Win32-OpenSSH
Cached Credentials Authentication For Domain User
Hello,
Scenario: I have a local network, I use other-computer to ssh into windows-computer using openssh-server. On windows-computer my session is a domain user; it authenticates through Active Directory on a domain controller.
Issue:
- When I am connected to internet (online):
- When I ssh from other-computer to windows-computer on local network, I have noticed that ssh authentication lags a bit because it authenticates remotely to the domain controller.
- ssh user@windows-computer-ip (works)
- When I am offline: I can't ssh anymore from other-computer to windows-computer. The other-computer error message is "Connection reset by windows-computer port port-number". The windows-computer error message in event viewer is "sshd: fatal: ga_init, unable to resolve user domain\user".
- The closest ticket I found related to that issue is https://github.com/PowerShell/Win32-OpenSSH/issues/1363 for users @xf6jx5fq and @shawnz
Explanation:
- To login to windows-computer there is a mechanism called cached credentials. I am able to login to windows-computer even when offline with my domain user.
- For instance on that stackoverflow post (https://stackoverflow.com/questions/48538582/principalcontext-validatecredentials-with-cached-credentials-in-c-sharp) a user explains how he can authenticate in C# with cached credentials when the domain is not available because the machine is offline. I tested the code below with C# asp.net and it authenticates when offline. So it is doable to do that by code.
using System.DirectoryServices.AccountManagement;
// ContextType.Machine validates against the local machine (LSA), so cached domain credentials are accepted without reaching the domain controller.
PrincipalContext pcon = new PrincipalContext(ContextType.Machine, Environment.MachineName);
bool password_ok = pcon.ValidateCredentials("domain\\user", password);
- I also tried unsuccessfully to include the computer name in the ssh command because that is what Environment.MachineName provides. ex: ssh user@windows-computer-name@windows-computer-ip
Questions:
- Can I authenticate in openssh-server using cached credentials using an ssh command parameter?
- Is there a setting on openssh-server that allows using cached credentials instead of connecting to remote?
- Can the issue be solved by a Windows group policy, or Windows settings?
- If questions 1, 2 and 3 return false, then is there a way to implement a custom authentication mechanism on openssh-server on Windows as a work-around? If not, did you plan on adding a cached credentials authentication feature?
Any help or information on that issue is appreciated.
Thanks,
What form of SSH authentication are you using? password, keyboard-interactive, gssapi-with-mic, pubkey? ("ssh -v" should tell you in the case in which it worked.)
In case you are using gssapi-with-mic (Kerberos) authentication, that won't work offline for longer than the ticket expiry time, which is by default after 10 hours in Active Directory (can be changed). You can see your ticket expiry time with klist.
I am using the password method (debug1: Next authentication method: password). My thought is OpenSSH should resolve my user against the cached credentials when I am offline. I don't think cached credentials expire according to this post https://social.technet.microsoft.com/Forums/ie/en-US/87e84872-c321-4b8c-b13d-0d60a003c3d3/how-long-does-windows-cache-domain-user-passwords?forum=winserversecurity.
For instance, if my domain password is changed but my PC is still offline I can still login using the old password. The issue is when I am offline and try to ssh into my offline machine, OpenSSH tries to resolve my user against the online domain and not the PC with cached credentials.
In some way it is the same principle when you use Remote Desktop and you disable network level authentication, it still works offline with your domain credentials.
I have deployed the latest available OpenSSH-Win64-v8.9.1.0.msi to some local machines and have come across this issue as well. It works fine for local credentials but will not authenticate successfully with domain users if domain authentication is unavailable.
I second the ability to be able to use cached credentials when not on the domain. Otherwise, you can only log in when on the domain or as a local user.
Perhaps try ssh -l DOMAIN\user machine.example.com to make sure the domain is unambiguous.
I just tried the command ssh -l DOMAIN\user machine.example.com and I am able to connect when I have an internet connection but as soon as I disconnect from internet I have the same error in the event viewer "sshd: fatal: ga_init, unable to resolve user domain\user". OpenSSH does not implement a cached credentials authentication feature so it tries to authenticate on a distant server when it should use cached credentials instead. That ticket is more a feature request than an issue.
Same results here. No connection to the domain, no ability to authenticate unless there are some hidden variables to get OpenSSH to utilize cached credentials that we are missing.
As it's currently coded, I don't believe there is any way cached credentials can be used. This is primarily because the username has to be internally resolved to several different formats (DOMAIN\username) and (UserName@domain) for various purposes. It's also possible that the group membership resolution method might also fail even if you were to come through this first hurdle.
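A read-only diagnostic, added here and not part of the Win32-OpenSSH project, that checks the three things this thread turns on: whether a domain controller is reachable right now (which is what ga_init needs), how many domain logons the host caches for offline interactive logon (the mechanism sshd does not use), and whether sshd has recently logged the "ga_init, unable to resolve user" failure. It assumes it is run from an elevated PowerShell on windows-computer and that sshd writes to the OpenSSH/Operational event channel.

```powershell
# Added diagnostic, not part of Win32-OpenSSH. Run in an elevated PowerShell on
# the Windows sshd host. Assumption: sshd logs to the 'OpenSSH/Operational'
# event channel; nothing here changes any setting.

# 1. Is a domain controller reachable right now? sshd's ga_init must resolve the
#    domain user against it; interactive logon does not, because Winlogon falls
#    back to cached credentials.
$secureChannelOk = $false
try {
    $secureChannelOk = Test-ComputerSecureChannel -ErrorAction Stop
} catch {
    $secureChannelOk = $false
}
Write-Host "Domain secure channel reachable: $secureChannelOk"

# 2. How many domain logons does this host cache for offline use?
#    0 disables caching; the Windows default when the value is absent is 10.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10 (default, value not set)' }
Write-Host "CachedLogonsCount: $cached"

# 3. Recent sshd failures matching the error quoted in this thread.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'OpenSSH/Operational'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*ga_init*unable to resolve user*' }
Write-Host ("sshd 'unable to resolve user' events in the last 24h: {0}" -f @($events).Count)
$events | Select-Object -First 5 TimeCreated, Message | Format-Table -AutoSize -Wrap

# Reading the output: secure channel $false together with a non-zero
# CachedLogonsCount and matching events is exactly the offline case described
# above: console logon still works from the cache while sshd cannot resolve the user.
```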