PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

How I can create user access to SSH server without create actual user(s) on windows ? #1008

Closed hamedsbt closed 6 years ago

hamedsbt commented 6 years ago

Please answer the following

"OpenSSH for Windows" version OpenSSH_7.6, LibreSSL 2.5.3 Win32 (tested x86 & x64)

Server OperatingSystem Windows 10 B.1703

Client OperatingSystem Windows 8.1

I want to use Win32-OpenSSH as an SSH server (passwordless login via public-key authentication) to process Git requests from several users. So I would have to create more than 10 separate users on Windows for accessing our Git repository! How can I create user access to the SSH server without creating actual user(s) on Windows?

Thank you.

bagajjal commented 6 years ago

If you use public key authentication then you don't need to create the actual users?

hamedsbt commented 6 years ago

Thank you for your reply. I want an independent SSH key per user, but when I try to connect to ssh://michel@10.10.2.1/repo... sshd looks for authorized_keys in the "C:/Users/michel/.ssh" directory, and likewise for user sara (ssh://sara@10.10.2.1/repo...) sshd looks for authorized_keys in the "C:/Users/sara/.ssh" directory, right?! I also tried to create the "C:/Users/sara/.ssh" directory manually, but sshd logs: invalid user (got from the Windows API). So how can I manage the clients' key(s) myself? For example a D:/sft/OpenSSH-Win64/authorized-keys/ directory that contains a michel directory that contains the related michel key, and so on...

On Sara's client machine I created a config file containing:

    Host 10.10.2.1
        Hostname 10.10.2.1
        User michel
        IdentityFile C:/Users/sara/.ssh/idrsamichel

    Host 10.10.2.1
        Hostname 10.10.2.1
        User sara
        IdentityFile C:/Users/sara/.ssh/idrsasara

I added the two public keys as one authorized-keys file on the server machine.

The michel account can connect to the repo and fetch from Git, but the sara account cannot, because the server machine does not have an account named sara. sshd log:

    836 00:34:31:185 Invalid user sara from 10.10.2.3 port 49251
    836 00:34:31:185 debug2: input_userauth_request: try method none
    836 00:34:31:185 Failed none for invalid user sara from 10.10.2.3 port 49251 ssh2
    836 00:34:31:185 debug3: userauth_finish: failure partial=0 next

The server machine contains a michel account but no sara account, so it seems I have to create a sara account on the server machine too :( but I don't like it, because I have many other contributors, such as Alex, David, Steve and...

bagajjal commented 6 years ago

Keep all the public keys in one authorized keys file and configure a hard-coded path to that authorized keys file (AuthorizedKeysFile) in sshd_config.

hamedsbt commented 6 years ago

Thank you for your reply. I set a hard-coded path to the authorized keys file (D:\sft\OpenSSH-Win64\authorized_keys) and repaired the permissions via FixHostFilePermissions.ps1, but it does not work. sshd log:

    12056 22:01:03:057 debug3: fd 5 is not O_NONBLOCK
    12056 22:01:03:057 debug3: spawning "D:\sft\OpenSSH-Win64\sshd.exe"
    12056 22:01:03:135 debug1: Forked child 1928.
    1928 22:01:03:229 debug1: sshd version OpenSSH_7.6, LibreSSL 2.5.3
    1928 22:01:03:245 debug1: private host key #0: ssh-rsa SHA256:AzKKsphmaXEjgsVS6rp9Oob5VKfpvmOnQ/6UynOqLlE
    . . . . .
    1928 22:01:04:339 debug2: parse_server_config: config reprocess config len 265
    1928 22:01:04:339 debug3: NetUserGetInfo() failed with error: 2221 for user: sara and domain: (null) \n
    1928 22:01:04:339 error: DsGetDcNameW() failed with error: 1355 \n
    1928 22:01:04:339 Invalid user sara from 10.10.2.3 port 49258
    1928 22:01:04:339 debug2: input_userauth_request: try method none
    1928 22:01:04:339 Failed none for invalid user sara from 10.10.2.3 port 49258 ssh2
    1928 22:01:04:339 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive"
    1928 22:01:04:339 debug3: send packet: type 51
    1928 22:01:04:354 debug3: receive packet: type 50
    1928 22:01:04:354 debug1: userauth-request for user sara service ssh-connection method publickey
    1928 22:01:04:354 debug1: attempt 1 failures 0
    1928 22:01:04:354 debug2: input_userauth_request: try method publickey
    1928 22:01:04:354 debug2: userauth_pubkey: disabled because of invalid user
    1928 22:01:04:354 Failed publickey for invalid user sara from 10.10.2.3 port 49258 ssh2
    1928 22:01:04:354 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive"
    1928 22:01:04:354 debug3: send packet: type 51
    1928 22:01:04:370 debug3: receive packet: type 50
    1928 22:01:04:370 debug1: userauth-request for user sara service ssh-connection method publickey
    1928 22:01:04:370 debug1: attempt 2 failures 1
    1928 22:01:04:370 debug2: input_userauth_request: try method publickey
    1928 22:01:04:370 debug2: userauth_pubkey: disabled because of invalid user
    1928 22:01:07:683 debug3: recv - from CB ERROR:10054, io:00000289294AA730
    1928 22:01:07:683 Connection reset by invalid user sara 10.10.2.3 port 49258
    1928 22:01:07:683 debug1: do_cleanup

How can I solve it?

bagajjal commented 6 years ago

Looks like it didn't take the config. Please share the sshd_config.

hamedsbt commented 6 years ago

    $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $

    This is the sshd server system-wide configuration file. See
    sshd_config(5) for more information.

    This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

    The strategy used for options in the default sshd_config shipped with
    OpenSSH is to specify options with their default value where
    possible, but leave them commented. Uncommented options override the
    default value.

    Port 22
    AddressFamily any
    ListenAddress 0.0.0.0
    ListenAddress ::

    The default requires explicit activation of protocol 1
    Protocol 2

    HostKey for protocol version 1
    HostKey /etc/ssh/ssh_host_key
    HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key

    Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 1h
    ServerKeyBits 1024

    Logging
    obsoletes QuietMode and FascistLogging
    SyslogFacility AUTH
    LogLevel DEBUG3

    Authentication:

    LoginGraceTime 2m
    PermitRootLogin yes
    StrictModes yes
    MaxAuthTries 6
    MaxSessions 10

    RSAAuthentication yes
    PubkeyAuthentication yes

    The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    but this is overridden so installations will only check .ssh/authorized_keys
    AuthorizedKeysFile .ssh/authorized_keys
    AuthorizedKeysFile "D:/sft/OpenSSH-Win64/authorized_keys"

    For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    RhostsRSAAuthentication no
    similar for protocol version 2
    HostbasedAuthentication no
    Change to yes if you don't trust ~/.ssh/known_hosts for
    RhostsRSAAuthentication and HostbasedAuthentication
    IgnoreUserKnownHosts no
    Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes

    To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication yes
    PermitEmptyPasswords no

    Change to no to disable s/key passwords
    ChallengeResponseAuthentication yes

    Kerberos options
    KerberosAuthentication no
    KerberosOrLocalPasswd yes
    KerberosTicketCleanup yes
    KerberosGetAFSToken no

    GSSAPI options
    GSSAPIAuthentication no
    GSSAPICleanupCredentials yes

    Set this to 'yes' to enable PAM authentication, account processing,
    and session processing. If this is enabled, PAM authentication will
    be allowed through the ChallengeResponseAuthentication and
    PasswordAuthentication. Depending on your PAM configuration,
    PAM authentication via ChallengeResponseAuthentication may bypass
    the setting of "PermitRootLogin without-password".
    If you just want the PAM account and session checks to run without
    PAM authentication, then enable this but set PasswordAuthentication
    and ChallengeResponseAuthentication to 'no'.
    UsePAM no

    AllowAgentForwarding yes
    AllowTcpForwarding yes
    GatewayPorts no
    X11Forwarding no
    X11DisplayOffset 10
    X11UseLocalhost yes
    PrintMotd yes
    PrintLastLog yes
    TCPKeepAlive yes
    UseLogin no
    UsePrivilegeSeparation yes
    PermitUserEnvironment yes
    Compression delayed
    ClientAliveInterval 0
    ClientAliveCountMax 3
    UseDNS yes
    PidFile /var/run/sshd.pid
    MaxStartups 10
    PermitTunnel no
    ChrootDirectory none

    no default banner path
    Banner none

    override default of no subsystems
    Subsystem sftp sftp-server.exe

    Example of overriding settings on a per-user basis
    Match User anoncvs
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand cvs server

    PubkeyAcceptedKeyTypes ssh-ed25519*

    hostkeyagent \\.\pipe\openssh-ssh-agent

bagajjal commented 6 years ago

Also share the full sshd log with debug3 enabled

hamedsbt commented 6 years ago

    12056 22:18:18:392 debug3: fd 5 is not O_NONBLOCK
    12056 22:18:18:392 debug3: spawning "D:\sft\OpenSSH-Win64\sshd.exe"
    12056 22:18:18:420 debug1: Forked child 9712.
    9712 22:18:18:499 debug1: sshd version OpenSSH_7.6, LibreSSL 2.5.3
    9712 22:18:18:509 debug1: private host key #0: ssh-rsa SHA256:AzKKsphmaXEjgsVS6rp9Oob5VKfpvmOnQ/6UynOqLlE
    9712 22:18:18:510 debug1: child socket: 396
    9712 22:18:18:510 debug1: child startup_pipe: 384
    9712 22:18:18:511 Connection from 10.10.2.3 port 49259 on 10.10.2.1 port 22
    9712 22:18:18:511 debug1: Client protocol version 2.0; client software version OpenSSH_7.3
    9712 22:18:18:511 debug1: match: OpenSSH_7.3 pat OpenSSH* compat 0x04000000
    9712 22:18:18:511 debug1: Local version string SSH-2.0-OpenSSH_7.6
    9712 22:18:18:511 debug2: fd 3 setting O_NONBLOCK
    9712 22:18:19:512 debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256
    9712 22:18:19:512 debug3: send packet: type 20
    9712 22:18:19:512 debug1: SSH2_MSG_KEXINIT sent
    9712 22:18:19:513 debug3: receive packet: type 20
    9712 22:18:19:519 debug1: SSH2_MSG_KEXINIT received
    9712 22:18:19:522 debug2: local server KEXINIT proposal
    9712 22:18:19:522 debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
    9712 22:18:19:522 debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256
    9712 22:18:19:522 debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
    9712 22:18:19:522 debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
    9712 22:18:19:522 debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    9712 22:18:19:522 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    9712 22:18:19:522 debug2: compression ctos: none
    9712 22:18:19:522 debug2: compression stoc: none
    9712 22:18:19:522 debug2: languages ctos:
    9712 22:18:19:522 debug2: languages stoc:
    9712 22:18:19:522 debug2: first_kex_follows 0
    9712 22:18:19:522 debug2: reserved 0
    9712 22:18:19:522 debug2: peer client KEXINIT proposal
    9712 22:18:19:522 debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
    9712 22:18:19:522 debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
    9712 22:18:19:522 debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
    9712 22:18:19:522 debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
    9712 22:18:19:522 debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    9712 22:18:19:523 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    9712 22:18:19:523 debug2: compression ctos: none,zlib@openssh.com,zlib
    9712 22:18:19:523 debug2: compression stoc: none,zlib@openssh.com,zlib
    9712 22:18:19:523 debug2: languages ctos:
    9712 22:18:19:523 debug2: languages stoc:
    9712 22:18:19:523 debug2: first_kex_follows 0
    9712 22:18:19:523 debug2: reserved 0
    9712 22:18:19:523 debug1: kex: algorithm: curve25519-sha256@libssh.org
    9712 22:18:19:523 debug1: kex: host key algorithm: rsa-sha2-512
    9712 22:18:19:523 debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    9712 22:18:19:523 debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    9712 22:18:19:523 debug1: expecting SSH2_MSG_KEX_ECDH_INIT
    9712 22:18:19:531 debug3: receive packet: type 30
    9712 22:18:19:553 debug3: send packet: type 31
    9712 22:18:19:553 debug3: send packet: type 21
    9712 22:18:19:553 debug2: set_newkeys: mode 1
    9712 22:18:19:553 debug1: rekey after 134217728 blocks
    9712 22:18:19:553 debug1: SSH2_MSG_NEWKEYS sent
    9712 22:18:19:554 debug1: expecting SSH2_MSG_NEWKEYS
    9712 22:18:19:554 debug3: send packet: type 7
    9712 22:18:19:562 debug3: receive packet: type 21
    9712 22:18:19:562 debug1: SSH2_MSG_NEWKEYS received
    9712 22:18:19:562 debug2: set_newkeys: mode 0
    9712 22:18:19:562 debug1: rekey after 134217728 blocks
    9712 22:18:19:562 debug1: KEX done
    9712 22:18:19:602 debug3: receive packet: type 5
    9712 22:18:19:602 debug3: send packet: type 6
    9712 22:18:19:603 debug3: receive packet: type 50
    9712 22:18:19:603 debug1: userauth-request for user sara service ssh-connection method none
    9712 22:18:19:603 debug1: attempt 0 failures 0
    9712 22:18:19:603 debug2: parse_server_config: config reprocess config len 265
    9712 22:18:19:604 debug3: NetUserGetInfo() failed with error: 2221 for user: sara and domain: (null) \n
    9712 22:18:19:605 error: DsGetDcNameW() failed with error: 1355 \n
    9712 22:18:19:605 Invalid user sara from 10.10.2.3 port 49259
    9712 22:18:19:605 debug2: input_userauth_request: try method none
    9712 22:18:19:605 Failed none for invalid user sara from 10.10.2.3 port 49259 ssh2
    9712 22:18:19:605 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive"
    9712 22:18:19:605 debug3: send packet: type 51
    9712 22:18:19:624 debug3: receive packet: type 50
    9712 22:18:19:624 debug1: userauth-request for user sara service ssh-connection method publickey
    9712 22:18:19:624 debug1: attempt 1 failures 0
    9712 22:18:19:624 debug2: input_userauth_request: try method publickey
    9712 22:18:19:624 debug2: userauth_pubkey: disabled because of invalid user
    9712 22:18:19:624 Failed publickey for invalid user sara from 10.10.2.3 port 49259 ssh2
    9712 22:18:19:624 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive"
    9712 22:18:19:624 debug3: send packet: type 51
    9712 22:18:19:645 debug3: receive packet: type 50
    9712 22:18:19:645 debug1: userauth-request for user sara service ssh-connection method publickey
    9712 22:18:19:645 debug1: attempt 2 failures 1
    9712 22:18:19:645 debug2: input_userauth_request: try method publickey
    9712 22:18:19:645 debug2: userauth_pubkey: disabled because of invalid user
    9712 22:18:19:645 Failed publickey for invalid user sara from 10.10.2.3 port 49259 ssh2
    9712 22:18:19:645 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive"
    9712 22:18:19:645 debug3: send packet: type 51
    9712 22:18:19:646 debug3: receive packet: type 50
    9712 22:18:19:646 debug1: userauth-request for user sara service ssh-connection method keyboard-interactive
    9712 22:18:19:646 debug1: attempt 3 failures 2
    9712 22:18:19:646 debug2: input_userauth_request: try method keyboard-interactive
    9712 22:18:19:646 debug1: keyboard-interactive devs
    9712 22:18:19:646 debug1: auth2_challenge: user=sara devs=
    9712 22:18:19:646 debug1: kbdint_alloc: devices ''
    9712 22:18:19:646 debug2: auth2_challenge_start: devices
    9712 22:18:19:646 Failed keyboard-interactive for invalid user sara from 10.10.2.3 port 49259 ssh2
    9712 22:18:19:646 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive"
    9712 22:18:19:646 debug3: send packet: type 51
    9712 22:18:22:978 debug3: recv - from CB ERROR:10054, io:0000027190F84B30
    9712 22:18:22:979 Connection reset by invalid user sara 10.10.2.3 port 49259
    9712 22:18:22:979 debug1: do_cleanup

hamedsbt commented 6 years ago

I'm waiting for your support . . .

mgkuhn commented 6 years ago

This sounds more like a general misunderstanding of how to use ssh with git/svn/etc. than a specific issue with the Win32 port of OpenSSH. You can't mention in the git URL "ssh://michel@10.10.2.1/repo..." that you give to your users before the @ sign the name of a user "michel" that does not exist on the server OS. Windows sshd is not different from Unix ssh here: sshd can only create processes for a named existing OS user, and the name before the @ sign identifies the Windows SID/token associated with the process to be created.

But that does not mean that you need to create a Windows user for each of your git users. Instead, simply create a single Windows pseudo-user "git-repo" that owns the repository and then give every real user the same URL to log in, i.e. "ssh://git-repo@10.10.2.1/repo...". Your git users will still be distinguished by the individual key pair they use to authenticate themselves, which will select which line in the C:/Users/git-repo/.ssh/authorized_keys file of Windows user "git-repo" will let them in, where you can then vary the command that gets executed instead of a shell with the command="..." attribute (which can then pass the git/svn/etc. user name on the command line, see link below). There should be no need to change sshd_config.

You may benefit from trying this out on a POSIX system first, where this trick is very widely used and documented, before trying to port the practice to a Win32 server, where ssh is still a rather experimental service. The relevant git setup is a bit more complex (because git identifies authors and committers, not users), and usually arranged via tools such as gitolite, but for Subversion (which has users) the same trick is very easy to set up manually, and is explained in the Subversion book section "SSH Configuration Tricks": http://svnbook.red-bean.com/en/1.7/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sshtricks
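The single-account pattern described in the comment above, as an added worked example written for this page (it is not code from the Win32-OpenSSH project or from anyone in this thread): one OS account owns the repositories, the key a client presents selects one authorized_keys line, and that line's command="..." hands the contributor's name to a small wrapper which decides what git command, if any, is allowed to run. Everything named here is assumed for illustration: the shared account "git-repo", the wrapper path C:/sft/git-shell.py, the repository root D:/repos with bare repositories named <repo>.git, and the contributors, placeholder keys and per-repo rights in the sample table.

```python
"""Shared-account git over SSH: one OS account ("git-repo", assumed) owns the
repositories; contributors are told apart by the key they present, via a
forced command in that account's authorized_keys file.

Added example for this page, not code from Win32-OpenSSH or from the thread.
Assumed for illustration: the wrapper is installed at C:/sft/git-shell.py,
bare repositories live under D:/repos/<name>.git, and the contributors, keys
and rights below are constructed sample data (the keys are placeholders).
"""
import os
import re
import shlex
import subprocess
import sys

# Constructed sample: contributor -> (public key line, {repo: rights}).
# "r" permits fetch/clone (git-upload-pack); "w" permits push (git-receive-pack).
CONTRIBUTORS = {
    "michel": ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERmichel michel@laptop",
               {"repo": "rw"}),
    "sara": ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERsara sara@laptop",
             {"repo": "r"}),
}
WRAPPER = "python C:/sft/git-shell.py"   # assumed install path of this script
REPO_ROOT = "D:/repos"                    # assumed location of the bare repos
SERVICES = {"git-upload-pack": "r", "git-receive-pack": "w"}   # right each needs
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")     # no '/' at all


def authorized_keys_line(user, pubkey):
    """One authorized_keys entry for `user`.

    `restrict` (OpenSSH 7.2 and later) disables pty allocation, port, agent
    and X11 forwarding and ~/.ssh/rc; `command=` replaces whatever the client
    asked for with the wrapper, which receives the client's real request in
    SSH_ORIGINAL_COMMAND. The contributor name rides on the command line, so
    the key, not the SSH login name, identifies the person.
    """
    if not NAME_RE.match(user):
        raise ValueError(f"bad contributor name: {user!r}")
    return f'restrict,command="{WRAPPER} {user}" {pubkey}'


def build_authorized_keys(contributors=CONTRIBUTORS):
    """Render the whole authorized_keys file for the shared account."""
    return "".join(authorized_keys_line(u, key) + "\n"
                   for u, (key, _) in contributors.items())


def dispatch(user, original_command, contributors=CONTRIBUTORS, repo_root=REPO_ROOT):
    """Turn (contributor, SSH_ORIGINAL_COMMAND) into an argv to execute.

    Returns [service, repo_path]. Raises ValueError for anything that is not
    a single well-formed git request and PermissionError when the ACL denies
    it. With no original command (an interactive login) nothing is run.
    """
    if user not in contributors:
        raise PermissionError(f"unknown contributor {user!r}")
    if not original_command:
        raise ValueError("interactive shell is not offered")
    argv = shlex.split(original_command)        # git sends: git-upload-pack 'repo'
    if len(argv) != 2 or argv[0] not in SERVICES:
        raise ValueError(f"unsupported command: {original_command!r}")
    service, name = argv
    name = name.strip("/")                      # ssh://host/repo arrives as '/repo'
    if name.endswith(".git"):
        name = name[:-4]
    if not NAME_RE.match(name):                 # blocks '..', drive letters, subdirs
        raise ValueError(f"bad repository name: {name!r}")
    if SERVICES[service] not in contributors[user][1].get(name, ""):
        raise PermissionError(f"{user} may not run {service} on {name}")
    return [service, f"{repo_root}/{name}.git"]


def main():
    """Entry point when sshd runs the forced command: argv[1] is the user."""
    user = sys.argv[1] if len(sys.argv) > 1 else ""
    try:
        argv = dispatch(user, os.environ.get("SSH_ORIGINAL_COMMAND"))
    except (ValueError, PermissionError) as exc:
        print(f"fatal: {exc}", file=sys.stderr)
        return 1
    return subprocess.run(argv).returncode      # stdin/stdout stay wired to the client


if __name__ == "__main__":
    sys.exit(main())
```

The output of build_authorized_keys() is what goes into the shared account's authorized_keys (or the file named by a hard-coded AuthorizedKeysFile, as suggested earlier in the thread); every contributor then uses the same URL, ssh://git-repo@10.10.2.1/repo, with their own IdentityFile. sshd runs the forced command through the account's login shell, so the python interpreter must be on that account's PATH and, as with any authorized_keys file, the file and its parent directory must not be writable by other accounts or StrictModes will reject it.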

bagajjal commented 6 years ago

@mgkuhn is correct. Please do as he suggests.

Modify your sshd_config (to exclude the double quotes in the path): AuthorizedKeysFile D:/sft/OpenSSH-Win64/authorized_keys

manojampalam commented 6 years ago

Right. When you do

ssh user@target

"user" account should exist on "target" irrespective of the authentication type you use (password or key based).

bagajjal commented 6 years ago

@hamedsbt - can we close this issue?

hamedsbt commented 6 years ago

@bagajjal Thank you and everyone. What is the benefit of excluding the double quotes in the path? It is working with double quotes now.

bagajjal commented 6 years ago

@hamedsbt - You are right. Code strips off double quotes so it doesn't make any difference.