PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

open handles to users registry files make it impossible to delete user profile after ssh connection #1694

Open boschkundendienst opened 3 years ago

boschkundendienst commented 3 years ago

"OpenSSH for Windows" version

7.7.2.2

Server OperatingSystem

Windows Server 2019 Standard ((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows nt\CurrentVersion\" -Name ProductName).ProductName)

Client OperatingSystem

Windows 10

What is failing

When a connection to the SSH server has been closed, the user profile of the user persistently keeps handles open into the specific user's registry files on the server. Even after stopping sshd it is, e.g., not possible to delete the user's profile until you reboot the server.

To reproduce, create a local user on the server (e.g. sftp). Establish an SSH connection to the server using this user. Close the SSH session. Stop SSHD. Try to delete the user's profile via the Advanced system settings GUI. The Delete button is grayed out because of the still-open handles to the user's registry.

Expected output

All handles should be closed to make it possible to delete the user profile.

Actual output

Here is the result of handle64.exe after stopping sshd, when the user is no longer logged in (username: sftp).

C:\>handle64.exe -a | findstr /i "sftp"
 135C: File  (---)   C:\Users\sftp\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2
 1CB0: File  (R--)   C:\Users\sftp\AppData\Local\Microsoft\Windows\UsrClass.dat{c7f32395-181e-11eb-8bf9-00505699b0d3}.TMContainer00000000000000000001.regtrans-ms
 1CD8: File  (R--)   C:\Users\sftp\NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000001.regtrans-ms
 1E24: File  (---)   C:\Users\sftp\NTUSER.DAT
 2104: File  (R--)   C:\Users\sftp\AppData\Local\Microsoft\Windows\UsrClass.dat{c7f32395-181e-11eb-8bf9-00505699b0d3}.TMContainer00000000000000000002.regtrans-ms
 2178: File  (R--)   C:\Users\sftp\AppData\Local\Microsoft\Windows\UsrClass.dat{c7f32395-181e-11eb-8bf9-00505699b0d3}.TM.blf
 22D8: File  (---)   C:\Users\sftp\AppData\Local\Microsoft\Windows\UsrClass.dat
 2614: File  (---)   C:\Users\sftp\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
 2648: File  (R--)   C:\Users\sftp\NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TM.blf
 2734: File  (---)   C:\Users\sftp\ntuser.dat.LOG2
 27C0: File  (R--)   C:\Users\sftp\NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000002.regtrans-ms
 2B08: File  (---)   C:\Users\sftp\ntuser.dat.LOG1
 1BEC: Token         MYSERVER\sftp:11aabc8f

heroinex commented 3 years ago

Encountered the same problem :( I guess 'password_auth_token' is not closed in function 'windows_password_auth' of contrib\win32\win32compat\win32_usertoken_utils.c, line 841.

TBBle commented 3 years ago

It looks like HANDLE password_auth_token populated in windows_password_auth should be being closed in __posix_spawn_asuser when it spawns the shell process.
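
A check for the condition reported in this issue, as an added example that is not part of the thread or of the Win32-OpenSSH project: it parses `handle64.exe -a` output in the format shown in the report and lists handles that still reference a user's registry hive files or logon token. The function name `Get-LingeringProfileHandle` and its parameters are assumptions made for this example.

```powershell
# Added example (not from the issue thread). Function and parameter names are assumptions.
function Get-LingeringProfileHandle {
    param(
        [Parameter(Mandatory)] [string[]] $HandleOutput,  # lines of `handle64.exe -a` output
        [Parameter(Mandatory)] [string]   $UserName       # profile folder / account name
    )
    # Line shape: <hex handle>: <type> [(access flags)] <object name>
    $pattern = '^\s*(?<Handle>[0-9A-Fa-f]+):\s+(?<Type>\S+)\s+(?:\((?<Access>[^)]*)\)\s+)?(?<Name>.+?)\s*$'
    $profilePrefix = "\Users\$UserName\"
    $tokenPattern  = '\\' + [regex]::Escape($UserName) + ':'

    foreach ($line in $HandleOutput) {
        if ($line -notmatch $pattern) { continue }   # skip banners and process headers
        $handle = $Matches['Handle']; $type = $Matches['Type']; $name = $Matches['Name']

        $kind = $null
        if ($type -eq 'File' -and
            $name.IndexOf($profilePrefix, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $leaf = ($name -split '\\')[-1]
            # NTUSER.DAT / UsrClass.dat plus their .LOG, .blf and .regtrans-ms companions
            if ($leaf -match '^(ntuser|usrclass)\.dat') {
                $kind = 'RegistryHive'
            } else {
                $kind = 'ProfileFile'
            }
        } elseif ($type -eq 'Token' -and $name -match $tokenPattern) {
            $kind = 'Token'
        }

        if ($kind) {
            [pscustomobject]@{ Handle = $handle; Type = $type; Kind = $kind; Name = $name }
        }
    }
}

# Sample input: three lines copied from the report above, plus one constructed unrelated line.
$sample = @'
 1E24: File  (---)   C:\Users\sftp\NTUSER.DAT
 2734: File  (---)   C:\Users\sftp\ntuser.dat.LOG2
 0A10: File  (RW-)   C:\Windows\System32\config\SOFTWARE
 1BEC: Token         MYSERVER\sftp:11aabc8f
'@ -split '\r?\n'

$found = Get-LingeringProfileHandle -HandleOutput $sample -UserName 'sftp'
$found | Format-Table -AutoSize
if ($found) { Write-Warning "$(@($found).Count) handle(s) still reference the profile of 'sftp'" }
```

On a live server, pass the output of `handle64.exe -a` as `-HandleOutput` after the SSH session has ended; any `RegistryHive` or `Token` row means the profile is still pinned.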