Estou tentando configurar o ssh sem senha e sem senha de um host Linux Mint 19.1 para um host Windows 10. O host do Windows 10 possui OpenSSH_for_Windows_7.7p1. Esta é a porta OpenSSH da Microsoft.
Consigo configurar isso para contas de administrador, mas contas sem privilégios não estão funcionando para mim. As contas de administrador são feitas de maneira diferente.
Eu tentei um grande número de coisas diferentes, mas aqui está a que acho que deveria funcionar e o que há de errado com ela:
Eu crio um arquivo /Users/Alden Stromberg/.ssh/authorized_keys com mkdir e echo > (ou mkdir e cygwin vi - mesmo resultado).
Então eu uso o OpenSSHUtils paratentarpara definir as permissões corretas:
PS C:\Users\Alden Stromberg\.ssh> Import-Module 'C:\Program Files\WindowsPowerShell\Modules\OpenSSHUtils\0.0.2.0\OpenSSHUtils.psd1'
PS C:\Users\Alden Stromberg\.ssh> Repair-AuthorizedKeyPermission .\authorized_keys
[*] .\authorized_keys
'NT AUTHORITY\SYSTEM' has the following access to '.\authorized_keys': 'Deny'-'ExecuteFile'.
Shall I make it Allow FullControl?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):
Exception calling "SetAccessRule" with "1" argument(s): "This access control list is not in canonical form and therefore cannot be
modified."
At C:\Program Files\WindowsPowerShell\Modules\OpenSSHUtils\0.0.2.0\OpenSSHUtils.psm1:399 char:17
+ $acl.SetAccessRule($ace)
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : InvalidOperationException
'NT AUTHORITY\SYSTEM' now has FullControl access to '.\authorized_keys'.
'DESKTOP-A31M9SV\None' should not have access to '.\authorized_keys'..
Shall I remove this access?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):
Exception calling "RemoveAccessRule" with "1" argument(s): "This access control list is not in canonical form and therefore cannot
be modified."
At C:\Program Files\WindowsPowerShell\Modules\OpenSSHUtils\0.0.2.0\OpenSSHUtils.psm1:490 char:20
+ if(-not ($acl.RemoveAccessRule($ace)))
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : InvalidOperationException
'Everyone' should not have access to '.\authorized_keys'..
Shall I remove this access?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):
Exception calling "RemoveAccessRule" with "1" argument(s): "This access control list is not in canonical form and therefore cannot
be modified."
At C:\Program Files\WindowsPowerShell\Modules\OpenSSHUtils\0.0.2.0\OpenSSHUtils.psm1:490 char:20
+ if(-not ($acl.RemoveAccessRule($ace)))
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : InvalidOperationException
'NT SERVICE\sshd' needs Read access to '.\authorized_keys'.
Shall I make the above change?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):
Exception calling "AddAccessRule" with "1" argument(s): "This access control list is not in canonical form and therefore cannot be
modified."
At C:\Program Files\WindowsPowerShell\Modules\OpenSSHUtils\0.0.2.0\OpenSSHUtils.psm1:564 char:21
+ $acl.AddAccessRule($ace)
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : InvalidOperationException
'NT SERVICE\sshd' now has Read access to '.\authorized_keys'.
Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
At C:\Program Files\WindowsPowerShell\Modules\OpenSSHUtils\0.0.2.0\OpenSSHUtils.psm1:582 char:9
+ Set-Acl -Path $FilePath -AclObject $acl -Confirm:$false
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Users\Alden ...authorized_keys:String) [Set-Acl], PrivilegeNotHeldException
+ FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand
Repaired permissions
Na esperança de corrigir a ACL não canônica, tentei:
icacls.exe .\authorized_keys /reset /T /C /L /Q
... mas, posteriormente, executar novamente Repair-AuthorizedKeyPermission não produz alegria.
O que estou fazendo de errado? 0.0.2.0\OpenSSHUtils.psm1 está desatualizado?
Para completar, aqui está o que funcionou para contas de administrador:
get-acl c:\ProgramData\ssh\ssh_host_dsa_key | set-acl c:\ProgramData\ssh\administrators_authorized_keys
Obrigado!
Responder1
O que resolveu esse problema para mim foram comment outestas duas linhas no final do C:\ProgramData\ssh\sshd_configarquivo:
Match Group administrators
AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
Em seguida, reinicie o sshd. Depois disso (e adicionando a chave pub a ~/.ssh/authorized_keys e certificando-se de que o arquivo tinha as permissões corretas), não fui mais solicitada uma senha.
Responder2
Uma maneira de fazer com que a autenticação sem senha funcione para contas que não sejam de administrador é descrita em: https://www.techpaste.com/2015/06/windows-ssh-server-setup-and-configuration/
Resumindo, coloque-os em seu sshd_config, descomentando as entradas pré-existentes conforme necessário, encontradas emc:\ProgramData\ssh\
PermitRootLogin yes
StrictModes no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
IgnoreUserKnownHosts yes
Então net stop sshde net start sshd.
Isso provavelmente significa que suas chaves_autorizadas podem ser lidas por todos no computador, mas pelo menos funciona.