
I am trying to establish an SSH connection from a VirtualBox Ubuntu2204 guest to Windows 10 host via ssh using public key. I can do it when I use a non-admin account, but it fails with an admin account.

Can somebody give me a hint to the solution, as I have given admin rights to my normal account and can still use it for SSH?


ACLs:

  • administrators_authorized_keys:
    Directory: C:\ProgramData\ssh

    Path                            Owner                         Access
    ----                            -----                         ------
    administrators_authorized_keys  VORDEFINIERT\Administratoren  NT-AUTORITÄT\SYSTEM Allow FullControl...


  • Client .ssh/id_rsa:
    xubuntu@xubuntu2204:~/.ssh$ getfacl id_rsa
    # file: id_rsa
    # owner: xubuntu
    # group: xubuntu
    user::rw-
    group::---
    other::---
    


Configs:

  • Server sshd_config:
    PermitRootLogin yes
    #AllowUsers AdminHIJ
    StrictModes no

    PubkeyAuthentication yes
    PasswordAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys

    ClientAliveInterval 3000

    Subsystem sftp sftp-server.exe

    Match Group administrators
      AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys


  • Client ssh_config
    Host *
      ServerAliveInterval 20
      TCPKeepAlive no
    


Logs:

  • Server:
    (base) PS C:\Windows\System32\OpenSSH> .\sshd.exe -d
    debug1: sshd version OpenSSH_for_Windows_8.1, LibreSSL 3.0.2
    debug1: private host key #0: ssh-rsa SHA256:TGAP/tbzl8vIE64yd37DdC9I2IoC8J+MpIKtKaytLHs
    debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:nLrIlMEdU9YNp7uCUHdUDL6z6+ysXalgGZ+53v4aTuQ
    debug1: private host key #2: ssh-ed25519 SHA256:eFn4JnkBpBhJ80dj91xKcyYPSM675W9sWCqglMyvkW0
    debug1: rexec_argv[0]='C:\\Windows\\System32\\OpenSSH\\sshd.exe'
    debug1: rexec_argv[1]='-d'
    debug1: Bind to port 22 on ::.
    Server listening on :: port 22.
    debug1: Bind to port 22 on 0.0.0.0.
    Server listening on 0.0.0.0 port 22.
    debug1: Server will not fork when running in debugging mode.
    Connection from 192.168.50.9 port 41988 on 192.168.50.222 port 22
    debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
    debug1: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.6 pat OpenSSH* compat 0x04000000
    debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
    debug1: SSH2_MSG_KEXINIT sent [preauth]
    debug1: SSH2_MSG_KEXINIT received [preauth]
    debug1: kex: algorithm: curve25519-sha256 [preauth]
    debug1: kex: host key algorithm: ssh-ed25519 [preauth]
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
    debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
    debug1: rekey out after 134217728 blocks [preauth]
    debug1: SSH2_MSG_NEWKEYS sent [preauth]
    debug1: Sending SSH2_MSG_EXT_INFO [preauth]
    debug1: expecting SSH2_MSG_NEWKEYS [preauth]
    debug1: SSH2_MSG_NEWKEYS received [preauth]
    debug1: rekey in after 134217728 blocks [preauth]
    debug1: KEX done [preauth]
    debug1: userauth-request for user adminhij service ssh-connection method none [preauth]
    debug1: attempt 0 failures 0 [preauth]
    debug1: get_user_token - unable to generate user token for adminhij as i am not running as system
    ga_init, unable to resolve user adminhij
    debug1: do_cleanup
    debug1: Killing privsep child 71992
    

  • Client:
    ssh -i ~/.ssh/id_rsa -v  adminhij@192.168.50.222 
    OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
    debug1: /etc/ssh/ssh_config line 21: Applying options for *
    debug1: Connecting to 192.168.50.222 [192.168.50.222] port 22.
    debug1: Connection established.
    debug1: identity file /home/xubuntu/.ssh/id_rsa type 0
    debug1: identity file /home/xubuntu/.ssh/id_rsa-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
    debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_8.1
    debug1: compat_banner: match: OpenSSH_for_Windows_8.1 pat OpenSSH* compat 0x04000000
    debug1: Authenticating to 192.168.50.222:22 as 'adminhij'
    debug1: load_hostkeys: fopen /home/xubuntu/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ssh-ed25519
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: SSH2_MSG_KEX_ECDH_REPLY received
    debug1: Server host key: ssh-ed25519 SHA256:eFn4JnkBpBhJ80dj91xKcyYPSM675W9sWCqglMyvkW0
    debug1: load_hostkeys: fopen /home/xubuntu/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: Host '192.168.50.222' is known and matches the ED25519 host key.
    debug1: Found key in /home/xubuntu/.ssh/known_hosts:3
    debug1: rekey out after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: rekey in after 134217728 blocks
    debug1: Will attempt key: /home/xubuntu/.ssh/id_rsa RSA SHA256:8vTjqYAkpcCEsaRFhBod4YKJLwYj8OPze7UJ2DvJZPk explicit
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    Connection reset by 192.168.50.222 port 22
    

Update

Sorry, but I disagree that my question is a duplicate of logging-into-windows-10-openssh-server-with-administrator-account-and-public-key. This post is about the fact that it is possible to log in via password for a certain account, but not with a public key. My post is about the fact that login is not possible with a certain admin account, but is possible with another one.

The problem account definitely exists under Windows:

(base) PS C:\Windows\System32\OpenSSH> Get-LocalUser

Name     Enabled Description
----     ------- -----------
AdminHIJ True    .... ....

If I use a non-existent account I'm still prompted for a password.

xubuntu@xubuntu2204:~/ansible-tango$ ssh FAKEUSER@192.168.50.222 
FAKEUSER@192.168.50.222's password: 

When I use my problem account AdminHIJ, I get connection reset immediately.

xubuntu@xubuntu2204:~/ansible-tango$ ssh AdminHIJ@192.168.50.222 
Connection reset by 192.168.50.222 port 22

Even if my problem does get solved after a lot of trial and error, given the amount of time invested it would be nice at least to understand the cause.

1 Answer

Change the following:

Match Group administrators
  AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

To the following:

Match Group Administratorens
  AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Additionally make sure that the key being used can only be accessed by the Administratorens user group. If for some reason this still doesn’t work, verify the exact spelling of the Administrators user group, for the primary system locale.

Ramhound
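One way to carry out the checks this answer recommends on the Windows host, as an added PowerShell example that is not part of the original answer. It assumes the default Win32-OpenSSH paths under C:\ProgramData\ssh and uses the account name AdminHIJ from the question; the group and SYSTEM names are resolved from their well-known SIDs, so it works on any system locale.

```powershell
# Added example, not from the question or answer. Resolves the locale-specific name of
# the built-in Administrators group from its well-known SID, compares it with the
# "Match Group" line in sshd_config, and lists the ACL on administrators_authorized_keys.
# Assumes the default Win32-OpenSSH paths below (adjust if your install differs).
$SshdConfig = 'C:\ProgramData\ssh\sshd_config'
$AdminKeys  = 'C:\ProgramData\ssh\administrators_authorized_keys'
$User       = 'AdminHIJ'   # the account from the question

function Resolve-Sid([string]$Sid) {
    # Well-known SIDs are identical on every locale; only the display name changes
    # (BUILTIN\Administrators on English Windows, VORDEFINIERT\Administratoren on German).
    $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $id.Translate([System.Security.Principal.NTAccount]).Value
}
$adminGroup = Resolve-Sid 'S-1-5-32-544'   # BUILTIN\Administrators
$systemAcct = Resolve-Sid 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$localName  = $adminGroup.Split('\')[-1]
"Built-in Administrators group on this system: $adminGroup"

# Compare the group name sshd_config matches on with the real local group name.
$matchLine = Select-String -Path $SshdConfig -Pattern '^\s*Match\s+Group\s+(\S+)' |
             Select-Object -First 1
if (-not $matchLine) {
    "No 'Match Group' line found in $SshdConfig"
} else {
    $configured = $matchLine.Matches[0].Groups[1].Value
    if ($configured -ieq $localName) {
        "OK: 'Match Group $configured' corresponds to $adminGroup"
    } else {
        "MISMATCH: sshd_config says '$configured' but the local group is '$localName'"
    }
}

# Is the problem account actually a member of that group? Membership decides whether
# the Match block, and therefore administrators_authorized_keys, applies to the login.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.Name }
"$User is a member of ${adminGroup}: " + ($members -contains "$env:COMPUTERNAME\$User")

# The key file should be owned by Administrators and carry ACEs only for
# Administrators and SYSTEM; any other principal on it is a finding to fix.
$acl = Get-Acl -Path $AdminKeys
"Owner of ${AdminKeys}: $($acl.Owner)"
foreach ($ace in $acl.Access) {
    "  {0,-40} {1,-6} {2}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.FileSystemRights
}
$unexpected = $acl.Access | Where-Object {
    $_.IdentityReference.Value -notin @($adminGroup, $systemAcct)
}
if ($unexpected) { "WARNING: unexpected ACEs on $AdminKeys; restrict it to $adminGroup and $systemAcct" }
```

Run it from an elevated PowerShell on the host; a MISMATCH line or an unexpected ACE points at the two causes the answer names.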