PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

OpenSSH for Windows: Domain Admin access with SSH Key #1881

Open derSchweiger opened 2 years ago

derSchweiger commented 2 years ago

OpenSSH for Windows version: 8.6
Server OperatingSystem: W2k16, W2k19, W2k22
Client OperatingSystem: W10Pro

What is failing

We've configured OpenSSH for Windows and are accessing it with public/private keys. To allow domain admins to join via SSH, we use the following config line:

AllowGroups "DOMAIN\Domain Admins"

It's possible to log in and I'm able to invoke administrative commands, but as soon as I try to connect to the Active Directory domain or use Exchange PowerShell cmdlets, I get the following error message:

PS C:\Users\Administrator.DOMAIN> Get-ADUser -Filter *
Get-ADUser : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services
running.
At line:1 char:1
+ Get-ADUser -Filter *
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [Get-ADUser], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser
PS C:\Users\Administrator.DOMAIN> Get-ExchangeServer
Active Directory operation failed on . The supplied credential for 'DOMAIN\Administrator' is invalid.
At line:1 char:1
+ Get-ExchangeServer
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], ADInvalidCredentialException
    + FullyQualifiedErrorId : [Server=EX0401,RequestId=a1317adf-797b-47b8-9334-392b2ae48768,TimeStamp=04.01.2022 14:29:41] [FailureCategory=Cmdlet-ADInvalidCredentialException] 3C6659B2

If I log in with a domain username/password combination, it's working fine. So it seems that it's not possible to run domain cmdlets if I'm using an SSH key for authentication. Could that be true? Have I missed something?

bagajjal commented 2 years ago

Please have a look at https://github.com/PowerShell/Win32-OpenSSH/issues/518

derSchweiger commented 2 years ago

Thank you very much @bagajjal, this seems to be exactly our problem. Is there currently no solid solution for this behaviour? We are managing thousands of hosts with dozens of different domains. Therefore, it's unfortunately not an option for us to work with OpenSSH while using Basic authentication.

mgkuhn commented 2 years ago

Have you considered using Kerberos/GSSAPI authentication and delegation instead of public key authentication?

Wouldn't GSSAPI delegation cause the required credential (Kerberos ticket) to be available at the other end?
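The following is an added example, not code from this thread or from the Win32-OpenSSH project. It is a PowerShell check an administrator can run from inside an SSH session on the Windows host to see the two things the discussion turns on: whether the logon token created for the session actually carries a Kerberos TGT (which is what Get-ADUser and the Exchange cmdlets need when no explicit credential is passed), and whether sshd is configured to accept GSSAPI at all, since a public-key logon never has network credentials to begin with. The function names, the CONTOSO realm, the host pattern and the sample config lines are assumptions for illustration; GSSAPIAuthentication, GSSAPIDelegateCredentials and AllowGroups are standard OpenSSH options, and the sshd_config location is the Win32-OpenSSH default.

```powershell
# Added example, not code from the issue thread or from the Win32-OpenSSH project.
# Run inside an SSH session on the Windows server. Function names, the CONTOSO realm
# and the sample config lines are assumptions for illustration.

# Server and client settings that mgkuhn's suggestion (GSSAPI auth plus delegation)
# would require. Standard OpenSSH option names; realm and host pattern are made up.
$ServerConfigExample = @'
# %ProgramData%\ssh\sshd_config on the Windows host
GSSAPIAuthentication yes
AllowGroups "CONTOSO\Domain Admins"
'@

$ClientConfigExample = @'
# ~/.ssh/config on the admin workstation (equivalent to passing -K to ssh)
Host *.contoso.example
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
'@

function Test-SshdGssapiEnabled {
    # Returns $true when the global section of an sshd_config enables GSSAPI.
    # Takes the file's lines so it can be run against inline text as well as a path.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }
        # Options below a Match block are conditional; only the global section counts here.
        if ($t -match '^(?i)Match\b') { break }
        if ($t -match '^(?i)GSSAPIAuthentication\s+yes\b') { return $true }
    }
    return $false   # OpenSSH defaults to 'no'
}

function Get-SshdConfigLines {
    # Default sshd_config location used by Win32-OpenSSH.
    param([string]$Path = (Join-Path $env:ProgramData 'ssh\sshd_config'))
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    return @(Get-Content -LiteralPath $Path)
}

function Test-SessionHasTgt {
    # klist.exe (built into Windows) lists the Kerberos tickets of the current logon
    # session. A logon created by public-key authentication has no cached credentials,
    # so no krbtgt entry appears; a GSSAPI-delegated logon shows one.
    $out = (& klist.exe 2>&1) -join "`n"
    return ($out -match 'krbtgt')
}

function Test-DomainReachableWithToken {
    # Uses only the session token, no explicit -Credential: the call pattern that
    # fails in the issue after public-key authentication.
    try {
        $null = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        return $true
    } catch {
        return $false
    }
}

function Invoke-SshDomainCredentialCheck {
    $gss = Test-SshdGssapiEnabled -Lines (Get-SshdConfigLines)
    $tgt = Test-SessionHasTgt
    $dom = Test-DomainReachableWithToken
    $advice = if ($dom) {
        'Session token has network credentials; domain cmdlets should work.'
    } elseif (-not $gss) {
        'sshd_config lacks "GSSAPIAuthentication yes"; public-key logons carry no domain credentials.'
    } else {
        'GSSAPI is enabled but this session has no TGT; reconnect with GSSAPI auth and delegation (ssh -K).'
    }
    [pscustomobject]@{
        SshdGssapiEnabled     = $gss
        SessionHasKerberosTgt = $tgt
        DomainReachable       = $dom
        Advice                = $advice
    }
}

# Parser sanity check against the inline sample, then the live checks for this session.
Test-SshdGssapiEnabled -Lines ($ServerConfigExample -split "`r?`n")
Invoke-SshDomainCredentialCheck | Format-List
```

Two caveats when acting on the result. Delegation means the admin's forwardable TGT is handed to the SSH server, so every host that accepts it becomes a place where Domain Admin credentials can be harvested; for the population of hosts described in this thread that is a larger exposure than key-based logon, and constrained delegation or a separate tier of admin accounts limits it. Windows SSPI clients also only forward the TGT when the service ticket carries the OK-AS-DELEGATE flag, which the KDC sets only for a host whose computer account is trusted for delegation in AD, so enabling the two OpenSSH options alone is not sufficient on the Windows side.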