Win32-OpenSSH
Win32-OpenSSH copied to clipboard
PowerShell
Wrong name for administrators groups when locale is different than english in sshd_config file
Prerequisites
- [X] Write a descriptive title.
- [X] Make sure you are able to repro it on the latest version
- [X] Search the existing issues.
Steps to reproduce
Hello. I'm not sure whether this has been already fixed in the last version of openssh for win32 either this is the exact right place to write this, but I think this might be useful for other non-English Windows administrators so here it is:
I just installed openssh server in a Windows Server 2019 instance with Spanish locale. Note that, here, the Administrators group is named "Administradores", so Get-LocalGroupMember -Group administrators returns an error. To install it I followed the instructions in this website: https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
The issue is with the the last line of my sshd_config file, which had set:
Match Group administrators
AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
That threw an error in the logs saying sshd: error: unable to resolve group administrators
Changing the group name to the translated version for our locale ("administradores") worked as expected.
After I upgraded to the last version of OpenSSH for windows uninstalling the previous version and using chocolatey to install the last version of ssh (v8.0.0.1), I didn't see any change and the configuration file is as I left it, with the changes I did; do I need to reboot the server or how the config file sshd_config is updated when I install the choco version?
Expected behavior
`Match Group` condition check use the appropriate locate-relevant name for the administrators group.
Actual behavior
sshd_config gets the right "administrators" name for any language installation.
Error details
sshd: error: unable to resolve group administrators
Environment data
Name Value
---- -----
PSVersion 5.1.17763.2183
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.2183
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Version
0.0.1.0 (the one that comes with Server 2019)
Visuals
No response
One simple way to address this might be to do a regex replacement of the group name within the PowerShell install by doing a reverse lookup on the BUILTIN\Administrators SID; the SID should not be language dependent:
$SID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
$Name = $SID.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
I stumbled upon this; the docs fail to warn about this case. I do:
# Get the actual name of the Administrators group
$SID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
$AdministratorsGroupName = (Get-LocalGroup -SID $SID).Name
# Replace the group name in sshd_config
$ConfigFilePath = 'C:\ProgramData\ssh\sshd_config'
(Get-Content -Path $ConfigFilePath) -replace 'Match Group administrators', "Match Group $AdministratorsGroupName" | Set-Content -Path $ConfigFilePath
$athKeysPath="$env:ProgramData\ssh\administrators_authorized_keys"
icacls.exe ${athKeysPath} /inheritance:r /grant ${AdministratorsGroupName}:F /grant SYSTEM:F
icacls.exe command may still be incomplete, it does not remove extra permissions that were there in case of trial and error with permissions.
This is a hassle; a built-in optional feature does not work out-of-the box for non-localized ISOs...
