Open alexeig opened 4 months ago
Have you tried with 9.5?
We do use match group with AD groups without seeing this issue.
Match localport 23 Group sftp
ForceCommand internal-sftp #No shell if user is only going to use sftp
ChrootDirectory c:\sftp\
PubkeyAuthentication yes
> Have you tried with 9.5?
9.5 from openssh-portable distro as opposed to the Windows OpenSSH Server feature? No and probably won't: internal policies and all that. (We've since moved on to OpenSSH on Ubuntu where it seems to work.)
> > Have you tried with 9.5?
>
> 9.5 from openssh-portable distro as opposed to the Windows OpenSSH Server feature? No and probably won't: internal policies and all that. (We've since moved on to OpenSSH on Ubuntu where it seems to work.)
Yes, my point with the question was to see if it is something that has been fixed in later releases
Prerequisites
Steps to reproduce
- `C:\ProgramData\ssh\sshd_config` as follows (below)
- test being "jailed" to their home directory via `Match User` and `ChrootDirectory` directive.
- `Match Group` and `ChrootDirectory` directives in the config file below
- `Permission denied` and `client_loop: send disconnect: Connection reset` for "known good" users, and occasionally, successful logins)

Expected behavior
Users are able to login (open sftp sessions) consistently.
Actual behavior
sftp connections (that were previously successful, before adding `Match Group` directives) mostly (but not always) fail with `Permission denied` and `client_loop: send disconnect: Connection reset` errors.
(This happens even if the `Match Group` directive does not match the user attempting to connect, i.e. the mere presence of the `Match Group` directive appears to break OpenSSH functionality / behavior.)

Error details
Attempting to sftp to the server:
Note that in all 3 attempts, the server's responses are different:
- `C:\Users\` (yay!).
- `client_loop: send disconnect: Connection reset` and `Connection closed` on the 2nd attempt.
- `Permission denied` on the 3rd (and most subsequent) attempts

From `C:\ProgramData\ssh\logs\sshd.log`:
[...]
[...]
Note two spaces in the last line above in `user matched group`, and no username. Compare to a similar line from a successful (previous) logon:
Continuing:
Environment data
Version
5.1.17763.5458
Visuals
(Not needed as of yet.)
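
A small triage script for the symptom noted in the report above (a `user matched group` log line with two spaces and no username), as an added example that is not part of the original issue or of OpenSSH: it scans `sshd.log` lines and separates group-match entries with an empty username from those that name a user. The sample lines, including their PID/timestamp prefix, the names `alice` and `sftpusers`, and everything after `matched group`, are constructed for illustration.

```python
import re
import sys

# Fragment quoted in the report: "user <name> matched group".
# When <name> is empty the line contains "user", two spaces, "matched group".
MATCH_RE = re.compile(r"\buser (?P<user>.*?) matched group\b")

# Constructed sample lines (not taken from the issue).
SAMPLE_LOG = """\
4120 2024-01-01 10:00:01.100 debug1: user alice matched group list sftpusers at line 90
4188 2024-01-01 10:00:09.480 debug1: user  matched group list sftpusers at line 90
4188 2024-01-01 10:00:09.481 debug1: some other message
4236 2024-01-01 10:00:15.250 debug1: user  matched group list sftpusers at line 90
""".splitlines()


def find_empty_user_matches(lines):
    """Return (empty, named).

    empty: 1-based line numbers of group-match entries with no username.
    named: dict mapping username -> number of group-match entries.
    """
    empty, named = [], {}
    for lineno, line in enumerate(lines, start=1):
        m = MATCH_RE.search(line)
        if not m:
            continue  # not a group-match line
        user = m.group("user").strip()
        if user:
            named[user] = named.get(user, 0) + 1
        else:
            empty.append(lineno)
    return empty, named


if __name__ == "__main__":
    # Pass a log path (e.g. C:\ProgramData\ssh\logs\sshd.log) or use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG
    empty, named = find_empty_user_matches(log_lines)
    total = len(empty) + sum(named.values())
    print(f"group-match lines: {total}, with empty username: {len(empty)}")
    for lineno in empty:
        print(f"  line {lineno}: {log_lines[lineno - 1]}")
```
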