you able to obtain logs from the server? It might offer some clue - try to run the server in debug mode if you can "sshd -ddd"

Also, it seems that you're using OpenSSH for Windows. You should check with the Microsoft developers first for that product.

-d

On Fri, 21 Jun 2019, Steinforth, Patrick wrote:

> Hey Damien,
>
> thank you for your reply. I posted the debug information at https://pastebin.com/40esNPED and replaced some sensitive information before (usernames, servernames, domainnames, IP addresses). In addition I commented some lines with a message like "### <my message> ###".
>
> Patrick
>
> -----Original Message-----
> From: Damien Miller <djm at mindrot.org>
> Sent: Friday, 21 June 2019 06:40
> To: Steinforth, Patrick <Steinforth at osnabrueck.de>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH public key authentication does not work from Windows client if private key was added to SSH agent
>
> On Wed, 19 Jun 2019, Steinforth, Patrick wrote:
>
> > Hey guys,
> >
> > I installed OpenSSH 7.9p1 on Windows Server 2016 and generated a SSH key pair with ssh-keygen on my Windows 10 Client (OpenSSH 7.6p1). I can connect to the server with "ssh user at domain@servername -i id_rsa". But as soon as I add the private key to the SSH agent by "ssh-add id_rsa" this does not work anymore and aborts with the message "Permission denied (publickey,keyboard-interactive)". The ssh command without "-i id_rsa" leads to the same error. As soon as I remove the private key from the ssh agent, public key authentication works again like a charm.
> >
> > If I add the public key on my Ubuntu Server 18.04 LTS to the SSH agent and establish a connection, this works without any problems. SSH client version on Ubuntu is also OpenSSH 7.6p1.
> >
> > I noticed further, if I add my key id_rsa to the SSH agent on Windows and copy the key file to id_rsa_new the connection can be established by "ssh user at domain@servername -i id_rsa_new" without any problems, but not with "-i id_rsa".
> >
> > I think this is strange and not the expected behavior. Any ideas what's wrong?
>
> Could you send the output of ssh with debugging enabled for both a working and failing connection? I.e. "ssh -vvv host"
>
> It should show what is going on.
>
> -d
Damien Miller
2019-Jun-24 12:43 UTC
Re: Re: OpenSSH public key authentication does not work from Windows client if private key was added to SSH agent
Here's the failure:

debug3: mm_answer_keyverify: publickey 000002179BBC60C0 signature unverified

This indicates that your ssh-agent is returning a bad signature for some reason. I guess you're using the Microsoft OpenSSH for Windows port, so I suggest you file an issue with them: https://github.com/PowerShell/Win32-OpenSSH/issues

You might want to try the latest 8.0.0 version from them first though.
Ron Frederick
2019-Jun-24 14:18 UTC
OpenSSH public key authentication does not work from Windows client if private key was added to SSH agent
One problem I've seen is that the Windows SSH agent doesn't seem to respect the flags requesting RSA SHA-2 signatures. I had to disable the negotiation of these signature algorithms to get key negotiation to work properly with RSA keys on Windows 10 when its built-in SSH agent was used. It looks like it always returns a SHA-1 signature.

--
Ron Frederick
ronf at timeheart.net
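
Added example (not from the thread, and not OpenSSH or Win32-OpenSSH code): a check that a client or test harness could run on the signature blob an agent returns, to spot the behaviour Ron describes, where an RSA SHA-2 signature was requested but the blob is labelled ssh-rsa (SHA-1). The flag values are those of the ssh-agent protocol; the function names and the sample blob are constructed for illustration.

```python
import struct

# Flag bits of the "flags" field in an ssh-agent sign request.
SSH_AGENT_RSA_SHA2_256 = 0x02
SSH_AGENT_RSA_SHA2_512 = 0x04

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    """Decode one SSH wire string at off; return (value, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off + 4:off + 4 + n], off + 4 + n

def expected_rsa_sigtype(flags: int) -> str:
    """Algorithm name an RSA signature should carry for the given flags.
    Assumes at most one SHA-2 flag is set; no flag means legacy SHA-1."""
    if flags & SSH_AGENT_RSA_SHA2_256:
        return "rsa-sha2-256"
    if flags & SSH_AGENT_RSA_SHA2_512:
        return "rsa-sha2-512"
    return "ssh-rsa"

def check_agent_signature(flags: int, sig_blob: bytes) -> dict:
    """Compare the algorithm named inside a signature blob with the request."""
    algo, off = read_string(sig_blob, 0)
    sig, off = read_string(sig_blob, off)
    if off != len(sig_blob):
        raise ValueError("trailing bytes after signature")
    returned = algo.decode("ascii")
    requested = expected_rsa_sigtype(flags)
    return {"requested": requested, "returned": returned,
            "sig_len": len(sig), "honoured": returned == requested}

if __name__ == "__main__":
    # Constructed sample: 256 zero bytes stand in for a 2048-bit RSA signature.
    sha1_blob = ssh_string(b"ssh-rsa") + ssh_string(bytes(256))
    print(check_agent_signature(SSH_AGENT_RSA_SHA2_512, sha1_blob))
```

A result with "honoured" false means the signature is labelled with a different algorithm than the one requested, which a server verifying against the negotiated algorithm will report as an unverified signature.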