Background / what I want to achieve
I want to connect over SSH with public key authentication from Windows 10 machine B to Windows 10 machine A.
Problem / error message
Permission denied (publickey).
is displayed.
ServerLog
```
PS C:\Users\tokyo> sshd -d
debug1: sshd version OpenSSH_for_Windows_7.7, LibreSSL 2.6.5
debug1: private host key #0: ssh-rsa SHA256:G/ub26s5JItYlZ1TlGp8enYO/THKoNG6z6zCUcXqXa8
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:vn+wndGJin2OfdzGmoNuP1aFjeCNCBmz4luWCW1N15E
debug1: private host key #2: ssh-ed25519 SHA256:10hOwuqDlXAKv0JTBjXK799t49CX+RpintJ568VfT5s
debug1: rexec_argv[0]='C:\Windows\System32\OpenSSH\sshd.exe'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.0.18 port 18190 on 192.168.0.12 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_for_Windows_7.7
debug1: match: OpenSSH_for_Windows_7.7 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: sshd version OpenSSH_for_Windows_7.7, LibreSSL 2.6.5
debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: rsa-sha2-512 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user tokyo service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: user matched group list administrators at line 102
debug1: authentication methods list 0: publickey
debug1: authentication methods list 0: publickey [preauth]
debug1: userauth-request for user tokyo service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:3ZxDnxVmq/YtdwVqN8G0k8gOgEE/4aeU0DvVDJzG2x8 [preauth]
debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
Authentication refused.
Failed publickey for tokyo from 192.168.0.18 port 18190 ssh2: RSA SHA256:3ZxDnxVmq/YtdwVqN8G0k8gOgEE/4aeU0DvVDJzG2x8
debug1: userauth-request for user tokyo service ssh-connection method publickey [preauth]
debug1: attempt 2 failures 1 [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:LNRm+pBTMjfEvM2jUy04ZlFofYtVLUiN7bKBmgrfm04 [preauth]
debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
Authentication refused.
Failed publickey for tokyo from 192.168.0.18 port 18190 ssh2: RSA SHA256:LNRm+pBTMjfEvM2jUy04ZlFofYtVLUiN7bKBmgrfm04
debug1: userauth-request for user tokyo service ssh-connection method publickey [preauth]
debug1: attempt 3 failures 2 [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:VKBH7PMqKWtfxYW3tZu69PxztYSUPF6NsLs5kT2L+NI [preauth]
debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
Authentication refused.
Failed publickey for tokyo from 192.168.0.18 port 18190 ssh2: RSA SHA256:VKBH7PMqKWtfxYW3tZu69PxztYSUPF6NsLs5kT2L+NI
Connection reset by authenticating user tokyo 192.168.0.18 port 18190 [preauth]
debug1: do_cleanup [preauth]
debug1: do_cleanup
debug1: Killing privsep child 2732
PS C:\Users\tokyo>
```
ClientLog
```
PS C:\Users\take\Documents\share> ssh -i c:\users\take.ssh\id_rsa tokyo@192.168.0.12 -v
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug1: Connecting to 192.168.0.12 [192.168.0.12] port 22.
debug1: Connection established.
debug1: identity file c:\users\take\.ssh\id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file c:\users\take\.ssh\id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_7.7
debug1: match: OpenSSH_for_Windows_7.7 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.0.12:22 as 'tokyo'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:G/ub26s5JItYlZ1TlGp8enYO/THKoNG6z6zCUcXqXa8
debug1: Host '192.168.0.12' is known and matches the RSA host key.
debug1: Found key in C:\Users\take/.ssh/known_hosts:2
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: Skipping ssh-dss key .\ssh_host_dsa_key - not in PubkeyAcceptedKeyTypes
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:3ZxDnxVmq/YtdwVqN8G0k8gOgEE/4aeU0DvVDJzG2x8 .\ssh_host_rsa_key
debug1: Authentications that can continue: publickey
debug1: Offering public key: RSA SHA256:LNRm+pBTMjfEvM2jUy04ZlFofYtVLUiN7bKBmgrfm04 C:\Users\take\.ssh\id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering public key: RSA SHA256:VKBH7PMqKWtfxYW3tZu69PxztYSUPF6NsLs5kT2L+NI c:\users\take\.ssh\id_rsa
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
tokyo@192.168.0.12: Permission denied (publickey).
```
Configuration file
SshdConfig
```
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp sftp-server.exe

# Example of overriding settings on a per-user basis
#Match User anoncvs
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server



AllowUsers tokyo
AllowUsers tokyo@192.168.0.12
#AllowUsers tokyo@127.0.0.1
#AllowUsers tokyo@localhost
#AllowUsers tokyo@0.0.0.0
#AllowUsers tokyo@192.168.0.18
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey

#Logging
#SyslogFacility AUTH
LogLevel INFO
ChallengeResponseAuthentication no
Protocol 2

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
```
What I tried
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
I installed SSHD by following this procedure.
SSH connections using password authentication alone succeed.
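- I created the key pair on the client PC by running `ssh-keygen` and pressing Enter at every prompt.
- I wrote the public key to `%programdata%\ssh\administrators_authorized_keys` on the server.
- I wrote the SSH server settings in `%programdata%\ssh\sshd_config`.

After finishing the configuration, I confirmed with `Get-Service ssh*` that the service starts and restarts.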
Supplementary information (FW / tool versions, etc.)
Version information
- Win10 Pro 1906 or later
- Open SSH 7.7 or later
Network configuration
- Work Group Domain
- Wired LAN
- Static IPv4
- FW Port 22 open
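Security
- I have pasted the user names and key values as they are, but since this is all inside NAT I think it is not a problem. If it is a problem, please point it out and I will fix it immediately.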
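
A check that fits the setup described in this question (an added example, not part of the original post): OpenSSH for Windows expects the ACL on `administrators_authorized_keys` to allow access only to Administrators and SYSTEM, and the server log above stops at "Authentication refused." right after trying that file. The script below is a read-only audit of that ACL; the function name `Get-KeyFileAceReport` is hypothetical, and treating the ACL as the cause in this case is an assumption.

```powershell
# Added example: read-only audit of the ACL on the key file named in the server log.
# Run in an elevated PowerShell session on the SSH server.
$keyFile = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'

# Well-known SIDs (account names differ on localized Windows, SIDs do not).
$allowedSids = @(
    'S-1-5-32-544'   # BUILTIN\Administrators
    'S-1-5-18'       # NT AUTHORITY\SYSTEM
)

function Get-KeyFileAceReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$AllowedSids
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path

    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }

        [pscustomobject]@{
            Identity   = $name
            Sid        = $sid
            Type       = $ace.AccessControlType
            Rights     = $ace.FileSystemRights
            Inherited  = $ace.IsInherited
            # Any Allow entry for a principal outside the two SIDs is flagged.
            Unexpected = ($ace.AccessControlType -eq 'Allow') -and ($AllowedSids -notcontains $sid)
        }
    }
}

"Owner: $((Get-Acl -LiteralPath $keyFile).Owner)"
$report = @(Get-KeyFileAceReport -Path $keyFile -AllowedSids $allowedSids)
$report | Format-Table -AutoSize

$unexpected = @($report | Where-Object { $_.Unexpected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) ACE(s) grant access beyond Administrators and SYSTEM."
    # One way to reset the ACL (icacls accepts SIDs prefixed with *):
    # icacls.exe $keyFile /inheritance:r /grant "*S-1-5-32-544:F" /grant "*S-1-5-18:F"
} else {
    'ACL is limited to Administrators and SYSTEM.'
}
```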