SSH Authentication Fails from Linux to Windows Box

[milindbangar79]

Hi,

Our scenario

• Trying to connect from Linux to a Windows box (SSH server). The boxes are in different domains.(from us.xxx.com (Linux Server) to inet.xxx.local domain (Windows Server))
• We have tested connectivity within the same domain and it works fine.
• Using V0.8.0 of OpenSSH

Attaching the Debug log for your reference:

6564 16:25:07 799 debug1: userauth-request for user svcpltadmindev@us service ssh-connection method none
6564 16:25:07 799 debug1: attempt 0 failures 0
6564 16:25:07 799 debug2: parse_server_config: config reprocess config len 323
6564 16:25:10 065 debug1: NetUserGetInfo() failed with error: 1722 \n
6564 16:25:10 471 debug1: NetUserGetInfo() with domainController failed with error: 5 \n
9072 16:25:10 596 debug2: ReadCB pio:000000975402CA00, pending_state:1, error:109, received:0
9072 16:25:10 596 debug3: select - returning 1
9072 16:25:10 596 debug1: close - io:000000975402CA00, type:2, fd:6, table_index:6
9072 16:25:10 596 debug2: fileclose - pio:000000975402CA00
9072 16:25:10 596 debug3: w32_select fd:3
9072 16:25:10 596 debug3: w32_select fd:4
9072 16:25:10 596 debug3: Total in fds:2
9072 16:25:10 596 debug2: on_select - io:000000975402D0E0 type:1 rd:1
9072 16:25:10 596 debug2: on_select - io:000000975402C7F0 type:1 rd:1
9072 16:25:10 596 debug3: wait() on 0 events and 1 children
9072 16:25:10 596 debug1: zombie'ing child at index 0, 0 zombies of 1
9072 16:25:10 596 debug3: process_signals()
9072 16:25:10 596 debug1: raise sig:3
9072 16:25:10 596 debug3: waitpid - pid:-1, options:1
9072 16:25:10 596 debug1: Unregister child at index 0, 1 zombies of 1
9072 16:25:10 596 debug3: waitpid - pid:-1, options:1
9072 16:25:10 596 debug2: signal() sig:3, handler:00007FF756B4C4F0
9072 16:25:10 596 debug1: process_queued_signals: WARNING - A signal has interrupted and was processed
9072 16:25:10 596 debug3: w32_select fd:3
9072 16:25:10 596 debug3: w32_select fd:4
9072 16:25:10 596 debug3: Total in fds:2
9072 16:25:10 596 debug2: on_select - io:000000975402D0E0 type:1 rd:1
9072 16:25:10 596 debug2: on_select - io:000000975402C7F0 type:1 rd:1
9072 16:25:10 596 debug3: wait() on 0 events and 0 children
9072 16:25:10 596 debug3: wait() on 2 events and 0 children

Early help is much appreciated.

Regards
Milind

[bagajjal]

This error occurs when the sshd process is unable to retrieve the user information...

I will test at my end and update this thread..

[manojampalam]

Can you try providing full FQDN in user name i.e [email protected] ?

[milindbangar79]

Tried the following FQDN :

1. svcpltadmindev@us.xxx.com@winbox
2. 'us\svcpltadmindev'@winBox
3. 'us.xxx.com\svcpltadmindev'@winBox

No luck.

Hope that's what you were looking for..

We have configured in another windows box and trying and getting the following

Invalid user us.xxx.com\dadmmbangar from 10.36.18.100 port 59584

I am able to RDP the Windows server, but not able to connect via ssh. User profile is available on the Windows server.

The user we are testing against is a domain user.

Query : Is there any limitation for cross domain ssh based authentication, which should be taken care during installation?

[gd197]

we had to escape the \ for interactive domain access from a linux box
ssh domain\\user@winbox
Hope that helps
EDIT.

[manojampalam]

Somehow the following logic in pwd.c is failing:
if ((status = NetUserGetInfo(udom_utf16, uname_utf16, 23, &user_info)) != NERR_Success) {
debug("NetUserGetInfo() failed with error: %d for user: %ls and domain: %ls \n", status, uname_utf16, udom_utf16);

		if ((dsStatus = DsGetDcNameW(NULL, udom_utf16, NULL, NULL, DS_DIRECTORY_SERVICE_PREFERRED, &pdc)) != ERROR_SUCCESS) {
			error("DsGetDcNameW() failed with error: %d \n", dsStatus);
			errno = ENOENT;
			goto done;
		}

		if ((status = NetUserGetInfo(pdc->DomainControllerName, uname_utf16, 23, &user_info)) != NERR_Success) {
			debug("NetUserGetInfo() with domainController: %ls failed with error: %d \n", pdc->DomainControllerName, status);
			errno = ENOENT;
			goto done;
		}

Can you try running sshd in debug mode

• net stop sshd
• In an elevated cmd.exe, run sshd.exe -d

and see if you can get past this error? (It may fail due to other reasons down the line, but we want to check if we are able to retrieve user's SID

Also try running sshd as SYSTEM and see if it makes a difference:
sc.exe config sshd obj= LocalSystem
restart sshd

[jschvartz]

Hi,
Maybe my issue is related to this one:

• WIN10 host with openssd sshd daemon (for tests purpose, will be using on WIN2008 or WIN2012 Servers)
• RHEL 6 ssh client
• Both in the same AD domain
  "ssh user@domain@host command" works ok, but cannot access Domain shares.
  I noticed this in debug output;
  [NetUserGetInfo() failed with error: 1722 for user]
  I attached the entire debug output of a sigle command.

Thanks for your work.
Joel
sshd.debug.txt

[manojampalam]

You cannot access domain shares because of this - #518

[jschvartz]

Hi Manoj, Thanks for your quick answers. Still, i don't understand it all. Case #518 seems to be related to non-domain machines or users, while both my server and user are part of a domain, trying to access a share in the same domain. And does it mean that that the latest openssh-portable does fix this issue (as per fix #82) ? Or are you still working on it (case #553) ? Or is it definitely a closed case as it is considered as a possible threat ? Many thanks again for your work, Joel

…

________________________________ De : Manoj Ampalam [[email protected]] Envoyé : vendredi 3 mars 2017 19:48 À : PowerShell/Win32-OpenSSH Cc : Joel Schvartz; Comment Objet : Re: [PowerShell/Win32-OpenSSH] SSH Authentication Fails from Linux to Windows Box (#543) You cannot access domain shares because of this - #518<#518> — You are receiving this because you commented. Reply to this email directly, view it on GitHub<#543 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AGH3NGwaEIXBdOn7jS8juDke7mjA3RNaks5riGCTgaJpZM4MLb2z>

[manojampalam]

accessing a share (domain or not) involves authentication. Remote ssh sessions created using key based auth cannot do outbound authentication, hence cannot access any share.

[jschvartz]

Hello Manoj, If i am already authenticated as a domain user on a host, why preventing me to also be identified in the domain on another host and get access to shares on this host? I understand it could be a threat in certain circumstances, but nothing worse that “rsh” I am using now … Could be fully configurable? Is it not worth opening a new discussion on the subject? Thanks, Joel Joel Schvartz Ingénieur Systèmes et Sécurité Malesherbes - Manchecourt +33 238 32 34 36 mobile +33 610 15 93 71 De : Manoj Ampalam [mailto:[email protected]] Envoyé : dimanche 5 mars 2017 10:10 À : PowerShell/Win32-OpenSSH Cc : Joel Schvartz; Comment Objet : Re: [PowerShell/Win32-OpenSSH] SSH Authentication Fails from Linux to Windows Box (#543) accessing a share (domain or not) involves authentication. Remote ssh sessions created using key based auth cannot do outbound authentication, hence cannot access any share. — You are receiving this because you commented. Reply to this email directly, view it on GitHub<#543 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AGH3NK5vec1yMpcojn-Zh9Of4PQy5y_7ks5rinvegaJpZM4MLb2z>.

[manojampalam]

Please continue double hop related discussion in #518