1

I'm trying to configure a private key for use with WinSCP and PuTTY/Plink but I'm stuck (trying to connect from Windows 10 to Windows 2012 Server).

I have OpenSSH installed on my Windows server and I can use a username and password to connect via WinSCP (SFTP) and PuTTY (SSH-2), but when I try to use a private key I get a key refused error.

I created the key on the local machine using PuTTYgen (RSA 2048) and added it to the server's authorized_keys file (I used the feature in WinSCP to do this automatically) for my user (not a local admin) in the same location as specified in the sshd_config file (C:\Users\<username>\.ssh).

I removed all permissions for all other accounts on this folder and the authorized_keys file. I tried setting the logging to verbose on the server but there doesn't seem to be much to go on, just "Failed none" followed by "Failed publickey".

I don't know what else to try. Does anyone else have a suggestion?

0

1 Answer

1

Turns out my openssh logfile didn't have anything useful in it because I had read to change the logging level in C:\Program Files\OpenSSH\sshd_config to VERBOSE, but that didn't provide all of the information I needed. It turns out that you have to change it to DEBUG3.
Now when I tried to use the key to connect I see this:

148 09:35:57:393 debug1: Could not open authorized keys 'C:\Users\sshuser\.ssh/authorized_keys': Permission denied

Which led me to this GitHub comment specific to Windows: https://github.com/PowerShell/Win32-OpenSSH/issues/826#issuecomment-318128066

Which indicated that the NT SERVICE\sshd account needs to have read permissions on the C:\Users\sshuser\.ssh/authorized_keys folder and file for the user I was trying to connect with. In my case, even Read & Execute was too much. You can only set read permission for sshd.

2
  • To change the debug level, find the sshd_config file, then uncomment and change the values from:
      #SyslogFacility AUTH
      #LogLevel INFO
    To:
      SyslogFacility AUTH
      LogLevel DEBUG3
    – Mapkin
    Commented Mar 2, 2021 at 17:19
  • Note that the account that needs the read permissions is the account that runs the "OpenSSH SSH service". It can be a different one than the sshd. In my case OpenSSH runs under the SYSTEM account. I've summarized this in my article about Setting up SSH public key authentication of Windows OpenSSH server. Commented Mar 5, 2021 at 20:15
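
The fix described in the answer and the second comment, as an added example that is not part of the original posts: it looks up the account the OpenSSH service runs as, gives that account read-only access to the .ssh folder and authorized_keys, and lists any other accounts left on the ACL. The user name, the service name `sshd` and the full-control grant for the key's owner are assumptions; adjust them to your setup.

```powershell
# Run from an elevated PowerShell prompt on the server.
# Constructed values: 'sshuser' is the account from the log line in the answer;
# the service name 'sshd' is an assumption, confirm it with Get-Service.
$User    = 'sshuser'
$SshDir  = "C:\Users\$User\.ssh"
$KeyFile = Join-Path $SshDir 'authorized_keys'

# 1. Find the account the OpenSSH service actually runs as
#    (it may be NT SERVICE\sshd or SYSTEM, depending on the install).
$svc = Get-CimInstance Win32_Service -Filter "Name='sshd'"
if (-not $svc) { throw "Service 'sshd' not found" }
$SvcAccount = if ($svc.StartName -eq 'LocalSystem') { 'NT AUTHORITY\SYSTEM' }
              else { $svc.StartName }
Write-Host "OpenSSH service runs as: $SvcAccount"

# 2. Set explicit rights first, then stop inheriting ACEs from the profile.
foreach ($path in $SshDir, $KeyFile) {
    # Assumption: the key's owner keeps full control of their own files.
    icacls $path /grant:r "${User}:(F)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed granting $User on $path" }

    # Read only for the service account; /grant:r replaces any broader
    # explicit grant (such as Read & Execute) it already had.
    icacls $path /grant:r "${SvcAccount}:(R)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed granting $SvcAccount on $path" }

    icacls $path /inheritance:r | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed removing inheritance on $path" }
}

# 3. Audit: report every ACE that belongs to neither the user nor the service.
foreach ($path in $SshDir, $KeyFile) {
    $extra = (Get-Acl $path).Access | Where-Object {
        ($_.IdentityReference.Value -split '\\')[-1] -ne $User -and
        $_.IdentityReference.Value -ne $SvcAccount
    }
    if ($extra) {
        Write-Warning "Unexpected entries on ${path}:"
        $extra | Format-Table IdentityReference, FileSystemRights, AccessControlType
    } else {
        Write-Host "ACL on $path contains only $User and $SvcAccount"
    }
}
```

After running it, retry the key login with LogLevel DEBUG3 still set and check that the "Could not open authorized keys" line no longer appears in the log.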
