When setting up public key authentication between Linux and Windows systems using OpenSSH, several configuration elements must align perfectly. The error "missing begin marker" typically indicates one of the following:
- Incorrect key file permissions
- Malformed key file content
- SSH service configuration issues
First, let's verify the key file structure on both systems. The private key should look like:
-----BEGIN DSA PRIVATE KEY-----
MIIBuwIBAAKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUp
wmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ5
1s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIVAN4A/4jZIWX+5Z6fS5Q4m9Py1XAkA8xV
-----END DSA PRIVATE KEY-----
For Windows OpenSSH server, these additional checks are crucial:
# Verify sshd service is running
Get-Service sshd | Select Status,StartType
# Check sshd_config settings
(Get-Content C:\ProgramData\ssh\sshd_config) | Where {$_ -notmatch "^#"} | Where {$_ -ne ""}
Ensure your Windows sshd_config contains these directives:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# For testing purposes
PasswordAuthentication no
Windows requires strict ACL permissions for SSH files. For the .ssh directory and authorized_keys file:
# Set permissions on .ssh folder
icacls "C:\Users\REMOTEUSER\.ssh" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Administrators:(OI)(CI)F" /grant:r "REMOTEUSER:(OI)(CI)F"
# Set permissions on authorized_keys
icacls "C:\Users\REMOTEUSER\.ssh\authorized_keys" /inheritance:r /grant:r "SYSTEM:F" /grant:r "Administrators:F" /grant:r "sshd:R" /grant:r "REMOTEUSER:F"
Enable verbose logging on both client and server:
# On Windows server (run as admin)
Stop-Service sshd
sshd -ddd
Common issues to check in logs:
- Key file access denied errors
- Authentication method sequence
- Key format recognition
If DSA keys prove problematic (OpenSSH 7.0 and later disable the ssh-dss key type by default), consider using RSA keys (minimum 2048-bit):
# Generate new RSA key pair
ssh-keygen -t rsa -b 4096 -C "windows_ssh_key"
# Convert existing key if needed
ssh-keygen -p -f ~/.ssh/id_dsa -m pem
- Verify key file permissions on both systems
- Confirm sshd_config settings match
- Check for proper line endings in authorized_keys
- Test with minimal configuration first
- Review Windows event logs for additional clues
When setting up public key authentication between a Linux client and Windows Server 2012 R2 running Win32-OpenSSH, several common pitfalls can prevent successful authentication. The error message "missing begin marker" typically indicates either permission issues or key format problems.
For public key authentication to work properly, three critical components must be correctly configured:
1. Client-side private key permissions (Linux)
2. Server-side authorized_keys file (Windows)
3. SSH daemon configuration (sshd_config)
Windows has stricter permission requirements than Unix systems for SSH keys:
# Linux client permissions should be:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_dsa
chmod 600 ~/.ssh/config
# Windows server permissions should be:
icacls C:\Users\USERNAME\.ssh\authorized_keys /grant "NT AUTHORITY\SYSTEM:(F)"
icacls C:\Users\USERNAME\.ssh\authorized_keys /grant "BUILTIN\Administrators:(F)"
icacls C:\Users\USERNAME\.ssh\authorized_keys /grant "DOMAIN\USERNAME:(F)"
The "missing begin marker" error often occurs when the key format is incorrect. Ensure your keys follow proper PEM format:
-----BEGIN DSA PRIVATE KEY-----
[base64 encoded key data]
-----END DSA PRIVATE KEY-----
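If your key lacks these markers, you can regenerate it with the command below. This creates a new key pair, so the new public key must then be added to authorized_keys on the server: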
ssh-keygen -t dsa -f ~/.ssh/id_dsa -m PEM
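A pre-flight check for the two file problems discussed above, the missing PEM markers and the authorized_keys line endings, as an added example that is not part of the original page. The function names are hypothetical, and the byte-level conditions it flags (BOM, UTF-16, CR) are assumptions about what commonly damages key files copied through Windows tools.

```python
import base64
import re
import struct

PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
PEM_END = re.compile(rb"-----END ([A-Z0-9 ]+)-----")
KEY_TYPE = re.compile(rb"(ssh-|ecdsa-sha2-|sk-)[a-z0-9@.-]+")

def encoding_findings(data: bytes) -> list:
    """Byte-level conditions to rule out before blaming sshd or permissions."""
    found = []
    if data.startswith(b"\xef\xbb\xbf"):
        found.append("UTF-8 BOM")
    if data.startswith((b"\xff\xfe", b"\xfe\xff")) or b"\x00" in data:
        found.append("UTF-16 text")
    if b"\r" in data:
        found.append("CR line endings")
    return found

def check_private_key(data: bytes) -> list:
    """First and last non-blank lines must be matching BEGIN/END markers."""
    found = encoding_findings(data)
    lines = [ln.strip() for ln in data.splitlines() if ln.strip()]
    begin = PEM_BEGIN.fullmatch(lines[0]) if lines else None
    end = PEM_END.fullmatch(lines[-1]) if lines else None
    if not begin:
        found.append("missing begin marker")
    if not end:
        found.append("missing end marker")
    if begin and end and begin.group(1) != end.group(1):
        found.append("begin/end labels differ")
    return found

def check_authorized_key(line: bytes) -> list:
    """One authorized_keys entry: [options] keytype base64-blob [comment]."""
    found = encoding_findings(line)
    fields = line.split()
    idx = next((i for i, f in enumerate(fields) if KEY_TYPE.fullmatch(f)), None)
    if idx is None or idx + 1 >= len(fields):
        return found + ["no 'keytype blob' pair"]
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
        (n,) = struct.unpack(">I", blob[:4])  # blob starts with a length-prefixed type name
        if blob[4:4 + n] != fields[idx]:
            found.append("blob does not match key type")
    except (ValueError, struct.error):
        found.append("blob is malformed")
    return found
```

Read each file in binary mode (`open(path, "rb").read()`) so the checks see the bytes exactly as sshd and ssh would, and pass authorized_keys one line at a time.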
When troubleshooting, always use verbose mode to identify where the authentication fails:
ssh -vvv -i ~/.ssh/id_dsa user@windows_host
Key things to look for in the output:
debug1: Offering public key: /home/user/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
The Win32-OpenSSH implementation has some Windows-specific behaviors:
- Ensure the SSH-Agent service is running (if using agent forwarding)
- Check Windows firewall rules for port 22
- Verify the SSH server service is properly registered
If public key authentication continues to fail, consider these alternatives while troubleshooting:
# In sshd_config:
PasswordAuthentication yes
PubkeyAuthentication yes
GSSAPIAuthentication no