PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

ChrootDirectory in sshd_config randomly ignored for Windows server #1544

Closed Kiroha closed 4 years ago

Kiroha commented 4 years ago

"OpenSSH for Windows" version 7.7.2.2

Server OperatingSystem Windows Server 2019 Datacenter

Client OperatingSystem Windows Server 2019 Datacenter and Debian Linux

What is failing
ChrootDirectory attribute randomly ignored

Expected output
ChrootDirectory applied at each client connection

Actual output
When my sftp client makes multiple connections, the ChrootDirectory is randomly not set

bagajjal commented 4 years ago

@Kiroha - Please provide the sftp server and SSHD logs with DEBUG3 enabled.

Kiroha commented 4 years ago

Hello :)

Thanks for reply. Below the log :

First attempt => KO

8784 2020-01-23 13:42:44.665 debug3: checking match for 'Group administrators' user yoda_cor_rpa host 127.0.0.1 addr 127.0.0.1 laddr 127.0.0.1 lport 22
8784 2020-01-23 13:42:44.665 debug3: LsaLogonUser Succeeded (Impersonation: 0)
8784 2020-01-23 13:42:44.665 debug1: user l does not match group list administrators at line 84
8784 2020-01-23 13:42:44.665 debug3: match not found
8784 2020-01-23 13:42:44.665 debug3: checking match for 'User yoda_cor_rpa' user l host 127.0.0.1 addr 127.0.0.1 laddr 127.0.0.1 lport 22
8784 2020-01-23 13:42:44.665 debug3: match not found

Second Attempt => OK

7388 2020-01-23 13:43:06.698 debug3: checking match for 'Group administrators' user yoda_cor_rpa host 127.0.0.1 addr 127.0.0.1 laddr 127.0.0.1 lport 22
7388 2020-01-23 13:43:06.698 debug3: LsaLogonUser Succeeded (Impersonation: 0)
7388 2020-01-23 13:43:06.698 debug1: user yoda_cor_rpa does not match group list administrators at line 84
7388 2020-01-23 13:43:06.698 debug3: match not found
7388 2020-01-23 13:43:06.698 debug3: checking match for 'User yoda_cor_rpa' user yoda_cor_rpa host 127.0.0.1 addr 127.0.0.1 laddr 127.0.0.1 lport 22
7388 2020-01-23 13:43:06.698 debug1: user yoda_cor_rpa matched 'User yoda_cor_rpa' at line 87
7388 2020-01-23 13:43:06.698 debug3: match found
7388 2020-01-23 13:43:06.698 debug3: reprocess config:88 setting ChrootDirectory C:/Users/yoda_cor_rpa/SFTP/
7388 2020-01-23 13:43:06.698 debug3: reprocess config:89 setting ForceCommand internal-sftp

As you can see, the user is randomly 'l' when it's KO and yoda_cor_rpa when it's OK

jrohbock commented 4 years ago

This seems to be this issue: ChrootDirectory is inconsistent #1486

See also: v7.9.0.0p1-Beta breaks with multiple groups #1354 Address Group Matching Issue #380

I was running into that issue (running v7.7.2.2 on Windows Server 2019 Standard installed via Get-WindowsCapability), and in the sshd logs the symptomatic pattern was a line like the following: user <some-string-that-is-not-the-actual-username-and-usually-just-a-single-character> does not match group list ...
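
A small log check for the symptom described above, added here as an example and not code from the issue or from the Win32-OpenSSH project: it groups sshd DEBUG3 lines by PID and flags sessions where the user name in the Match evaluation changes mid-session or where no ChrootDirectory is applied. The sample lines are constructed after the ones posted earlier in this thread.

```python
"""Flag sshd sessions showing the Win32-OpenSSH Match-block symptom.

Added example (not project code). A healthy session evaluates every Match
rule against the same authenticated user and ends with ChrootDirectory
set; a broken one evaluates a rule against some other name (often a
single character) and never applies the chroot.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<pid>\d+) \S+ \S+ debug\d: (?P<msg>.*)$")
CHECK_RE = re.compile(r"checking match for '[^']+' user (?P<user>\S+)")
NOMATCH_RE = re.compile(r"user (?P<user>\S+) does not match group list")
CHROOT_RE = re.compile(r"setting ChrootDirectory (?P<path>\S+)")

# Constructed sample, modelled on the log lines posted in this issue.
SAMPLE_LOG = """\
8784 2020-01-23 13:42:44.665 debug3: checking match for 'Group administrators' user yoda_cor_rpa host 127.0.0.1 addr 127.0.0.1
8784 2020-01-23 13:42:44.665 debug1: user l does not match group list administrators at line 84
8784 2020-01-23 13:42:44.665 debug3: checking match for 'User yoda_cor_rpa' user l host 127.0.0.1 addr 127.0.0.1
8784 2020-01-23 13:42:44.665 debug3: match not found
7388 2020-01-23 13:43:06.698 debug3: checking match for 'Group administrators' user yoda_cor_rpa host 127.0.0.1 addr 127.0.0.1
7388 2020-01-23 13:43:06.698 debug1: user yoda_cor_rpa does not match group list administrators at line 84
7388 2020-01-23 13:43:06.698 debug3: reprocess config:88 setting ChrootDirectory C:/Users/yoda_cor_rpa/SFTP/
"""


def analyze(log_text):
    """Return {pid: {"users": set of names seen, "chroot": path|None, "ok": bool}}."""
    sessions = defaultdict(lambda: {"users": set(), "chroot": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s, msg = sessions[m["pid"]], m["msg"]
        for rx in (CHECK_RE, NOMATCH_RE):
            hit = rx.search(msg)
            if hit:
                s["users"].add(hit["user"])
        hit = CHROOT_RE.search(msg)
        if hit:
            s["chroot"] = hit["path"]
    for s in sessions.values():
        # More than one user name inside a single sshd PID is the bug signature.
        s["ok"] = len(s["users"]) == 1 and s["chroot"] is not None
    return dict(sessions)


if __name__ == "__main__":
    for pid, s in analyze(SAMPLE_LOG).items():
        print(pid, "OK" if s["ok"] else "KO", sorted(s["users"]), s["chroot"])
```

Run it against `sshd.log` with LogLevel DEBUG3 to count how many sessions were chrooted versus not, which makes the "random" failure rate measurable.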

Kiroha commented 4 years ago

> This seems to be this issue: ChrootDirectory is inconsistent #1486
>
> See also: v7.9.0.0p1-Beta breaks with multiple groups #1354 Address Group Matching Issue #380
>
> I was running into that issue (running v7.7.2.2 on Windows Server 2019 Standard installed via Get-WindowsCapability), and in the sshd logs the symptomatic pattern was a line like the following: user <some-string-that-is-not-the-actual-username-and-usually-just-a-single-character> does not match group list ...

Right, it seems to be exactly the same. Is there a simple way to update the OpenSSH server installed by Get-WindowsCapability without breaking the potential future updates made by Microsoft?

jrohbock commented 4 years ago

Disclaimer: I'm not entirely sure how updates work for Windows OpenSSH as an optional feature/capability.

That said, I get the distinct feeling that you should NOT manually update the Windows OpenSSH server if you've installed it via the Get-WindowsCapability PowerShell cmdlet. I would bet money that if you did do that it would break something.

I think the only supported upgrade path for Windows OpenSSH installed as an optional feature/capability would be applying Windows updates. This comment from a dev seems to indirectly imply that updates for the "Windows official releases" of OpenSSH (a.k.a. versions available as optional feature) are distributed via WU/WSUS. Any version of OpenSSH for Windows downloaded from the releases on Github and manually installed would have to be manually updated.

For the current LTSC release of Windows Server 2019 Standard it doesn't look like any updates for Windows OpenSSH have been released through WU/WSUS (from what I can see). This also seems to be backed up by this comment from another guy running Windows Server (though he's running 1909 on the SAC instead of LTSC).

If this lack of an official update to Windows OpenSSH via WU/WSUS also applies to Windows Server 2019 Datacenter and you absolutely need the new bugfixes, your best bet may be to uninstall the optional feature, install a newer OpenSSH portable release, and just deal with updating it yourself until a newer version of the OpenSSH optional feature comes through the LTSC WU/WSUS pipes. (I'm assuming you're running the LTSC channel because you said you were running "Windows Server 2019 Datacenter" specifically and the docs claim that if you have the year in the name it indicates LTSC and if the year is missing from the name it's SAC.)

I would love for someone with more knowledge on the subject to chime in, as I'm not really 100% sure on any of this.

maertendMSFT commented 4 years ago

This issue is fixed in the latest release, 8.1. It will be available in-box in an update later this year.

Julian-13 commented 3 years ago

Same issue: ChrootDirectory randomly ignored. Auth with AD, openssh-portable-8.2.p1_1,1, sftp from Windows 10 Pro (18363).

bagajjal commented 3 years ago

@Julian-13 - You are not using win32-openssh, as your version is 8.2. Our latest version is OpenSSH v8.1.

blubberstahl commented 10 months ago

Hi, I still get the issue that the chroot directory is sometimes ignored. Since the issue was fixed in 2020, is there a way to update the native Microsoft implementation of OpenSSH?

Here are the machine details:

PS C:\Windows\system32> Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

Name  : OpenSSH.Client~~~~0.0.1.0
State : Installed

Name  : OpenSSH.Server~~~~0.0.1.0
State : Installed

PS C:\Windows\system32> systeminfo

Host Name:                 *****
OS Name:                   Microsoft Windows Server 2019 Datacenter
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                *****
Original Install Date:     8/23/2022, 5:49:09 PM
System Boot Time:          12/3/2023, 5:26:11 PM
System Manufacturer:       Microsoft Corporation
System Model:              Virtual Machine
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2297 Mhz
BIOS Version:              Microsoft Corporation Hyper-V UEFI Release v4.0, 12/17/2019
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
Total Physical Memory:     16,383 MB
Available Physical Memory: 6,887 MB
Virtual Memory: Max Size:  18,815 MB
Virtual Memory: Available: 8,949 MB
Virtual Memory: In Use:    9,866 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    *****
Logon Server:              *****
Hotfix(s):                 14 Hotfix(s) Installed.
                           [01]: KB5031990
                           [02]: KB4486153
                           [03]: KB4535680
                           [04]: KB4589208
                           [05]: KB5005112
                           [06]: KB5032196
                           [07]: KB5015896
                           [08]: KB5017400
                           [09]: KB5020374
                           [10]: KB5023789
                           [11]: KB5028316
                           [12]: KB5030505
                           [13]: KB5031589
                           [14]: KB5032306
Network Card(s):           1 NIC(s) Installed.
                           [01]: Microsoft Hyper-V Network Adapter
                                 Connection Name: Ethernet
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: *****
                                 [02]: *****
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.