unable to generate token for user sshd

[dwatley]

"OpenSSH for Windows" version
v1.0.0.0-Beta

Server OperatingSystem
Windows 10 Enterprise

Client OperatingSystem
Windows 10 Enterprise

What is failing
When opening an SSH connection to the server and the SSH2_MSG_KEXINIT is sent by the client (confirmed via ssh -vvv), the server fails with:

18884 2018-01-31 15:19:29.699 debug1: inetd sockets after dupping: 3, 3
18884 2018-01-31 15:19:29.699 Connection from 127.0.0.1 port 64971 on 127.0.0.1 port 22
18884 2018-01-31 15:19:29.699 debug1: Client protocol version 2.0; client software version OpenSSH_7.2
18884 2018-01-31 15:19:29.699 debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
18884 2018-01-31 15:19:29.699 debug1: Local version string SSH-2.0-OpenSSH_7.6
18884 2018-01-31 15:19:29.699 debug2: fd 3 setting O_NONBLOCK
18884 2018-01-31 15:19:29.700 debug1: LsaLogonUser failed NTSTATUS: 1
18884 2018-01-31 15:19:29.700 error: unable to generate token for user sshd
18884 2018-01-31 15:19:29.903 debug1: LsaLogonUser failed NTSTATUS: 1
18884 2018-01-31 15:19:29.903 error: unable to generate token on 2nd attempt for user sshd
18884 2018-01-31 15:19:29.903 error: unable to get security token for user sshd
18884 2018-01-31 15:19:29.903 error: posix_spawn failed
18884 2018-01-31 15:19:29.903 debug3: send_rexec_state: entering fd = 6 config len 273
18884 2018-01-31 15:19:29.903 debug3: ssh_msg_send: type 0
18884 2018-01-31 15:19:29.903 debug3: write ERROR from cb(2):232, io:000002A431CABE90
18884 2018-01-31 15:19:29.903 error: ssh_msg_send: write
18884 2018-01-31 15:19:29.903 fatal: send_rexec_state: ssh_msg_send failed
18884 2018-01-31 15:19:29.903 debug1: do_cleanup

The issue seems identical to #1027

• I've followed the instructions
• Installed binaries to C:\Program Files\OpenSSH
• I've already verified running as SYSTEM (whoami) and turned on DEBUG3 as noted in the troubleshooting directions
• Tried deleting and re-installing, following the guide exactly.

Based on a comment in that issue, it sounds like the sshd (privilege separation account) token couldn't be generated.

Thoughts, additional troubleshooting options?

[dwatley]

Turns out this was an issue with a non-standard configuration for user rights assignment in secpol.msc

[jgiles]

I'm seeing this exact issue currently - would you mind elaborating on the cause and fix?

Thanks!
Josh

[dwatley]

Certainly, that crossed my mind as I closed it. 😅

You should see a corresponding event in the security channel of the Windows Event Log indicating an audit failure. Log snippet below.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/31/2018 4:45:26 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      dwatley-ws.myhost.blah.com
Description:
An account failed to log on.

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		sshd
	Account Domain:		DWATLEY-WS

Failure Information:
	Failure Reason:		The user has not been granted the requested logon type at this machine.
	Status:			0xC000015B
	Sub Status:		0x0

Process Information:
	Caller Process ID:	0x3bdc
	Caller Process Name:	C:\Program Files\OpenSSH\sshd.exe

Logon Type 3 indicates a network login. In my case there is a non-standard User Rights Assignment configuration, so the sshd user which is a local account created at some point (not sure exactly when this occurred, maybe at installation, maybe at first service start) needs to be in a group that has access to, or be explicitly added to the relevant portion of User Rights Assignment policy via secpol.msc

Security Settings > Local Policies > User Rights Assignment > Access this computer from the network

Once the appropriate permissions have been granted, should work with no issue.

[manojampalam]

Thanks for catching this and investigating the underlying cause. We'll fix it for next drop.
Added as a known issue in 1.0.0.0 release notes.

[friederschueler]

Connection from 192.168.0.96 port 52625 on 192.168.0.116 port 22
debug1: Client protocol version 2.0; client software version PuTTY_Release
debug1: no match: PuTTY_Release_0.70
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug2: fd 5 setting O_NONBLOCK
unable to generate token for user sshd
unable to generate token on 2nd attempt for user sshd
unable to get security token for user sshd
posix_spawn failed
debug3: send_rexec_state: entering fd = 4 config len 152
debug3: ssh_msg_send: type 0
debug3: write ERROR from cb(2):232, io:0081CEF0
ssh_msg_send: write
send_rexec_state: ssh_msg_send failed
debug1: do_cleanup

C:\Program Files (x86)\OpenSSH>

I still get this error after allowing network access via secpol.msc for user sshd. I restarted my VM and checked the windows logs, but no hints. Any ideas?

"OpenSSH for Windows" version
v1.0.0.0-Beta on Windows 7 Enterprise SP1

[dwatley]

Maybe the service isn't running as SYSTEM?

[johnny5janbohac]

I have similiar issue with sshd user token, but difference is that during authentication is logged error "Unknown username or bad password" and user "FakeUser" Any tips ?

`An account failed to log on.

Subject:
Security ID: MYCZSW1DL015245\sshd
Account Name: sshd
Account Domain: MYCZSW1DL015245
Logon ID: 0xa4f897f5

Logon Type: 8

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: FakeUser
Account Domain: FakeDomain

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

Process Information:
Caller Process ID: 0x2f90
Caller Process Name: C:\Users\adm-123024594.MBID\Desktop\OpenSSH-Win32\sshd.exe

Network Information:
Workstation Name: MYCZSW1DL015245
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Logon Type: 8

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: FakeUser
Account Domain: FakeDomain

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

Process Information:
Caller Process ID: 0x2f90
Caller Process Name: C:\Users\adm-123024594.MBID\Desktop\OpenSSH-Win32\sshd.exe

Network Information:
Workstation Name: MYCZSW1DL015245
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0`

[bagajjal]

@johnny5janbohac -
Analysis
when we failed to generate user token then we will try using FakeUser. This is a workaround for issue
#727

Code : https://github.com/PowerShell/Win32-OpenSSH/blob/L1-Prod/contrib/win32/win32compat/win32_usertoken_utils.c#L341

Next steps to debug further

1. Does your sshd service run as SYSTEM?

2. If yes, have you tried the workaround mentioned by @dwatley (User Rights Assignment policy via secpol.msc)

3. Make sure all your binaries have "read, execute" permissions to "Authenticated users" account.

[ghost]

According to #253, the problem is that one needs to use 'domain\user'@server if it's a domain account one is using to logon to server.

[ericcurtin]

Tried the suggested workarounds. Didn't seem to work for me, in the end I used cygwin openssh-server 7.7 which worked fine:

https://www.ibm.com/support/knowledgecenter/en/SSPLFC_7.2.2/com.ibm.taddm.doc_7.2.2/AdminGuide/t_cmdb_configcygwin.html

[phocean]

Same issue here. Installation instruction also feels rather incomplete.

[olegbliaher]

Having the same issue exactly, but only with AD-users. Works perfectly with the local user.

[jemiller0]

I'm seeing the following when attempting to login to a computer that is in a domain (at work) from a computer that is not in the domain (at home). I'm able to login fine from another computer that is in the domain at work.

34600 2019-03-07 16:32:39.788 Connection from 1.1.1.1 port 49800 on 1.1.1.1 port 22
34600 2019-03-07 16:32:40.111 Accepted key RSA SHA256:... found at C:\Users\myuser\.ssh/authorized_keys:1
34600 2019-03-07 16:32:40.111 Postponed publickey for myuser from 1.1.1.1 port 49800 ssh2 [preauth]
34600 2019-03-07 16:32:40.174 Accepted key RSA SHA256:... found at C:\Users\myuser\.ssh/authorized_keys:1
34600 2019-03-07 16:32:40.174 Accepted publickey for myuser from 1.1.1.1 port 49800 ssh2: RSA SHA256:...
34600 2019-03-07 16:32:40.274 error: get_user_token - unable to generate token on 2nd attempt for user mydomain\myuser
34600 2019-03-07 16:32:40.274 error: unable to get security token for user mydomain\myuser
34600 2019-03-07 16:32:40.274 fatal: fork of unprivileged child failed

Any ideas?

[jemiller0]

Apparently, it has something to do with the fact that I was using public key authentication. I moved my authorized_keys file out of the way and it works using password authentication.

[fore5fire]

I'm seeing this same issue when logging into a domain user from macOS using public key auth. Logs show the public key auth was accepted, but then it hits the error:

7192 2020-01-17 21:48:38.617 error: lookup_principal_name: User principal name lookup failed for user 'domain\\user' (explicit: 5, implicit: 5)
7192 2020-01-17 21:48:38.617 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'domain\\user' Status: 0xC0000062 SubStatus 0.

Password auth is working fine, this only happens with public key auth.

[maertendMSFT]

Please reopen if this repros in the latest build.

[metrzero]

I'm able to reproduce this issue on Windows build 19041 using an AAD-joined server. I'm happy to provide access to a repro environment if that's helpful.

[bagajjal]

@metrzero - We currently don't support login with AAD (Azure Active Directory) credentials. AAD team is working on an API that can be used to generate the token for AAD users.

[metrzero]

Thank you for the update. Is there a feature request already submitted that I can track?

[bagajjal]

@metrzero - If you are working in Microsoft then you can track the workitem 26744004.

[swinder0161]

I still see this issue.

[Clebam]

In our environment, I faced this very problem when we removed "Authenticated Users" from the group "Pre-Windows 2000 Compatible Access"

I had to put Authenticated back in this group to solve the issue.

(Though it may still be a bad pratice that needs to be addressed in another way)

[KyleS-ITW]

In our environment, I faced this very problem when we removed "Authenticated Users" from the group "Pre-Windows 2000 Compatible Access"

I had to put Authenticated back in this group to solve the issue.

(Though it may still be a bad pratice that needs to be addressed in another way)

@Clebam I am seeing this same problem however only with some Domain Users not all of them and I cant seem to find out the cause. Have you made any more progress in resolving this without keeping Authenticated Users in the "Pre-Windows 2000 Compatible Access" group?

[bagajjal]

Adding @ThatWileyGuy from windows auth team to have a look at it.

[aefruswg]

Hi all, I'm experiencing this problem as well on multiple servers except for one. Been banging my head against the wall trying to find out why with no luck. There's no difference in applied policies between the one that works and the few that don't. Access computer from the network and Pre-Win2K aren't the issue. Firewall exceptions for SSH are set. All servers are on Server 2016 and are up to date. I'm getting the same error as in this thread:

#1363

Any help would be great as this is really putting a kink in our workflow