MicrosoftDocs / windowsserverdocs

Public content repository for Windows Server content.
Creative Commons Attribution 4.0 International

GSSAPIAuthentication for OpenSSH #4669

Closed jborean93 closed 2 years ago

jborean93 commented 4 years ago

The OpenSSH docs indicate that GSSAPIAuthentication is not supported under https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/administration/OpenSSH/OpenSSH_Server_Configuration.md#not-supported. This has not been true since v7.9.0.0p1-Beta when the functionality was added.

Maybe this applies to the SSH version that is included with Windows, as I know they seem to have a separate release cadence from the releases that GitHub offers, but I would assume that it would come with something that is newer than or equal to the 7.9.0.0 release that is on GitHub (June 24 2019). But I can verify that GSSAPIAuthentication works when doing the following:

Host *.domain.com
    GSSAPIAuthentication yes
    # Same as using the -K arg but having this just applies by default
    # GSSAPIDelegateCredentials yes

From there I can authenticate using my current user's credentials without any explicit password

C:\Users\vagrant-domain>ssh dc01.domain.local -C "whoami.exe && klist.exe"
domain\vagrant-domain

Current LogonId is 0:0x59bc3

Cached Tickets: (1)

#0>     Client: vagrant-domain @ DOMAIN.LOCAL
        Server: host/dc01.domain.local @ DOMAIN.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 7/26/2020 23:49:43 (local)
        End Time:   7/27/2020 9:49:43 (local)
        Renew Time: 0
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x8 -> ASC
        Kdc Called:

I can even get a forwarded (delegatable) ticket by using the -K arg (or the GSSAPIDelegateCredentials in the client config)

C:\Users\vagrant-domain>ssh -K dc01.domain.local -C "whoami.exe && klist.exe"
domain\vagrant-domain

Current LogonId is 0:0x9bdfe

Cached Tickets: (1)

#0>     Client: vagrant-domain @ DOMAIN.LOCAL
        Server: krbtgt/DOMAIN.LOCAL @ DOMAIN.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
        Start Time: 7/26/2020 23:54:52 (local)
        End Time:   7/27/2020 9:49:43 (local)
        Renew Time: 8/2/2020 23:49:43 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:
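As an added example (not part of this thread), a small Python parser for the klist.exe output quoted above: it decodes the "Ticket Flags" hex value into flag names and reports whether the session's cache holds only the service ticket used to authenticate (host/...) or a forwarded TGT, which is what -K / GSSAPIDelegateCredentials leaves on the server. The sample klist text is constructed from the two outputs above; flag bit values follow RFC 4120 and name_canonicalize is the Windows-specific bit.

```python
import re

# Kerberos ticket flag bits as klist.exe prints them (RFC 4120 section 5.4.1 bit
# numbering, bit 0 = 0x80000000); name_canonicalize at 0x00010000 is Windows-specific.
TICKET_FLAGS = {
    0x40000000: "forwardable", 0x20000000: "forwarded", 0x10000000: "proxiable",
    0x08000000: "proxy", 0x04000000: "may_postdate", 0x02000000: "postdated",
    0x01000000: "invalid", 0x00800000: "renewable", 0x00400000: "initial",
    0x00200000: "pre_authent", 0x00100000: "hw_authent",
    0x00080000: "transited_policy_checked", 0x00040000: "ok_as_delegate",
    0x00010000: "name_canonicalize",
}

# Constructed samples: the klist output of the plain session (no -K) and of the -K
# session from the thread, trimmed to the lines this parser reads.
KLIST_NO_DELEGATION = """Cached Tickets: (1)

#0>     Client: vagrant-domain @ DOMAIN.LOCAL
        Server: host/dc01.domain.local @ DOMAIN.LOCAL
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Cache Flags: 0x8 -> ASC
"""
KLIST_DELEGATED = """Cached Tickets: (1)

#0>     Client: vagrant-domain @ DOMAIN.LOCAL
        Server: krbtgt/DOMAIN.LOCAL @ DOMAIN.LOCAL
        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
        Cache Flags: 0x1 -> PRIMARY
"""

def decode_flags(value):
    """Names of the flag bits set in a klist 'Ticket Flags' value, in klist's display order."""
    return [name for bit, name in TICKET_FLAGS.items() if value & bit]

def parse_klist(text):
    """Parse the 'Cached Tickets' section of klist.exe output into one dict per ticket."""
    tickets = []
    for line in text.splitlines():
        head = re.match(r"^#\d+>\s*Client:\s*(.+)$", line)
        if head:
            tickets.append({"client": head.group(1).strip(), "server": "", "flags": []})
        elif tickets and line.strip().startswith("Server:"):
            tickets[-1]["server"] = line.split(":", 1)[1].strip()
        elif tickets and line.strip().startswith("Ticket Flags"):
            tickets[-1]["flags"] = decode_flags(int(line.split()[2], 16))
    return tickets

def credentials_delegated(text):
    """True when the cache holds a forwarded TGT, i.e. the SSH client handed its credentials
    to the server (-K / GSSAPIDelegateCredentials yes), so that host can obtain tickets as the user."""
    return any(t["server"].startswith("krbtgt/") and "forwarded" in t["flags"]
               for t in parse_klist(text))
```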

ghost commented 4 years ago

https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_server_configuration

(referencing the originating MS Docs page in case of follow-up from any MS Docs team members or topic-savvy users)


ghost commented 4 years ago

Parallel reference to the GitHub link in OP's post:

ghost commented 4 years ago

@jborean93 : Are you suggesting or recommending changes to the page? If yes, would you like to create a Pull Request to have the page changed?

jborean93 commented 4 years ago

I can, but I guess my biggest question is around how that doc should align with the version of OpenSSH that comes with Windows itself. When I test the version of ssh ((Get-Item C:\Windows\System32\OpenSSH\ssh.exe).VersionInfo.FileVersion) on Server 2019 I get 7.7.2.1, which is from July 2018, so before this feature was available. There have been numerous releases on the GitHub repo for OpenSSH and I use them instead of the ones in Windows because the latter lags massively behind what is available.

So from the perspective of what the OpenSSH built into Windows as an optional feature is capable of, the docs are correct. But once a newer version is included in Windows they will not be.

ghost commented 4 years ago

Hmm. Good question. I don't know the answer.

I notice this is the first time you are posting here. Are you familiar with this repository for the Microsoft Docs Server documentation pages? If not, I would like to inform you that this repository is mostly / primarily intended for reporting issues with the documentation pages, or possibly requesting changes when other Microsoft information confirms that the content needs to be updated.

Please also note that the Microsoft Server Docs team is even smaller than the Microsoft IT-pro Docs team, so they might not have much time to offer help or answers to questions posted here.

That is mostly why I asked if you are willing to contribute with a PR to suggest updates or changes to the page.

You may want to look elsewhere for answers, unless you have suggestions for improving one or more specific pages in the MS Docs repository.

Disclaimer: I am not affiliated with Microsoft or the Microsoft Docs teams here on GitHub.

You might want to check out the following resources to get in touch with users who may be able to help you decide what should be a reasonable way to move forward with your question and/or issue:

jborean93 commented 4 years ago

I know somewhat how the docs work but honestly not how each team really works. I'm happy to contribute a PR, it's a simple line fix but in the context of how that fits into the scope of the docs, i.e. what OpenSSH distributions it is meant to cover, I'm not sure and would need some guidance.

If it's "no thanks, we just want to focus on what Windows includes" then I'm happy to close this. I just wanted to bring it to someone's attention that the docs don't reflect all the features that are present in the actual product in some shape or form.

ghost commented 4 years ago

Well, I have noticed that OpenSSH is documented in some of the Microsoft Docs pages, but I must admit that I don't know the topic well enough to provide a confirmation in this regard. (That is sort of why I suggested the external forums.) From my experience with this site, it is just as useful to create a PR with the intention in mind to get those questions answered properly.

@konstruktoid : Do you have any ideas or suggestions in this case?

konstruktoid commented 4 years ago

I haven't used the PowerShell OpenSSH client available in Windows, but looking at the repo, the master branch is 426 commits ahead, 683 commits behind openssh:master, which makes comparing the two versions difficult. But, as @jborean93 said, GSSAPI support has been available since https://github.com/PowerShell/openssh-portable/pull/360 (config here: https://github.com/PowerShell/openssh-portable/pull/360/files#diff-d7545c0e94c213315ed36abc8d8626d5R54-R56), so removing that line from https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_server_configuration#not-supported with a line fix PR seems like a good way to go.

jborean93 commented 4 years ago

> the master branch is 426 commits ahead, 683 commits behind openssh:master, which makes comparing the two versions difficult.

That comparison between the Win32 fork and actual OpenSSH is not really relevant here, as upstream OpenSSH does not support Windows at all. The issue is that Windows ships a version of the Win32 fork that is quite old (7.7.*) whereas the actual source of that fork on GitHub has had a few releases since then. So the docs currently reflect the behaviour of Windows 10 1809 and Server 2019, as they are too old to support GSSAPIAuthentication. I'm not sure if newer builds of Win 10 come with a newer version of OpenSSH, but in any case the only docs around installing and configuring OpenSSH from a Windows perspective seem to be from this landing page https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview. My concern is that while the product does support GSSAPIAuthentication, the version that ships with Windows does not yet. Should these docs reflect what comes in Windows or what a future release would support?

ghost commented 4 years ago

From my experience, the currently supported features are accepted as part of the documentation. Future features are usually kept on hold until the MS Docs team want to add them to the docs.

mgkuhn commented 4 years ago

According to https://github.com/PowerShell/Win32-OpenSSH/issues/1646 Microsoft will finally release on 2020-10-20 a new version of Windows that includes as an optional feature OpenSSH 8.1, which supports GSSAPIAuthentication=yes and GSSAPIDelegateCredentials=yes.

robinharwood commented 2 years ago

Hi @jborean93

Thanks for your dedication to our documentation. We've submitted a documentation change based on your suggestion, and the updated article should be live by tomorrow.

Thanks

please-close