OpenSSH issues in Windows 11, using a CentOS 10 AD server

I am running a server on CentOS 10, using Samba as an Active Directory domain.
On my Windows 11 clients, which have OpenSSH installed and were working before the latest Windows 11 update, the clients reject the ssh connection for a user that is part of Active Directory. I have created and populated groups on the Windows clients allowing
remote access, which I am enabling in sshd_config as shown below. I can log in to the Windows client with a non-domain user but not with a domain user, even though I have set \Domain Users on the Windows client. The ssh session ends with a port reset. Do I have to enable a certain key or
protocol in sshd_config?

AllowGroups "Remote Desktop Users"

Thank you in advance

I assume this is on the Windows side and that you are listing the AD groups to allow.

Just a guess, do you need to include the AD domain name in the AllowGroups?

Also what is the delimiter between group names? Hopefully not SPACE.

I can tell that the AllowGroups directive is working as shown. I have used the diagnostic log techniques recommended by the GitHub project that supports OpenSSH. I will provide logs that show Windows 10 working and Windows 11 not working. OpenSSH with Windows domain users on Windows client machines started failing in the last month; there appears to have been a security release for Windows 11 that has killed ssh operability for domain users on Windows clients that are members of the AD domain.

I have figured out how to fix this issue for Windows 11 client machines; domain members are able to log in to the client machines successfully. See this working sshd_config in C:\ProgramData\ssh.

The basic changes are:
1.) Comment out the (Required)
#Match Group administrators
#AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

2.) User access to your Windows client can be accomplished with the
AllowUsers directive as shown in sshd_config. Note: the # character comments out
text in the bash shell and in Linux/Unix configuration files. sshd_config is the configuration file
for sshd.

sshd_config

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# GSSAPI options
#GSSAPIAuthentication no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# No default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	sftp-server.exe

#

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server


# Note did not find the administrators_authorized_keys
# 
#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

# Trying various things to allow for people in the domain
# to login via ssh
#
AllowUsers "MYDOMAIN\*" local_admin01

Useful troubleshooting tips from GitHub for OpenSSH:
Troubleshooting Steps · PowerShell/Win32-OpenSSH Wiki · GitHub

Actual steps used in the debug exercise. Logged in to the Windows client as a normal user.
Started a PowerShell session as Administrator; the executable for the shell is wt (Windows Terminal).
Windows Terminal can have multiple tabs as a user or as Administrator.

Use ssh to log on to localhost in a wt (Windows Terminal) tab after you have started sshd with
psexec as shown.

ssh "MYDOMAIN\user1"@localhost -t pwsh

Setting up sshd on the server in detailed debug logging mode in another wt (Windows Terminal) tab:

Stop-Service sshd
# Invoke sshd.exe with psexec; you only get one session per run, whether you log
# on successfully or not. This debug session shows how sshd_config is processed
# and will give clues as to where the user logon is not working.
PS C:\Users\Administrator> psexec -s C:\Windows\System32\OpenSSH\sshd.exe -ddd

PsExec v2.43 - Execute processes remotely
Copyright (C) 2001-2023 Mark Russinovich
Sysinternals - www.sysinternals.com


debug2: load_server_config: filename __PROGRAMDATA__\\ssh/sshd_config
#: 
#:
debug1: do_cleanup
debug1: Killing privsep child 6748
# 
C:\Windows\System32\OpenSSH\sshd.exe exited on DADS3 with error code 255.
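As an added example (not from this thread and not Win32-OpenSSH project code), a small Python checker for the sshd_config pitfalls raised above: curly quotes in an AllowGroups line, group names with no domain qualifier, a domain wildcard such as MYDOMAIN\* that admits every domain account, and an active Match Group administrators block. The domain name MYDOMAIN, the sample config and the wording of the findings are assumptions constructed for the example.

```python
import shlex

# Added example, not from the thread: lint an sshd_config text for the Windows access pitfalls above.
SMART_QUOTES = "\u201c\u201d\u2018\u2019"   # curly quotes pasted in from a word processor or forum

def split_directive(line):
    """Tokenise like sshd: double quotes group words, backslash stays literal."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split, lex.escape, lex.commenters = True, "", ""
    return list(lex)

def parse_sshd_config(text):
    """Yield (lineno, keyword, args, match_clause); curly-quoted lines yield keyword 'smartquote'."""
    match_clause = None                          # None at top level, else the Match criteria
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(q in line for q in SMART_QUOTES):  # sshd does not treat these as quotes
            yield n, "smartquote", [line], match_clause
            continue
        tokens = split_directive(line)
        key, args = tokens[0].lower(), tokens[1:]
        if key == "match":
            match_clause = " ".join(args).lower()
        yield n, key, args, match_clause

def check_windows_access(text, domain):
    """Return [(lineno, finding), ...]; domain is the AD NetBIOS name (assumed MYDOMAIN here)."""
    findings, prefix = [], domain.lower() + "\\"
    for n, key, args, clause in parse_sshd_config(text):
        if key == "smartquote":
            findings.append((n, "curly quotes are not quoting characters to sshd"))
        elif key in ("allowusers", "allowgroups", "denyusers", "denygroups"):
            for p in args:
                if p.lower().startswith(prefix) and p.endswith("*"):
                    findings.append((n, f"{p} matches every account in {domain}"))
                elif key.endswith("groups") and "\\" not in p and "@" not in p:
                    findings.append((n, f"{p!r} has no domain qualifier; a domain group is written {domain}\\groupname"))
        elif key == "authorizedkeysfile" and clause and "administrators" in clause:
            findings.append((n, f"Match Group administrators is active; admin keys come from {args[0]}"))
    return findings

SAMPLE = ("AllowGroups \u201cRemote Desktop Users\u201d\nAllowGroups \"Remote Desktop Users\"\n"
          'AllowUsers "MYDOMAIN\\*" local_admin01\nMatch Group administrators\n'
          "    AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys\n")  # constructed sample

if __name__ == "__main__":
    for lineno, msg in check_windows_access(SAMPLE, "MYDOMAIN"):
        print(f"line {lineno}: {msg}")
```

Running it on the constructed sample reports lines 1, 2, 3 and 5; a config with only qualified entries such as AllowGroups MYDOMAIN\sshusers produces no findings.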