
Impossible to connect to Windows 10 client machine through public IPv4

Open aragon5956 opened this issue 1 year ago • 12 comments

Prerequisites

  • [X] Write a descriptive title.
  • [X] Make sure you are able to repro it on the latest version
  • [X] Search the existing issues.

Steps to reproduce

Hello, I can't connect to my Windows 10 client machine. I have this version of OpenSSH:

```
OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2
usage: sshd [-46DdeGiqTtV] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-o option] [-p port] [-u len]
PS C:\Program Files\OpenSSH>
```


My `sshd_config` in the `ProgramData` directory is:

```
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 2222
#AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
SyslogFacility LOCAL0
LogLevel DEBUG

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# GSSAPI options
#GSSAPIAuthentication no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	sftp-server.exe

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
```

Could you help me? Regards

Expected behavior

connected with success

Actual behavior

timeout

Error details

No response

Environment data

Windows 10, latest build: 19045.5011

Version

OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2

Visuals

https://github.com/user-attachments/assets/a8712b66-c735-4cbb-bbdf-8008af4dc253

aragon5956 avatar Oct 13 '24 12:10 aragon5956

Can you run ipconfig in a terminal and ensure that the IPv4 address is correct?

tgauth avatar Oct 14 '24 18:10 tgauth

It's a public IPv4!! Not private!!

aragon5956 avatar Oct 15 '24 06:10 aragon5956

Can you check the firewall rules and make sure sshd can accept incoming connections on public networks?

tgauth avatar Oct 15 '24 19:10 tgauth

I will try as soon as possible. It's very strange, because even if I disable the firewall I can't connect through public IPv4, on port 22 or 2222, but I will verify again. Regards

aragon5956 avatar Oct 16 '24 06:10 aragon5956

Got the same issue.

LTSC 24H2, latest GitHub release, installed by the ps1 script.

Turn off the firewall completely: connects. Turn the firewall on: timed out.

Chao216 avatar Oct 16 '24 23:10 Chao216

@Chao216 did you verify the firewall rules to ensure sshd can accept incoming connections on public networks?

tgauth avatar Oct 17 '24 13:10 tgauth

Hi @tgauth,

A weird thing is that I found on some old OS versions, installing OpenSSH Server will automatically add a firewall inbound rule allowing port 22, and vice versa.

But new Windows doesn't seem to behave like that; I have to manually add a firewall inbound rule.

Regarding permissions for the log folder: I used a local admin account, could not open it and got a UAC prompt; this caused the SSH server to break later on (restart 1607 error). A question I would like answered: as I set SYSTEM and Administrators to have full control, why can't my account (a member of Administrators) access the log folder by default?

Chao216 avatar Oct 18 '24 10:10 Chao216

> Hi @tgauth,
>
> A weird thing is that I found on some old OS versions, installing OpenSSH Server will automatically add a firewall inbound rule allowing port 22, and vice versa.
>
> But new Windows doesn't seem to behave like that; I have to manually add a firewall inbound rule.

Yes - newer Windows versions still create a firewall rule, but only for private networks.

> Regarding permissions for the log folder: I used a local admin account, could not open it and got a UAC prompt; this caused the SSH server to break later on (restart 1607 error). A question I would like answered: as I set SYSTEM and Administrators to have full control, why can't my account (a member of Administrators) access the log folder by default?

Technically, the check is for the SYSTEM and Administrators group SIDs, so that is why the account, although an administrator, is rejected. We're working on updating this, but in the meantime, if you navigate to the log folder via a terminal, the user can still view the logs without the ACLs being modified by File Explorer.

tgauth avatar Oct 18 '24 14:10 tgauth

> Can you check the firewall rules and make sure sshd can accept incoming connections on public networks?

I have another firewall, the GDATA Internet Security solution, and even if I disable the firewall I can't connect through IPv4.

> Can you check the firewall rules and make sure sshd can accept incoming connections on public networks?

I can only on a private network; I've tested it.

aragon5956 avatar Oct 18 '24 19:10 aragon5956

> Can you check the firewall rules and make sure sshd can accept incoming connections on public networks?

I can only with private IPs like 192.168.1.x or localhost, and I listen on 0.0.0.0 on port 2222. Regards

aragon5956 avatar Oct 18 '24 20:10 aragon5956

> > Hi @tgauth,
> >
> > A weird thing is that I found on some old OS versions, installing OpenSSH Server will automatically add a firewall inbound rule allowing port 22, and vice versa.
> >
> > But new Windows doesn't seem to behave like that; I have to manually add a firewall inbound rule.
>
> Yes - newer Windows versions still create a firewall rule, but only for private networks.
>
> > Regarding permissions for the log folder: I used a local admin account, could not open it and got a UAC prompt; this caused the SSH server to break later on (restart 1607 error). A question I would like answered: as I set SYSTEM and Administrators to have full control, why can't my account (a member of Administrators) access the log folder by default?
>
> Technically, the check is for the SYSTEM and Administrators group SIDs, so that is why the account, although an administrator, is rejected. We're working on updating this, but in the meantime, if you navigate to the log folder via a terminal, the user can still view the logs without the ACLs being modified by File Explorer.

Reverted permissions (full control) back to NT SYSTEM and Administrators. If I use an elevated CMD or PowerShell prompt, I can cd into the log folder and cat the log content.

Maybe an elevated Explorer process will be able to access it just like the CLI environment.

Chao216 avatar Oct 19 '24 01:10 Chao216
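The log-folder situation tgauth and Chao216 describe above (an ACL that should hold only SYSTEM and Administrators, readable from an elevated shell, but rewritten when Explorer's UAC prompt is accepted), carried through as an added PowerShell example. This is not code from the Win32-OpenSSH project or from either commenter. It assumes the log directory is `C:\ProgramData\ssh\logs` (where Win32-OpenSSH writes `sshd.log` with the posted `SyslogFacility LOCAL0` setting); the function names are mine.

```powershell
# Added example; not from the Win32-OpenSSH project or the thread's commenters.
# Run from an elevated PowerShell prompt. Assumption: sshd's log directory is
# C:\ProgramData\ssh\logs, and only SYSTEM and Administrators should hold ACEs on it.

$LogDir = Join-Path $env:ProgramData 'ssh\logs'

# Compare by well-known SID so the check is independent of the OS display language.
$AllowedSids = @('S-1-5-18', 'S-1-5-32-544')   # NT AUTHORITY\SYSTEM, BUILTIN\Administrators

function Test-Elevated {
    # A UAC-filtered token carries the Administrators SID as deny-only, so an access
    # check against an Administrators-only ACL fails even for an admin account.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-StrayAces {
    # Returns every explicit (non-inherited) ACE whose principal is not SYSTEM or
    # Administrators, e.g. the user ACE Explorer adds after the UAC prompt.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $AllowedSids -notcontains $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    }
}

if (-not (Test-Elevated)) {
    Write-Warning 'Not elevated; re-run from an elevated prompt, otherwise the ACL check itself is denied.'
    return
}

$stray = Get-StrayAces -Path $LogDir
if ($stray) {
    "Extra ACEs on $LogDir (these make sshd's permission check fail):"
    $stray | Select-Object IdentityReference, FileSystemRights, AccessControlType
    # Uncomment to strip them and restore the SYSTEM/Administrators-only ACL.
    # $acl = Get-Acl -Path $LogDir
    # foreach ($ace in $stray) { [void]$acl.RemoveAccessRule($ace) }
    # Set-Acl -Path $LogDir -AclObject $acl
} else {
    "ACL on $LogDir holds only SYSTEM and Administrators."
}

# Reading the newest log from the elevated prompt needs no ACL change at all.
Get-ChildItem -Path $LogDir -Filter '*.log' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    ForEach-Object { Get-Content -Path $_.FullName -Tail 40 }
```

The removal is left commented out on purpose: inspect the stray entries first, since an inherited ACE cannot be removed this way and would need inheritance broken on the folder instead.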

> Can you run ipconfig in a terminal and ensure that the IPv4 address is correct?

I have another problem waiting, and I do not know how to solve it: https://github.com/PowerShell/Win32-OpenSSH/issues/1176

or, most recently: https://github.com/PowerShell/Win32-OpenSSH/issues/2290

aragon5956 avatar Oct 19 '24 09:10 aragon5956

> Can you check the firewall rules and make sure sshd can accept incoming connections on public networks?

Do you want video proof, as I solved other problems, about the firewall and the SSH port?

aragon5956 avatar Oct 22 '24 08:10 aragon5956

@aragon5956 - can you provide sshd logs from the connection attempt via public ip?

tgauth avatar Oct 28 '24 18:10 tgauth

I've just got this:

```
PS C:\Program Files\OpenSSH> sshd  -d
debug1: sshd version OpenSSH_for_Windows_9.5, LibreSSL 3.8.2
debug1: get_passwd: lookup_sid() failed: 1332.
debug1: private host key #0: ssh-rsa SHA256:ClEXD2C/iaTwtFDxUOPwcIrK8+CqXHlutDxXSgzIPTM
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:7qwfTYBphjkTNFm+wSF+LX9P9JKPMgu++qLcOKjd/FQ
debug1: private host key #2: ssh-ed25519 SHA256:T3TryzsUax+Lm1/tPpZtoH12STRWvMY/teFwy4HPa6o
debug1: rexec_argv[0]='C:\\Program Files\\OpenSSH\\sshd.exe'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
```

And I can't start the service either!

aragon5956 avatar Oct 28 '24 18:10 aragon5956

I will check as soon as possible whether the service configuration points to

 C:\Program Files\OpenSSH\sshd

and not to

C:\Program Files\OpenSSH\

aragon5956 avatar Oct 29 '24 04:10 aragon5956

So I checked it, and it's OK: `C:\Program Files\OpenSSH\sshd`

aragon5956 avatar Oct 29 '24 14:10 aragon5956

After solving this issue partially (#2290), I still have the problem connecting through IPv4.

aragon5956 avatar Nov 01 '24 17:11 aragon5956

If I scan my IP with the Zenmap software on Windows, and even when connecting my computer to a shared Wi-Fi without restrictions or high-level security policies, I do not see port 22 open. The connection to the sshd.exe service only works locally with the local address 127.0.0.1 and the private IP address of my computer on my home network.

aragon5956 avatar Nov 02 '24 10:11 aragon5956

@aragon5956, can you run the following in PowerShell to confirm the network firewall rule(s) for sshd: `Get-NetFirewallApplicationFilter -Program "*sshd*" | Get-NetFirewallRule`

The profile field for the sshd rule must include Public in order to connect over a public IP.

See https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell for more information on configuring firewall rules.

tgauth avatar Nov 04 '24 15:11 tgauth

Impossible; the problem comes from your program. Maybe a more complete username is required. I can only be connected by private IP.

video proof

https://github.com/user-attachments/assets/1be792f7-db72-4f4f-ab73-857c4ebbe11f

And a video demo, connected via a smartphone's shared Wi-Fi:

https://github.com/user-attachments/assets/88484cdb-17d1-4915-b84e-d1c6161a7692

Even if I disable my personal firewall!!

And my Windows 10 version:

https://github.com/user-attachments/assets/b303d52e-8d51-4b27-abde-e6452757c5be

aragon5956 avatar Nov 08 '24 16:11 aragon5956

Could you help me? Can you fix this issue? Can you capture more logs in the next version?

aragon5956 avatar Dec 15 '24 12:12 aragon5956

> Could you help me? Can you fix this issue? Can you capture more logs in the next version?

Based on the recordings, it looks like the firewall rule's profile is set to Private. The rule needs to be updated to include Public, or a new rule needs to be created that includes Public networks for sshd.

tgauth avatar Dec 16 '24 18:12 tgauth
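The checks tgauth asks for in the thread (Nov 4: list the sshd firewall rules and confirm Public is in their profile; Dec 16: extend the rule or add one that covers Public), together with the listener and NAT checks a practitioner would run at the same time, as an added PowerShell example. This is not code from the Win32-OpenSSH project or from the commenters. It assumes port 2222 from the posted sshd_config and the sshd.exe path from the posted debug output; the rule name and display name are arbitrary.

```powershell
# Added example; not from the Win32-OpenSSH project or the thread's commenters.
# Run from an elevated PowerShell prompt on the Windows host.
# Assumptions: sshd listens on TCP 2222 (Port 2222 in the posted sshd_config) and the
# binary is C:\Program Files\OpenSSH\sshd.exe (path from the posted debug output).

$Port     = 2222
$SshdPath = 'C:\Program Files\OpenSSH\sshd.exe'

# 1. Is anything listening on the port, and on which address? 0.0.0.0 covers every
#    IPv4 interface; a 127.0.0.1-only listener would explain "works locally only".
$listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Warning "Nothing is listening on TCP $Port. Check 'Get-Service sshd' and the Port line in sshd_config."
} else {
    $listeners | Select-Object LocalAddress, LocalPort, OwningProcess
}

# 2. Which network category is the active adapter in? A rule scoped to Private does
#    nothing for an adapter Windows has classified as Public (typical for a directly
#    attached ISP link or a phone hotspot).
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# 3. Enabled inbound allow rules bound to the sshd program, with their profiles.
$rules = Get-NetFirewallApplicationFilter -Program '*sshd*' | Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
$rules | Select-Object DisplayName, Profile, Enabled

# Profile stringifies as e.g. "Private" or "Domain, Private, Public"; "Any" means all.
$coversPublic = $rules | Where-Object { "$($_.Profile)" -match 'Public|Any' }

if (-not $coversPublic) {
    Write-Warning "No enabled inbound sshd rule applies to the Public profile."
    # Option A: widen the existing rule(s) to every profile.
    # $rules | Set-NetFirewallRule -Profile Any
    # Option B: add a rule scoped to the sshd binary and the configured port only,
    #           rather than opening the port for every program.
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP-AllProfiles' `
        -DisplayName "OpenSSH Server (sshd) TCP $Port" `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -Program $SshdPath -Action Allow -Profile Any
}

# 4. Does this host itself own a public IPv4 address? If every address is RFC 1918,
#    link-local or loopback, the public address belongs to the router or ISP, the
#    port must be forwarded there, and no host-firewall change can fix it.
$privateRanges = '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|169\.254\.|127\.)'
$publicAddrs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notmatch $privateRanges }
if ($publicAddrs) {
    $publicAddrs | Select-Object InterfaceAlias, IPAddress
} else {
    Write-Warning ("No public IPv4 address on any interface: the host is behind NAT. " +
        "Forward TCP $Port on the router, then test from outside with: " +
        "Test-NetConnection -ComputerName <public-ip> -Port $Port")
}
```

Step 4 is the one that separates a host-firewall problem from the upstream-firewall case reported later in the thread: if the public address is not on any local interface, the Windows Firewall profile is not where the timeout comes from, and the test has to be run from a machine outside the local network.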

It doesn't change anything. My personal internet security solution is Bitdefender Internet Security; I applied your suggestions. The proof in a video demonstration:

https://github.com/user-attachments/assets/8f82a8fc-0760-46ac-9544-3c6243958140

Is there a parameter missing that needs to be modified in C:\ProgramData\ssh\sshd_config?

Regards

aragon5956 avatar Dec 23 '24 17:12 aragon5956

I don't know what you did, but now it works even with the portable version; I can connect with my public IPv4 address.

aragon5956 avatar Jan 12 '25 12:01 aragon5956

The problem has returned!! :(

On the other hand, I just discovered this page, which is not easy to access: https://github.com/powershell/win32-openssh/releases

Has Microsoft done a Windows update?

https://github.com/user-attachments/assets/3f13564e-ffac-4f54-83c2-a739d0495e57

Do I need to change a Windows registry key?

Regards

aragon5956 avatar Jan 19 '25 08:01 aragon5956

It's my internet provider. In France I am with Orange, and for security reasons, perhaps for other French customers too, they have put a firewall upstream; I had security problems before. No matter how I change the rules of my machine's firewall or my router's, it doesn't change anything. That's why!

[updated 28 August 2025] sshd_config content:

```
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 2222
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
SyslogFacility AUTH
LogLevel DEBUG

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# GSSAPI options
#GSSAPIAuthentication no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	sftp-server.exe

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
```

aragon5956 avatar Feb 09 '25 15:02 aragon5956