Windows Server 2019 - OpenSSH (AD authentication and permissions)


Found the solution here:

https://github.com/MicrosoftDocs/windowsserverdocs/issues/2119

Basically, I added:

AllowGroups DOMAIN\ALLOWED_GROUP

To C:\ProgramData\ssh\sshd_config

And it worked. The reason it wasn't working at the beginning was because I was playing with a mix of AllowGroups, DenyGroups, AllowUsers and DenyUsers. But AllowGroups will ONLY grant SSH access to users that are part of the listed group(s). No need to handle all the others in DenyGroups or DenyUsers (e.g. DenyUsers DOMAIN* and then allowing the group via AllowGroups DOMAIN\ALLOWED_GROUP).


Aura

Security Administrator, GCIH

Updated on September 18, 2022

Comments

  • Aura
    Aura over 1 year

    I just installed OpenSSH Server on a Windows Server 2019, in a domain environment, and I noticed that by default, pretty much every user can connect to the server via SSH. It's as if AD authentication was working (because I can login to the server via SSH using a domain account/password), but the permissions aren't applied, or even validated.

    Basically, let's say I have 2 users, normalUser and adminUser. normalUser isn't part of any AD Groups that would give him access to WS2019SERVER, but adminUser is. Well, both users will be able to login to the server via SSH without any problem.

    If I login via SSH and do a "whoami /groups", this is what I get (if it can help).

    normalUser:

    Group Name                                                              Type             SID                                             Attributes
    ======================================================================= ================ =============================================== ===============================================================
    Everyone                                                                Well-known group S-1-1-0                                         Mandatory group, Enabled by default, Enabled group
    BUILTIN\Users                                                           Alias            S-1-5-32-545                                    Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\NETWORK                                                    Well-known group S-1-5-2                                         Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users                                        Well-known group S-1-5-11                                        Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\This Organization                                          Well-known group S-1-5-15                                        Mandatory group, Enabled by default, Enabled group
    

    adminUser:

    Group Name                                                           Type             SID                                             Attributes
    ==================================================================== ================ =============================================== ===============================================================
    Everyone                                                             Well-known group S-1-1-0                                         Mandatory group, Enabled by default, Enabled group
    BUILTIN\Users                                                        Alias            S-1-5-32-545                                    Mandatory group, Enabled by default, Enabled group
    BUILTIN\Administrators                                               Alias            S-1-5-32-544                                    Mandatory group, Enabled by default, Enabled group, Group owner
    BUILTIN\Event Log Readers                                            Alias            S-1-5-32-573                                    Mandatory group, Enabled by default, Enabled group
    

    How to prevent normalUser from SSHing into the server? I played with AllowGroup and DenyGroup in C:\ProgramData\ssh\sshd_config but it's not working (if anything, I managed to somehow block adminUser, but not normalUser?!).

    Thank you,

    Aura