
openSSH for Windows: Domain Admin access with SSH Key #1881

Open
derSchweiger opened this issue Jan 4, 2022 · 3 comments

Comments

@derSchweiger

OpenSSH for Windows version: 8.6
Server OperatingSystem: W2k16, W2k19, W2k22
Client OperatingSystem: W10Pro

What is failing
We've configured OpenSSH for Windows and access it with public/private keys. To allow domain admins to join via SSH, we use the following config line:
AllowGroups "DOMAIN\Domain Admins"

It's possible to log in and I'm able to invoke administrative commands, but as soon as I try to connect to the Active Directory domain or use Exchange PowerShell cmdlets, I get the following error message:

PS C:\Users\Administrator.DOMAIN> Get-ADUser -Filter *
Get-ADUser : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services
running.
At line:1 char:1
+ Get-ADUser -Filter *
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [Get-ADUser], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser
PS C:\Users\Administrator.DOMAIN> Get-ExchangeServer
Active Directory operation failed on . The supplied credential for 'DOMAIN\Administrator' is invalid.
At line:1 char:1
+ Get-ExchangeServer
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], ADInvalidCredentialException
    + FullyQualifiedErrorId : [Server=EX0401,RequestId=a1317adf-797b-47b8-9334-392b2ae48768,TimeStamp=04.01.2022 14:29:41] [FailureCategory=Cmdlet-ADInvalidCredentialException] 3C6659B2

If I log in with a domain username/password combination, it works fine. So it seems that it's not possible to run domain cmdlets if I'm using an SSH key for authentication. Could that be true? Have I missed something?

@bagajjal
Collaborator

bagajjal commented Jan 4, 2022

Please have a look at #518

@derSchweiger
Author

Thank you very much @bagajjal, this seems to be exactly our problem. Is there currently no solid solution for this behaviour?
We are managing thousands of hosts with dozens of different domains. Therefore, it's unfortunately not an option for us to work with OpenSSH while using basic authentication.

@mgkuhn

mgkuhn commented Jan 9, 2022

Have you considered using Kerberos/GSSAPI authentication and delegation instead of public key authentication?

Wouldn't GSSAPI delegation cause the required credential (Kerberos ticket) to be available at the other end?
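An added check (not from this issue or the OpenSSH project) for verifying the suggestion above from a Windows client: it logs in over GSSAPI with and without credential delegation and reports whether the remote logon session ends up holding a Kerberos TGT, which is what the failing AD and Exchange cmdlets need. It assumes a hypothetical host name, that the server's sshd_config has GSSAPIAuthentication enabled, and that the client already holds a TGT for the domain.

```powershell
# Added example, not code from the issue or from the OpenSSH project.
# Assumptions (hypothetical): the target host is 'srv01.domain.example', its
# %ProgramData%\ssh\sshd_config contains 'GSSAPIAuthentication yes', and the
# client session already has a TGT for the domain (verify locally with 'klist').
param(
    [string]$TargetHost = 'srv01.domain.example',
    [string]$User       = 'DOMAIN\Administrator'
)

function Test-RemoteKerberosTicket {
    param(
        [string]$TargetHost,
        [string]$User,
        [switch]$Delegate
    )

    # Force Kerberos/GSSAPI instead of public-key authentication for this run.
    $opts = @('-o', 'GSSAPIAuthentication=yes', '-o', 'PubkeyAuthentication=no')
    if ($Delegate) { $opts += @('-o', 'GSSAPIDelegateCredentials=yes') }

    # 'klist' on the remote side lists the Kerberos tickets of the logon session
    # that sshd created for us; a key-based logon shows none.
    $out = & ssh @opts -l $User $TargetHost 'klist' 2>&1 | Out-String

    # A 'krbtgt/' entry is a forwarded TGT: the session can request further
    # service tickets (LDAP to a DC, Exchange Web Services) on our behalf.
    [pscustomobject]@{
        Delegated = [bool]$Delegate
        HasTgt    = ($out -match 'krbtgt/')
        Raw       = $out
    }
}

$plain     = Test-RemoteKerberosTicket -TargetHost $TargetHost -User $User
$delegated = Test-RemoteKerberosTicket -TargetHost $TargetHost -User $User -Delegate

"GSSAPI without delegation: TGT on remote side = $($plain.HasTgt)"
"GSSAPI with delegation:    TGT on remote side = $($delegated.HasTgt)"
if (-not $delegated.HasTgt) {
    'No TGT reached the remote session; domain cmdlets will fail as in the report above.'
}
```

Delegation only works if the SSH host's computer account is permitted to delegate in AD, so a second failure here points at the host account rather than at sshd.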
