Win32-OpenSSH
openSSH for Windows: Domain Admin access with SSH Key
OpenSSH for Windows version: 8.6
Server OperatingSystem: W2k16, W2k19, W2k22
Client OperatingSystem: W10Pro
What is failing
We've configured openSSH for Windows and accessing it with public/private keys. To allow domain admins to join via SSH, we use the following config line:
AllowGroups "DOMAIN\Domain Admins"
It's possible to log in and I'm able to invoke administrative commands, but as soon as I try to connect to the Active Directory domain or use Exchange PowerShell cmdlets, I get the following error message:
PS C:\Users\Administrator.DOMAIN> Get-ADUser -Filter *
Get-ADUser : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services
running.
At line:1 char:1
+ Get-ADUser -Filter *
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [Get-ADUser], ADServerDownException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser
PS C:\Users\Administrator.DOMAIN> Get-ExchangeServer
Active Directory operation failed on . The supplied credential for 'DOMAIN\Administrator' is invalid.
At line:1 char:1
+ Get-ExchangeServer
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], ADInvalidCredentialException
+ FullyQualifiedErrorId : [Server=EX0401,RequestId=a1317adf-797b-47b8-9334-392b2ae48768,TimeStamp=04.01.2022 14:29:41] [FailureCategory=Cmdlet-ADInvalidCredentialException] 3C6659B2
If I log in with a domain username/password combination, it's working fine. So it seems that it's not possible to run domain cmdlets if I'm using an SSH key for authentication. Could that be true? Have I missed something?
Please have a look at https://github.com/PowerShell/Win32-OpenSSH/issues/518
Thank you very much @bagajjal, this seems to be exactly our problem. Is there currently no solid solution for this behaviour? We are managing thousands of hosts with dozens of different domains. Therefore, it's unfortunately not an option for us to work with openSSH while using Basic authentication.
Have you considered using Kerberos/GSSAPI authentication and delegation instead of public key authentication?
Wouldn't GSSAPI delegation cause the required credential (Kerberos ticket) to be available at the other end?
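A diagnostic you can run inside the SSH session to tell the two situations apart, added here as an example and not part of the issue thread or the Win32-OpenSSH project. It assumes that klist.exe lists a krbtgt/ ticket only when the logon session actually holds a Kerberos TGT, and that GetCurrentDomain() uses the session token without any explicit credentials, so it fails the same way Get-ADUser and Get-ExchangeServer do above.

```powershell
# Added example (not from the issue thread). Run it in the SSH session on the Windows host
# to see whether the logon token carries domain credentials that AD/Exchange cmdlets need.
# Assumption: klist lists a 'krbtgt/' entry only when the LSA logon session holds a TGT.

function Test-SshSessionHasTgt {
    # klist.exe ships with Windows and prints the current logon session's ticket cache.
    $klistOutput = & klist.exe 2>&1 | Out-String
    return [bool]($klistOutput -match 'krbtgt/')
}

function Test-DomainReachable {
    # Uses only the current security context (no -Credential), which is exactly what
    # the failing cmdlets in the report do, so this reproduces their outcome.
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        return [pscustomobject]@{ Reachable = $true;  Domain = $domain.Name; Error = $null }
    } catch {
        return [pscustomobject]@{ Reachable = $false; Domain = $null; Error = $_.Exception.Message }
    }
}

$hasTgt = Test-SshSessionHasTgt
$probe  = Test-DomainReachable
Write-Host ("Logon session has Kerberos TGT  : {0}" -f $hasTgt)
Write-Host ("Domain reachable with this token: {0}" -f $probe.Reachable)

if (-not $hasTgt) {
    # Public-key logon hands sshd a token without a password, so LSA has nothing to
    # obtain a TGT with; password logon and GSSAPI delegation both leave a TGT behind.
    Write-Host "No TGT in this session. Either log in with a password, or use Kerberos/GSSAPI"
    Write-Host "with delegation: 'GSSAPIAuthentication yes' in sshd_config on the server and"
    Write-Host "'GSSAPIAuthentication yes' plus 'GSSAPIDelegateCredentials yes' (or ssh -K)"
    Write-Host "on the client, so the user's TGT is forwarded into the session."
} elseif (-not $probe.Reachable) {
    Write-Host ("TGT present but domain lookup still failed: {0}" -f $probe.Error)
}
```

Only the GSSAPI route forwards the user's own TGT; public-key logon keeps working for local administration, so a fleet can mix both and use this check to confirm which kind of session it is in before running domain cmdlets.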