    Windows OpenSSH public-key authentication failure
    Server | 2019. 9. 30. 12:27

    My current company runs Windows servers.

    For the CI/CD build-out I have been working on recently, I installed an SSH server.

    Password Authentication requires typing the password on every SSH connection.

    Because I need to connect over SSH from batch files, I decided to use Public-key Authentication.

    1. Generate a public/private key pair on the client (I used ssh-keygen).

    By default, id_rsa (the private key, no extension) and id_rsa.pub (the public key) are created in the user's home directory.

    Running the command below prompts for a passphrase (a password protecting the key file), but since it would have to be entered every time the key is used, I skipped it.

    C:\Users\binaitz> ssh-keygen

    2. Copy the public key file (id_rsa.pub) from the generated pair to the user's home directory on the server under the name authorized_keys (no extension).

    C:\Users\binaitz> scp .ssh\id_rsa.pub binaitz@192.168.1.36:C:\Users\binaitz\.ssh\authorized_keys

    3. Connect over SSH.

    C:\Users\binaitz> ssh binaitz@192.168.1.36


    SSH supports several authentication methods, defined in its configuration file. With my configuration, the client should have looked for the key file first and, if present, used it to authenticate, but instead I got a password prompt. It looked as though every earlier method had failed and the client had fallen through to Password Authentication, which has the lowest priority.

    Following advice found via Google, I added the -vvv option to the ssh command to raise the logging level, but it simply moved on to the next authentication method without any specific error message.

    C:\Users\binaitz> ssh -vvv binaitz@192.168.1.36
    OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
    debug3: Failed to open file:C:/Users/binaitz/.ssh/config error:2
    debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
    debug2: resolve_canonicalize: hostname 192.168.1.116 is address
    debug2: ssh_connect_direct: needpriv 0
    debug1: Connecting to 192.168.1.36 [192.168.1.36] port 22.
    debug1: Connection established.
    debug1: identity file C:\\Users\\binaitz/.ssh/id_rsa type 0
    debug3: Failed to open file:C:/Users/binaitz/.ssh/id_rsa-cert error:2
    debug3: Failed to open file:C:/Users/binaitz/.ssh/id_rsa-cert.pub error:2
    debug1: key_load_public: No such file or directory
    debug1: identity file C:\\Users\\binaitz/.ssh/id_rsa-cert type -1
    debug3: Failed to open file:C:/Users/binaitz/.ssh/id_dsa error:2
    debug3: Failed to open file:C:/Users/binaitz/.ssh/id_dsa.pub error:2
    debug1: key_load_public: No such file or directory
    debug1: identity file C:\\Users\\binaitz/.ssh/id_dsa type -1
    debug3: Failed to open file:C:/Users/binaitz/.ssh/id_dsa-cert error:2
    debug3: Failed to open file:C:/Users/binaitz/.ssh/id_dsa-cert.pub error:2
    debug1: key_load_public: No such file or directory
    debug1: identity file C:\\Users\\binaitz/.ssh/id_dsa-cert type -1
    debug3: Failed to open file:C:/Users/binaitz/.ssh/id_ecdsa error:2
    debug3: Failed to open file:C:/Users/binaitz/.ssh/id_ecdsa.pub error:2
    debug1: key_load_public: No such file or directory
    debug1: identity file C:\\Users\\binaitz/.ssh/id_ecdsa type -1
    debug3: Failed to open file:C:/Users/binaitz/.ssh/id_ecdsa-cert error:2
    debug3: Failed to open file:C:/Users/binaitz/.ssh/id_ecdsa-cert.pub error:2
    debug1: key_load_public: No such file or directory
    debug1: identity file C:\\Users\\binaitz/.ssh/id_ecdsa-cert type -1
    debug3: Failed to open file:C:/Users/binaitz/.ssh/id_ed25519 error:2
    debug3: Failed to open file:C:/Users/binaitz/.ssh/id_ed25519.pub error:2
    debug1: key_load_public: No such file or directory
    debug1: identity file C:\\Users\\binaitz/.ssh/id_ed25519 type -1
    debug3: Failed to open file:C:/Users/binaitz/.ssh/id_ed25519-cert error:2
    debug3: Failed to open file:C:/Users/binaitz/.ssh/id_ed25519-cert.pub error:2
    debug1: key_load_public: No such file or directory
    debug1: identity file C:\\Users\\binaitz/.ssh/id_ed25519-cert type -1
    debug3: Failed to open file:C:/Users/binaitz/.ssh/id_xmss error:2
    debug3: Failed to open file:C:/Users/binaitz/.ssh/id_xmss.pub error:2
    debug1: key_load_public: No such file or directory
    debug1: identity file C:\\Users\\binaitz/.ssh/id_xmss type -1
    debug3: Failed to open file:C:/Users/binaitz/.ssh/id_xmss-cert error:2
    debug3: Failed to open file:C:/Users/binaitz/.ssh/id_xmss-cert.pub error:2
    debug1: key_load_public: No such file or directory
    debug1: identity file C:\\Users\\binaitz/.ssh/id_xmss-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
    debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_7.6
    debug1: match: OpenSSH_for_Windows_7.6 pat OpenSSH* compat 0x04000000
    debug2: fd 3 setting O_NONBLOCK
    debug1: Authenticating to 192.168.1.36:22 as 'binaitz'
    debug3: hostkeys_foreach: reading file "C:\\Users\\binaitz/.ssh/known_hosts"
    debug3: record_hostkey: found key type ECDSA in file C:\\Users\\binaitz/.ssh/known_hosts:1
    debug3: load_hostkeys: loaded 1 keys from 192.168.1.36
    debug3: Failed to open file:C:/Users/binaitz/.ssh/known_hosts2 error:2
    debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
    debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
    debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
    debug3: send packet: type 20
    debug1: SSH2_MSG_KEXINIT sent
    debug3: receive packet: type 20
    debug1: SSH2_MSG_KEXINIT received
    debug2: local client KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
    debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none
    debug2: compression stoc: none
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug2: peer server KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
    debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
    debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none
    debug2: compression stoc: none
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug3: send packet: type 30
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug3: receive packet: type 31
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:nCz5vi05TleceYLNgZb5F+Q7ixh9orutzjGmPKJXuy0
    debug3: hostkeys_foreach: reading file "C:\\Users\\binaitz/.ssh/known_hosts"
    debug3: record_hostkey: found key type ECDSA in file C:\\Users\\binaitz/.ssh/known_hosts:1
    debug3: load_hostkeys: loaded 1 keys from 192.168.1.36
    debug3: Failed to open file:C:/Users/binaitz/.ssh/known_hosts2 error:2
    debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
    debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
    debug1: Host '192.168.1.36' is known and matches the ECDSA host key.
    debug1: Found key in C:\\Users\\binaitz/.ssh/known_hosts:1
    debug3: send packet: type 21
    debug2: set_newkeys: mode 1
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug3: receive packet: type 21
    debug1: SSH2_MSG_NEWKEYS received
    debug2: set_newkeys: mode 0
    debug1: rekey after 134217728 blocks
    debug2: key: C:\\Users\\binaitz/.ssh/id_rsa (0000018D6014C400), agent
    debug2: key: C:\\Users\\binaitz/.ssh/id_dsa (0000000000000000)
    debug2: key: C:\\Users\\binaitz/.ssh/id_ecdsa (0000000000000000)
    debug2: key: C:\\Users\\binaitz/.ssh/id_ed25519 (0000000000000000)
    debug2: key: C:\\Users\\binaitz/.ssh/id_xmss (0000000000000000)
    debug3: send packet: type 5
    debug3: receive packet: type 7
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
    debug3: receive packet: type 6
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug3: send packet: type 50
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug3: start over, passed a different list publickey,password,keyboard-interactive
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering public key: RSA SHA256:8XgorhtHcleo0WhNSQB/Ez+CVL7nstqLLhCPuLmqzgs C:\\Users\\binaitz/.ssh/id_rsa
    debug3: send_pubkey_test
    debug3: send packet: type 50
    debug2: we sent a publickey packet, wait for reply
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Trying private key: C:\\Users\\binaitz/.ssh/id_dsa
    debug3: no such identity: C:\\Users\\binaitz/.ssh/id_dsa: No such file or directory
    debug1: Trying private key: C:\\Users\\binaitz/.ssh/id_ecdsa
    debug3: no such identity: C:\\Users\\binaitz/.ssh/id_ecdsa: No such file or directory
    debug1: Trying private key: C:\\Users\\binaitz/.ssh/id_ed25519
    debug3: no such identity: C:\\Users\\binaitz/.ssh/id_ed25519: No such file or directory
    debug1: Trying private key: C:\\Users\\binaitz/.ssh/id_xmss
    debug3: no such identity: C:\\Users\\binaitz/.ssh/id_xmss: No such file or directory
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup keyboard-interactive
    debug3: remaining preferred: password
    debug3: authmethod_is_enabled keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    debug2: userauth_kbdint
    debug3: send packet: type 50
    debug2: we sent a keyboard-interactive packet, wait for reply
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug3: userauth_kbdint: disable: no info_req_seen
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup password
    debug3: remaining preferred:
    debug3: authmethod_is_enabled password
    debug1: Next authentication method: password
    debug3: failed to open file:C:/dev/tty error:3
    debug1: read_passphrase: can't open /dev/tty: No such file or directory

    I had read that authentication fails if any user other than the Owner and Administrator has permissions on the .ssh directory or the authorized_keys file beneath it, so I also tried removing the other users' permissions, but that failed as well.

    After puzzling over it for a while, I thought the server's logs might show something, so I opened the server's log file, but there was nothing notable. Checking the server's configuration file (sshd_config), the logging level was at its default, INFO, so I changed it to the most verbose level, DEBUG3, restarted sshd, and connected again.

    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.
    
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options override the
    # default value.
    
    #Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    
    #HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
    #HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
    #HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
    #HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key
    
    # Ciphers and keying
    #RekeyLimit default none
    
    # Logging
    #SyslogFacility AUTH
    LogLevel DEBUG3
    
    # Authentication:
    
    #LoginGraceTime 2m
    #PermitRootLogin prohibit-password
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10
    
    # PubkeyAuthentication yes
    
    # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    # but this is overridden so installations will only check .ssh/authorized_keys
    AuthorizedKeysFile	.ssh/authorized_keys
    
    #AuthorizedPrincipalsFile none
    
    # For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes
    
    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    
    # GSSAPI options
    #GSSAPIAuthentication no
    
    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    #PermitTTY yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #PermitUserEnvironment no
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS no
    #PidFile /var/run/sshd.pid
    #MaxStartups 10:30:100
    #PermitTunnel no
    #ChrootDirectory none
    #VersionAddendum none
    
    # no default banner path
    #Banner none
    
    # override default of no subsystems
    Subsystem	sftp	sftp-server.exe
    
    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #	AllowTcpForwarding no
    #	PermitTTY no
    #	ForceCommand cvs server
    
    Match Group administrators
           AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
    


    Finally, a hint.

    This was the important part:

    debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys

    The server was looking for the authorized_keys file in __PROGRAMDATA__/ssh/administrators_authorized_keys rather than in the user's home directory. Looking into why, at the very bottom of the sshd_config shown above there is a clause that maps users in the administrators group to a different path. Because the account I was connecting with belongs to the administrators group, it was matched to that other file.

    Match Group administrators
           AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

    After removing this clause and reconnecting, a different error showed up in the log this time.

    There was hope.

    debug3: Bad permissions. Try removing permissions for user: S-1-5-11 on file C:\\ProgramData/ssh/administrators_authorized_keys.

    This error was the permission problem I had found earlier. S-1-5-11 is a Windows SID (Security Identifier); this particular SID stands for Authenticated Users.

    I right-clicked the authorized_keys file -> Properties -> Security tab and removed the Authenticated Users permission.

    Result: connection succeeded. I can now log in with Public-key Authentication.
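The two findings above (a Match Group administrators clause redirecting AuthorizedKeysFile, and an Authenticated Users ACE on the key file) can be checked in one pass on the server. This is an added example, not code from the original post; it assumes an elevated PowerShell session on the Win32-OpenSSH server, the default %ProgramData%\ssh paths shown in the sshd_config above, and that $UserName is the account you log in as.

```powershell
# Added example (not from the original post): reproduce the two checks that
# explained the failure above, on a Win32-OpenSSH server.
# Assumptions: elevated PowerShell on the SSH server; $UserName is the login account.
param([string]$UserName = $env:USERNAME)

$sshdConfig = Join-Path $env:ProgramData 'ssh\sshd_config'
$adminKeys  = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
$userKeys   = Join-Path $env:USERPROFILE '.ssh\authorized_keys'

# 1. Which file will sshd read?  When the account is in the local Administrators
#    group and sshd_config still carries "Match Group administrators", sshd ignores
#    %USERPROFILE%\.ssh\authorized_keys and reads administrators_authorized_keys.
$isAdmin  = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                   Where-Object { $_.Name -like "*\$UserName" })
$hasMatch = [bool](Select-String -Path $sshdConfig -ErrorAction SilentlyContinue `
                   -Pattern '^\s*Match\s+Group\s+administrators' -Quiet)
$effective = if ($isAdmin -and $hasMatch) { $adminKeys } else { $userKeys }
Write-Host "Administrators member: $isAdmin; Match block present: $hasMatch"
Write-Host "sshd will look for keys in: $effective"

if (-not (Test-Path $effective)) {
    Write-Warning "$effective is missing; copy the PUBLIC key (id_rsa.pub) there, never id_rsa."
    return
}

# 2. Does the ACL grant access to Authenticated Users (S-1-5-11)?  That is the
#    principal named in the 'Bad permissions' line of the DEBUG3 server log.
#    Comparing SIDs rather than display names keeps the check independent of the
#    OS language (the post was written on a Korean-language Windows).
$offending = (Get-Acl $effective).Access | Where-Object {
    try {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-11'
    } catch { $false }
}
if ($offending) {
    Write-Warning "Authenticated Users can access $effective; sshd will reject the file."
    Write-Host "Suggested fix (the command-line equivalent of the Properties > Security step above):"
    Write-Host "  icacls `"$effective`" /inheritance:d"
    Write-Host "  icacls `"$effective`" /remove `"*S-1-5-11`""
} else {
    Write-Host "ACL on $effective does not include Authenticated Users."
}
```

The script only reports; the two icacls lines it prints convert inherited ACEs to explicit ones and then drop the Authenticated Users entry, so you can review them before running anything.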
