You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Update C:\ProgramData\ssh\sshd_config as follows (below)
Start OpenSSH service, attempt sftp logins, observe them to be successful, including user test being "jailed" to their home directory via Match User and ChrootDirectory directive.
UncommentMatch Group and ChrootDirectory directives in the config file below
Restart OpenSSH service, attempt sftp logins, observe unpredictable behavior (Permission denied and client_loop: send disconnect: Connection reset for "known good" users, and occasionally, successful logins)
Subsystem sftp sftp-server.exe
ForceCommand internal-sftp
Match User test
ChrootDirectory C:\Users\
# Match Group users
# ChrootDirectory %h\Documents\
Expected behavior
Users are able to login (open sftp sessions) consistently.
Actual behavior
sftp connections (that were previously successful, before adding Match Group directives) mostly (but not always) fail with Permission denied and client_loop: send disconnect: Connection reset errors.
(This happens even if the Match Group directive does not match the user attempting to connect, i.e. the mere presence of the Match Group directive appears to break OpenSSH functionality / behavior.)
Error details
Attempting to sftp to the server:
PS> sftp test@sftpservertest@sftpserver's password:Connected to sftpserver.sftp> pwdRemote working directory: /sftp> lsuser1 user2 All Users DefaultDefault User Public user3 desktop.initest user4sftp> exitPS> sftp test@sftpservertest@sftpserver's password:client_loop: send disconnect: Connection resetConnection closedPS> sftp test@sftpservertest@sftpserver's password:Permission denied, please try again.test@sftpserver's password:Permission denied, please try again.test@sftpserver's password:Connection closed
Note that in all 3 attempts, the server's responses are different:
Successful login in the 1st attempt, and the user appears to have been successfully "jailed" to C:\Users\ (yay!).
client_loop: send disconnect: Connection reset and Connection closed on the 2nd attempt.
Permission denied on the 3rd (and most subsequent) attempts
From C:\ProgramData\ssh\logs\sshd.log:
4536 2024-02-28 12:45:13.331 Connection from <source_ip> port 65442 on <this_server_ip> port 22
4536 2024-02-28 12:45:13.331 debug1: Client protocol version 2.0; client software version OpenSSH_for_Windows_8.6
4536 2024-02-28 12:45:13.331 debug1: match: OpenSSH_for_Windows_8.6 pat OpenSSH* compat 0x04000000
4536 2024-02-28 12:45:13.331 debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
4536 2024-02-28 12:45:13.331 debug2: fd 3 setting O_NONBLOCK
4536 2024-02-28 12:45:13.393 debug3: spawning "C:\\Windows\\System32\\OpenSSH\\sshd.exe" "-y"
4536 2024-02-28 12:45:13.409 debug2: Network child is on pid 6016
[...]
4536 2024-02-28 12:45:13.487 debug3: receive packet: type 5 [preauth]
4536 2024-02-28 12:45:13.487 debug3: send packet: type 6 [preauth]
4536 2024-02-28 12:45:13.487 debug3: receive packet: type 50 [preauth]
4536 2024-02-28 12:45:13.487 debug1: userauth-request for user test service ssh-connection method none [preauth]
[...]
4536 2024-02-28 12:45:13.487 debug1: attempt 0 failures 0 [preauth]
4536 2024-02-28 12:45:13.487 debug3: mm_getpwnamallow entering [preauth]
4536 2024-02-28 12:45:13.487 debug3: mm_request_send entering: type 8 [preauth]
4536 2024-02-28 12:45:13.487 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
4536 2024-02-28 12:45:13.487 debug3: mm_request_receive_expect entering: type 9 [preauth]
4536 2024-02-28 12:45:13.487 debug3: mm_request_receive entering [preauth]
4536 2024-02-28 12:45:13.487 debug3: mm_request_receive entering
4536 2024-02-28 12:45:13.487 debug3: monitor_read: checking request 8
4536 2024-02-28 12:45:13.487 debug3: mm_answer_pwnamallow
4536 2024-02-28 12:45:13.487 debug2: parse_server_config: config reprocess config len 398
4536 2024-02-28 12:45:13.487 debug3: checking match for 'Group users,administrators' user test host <source_IP> addr <source_IP> laddr <this_server_IP> lport 22
4536 2024-02-28 12:45:13.487 debug3: LsaLogonUser Succeeded (Impersonation: 0)
4536 2024-02-28 12:45:13.487 debug2: get_user_groups: extracting all groups of user test
4536 2024-02-28 12:45:13.487 debug3: Added group 'none' for user test
4536 2024-02-28 12:45:13.487 debug3: Added group 'sftp_users' for user test
4536 2024-02-28 12:45:13.487 debug3: Added group 'users' for user test
4536 2024-02-28 12:45:13.487 debug2: get_user_groups: done extracting all groups of user test
4536 2024-02-28 12:45:13.487 debug1: user matched group list users,administrators at line 95
Note two spaces in the last line above in user matched group, and no username. Compare to a similar line from a successful (previous) logon:
7460 2024-02-28 12:44:41.670 debug1: user test matched group list users,administrators at line 95
Continuing:
4536 2024-02-28 12:45:13.487 debug3: match found
4536 2024-02-28 12:45:13.487 debug3: reprocess config:96 setting ChrootDirectory C:\\Users\\
4536 2024-02-28 12:45:13.487 debug3: checking match for 'Group administrators' user host <source_IP> addr <source_IP> laddr <this_server_IP> lport 22
4536 2024-02-28 12:45:13.487 debug3: get_passwd: Invalid account type: 3.
4536 2024-02-28 12:45:13.487 debug1: Can't match group at line 106 because user does not exist
4536 2024-02-28 12:45:13.487 debug3: match not found
4536 2024-02-28 12:45:13.487 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 0
4536 2024-02-28 12:45:13.487 debug3: mm_request_send entering: type 9
4536 2024-02-28 12:45:13.487 debug2: monitor_read: 8 used once, disabling now
4536 2024-02-28 12:45:13.487 debug3: mm_inform_authserv entering [preauth]
4536 2024-02-28 12:45:13.487 debug3: mm_request_send entering: type 4 [preauth]
4536 2024-02-28 12:45:13.487 debug2: input_userauth_request: try method none [preauth]
4536 2024-02-28 12:45:13.487 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" [preauth]
4536 2024-02-28 12:45:13.487 debug3: send packet: type 51 [preauth]
4536 2024-02-28 12:45:13.487 debug3: mm_request_receive entering
4536 2024-02-28 12:45:13.487 debug3: monitor_read: checking request 4
4536 2024-02-28 12:45:13.487 debug3: mm_answer_authserv: service=ssh-connection, style=
4536 2024-02-28 12:45:13.487 debug2: monitor_read: 4 used once, disabling now
4536 2024-02-28 12:45:13.503 debug3: receive packet: type 50 [preauth]
4536 2024-02-28 12:45:13.503 debug1: userauth-request for user test service ssh-connection method keyboard-interactive [preauth]
4536 2024-02-28 12:45:13.503 debug1: attempt 1 failures 0 [preauth]
4536 2024-02-28 12:45:13.503 debug2: input_userauth_request: try method keyboard-interactive [preauth]
4536 2024-02-28 12:45:13.503 debug1: keyboard-interactive devs [preauth]
4536 2024-02-28 12:45:13.503 debug1: auth2_challenge: user=test devs= [preauth]
4536 2024-02-28 12:45:13.503 debug1: kbdint_alloc: devices '' [preauth]
4536 2024-02-28 12:45:13.503 debug2: auth2_challenge_start: devices [preauth]
4536 2024-02-28 12:45:13.503 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" [preauth]
4536 2024-02-28 12:45:13.503 debug3: send packet: type 51 [preauth]
9.5 from openssh-portable distro as opposed to the Windows OpenSSH Server feature? No and probably won't: internal policies and all that.
(We've since moved on to OpenSSH on Ubuntu where it seems to work.)
9.5 from openssh-portable distro as opposed to the Windows OpenSSH Server feature? No and probably won't: internal policies and all that. (We've since moved on to OpenSSH on Ubuntu where it seems to work.)
Yes, my point with the question was to see if it is something that has been fixed in later releases
Prerequisites
Steps to reproduce
C:\ProgramData\ssh\sshd_config
as follows (below)test
being "jailed" to their home directory viaMatch User
andChrootDirectory
directive.Match Group
andChrootDirectory
directives in the config file belowPermission denied
andclient_loop: send disconnect: Connection reset
for "known good" users, and occasionally, successful logins)Expected behavior
Users are able to login (open sftp sessions) consistently.
Actual behavior
sftp connections (that were previously successful, before adding
Match Group
directives) mostly (but not always) fail withPermission denied
andclient_loop: send disconnect: Connection reset
errors.(This happens even if the
Match Group
directive does not match the user attempting to connect, i.e. the mere presence of theMatch Group
directive appears to break OpenSSH functionality / behavior.)Error details
Attempting to sftp to the server:
Note that in all 3 attempts, the server's responses are different:
C:\Users\
(yay!).client_loop: send disconnect: Connection reset
andConnection closed
on the 2nd attempt.Permission denied
on the 3rd (and most subsequent) attemptsFrom
C:\ProgramData\ssh\logs\sshd.log
:[...]
[...]
Note two spaces in the last line above in
user matched group
, and no username. Compare to a similar line from a successful (previous) logon:Continuing:
Environment data
Version
5.1.17763.5458
Visuals
(Not needed as of yet.)
The text was updated successfully, but these errors were encountered: