PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

How to ssh to "new" accounts #1696

Open jaymzh opened 4 years ago

jaymzh commented 4 years ago

If you have an account either in Active Directory, or locally created through PowerShell through New-LocalUser, the user is unable to SSH in.

It seems like the user isn't fully created until the first login through the GUI. But that's not always possible.

How can we create users that can SSH in?

"OpenSSH for Windows" version

> ((Get-Item (Get-Command sshd).Source).VersionInfo.FileVersion)
8.0.0.0

Server OperatingSystem

> ((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows nt\CurrentVersion\" -Name ProductName).ProductName)
Windows 10 Pro

Client OperatingSystem

Literally any. Ubuntu 18.04 commonly.

What is failing

Cannot log in to a machine via SSH unless that user has logged in at least once through the GUI

mgkuhn commented 3 years ago

Check with ssh -Kv which forms of authentication failed and why.

I certainly had domain users successfully log into a computer for the first time via OpenSSH 8.1, into a machine that they never had GUI access to and where they had no %userprofile% folder before that first ssh login. If I recall correctly, these first logins all happened with ssh -K via GSSAPI authentication, which is the form of authentication you really want to enable and use when working in an Active Directory domain.

mgkuhn commented 3 years ago

I would also try specifying the domain or machine name, as in ssh -Kv 'DOMAIN.COM\username@machine.domain.com', which seems to be required in case the same username exists both locally and in Active Directory.

jaymzh commented 3 years ago

So no conflicting accounts. I see this both with non-AD machines using local accounts (my main concern) and also AD machines with AD accounts.

For the non-AD side, this is extra critical for me. So in that case GSSAPI doesn't exist.

For the AD-side, I'm generally coming from Linux machines that are not AD-ified, so GSSAPI won't work. However, it's an interesting idea, I'll try bouncing through an AD-ified windows box.

But the non-AD machines are my bigger concern.

mgkuhn commented 3 years ago

> I'm generally coming from Linux machines that are not AD-ified, so GSSAPI won't work.

There is usually nothing more involved with "AD-ifying" a Linux machine where you want to use “ssh -K” than

$ sudo apt-get install krb5-user
$ kinit user@DOMAIN.COM
Password for user@DOMAIN.COM: [...]
$ klist
[optional, just to look at your ticket]
$ ssh -K user@machine.domain.com

You don't have to “join” a Linux machine to a domain. (I think only Samba's winbind can do that, and what it does is independent of OpenSSH's use of MIT Kerberos.) You just get a Kerberos ticket, and kinit and the libkrb5.so library should be able to find out on their own (via various DNS TXT records) how to get to the Active Directory KDC.
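The kinit / klist / ssh -K sequence above, wrapped into a small POSIX shell helper as an added example (not code from the thread or from Win32-OpenSSH): it only runs kinit when the credential cache lacks a TGT for the requested principal, then opens the GSSAPI session. The klist output embedded below is constructed for offline testing; the function names are mine.

```shell
#!/bin/sh
# Constructed sample of MIT Kerberos `klist` output, used only for offline checks.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@DOMAIN.COM

Valid starting       Expires              Service principal
01/01/2024 09:00:00  01/01/2024 19:00:00  krbtgt/DOMAIN.COM@DOMAIN.COM'

# has_tgt_for PRINCIPAL KLIST_OUTPUT
# Returns 0 when the klist output names PRINCIPAL as the default principal
# and holds a TGT (krbtgt/REALM@REALM) for that principal's realm.
has_tgt_for() {
  principal="$1"; out="$2"
  realm="${principal#*@}"
  # -F: literal match (realm contains dots); -x: whole line must match.
  printf '%s\n' "$out" | grep -qFx "Default principal: $principal" || return 1
  printf '%s\n' "$out" | grep -qF "krbtgt/$realm@$realm" || return 1
  return 0
}

# ensure_ticket PRINCIPAL
# `klist -s` exits 0 only if the cache holds unexpired tickets; if that
# fails or the cache belongs to another principal, run kinit (it prompts
# for the password interactively, as in the thread).
ensure_ticket() {
  principal="$1"
  if klist -s 2>/dev/null && has_tgt_for "$principal" "$(klist 2>/dev/null)"; then
    return 0
  fi
  kinit "$principal"
}

# gssapi_ssh PRINCIPAL HOST
# Example: gssapi_ssh user@DOMAIN.COM machine.domain.com
gssapi_ssh() {
  ensure_ticket "$1" || return 1
  # -K enables GSSAPI authentication and credential delegation.
  ssh -K "${1%@*}@$2"
}
```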

jaymzh commented 3 years ago

Oh hey, didn't know that, thanks!

Any thoughts on the non-AD-ified windows machines?