Sharing Windows OpenSSH keys for Linux Dual Boot

Published 2022-07-02, last modified 2022-07-05. https://erwin.co/sharing-windows-openssh-keys-for-linux-dual-boot/

TL;DR: If you run into problems with sshd (the OpenSSH server) permissions on Windows, open an Administrator PowerShell prompt and run:

    cd C:\ProgramData\ssh

    # Re-assert ownership of the host key files so icacls can operate on them again
    takeown /R /F ssh_host*

    # Reset the ACLs to the inherited defaults
    icacls ssh_host* /T /Q /C /RESET

    # Grant explicit Full Control to SYSTEM and Administrators (backticks escape the parentheses for PowerShell)
    icacls ssh_host* /grant SYSTEM:`(F`)

    icacls ssh_host* /grant Administrators:`(F`)

    # Remove inheritance so only the explicit entries remain, then hand ownership to SYSTEM
    icacls ssh_host* /inheritance:r

    icacls ssh_host* /setowner system

Previously I wrote about Installing OpenSSH on Windows. For my workflow, I actually prefer to dual-boot Linux and Windows, even though WSL2 has come a long way.

I use Barrier (the open source successor to Synergy) to share my mouse (well, trackball) and keyboard across my workstation and laptop, regardless of whether Linux or Windows is running. I securely share the same underlying keys, and have the DHCP server assign a fixed IP to each MAC address.

It's actually quite tricky to get your OpenSSH host keys from Linux's /etc/ssh/ssh_host_*key to C:\ProgramData\ssh\ssh_host_*key because of ACL details. Even though I only edited the files with nvim, which I thought should preserve the icacls state, it doesn't.

Windows ACLs (managed with icacls) are a bit like SELinux or AppArmor: not a trivial subject, so be prepared if you're going to wade in.

Windows ACLs have inheritance, which is removed with /inheritance:r.

For me, the most confusing thing about icacls is that if you break the permissions in certain ways (for example, removing inheritance before you've granted any explicit permissions on that file), you can no longer use icacls to fix them! You have to use takeown to re-assert ownership, and only then can you start using icacls again.

    PS C:\ProgramData\ssh> net stop sshd
    The OpenSSH SSH Server service was stopped successfully.

    PS C:\ProgramData\ssh> net start sshd
    The OpenSSH SSH Server service is starting.
    The OpenSSH SSH Server service could not be started.

    A system error has occurred.
    System error 1067 has occurred.
    The process terminated unexpectedly.

Because I am not a master of icacls, I completely hosed my entire C:\ProgramData permissions while trying to fix ssh...

When trying to run sshd directly from the command line rather than via the Windows service infrastructure, I actually got a bit more detail.

    PS C:\WINDOWS\system32> sshd -dd
    debug2: load_server_config: filename __PROGRAMDATA__\\ssh/sshd_config
    debug2: load_server_config: done config len = 158
    debug2: parse_server_config: config __PROGRAMDATA__\\ssh/sshd_config len 158
    debug1: sshd version OpenSSH_for_Windows_8.1, LibreSSL 3.0.2
    debug1: get_passwd: LookupAccountName() failed: 1332.
    debug1: Unable to load host key: __PROGRAMDATA__\\ssh/ssh_host_rsa_key
    debug1: Unable to load host key: __PROGRAMDATA__\\ssh/ssh_host_ecdsa_key
    debug1: Unable to load host key: __PROGRAMDATA__\\ssh/ssh_host_ed25519_key
    sshd: no hostkeys available -- exiting.

The PowerShell team provides a guide to exactly which ACL permissions are required for your ssh_host_* files:

https://github.com/PowerShell/Win32-OpenSSH/wiki/Security-protection-of-various-files-in-Win32-OpenSSH

After several rounds of shooting myself in the foot with the not very memorable friendliness of icacls, I finally ran:

    icacls "C:\ProgramData\ssh" /setowner system
    icacls "C:\ProgramData\ssh" /q /c /t /reset
    icacls "C:\ProgramData\ssh\ssh_host_*" /remove erwin

After that, I ran sshd -dd and was finally able to get OpenSSH to start on the command line without permission errors; however, net start sshd was still failing to start it...

Turns out that sshd -dd just runs sshd in interactive mode under the currently logged-on user (typically an admin). To simulate SYSTEM actually running sshd as a service, you want to run:

    psexec -s sshd.exe -ddd

(Note: psexec is part of Sysinternals, probably easiest to install with shovel...)

    PS C:\WINDOWS\system32> psexec -s sshd.exe -dd

    PsExec v2.34 - Execute processes remotely
    Copyright (C) 2001-2021 Mark Russinovich
    Sysinternals - www.sysinternals.com

    debug2: load_server_config: filename __PROGRAMDATA__\\ssh/sshd_config
    debug2: load_server_config: done config len = 158
    debug2: parse_server_config: config __PROGRAMDATA__\\ssh/sshd_config len 158
    debug1: sshd version OpenSSH_for_Windows_8.1, LibreSSL 3.0.2
    debug1: get_passwd: LookupAccountName() failed: 1332.
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Permissions for '__PROGRAMDATA__\\ssh/ssh_host_rsa_key' are too open.
    It is required that your private key files are NOT accessible by others.
    This private key will be ignored.
    debug1: Unable to load host key "__PROGRAMDATA__\\ssh/ssh_host_rsa_key": bad permissions
    debug1: Unable to load host key: __PROGRAMDATA__\\ssh/ssh_host_rsa_key
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Permissions for '__PROGRAMDATA__\\ssh/ssh_host_ecdsa_key' are too open.
    It is required that your private key files are NOT accessible by others.
    This private key will be ignored.
    debug1: Unable to load host key "__PROGRAMDATA__\\ssh/ssh_host_ecdsa_key": bad permissions
    debug1: Unable to load host key: __PROGRAMDATA__\\ssh/ssh_host_ecdsa_key
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Permissions for '__PROGRAMDATA__\\ssh/ssh_host_ed25519_key' are too open.
    It is required that your private key files are NOT accessible by others.
    This private key will be ignored.
    debug1: Unable to load host key "__PROGRAMDATA__\\ssh/ssh_host_ed25519_key": bad permissions
    debug1: Unable to load host key: __PROGRAMDATA__\\ssh/ssh_host_ed25519_key
    sshd: no hostkeys available -- exiting.
    sshd.exe exited on XPS with error code 1.

So even though I had fixed the permissions enough for my user to run sshd, it was not enough for SYSTEM to run sshd, which is how net start sshd runs it.

I wasn't even able to cd C:\ProgramData\ssh, so I started with:

    get-acl C: | set-acl C:\ProgramData

Then, when I cd into C:\ProgramData\ssh, it turns out that the permissions are in fact way more open than what Windows' sshd (or Linux sshd, for that matter) permits.

    PS C:\ProgramData\ssh> icacls ssh_host_*key
    ssh_host_dsa_key NT AUTHORITY\Authenticated Users:(I)(M)
                     NT AUTHORITY\SYSTEM:(I)(F)
                     BUILTIN\Administrators:(I)(F)
                     BUILTIN\Users:(I)(RX)

    ssh_host_ecdsa_key NT AUTHORITY\Authenticated Users:(I)(M)
                       NT AUTHORITY\SYSTEM:(I)(F)
                       BUILTIN\Administrators:(I)(F)
                       BUILTIN\Users:(I)(RX)

    ssh_host_ed25519_key NT AUTHORITY\Authenticated Users:(I)(M)
                         NT AUTHORITY\SYSTEM:(I)(F)
                         BUILTIN\Administrators:(I)(F)
                         BUILTIN\Users:(I)(RX)

    ssh_host_rsa_key NT AUTHORITY\Authenticated Users:(I)(M)
                     NT AUTHORITY\SYSTEM:(I)(F)
                     BUILTIN\Administrators:(I)(F)
                     BUILTIN\Users:(I)(RX)

    Successfully processed 4 files; Failed processing 0 files

So the easy way to do this on Windows is to focus on one file at a time... We know that sshd complained about ssh_host_rsa_key first, so we'll start there.

    # DON'T DO THIS... IT WAS NOT EASY TO FIX...
    icacls .\ssh_host_rsa_key /inheritance:r

This removed the inherited ACL entries from that file, and it's basically impossible to re-add them...

Windows' improbable answer for recovering a single file whose inheritance has been removed is to use takeown:

    takeown /R /F C:\ProgramData\ssh

    # Then reset the ACLs to their default values

    icacls C:\ProgramData\ssh /T /Q /C /RESET

After takeown runs, you'll be able to fix all the permissions again, but they will all be messed up and need fixing 😉

Now we'll try again:

    icacls.exe .\ssh_host_rsa_key

    .\ssh_host_rsa_key NT AUTHORITY\Authenticated Users:(I)(M)
                       NT AUTHORITY\SYSTEM:(I)(F)
                       BUILTIN\Administrators:(I)(F)
                       BUILTIN\Users:(I)(RX)

Now I'm first going to explicitly grant Full Control to SYSTEM.

    icacls.exe .\ssh_host_rsa_key /grant SYSTEM:`(F`)
    icacls.exe .\ssh_host_rsa_key /grant Administrators:`(F`)

Then I'm going to remove inheritance:

    icacls.exe .\ssh_host_rsa_key /inheritance:r

However, unfortunately this still doesn't work... even though it gives us exactly the values that the PowerShell team documents as required:

    ssh_host_rsa_key BUILTIN\Administrators:(F)
                     NT AUTHORITY\SYSTEM:(F)

    ssh_host_rsa_key.pub NT AUTHORITY\SYSTEM:(F)
                         BUILTIN\Administrators:(F)

When starting sshd with psexec we'll still get the error:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Permissions for '__PROGRAMDATA__\\ssh/ssh_host_rsa_key' are too open.
    It is required that your private key files are NOT accessible by others.
    This private key will be ignored.
    debug1: Unable to load host key "__PROGRAMDATA__\\ssh/ssh_host_rsa_key": bad permissions
    debug1: Unable to load host key: __PROGRAMDATA__\\ssh/ssh_host_rsa_key

After far too long a detour today, I finally solved it with:

    cd C:\ProgramData\ssh

    # Re-assert ownership of the host key files so icacls can operate on them again
    takeown /R /F ssh_host*

    # Reset the ACLs to the inherited defaults
    icacls ssh_host* /T /Q /C /RESET

    # Grant explicit Full Control to SYSTEM and Administrators (backticks escape the parentheses for PowerShell)
    icacls ssh_host* /grant SYSTEM:`(F`)

    icacls ssh_host* /grant Administrators:`(F`)

    # Remove inheritance so only the explicit entries remain, then hand ownership to SYSTEM
    icacls ssh_host* /inheritance:r

    icacls ssh_host* /setowner system

Unlike Linux, the parent directory permissions don't seem to matter.
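To confirm the end state the sequence above produces (owner SYSTEM, inheritance disabled, only SYSTEM and Administrators with Full Control) before restarting the service, here is an added audit script that is not part of the original post; it uses Get-Acl rather than icacls, assumes the default C:\ProgramData\ssh location, and the function name Test-HostKeyAcl is my own.

```powershell
# Added example (not from the original post): audit sshd host key file ACLs against the
# state the post ends with: owner NT AUTHORITY\SYSTEM, inheritance disabled, and only
# NT AUTHORITY\SYSTEM and BUILTIN\Administrators present, each with Allow FullControl.
# Run from an elevated PowerShell prompt. $KeyDir is the default Win32-OpenSSH location.
$KeyDir  = 'C:\ProgramData\ssh'
$Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-HostKeyAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $problems = @()

    if ($acl.Owner -ne 'NT AUTHORITY\SYSTEM') {
        $problems += "owner is '$($acl.Owner)', expected NT AUTHORITY\SYSTEM"
    }
    # AreAccessRulesProtected is $true once inheritance has been disabled (icacls /inheritance:r)
    if (-not $acl.AreAccessRulesProtected) {
        $problems += 'inheritance is still enabled'
    }
    foreach ($rule in $acl.Access) {
        $who = $rule.IdentityReference.Value
        if ($Allowed -notcontains $who) {
            # Any extra principal (Authenticated Users, Users, your own account) makes sshd reject the key
            $problems += "unexpected principal '$who' ($($rule.FileSystemRights))"
        } elseif ($rule.AccessControlType -ne 'Allow' -or
                  $rule.FileSystemRights -ne [System.Security.AccessControl.FileSystemRights]::FullControl) {
            $problems += "'$who' has $($rule.AccessControlType) $($rule.FileSystemRights), expected Allow FullControl"
        }
    }
    [pscustomobject]@{ File = $Path; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Check every ssh_host_* file (private keys and .pub), matching the post's ssh_host* glob
Get-ChildItem -LiteralPath $KeyDir -Filter 'ssh_host_*' -File |
    ForEach-Object { Test-HostKeyAcl -Path $_.FullName } |
    ForEach-Object {
        if ($_.Ok) { "OK   $($_.File)" }
        else { "FAIL $($_.File)`n  - " + ($_.Problems -join "`n  - ") }
    }
```

A FAIL line for a private key corresponds to the "UNPROTECTED PRIVATE KEY FILE" banner sshd prints under psexec -s, so this is a quicker way to find which file still needs the takeown/icacls sequence.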

Now, net start sshd works perfectly 🙂
