密碼驗證在 Windows 上的 ssh 中不起作用

密碼驗證在 Windows 上的 ssh 中不起作用

我嘗試安裝 Windows OpenSSH 伺服器功能,也嘗試在 C:/Program Files/OpenSSH 中手動安裝 OpenSSH,但是當我嘗試連線時,要求輸入密碼,我輸入正確,但它說權限始終被拒絕。它工作正常,但一段時間後開始面臨這個問題。我嘗試使用 -d 選項手動運行 sshd 伺服器,它給出以下日誌

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u2
debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: rekey out after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: Sending SSH2_MSG_EXT_INFO [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey in after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user aawais@domain service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: user domain\\aawais matched group list administrators at line 84
User domain\\aawais not allowed because shell c:\\program files\\powershell\\7\\pwsh.exe does not exist
debug1: userauth-request for user aawais@domain service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: keyboard-interactive devs  [preauth]
debug1: auth2_challenge: user=aawais@domain devs= [preauth]
debug1: kbdint_alloc: devices '' [preauth]
debug1: userauth-request for user aawais@domain service ssh-connection method password [preauth]
debug1: attempt 2 failures 1 [preauth]
debug1: Windows authentication failed for user: NOUSER domain: . error: 1326 

以下是我的 sshd_config 文件

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
MaxAuthTries 600
#MaxSessions 10

PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile  .ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem   sftp    sftp-server.exe

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

造成這個問題的原因可能是什麼?

答案1

無法登入的原因:

debug1: user domain\\aawais matched group list administrators at line 84
User domain\\aawais not allowed because shell c:\\program files\\powershell\\7\\pwsh.exe does not exist

sshd 在詢問密碼之前檢查使用者的有效性。

答案2

預設 shell 位置不正確,我在問題中提到的伺服器偵錯日誌中發現了這一點,即

User domain\\aawais not allowed because shell c:\\program files\\powershell\\7\\pwsh.exe does not exist

執行以下命令設定預設shell

New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force

答案3

問題也可能是您使用的是「Microsoft」雲端帳戶。此問題有兩個修復方法:

  1. 使用您的 Microsoft 帳戶密碼登入(即https://www.microsoft.com/) 而不是您登入本機時所使用的密碼。

  2. 使用密鑰代替密碼登入。 (例如,請按照此處的指南進行操作:https://archive.is/VXPE8

  3. 將您的 Microsoft 帳戶變更為本機帳戶。如果您使用本機帳戶,「設定」->「帳戶」->「您的資訊」應該如下所示。

在此輸入影像描述

相關內容