[win32-openssh] Permissions (NT Rights) aren't set correctly for SSHD user #8

Closed
alex3305 opened this issue Jul 23, 2016 · 9 comments

@alex3305

For me it was impossible to connect to the SSH daemon after installation with the Chocolatey script. I reproduced it on several fresh Win2012 R2 machines and couldn't get it to work.

With some exclusion it seems that the Add-Privilege from the included PoshPrivilege doesn't seem to work or is currently insufficient for enabling the correct right for the SSHD user. Maybe you will also have to add an Enable-Privilege to the install script to correctly enable this permission? Or perhaps the currently added permission is insufficient.

When adding this (lifted from install-sshd.ps1) after the Chocolatey install script, SSHD seems to work beautifully:

$path = "C:\Program Files\OpenSSH-Win64"
$ntrights = "ntrights.exe -u `"NT SERVICE\SSHD`" +r SeAssignPrimaryTokenPrivilege"
Push-Location
cd $path
cmd.exe /c $ntrights
Pop-Location

The rest of the package seems to be working great. Thanks for that!

@MattHodge

@DarwinJS could the same logic just be used for all versions of PowerShell, considering the ntrights.exe is bundled with the Win32-OpenSSH releases anyway?

https://github.com/DarwinJS/ChocoPackages/blob/master/win32-openssh/2016.05.30/tools/chocolateyinstall.ps1#L232

@DarwinJS
Owner

@MattHodge,
Sorry, I hadn't checked in the latest code.

Actually it's much better now - the default method works with Nano and everything else.

I have logic in to allow the end user to override and use ntrights.exe IF they find a scenario where the new approach does not work.

I tested 4 different .NET ways until it was apparent the local group policy hack had the broadest compatibility.

See the update here:
https://github.com/DarwinJS/ChocoPackages/blob/master/win32-openssh/2016.05.30.20160807/tools/chocolateyinstall.ps1#L310-327

@MattHodge

MattHodge commented Aug 27, 2016

@DarwinJS looks like it should work, except there is a missing $ in front of OSBits:

https://github.com/DarwinJS/ChocoPackages/blob/master/win32-openssh/2016.05.30.20160807/tools/chocolateyinstall.ps1#L317

Created a PR: #10

@DarwinJS
Owner

Good catch!

Have you tested the package on your target version of Windows without the NTRights option?

@MattHodge

MattHodge commented Aug 27, 2016

Yeah, (Windows 2012 R2 with PS4). Had the broken pipe error (PowerShell/Win32-OpenSSH#294) when connecting to SSHD when it was running as a service. Running it with sshd -d worked fine though.

Running ntrights.exe -u "NT SERVICE\SSHD" +r SeAssignPrimaryTokenPrivilege fixed the problem.

@DarwinJS
Owner

If you have time to test I have pushed a new version to choco. It's still in moderation, but you can get it by using -version 2016.05.30.20160827 ("8/27" instead of "8/7")

@MattHodge

Hi @DarwinJS .. unfortunately I still have the same issue.

I used choco install -y win32-openssh -version 2016.05.30.20160827 --params='/SSHServerFeature /KeyBasedAuthenticationFeature /UseNTRights' to install. No installation errors this time.

Still get the broken pipe error when running as a service.

As soon as I do ntrights.exe -u "NT SERVICE\SSHD" +r SeAssignPrimaryTokenPrivilege it works.

@DarwinJS
Owner

DarwinJS commented Sep 2, 2016

The bug was found - the wrong privilege was being set - whether using the new privilege setting or ntrights.exe.

If you have time @MattHodge, could you try testing 2016.05.30.20160902 (still in moderation) and report back if it fixes the issue?

I think the machine will have to be clean or else the permission may linger from your fixed up run.

Thanks for any help you can lend.

choco install -y win32-openssh -version 2016.05.30.20160902 -params='"/SSHServerFeature"'

@DarwinJS
Owner

DarwinJS commented Sep 3, 2016

Sorry that should be:

choco install -y win32-openssh -version 2016.05.30.20160902 -params='"/SSHServerFeature"'

@DarwinJS DarwinJS closed this as completed Oct 5, 2016
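
Added example, not part of the original thread or of the package's install script: one way to confirm whether `NT SERVICE\SSHD` actually holds `SeAssignPrimaryTokenPrivilege`, which also shows whether a right granted by an earlier manual ntrights.exe run is still lingering on a test machine. The function name `Get-UserRightHolders`, the temp file name and the sample INF text are assumptions made for this example; the live branch uses `secedit /export` and needs an elevated prompt.

```powershell
# Added example; names here are hypothetical, not taken from the package.
function Get-UserRightHolders {
    param(
        [string[]] $InfLines,                     # lines of a secedit USER_RIGHTS export
        [Parameter(Mandatory)] [string] $Right    # e.g. SeAssignPrimaryTokenPrivilege
    )
    $inSection = $false
    foreach ($raw in $InfLines) {
        $line = "$raw".Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$' -and $Matches[1] -eq $Right) {
            # Comma-separated holders; SIDs carry a leading '*', plain account names do not.
            return @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return @()   # right not listed: assigned to nobody
}

# Constructed sample export, used when secedit.exe is not available.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeServiceLogonRight = *S-1-5-80-0
'@ -split "`r?`n"

$right   = 'SeAssignPrimaryTokenPrivilege'
$account = 'NT SERVICE\SSHD'
$lines   = $sample
if (Get-Command secedit.exe -ErrorAction SilentlyContinue) {
    # Live check against the local security policy (elevated prompt required).
    $cfg = Join-Path $env:TEMP 'user-rights-check.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if (Test-Path $cfg) { $lines = Get-Content $cfg; Remove-Item $cfg }
}
$holders = @(Get-UserRightHolders -InfLines $lines -Right $right)
try {
    # Resolve the service account to its SID so it can be matched against the export.
    $sid = ([System.Security.Principal.NTAccount]$account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
} catch { $sid = $null }   # account does not exist here (sshd service not installed)
$held = ($sid -and ($holders -contains $sid)) -or ($holders -contains $account)
"{0} holds {1}: {2}" -f $account, $right, [bool]$held
```

Run it before and after installing the package on the same machine: `True` before the install means the right is left over from an earlier fix and the test does not exercise the installer.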