search

PowerShell / Win32-OpenSSH

Win32 port of OpenSSH
7.2k stars 739 forks source link

"Match Group" together with "ChrootDirectory" breaks SFTP #2212

Open alexeig opened 4 months ago

alexeig commented 4 months ago

Prerequisites

Steps to reproduce

  1. Install OpenSSH on Windows Server 2019 or later following Microsoft Instructions
  2. Update C:\ProgramData\ssh\sshd_config as follows (below)
  3. Start OpenSSH service, attempt sftp logins, observe them to be successful, including user test being "jailed" to their home directory via Match User and ChrootDirectory directive.
  4. Uncomment Match Group and ChrootDirectory directives in the config file below
  5. Restart OpenSSH service, attempt sftp logins, observe unpredictable behavior (Permission denied and client_loop: send disconnect: Connection reset for "known good" users, and occasionally, successful logins)
Subsystem   sftp    sftp-server.exe
ForceCommand internal-sftp

Match User test
    ChrootDirectory C:\Users\

# Match Group users
#    ChrootDirectory %h\Documents\

Expected behavior

Users are able to login (open sftp sessions) consistently.

Actual behavior

sftp connections (that were previously successful, before adding Match Group directives) mostly (but not always) fail with Permission denied and client_loop: send disconnect: Connection reset errors.

(This happens even if the Match Group directive does not match the user attempting to connect, i.e. the mere presence of the Match Group directive appears to break OpenSSH functionality / behavior.)

Error details

Attempting to sftp to the server:

PS> sftp test@sftpserver
test@sftpserver's password:
Connected to sftpserver.
sftp> pwd
Remote working directory: /
sftp> ls
user1          user2        All Users   Default
Default User   Public       user3       desktop.ini
test           user4
sftp> exit

PS> sftp test@sftpserver
test@sftpserver's password:
client_loop: send disconnect: Connection reset
Connection closed

PS> sftp test@sftpserver
test@sftpserver's password:
Permission denied, please try again.
test@sftpserver's password:
Permission denied, please try again.
test@sftpserver's password:
Connection closed

Note that in all 3 attempts, the server's responses are different:

  1. Successful login in the 1st attempt, and the user appears to have been successfully "jailed" to C:\Users\ (yay!).
  2. client_loop: send disconnect: Connection reset and Connection closed on the 2nd attempt.
  3. Permission denied on the 3rd (and most subsequent) attempts

From C:\ProgramData\ssh\logs\sshd.log:

4536 2024-02-28 12:45:13.331 Connection from <source_ip> port 65442 on <this_server_ip> port 22
4536 2024-02-28 12:45:13.331 debug1: Client protocol version 2.0; client software version OpenSSH_for_Windows_8.6
4536 2024-02-28 12:45:13.331 debug1: match: OpenSSH_for_Windows_8.6 pat OpenSSH* compat 0x04000000
4536 2024-02-28 12:45:13.331 debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
4536 2024-02-28 12:45:13.331 debug2: fd 3 setting O_NONBLOCK
4536 2024-02-28 12:45:13.393 debug3: spawning "C:\\Windows\\System32\\OpenSSH\\sshd.exe" "-y"
4536 2024-02-28 12:45:13.409 debug2: Network child is on pid 6016

[...]

4536 2024-02-28 12:45:13.487 debug3: receive packet: type 5 [preauth]
4536 2024-02-28 12:45:13.487 debug3: send packet: type 6 [preauth]
4536 2024-02-28 12:45:13.487 debug3: receive packet: type 50 [preauth]
4536 2024-02-28 12:45:13.487 debug1: userauth-request for user test service ssh-connection method none [preauth]

[...]

4536 2024-02-28 12:45:13.487 debug1: attempt 0 failures 0 [preauth]
4536 2024-02-28 12:45:13.487 debug3: mm_getpwnamallow entering [preauth]
4536 2024-02-28 12:45:13.487 debug3: mm_request_send entering: type 8 [preauth]
4536 2024-02-28 12:45:13.487 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
4536 2024-02-28 12:45:13.487 debug3: mm_request_receive_expect entering: type 9 [preauth]
4536 2024-02-28 12:45:13.487 debug3: mm_request_receive entering [preauth]
4536 2024-02-28 12:45:13.487 debug3: mm_request_receive entering
4536 2024-02-28 12:45:13.487 debug3: monitor_read: checking request 8
4536 2024-02-28 12:45:13.487 debug3: mm_answer_pwnamallow
4536 2024-02-28 12:45:13.487 debug2: parse_server_config: config reprocess config len 398
4536 2024-02-28 12:45:13.487 debug3: checking match for 'Group users,administrators' user test host <source_IP> addr <source_IP> laddr <this_server_IP> lport 22
4536 2024-02-28 12:45:13.487 debug3: LsaLogonUser Succeeded (Impersonation: 0)
4536 2024-02-28 12:45:13.487 debug2: get_user_groups: extracting all groups of user test
4536 2024-02-28 12:45:13.487 debug3: Added group 'none' for user test
4536 2024-02-28 12:45:13.487 debug3: Added group 'sftp_users' for user test
4536 2024-02-28 12:45:13.487 debug3: Added group 'users' for user test
4536 2024-02-28 12:45:13.487 debug2: get_user_groups: done extracting all groups of user test
4536 2024-02-28 12:45:13.487 debug1: user  matched group list users,administrators at line 95

Note two spaces in the last line above in user matched group, and no username. Compare to a similar line from a successful (previous) logon:

7460 2024-02-28 12:44:41.670 debug1: user test matched group list users,administrators at line 95

Continuing:

4536 2024-02-28 12:45:13.487 debug3: match found
4536 2024-02-28 12:45:13.487 debug3: reprocess config:96 setting ChrootDirectory C:\\Users\\
4536 2024-02-28 12:45:13.487 debug3: checking match for 'Group administrators' user  host <source_IP> addr <source_IP> laddr <this_server_IP> lport 22
4536 2024-02-28 12:45:13.487 debug3: get_passwd: Invalid account type: 3.
4536 2024-02-28 12:45:13.487 debug1: Can't match group at line 106 because user  does not exist
4536 2024-02-28 12:45:13.487 debug3: match not found
4536 2024-02-28 12:45:13.487 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 0
4536 2024-02-28 12:45:13.487 debug3: mm_request_send entering: type 9
4536 2024-02-28 12:45:13.487 debug2: monitor_read: 8 used once, disabling now
4536 2024-02-28 12:45:13.487 debug3: mm_inform_authserv entering [preauth]
4536 2024-02-28 12:45:13.487 debug3: mm_request_send entering: type 4 [preauth]
4536 2024-02-28 12:45:13.487 debug2: input_userauth_request: try method none [preauth]
4536 2024-02-28 12:45:13.487 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" [preauth]
4536 2024-02-28 12:45:13.487 debug3: send packet: type 51 [preauth]
4536 2024-02-28 12:45:13.487 debug3: mm_request_receive entering
4536 2024-02-28 12:45:13.487 debug3: monitor_read: checking request 4
4536 2024-02-28 12:45:13.487 debug3: mm_answer_authserv: service=ssh-connection, style=
4536 2024-02-28 12:45:13.487 debug2: monitor_read: 4 used once, disabling now
4536 2024-02-28 12:45:13.503 debug3: receive packet: type 50 [preauth]
4536 2024-02-28 12:45:13.503 debug1: userauth-request for user test service ssh-connection method keyboard-interactive [preauth]
4536 2024-02-28 12:45:13.503 debug1: attempt 1 failures 0 [preauth]
4536 2024-02-28 12:45:13.503 debug2: input_userauth_request: try method keyboard-interactive [preauth]
4536 2024-02-28 12:45:13.503 debug1: keyboard-interactive devs  [preauth]
4536 2024-02-28 12:45:13.503 debug1: auth2_challenge: user=test devs= [preauth]
4536 2024-02-28 12:45:13.503 debug1: kbdint_alloc: devices '' [preauth]
4536 2024-02-28 12:45:13.503 debug2: auth2_challenge_start: devices  [preauth]
4536 2024-02-28 12:45:13.503 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" [preauth]
4536 2024-02-28 12:45:13.503 debug3: send packet: type 51 [preauth]

Environment data

[sftpserver.ourdomain.local]: PS C:\Users\*****\Documents> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.17763.5458
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.5458
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version

5.1.17763.5458

Visuals

(Not needed as of yet.)

matsmcp commented 2 months ago

Have you tried with 9.5?

We do use match group with AD groups without seeing this issue. 

Match localport 23 Group sftp
  ForceCommand internal-sftp #No shell if user is only going to use sftp
  ChrootDirectory c:\sftp\ 
  PubkeyAuthentication yes
alexeig commented 2 months ago

Have you tried with 9.5?

9.5 from openssh-portable distro as opposed to the Windows OpenSSH Server feature? No and probably won't: internal policies and all that. (We've since moved on to OpenSSH on Ubuntu where it seems to work.)

matsmcp commented 2 months ago

Have you tried with 9.5?

9.5 from openssh-portable distro as opposed to the Windows OpenSSH Server feature? No and probably won't: internal policies and all that. (We've since moved on to OpenSSH on Ubuntu where it seems to work.)

Yes, my point with the question was to see if it is something that has been fixed in later releases