PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

Accept SIDs in the AllowGroups/DenyGroups statements #1640

Open jantari opened 4 years ago

jantari commented 4 years ago

Troubleshooting steps https://github.com/PowerShell/Win32-OpenSSH/wiki/Troubleshooting-Steps

None

Terminal issue? please go through wiki https://github.com/PowerShell/Win32-OpenSSH/wiki/TTY-PTY-support-in-Windows-OpenSSH

No

Please answer the following

"OpenSSH for Windows" version ((Get-Item (Get-Command sshd).Source).VersionInfo.FileVersion)

7.7.2.2

Server OperatingSystem ((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows nt\CurrentVersion\" -Name ProductName).ProductName)

Windows Server 2019 Datacenter ( 10.0.17763.1339 )

Client OperatingSystem

Windows 10 Pro ( 10.0.19041.388 )

What is failing

Nothing

Expected output

Not applicable

Actual output

Not applicable


Suggestion

Because Windows localizes Group names like "Administrators", it is difficult to deploy a safe sshd_config to multiple machines or servers. By allowing SIDs, one can easily reference well-known groups without language barriers in Deny, Allow or Match statements.

A similar syntax to icacls.exe could be used, where a username and an SID are accepted at the command line but an SID must be prefixed with *, e.g. icacls file /grant *S-1-1-0:(D,WDAC) (from the official icacls /? examples)

impeeza commented 3 years ago

For reference, the article https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/security-identifiers-in-windows has the well-known SIDs for Windows

timmjd commented 1 year ago

Is there a way to pick global groups coming from AD?

In the classic RDP world you would selectively grant people the rights for a single machine to "remote log into the instance" via AD. Such assignments do not show up in local groups but appear as global groups (whoami /groups --> NT AUTHORITY\Remote Interactive Logon aka. S-1-5-4).

With the current implementation you would need to maintain a local group beside the AD group, so no AD control is available. Or is there a way to do something like:

AllowGroups "Builtin\Remote Desktop Users" "S-1-5-14"
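The localization problem in the original request and the AD-group question above share one workaround while sshd_config only accepts names: keep the list of SIDs as the source of truth and let each host translate them into its own localized account names before the AllowGroups line is written. The following PowerShell is an added example, not code from the issue or from the Win32-OpenSSH project; the SID list, the config path and the assumption that sshd_config accepts double-quoted names containing spaces (as in the comment above) are this example's own, and domain SIDs (the `S-1-5-21-...` placeholder) only resolve on a domain-joined host.

```powershell
# Added example (not from the issue or Win32-OpenSSH): build a host-local
# AllowGroups line from a fixed list of SIDs, so one deployment artifact works
# on English, German, French ... installations alike.
param(
    # Well-known BUILTIN SIDs from the Microsoft reference linked above:
    # S-1-5-32-544 = Administrators, S-1-5-32-555 = Remote Desktop Users.
    # A domain group SID would look like 'S-1-5-21-<domain>-<RID>' (placeholder).
    [string[]] $GroupSids  = @('S-1-5-32-544', 'S-1-5-32-555'),
    # Default Win32-OpenSSH config location; assumed, adjust if relocated.
    [string]   $ConfigPath = "$env:ProgramData\ssh\sshd_config"
)

function Resolve-SidToGroupName {
    param([Parameter(Mandatory)][string] $Sid)
    try {
        $identity = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        # Translate() asks LSA for the account name, so the result is in the
        # language and domain context of the machine running this script.
        $identity.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # Unmapped SID: typically a domain SID on a non-joined host or a group
        # that does not exist here. Report it instead of silently dropping it.
        Write-Warning "SID $Sid could not be mapped on this host"
        $null
    }
}

function Format-GroupToken {
    param([Parameter(Mandatory)][string] $Name)
    # Names with spaces (e.g. BUILTIN\Remote Desktop Users) are quoted,
    # matching the quoting shown in the comment above; assumed sshd_config syntax.
    if ($Name -match '\s') { '"{0}"' -f $Name } else { $Name }
}

$resolved = foreach ($sid in $GroupSids) {
    $name = Resolve-SidToGroupName -Sid $sid
    if ($name) { Format-GroupToken -Name $name }
}

# Fail closed: an empty AllowGroups line would be a deployment error, and
# silently writing nothing would leave whatever the previous config allowed.
if (-not $resolved) {
    throw 'No SID could be resolved on this host; no AllowGroups line generated'
}
if ($resolved.Count -ne $GroupSids.Count) {
    Write-Warning ("Only {0} of {1} SIDs resolved; review the warnings above" -f $resolved.Count, $GroupSids.Count)
}

$allowLine = 'AllowGroups ' + ($resolved -join ' ')
Write-Output $allowLine

# Show what the current config says, so the operator can compare before editing.
if (Test-Path -LiteralPath $ConfigPath) {
    $existing = Select-String -LiteralPath $ConfigPath -Pattern '^\s*AllowGroups\b'
    if ($existing) {
        Write-Output ("Existing line(s) in {0}:" -f $ConfigPath)
        $existing | ForEach-Object { Write-Output ('  ' + $_.Line) }
    } else {
        Write-Output ("No AllowGroups line currently in {0}" -f $ConfigPath)
    }
}
```

On an English host the two default SIDs come back as `BUILTIN\Administrators` and `BUILTIN\Remote Desktop Users`; on a German host the same SIDs yield the localized names, which is the whole point of carrying SIDs rather than names in the deployment source. The script deliberately prints the generated line instead of editing sshd_config in place, so a failed or partial resolution is reviewed before it changes who may log in.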