Key based authentication doesn't work immediately after a machine reboot/restart #727
Comments
Did you mean that public key is not working until a user (any user) is logged in on the target? If so, is the logon an interactive logon? Can you add more details on how exactly to reproduce this?
Yes and yes.
For me it is enough to reboot my machine. Then the first login via ssh requires a user and a password and all preceding logins can also be done with public key authentication.
@krombel thanks. I was able to repro this. LsaLogonUser is failing in ssh-agent. I'll see what can be done for May-End drop.
I'm trying to use Win32-OpenSSH as a SSH server in Vagrant, but this issue makes the whole experience quite odd, because one has to manually login at the machine before vagrant can connect. Can this issue be moved up to the July-Mid milestone? :-)
I am experiencing the same issue with AWS images I am building. I am able to get the key authentication to work only after interactive login, WinRm authentication, or password based ssh login. In fact, any of those authentication modes can be just an attempt with the wrong password and suddenly the key-based authentication starts working. I have scripted a "knock" by simply trying ssh password authentication with a bogus password. It is not ideal but it works for now.
Apologies for the delay as we were hung up with penetration testing. Will look into this for Aug-Mid drop.
@pivotal-jbarrett I use autologon (https://docs.microsoft.com/en-us/sysinternals/downloads/autologon) in AWS instances so the machine automatically logs in at boot and then I can ssh into it. I guess it's similar to your script with the exception that autologon encrypts the password in the registry.
I have debugged the internals of this issue (specifically lsass), and see that this is stemming from msv1_0.dll. From what I know, this should only impact workgroup accounts. Let me know if domain accounts are impacted too. I'm adding a workaround in ssh-agent for now while I discuss this with security team.
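The "knock" workaround described in the comment above, written out as a script so it can run unattended from a Linux client. This is an added example, not the commenter's script and not part of Win32-OpenSSH. It assumes a placeholder target such as `user@host.example`, an OpenSSH client of 8.4 or newer (for `SSH_ASKPASS_REQUIRE`), and that the account used is not subject to a lockout policy that a single failed logon would trip.

```shell
#!/bin/sh
# Added example (not from the issue thread): script the "knock" workaround, then poll
# until public-key logon works. Placeholders: the target host/user passed on the
# command line. Requires OpenSSH client >= 8.4 for SSH_ASKPASS_REQUIRE=force.

# The ssh client to run; a stub can be substituted here to exercise the logic offline.
: "${SSH_CMD:=ssh}"

# knock TARGET: make exactly one deliberately failing password logon. The bogus
# password is fed through SSH_ASKPASS so no terminal is needed. The logon failing is
# the expected outcome, so ssh's exit status is ignored.
knock() {
  target=$1
  askpass=$(mktemp)
  printf '#!/bin/sh\necho bogus-knock-password\n' > "$askpass"
  chmod 700 "$askpass"
  SSH_ASKPASS="$askpass" SSH_ASKPASS_REQUIRE=force DISPLAY=none \
    "$SSH_CMD" -o PubkeyAuthentication=no -o PreferredAuthentications=password \
      -o NumberOfPasswordPrompts=1 -o ConnectTimeout=10 \
      "$target" exit >/dev/null 2>&1 || true
  rm -f "$askpass"
}

# wait_for_key_auth TARGET MAX_TRIES DELAY: retry a non-interactive key-only logon
# until it succeeds (return 0) or MAX_TRIES attempts are used up (return 1).
wait_for_key_auth() {
  target=$1
  max_tries=${2:-10}
  delay=${3:-5}
  n=0
  while [ "$n" -lt "$max_tries" ]; do
    n=$((n + 1))
    if "$SSH_CMD" -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=10 \
         "$target" exit >/dev/null 2>&1; then
      return 0
    fi
    sleep "$delay"
  done
  return 1
}

# Usage: ./knock.sh user@host.example
if [ $# -ge 1 ]; then
  knock "$1"
  if wait_for_key_auth "$1" 10 5; then
    echo "public-key auth now works on $1"
  else
    echo "public-key auth still failing on $1 after knock" >&2
    exit 1
  fi
fi
```

On the Windows side the knock shows up as a failed logon (event ID 4625 in the Security log), so anyone monitoring for failed SSH logons should expect exactly one per boot from the provisioning host; if an account lockout threshold is configured, confirm that one failure per boot stays well under it.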
Issue is within msv1_0.dll (NTLM SSP provider). Working around by doing a fake login that populates internal state within msv1_0.dll so further S4U logons work as expected. PowerShell/Win32-OpenSSH#727
"OpenSSH for Windows" version
OpenSSH_7.5p1, OpenSSL 1.0.2d 9 Jul 2015
Server OperatingSystem
Windows Server 2012 R2 Standard
Client OperatingSystem
SUSE Linux Enterprise Server 12 SP2
What is failing
Login with public key authentication (used inside a script) is not possible until a user on the machine logs on.
Expected output
I can log in every time with the public key - not just after a user has logged in once.
Actual output
After the machine reboots it is just possible to use password-based authentication. This changes after a login on the device is done once. This can be via ssh or on the machine directly.