unable to generate token for user sshd

[dwatley]

"OpenSSH for Windows" version
v1.0.0.0-Beta

Server OperatingSystem
Windows 10 Enterprise

Client OperatingSystem
Windows 10 Enterprise

What is failing
When opening an SSH connection to the server and the SSH2_MSG_KEXINIT is sent by the client (confirmed via ssh -vvv), the server fails with:

18884 2018-01-31 15:19:29.699 debug1: inetd sockets after dupping: 3, 3
18884 2018-01-31 15:19:29.699 Connection from 127.0.0.1 port 64971 on 127.0.0.1 port 22
18884 2018-01-31 15:19:29.699 debug1: Client protocol version 2.0; client software version OpenSSH_7.2
18884 2018-01-31 15:19:29.699 debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
18884 2018-01-31 15:19:29.699 debug1: Local version string SSH-2.0-OpenSSH_7.6
18884 2018-01-31 15:19:29.699 debug2: fd 3 setting O_NONBLOCK
18884 2018-01-31 15:19:29.700 debug1: LsaLogonUser failed NTSTATUS: 1
18884 2018-01-31 15:19:29.700 error: unable to generate token for user sshd
18884 2018-01-31 15:19:29.903 debug1: LsaLogonUser failed NTSTATUS: 1
18884 2018-01-31 15:19:29.903 error: unable to generate token on 2nd attempt for user sshd
18884 2018-01-31 15:19:29.903 error: unable to get security token for user sshd
18884 2018-01-31 15:19:29.903 error: posix_spawn failed
18884 2018-01-31 15:19:29.903 debug3: send_rexec_state: entering fd = 6 config len 273
18884 2018-01-31 15:19:29.903 debug3: ssh_msg_send: type 0
18884 2018-01-31 15:19:29.903 debug3: write ERROR from cb(2):232, io:000002A431CABE90
18884 2018-01-31 15:19:29.903 error: ssh_msg_send: write
18884 2018-01-31 15:19:29.903 fatal: send_rexec_state: ssh_msg_send failed
18884 2018-01-31 15:19:29.903 debug1: do_cleanup

The issue seems identical to #1027

• I've followed the instructions
• Installed binaries to C:\Program Files\OpenSSH
• I've already verified running as SYSTEM (whoami) and turned on DEBUG3 as noted in the troubleshooting directions
• Tried deleting and re-installing, following the guide exactly.

Based on a comment in that issue, it sounds like the sshd (privilege separation account) token couldn't be generated.

Thoughts, additional troubleshooting options?

[dwatley]

Turns out this was an issue with a non-standard configuration for user rights assignment in secpol.msc

[jgiles]

I'm seeing this exact issue currently - would you mind elaborating on the cause and fix?

Thanks!
Josh

[dwatley]

Certainly, that crossed my mind as I closed it. 😅

You should see a corresponding event in the security channel of the Windows Event Log indicating an audit failure. Log snippet below.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/31/2018 4:45:26 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      dwatley-ws.myhost.blah.com
Description:
An account failed to log on.

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		sshd
	Account Domain:		DWATLEY-WS

Failure Information:
	Failure Reason:		The user has not been granted the requested logon type at this machine.
	Status:			0xC000015B
	Sub Status:		0x0

Process Information:
	Caller Process ID:	0x3bdc
	Caller Process Name:	C:\Program Files\OpenSSH\sshd.exe

Logon Type 3 indicates a network login. In my case there is a non-standard User Rights Assignment configuration, so the sshd user which is a local account created at some point (not sure exactly when this occurred, maybe at installation, maybe at first service start) needs to be in a group that has access to, or be explicitly added to the relevant portion of User Rights Assignment policy via secpol.msc

Security Settings > Local Policies > User Rights Assignment > Access this computer from the network

Once the appropriate permissions have been granted, should work with no issue.

[manojampalam]

Thanks for catching this and investigating the underlying cause. We'll fix it for next drop.
Added as a known issue in 1.0.0.0 release notes.

[friederschueler]

Connection from 192.168.0.96 port 52625 on 192.168.0.116 port 22
debug1: Client protocol version 2.0; client software version PuTTY_Release
debug1: no match: PuTTY_Release_0.70
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug2: fd 5 setting O_NONBLOCK
unable to generate token for user sshd
unable to generate token on 2nd attempt for user sshd
unable to get security token for user sshd
posix_spawn failed
debug3: send_rexec_state: entering fd = 4 config len 152
debug3: ssh_msg_send: type 0
debug3: write ERROR from cb(2):232, io:0081CEF0
ssh_msg_send: write
send_rexec_state: ssh_msg_send failed
debug1: do_cleanup

C:\Program Files (x86)\OpenSSH>

I still get this error after allowing network access via secpol.msc for user sshd. I restarted my VM and checked the windows logs, but no hints. Any ideas?

"OpenSSH for Windows" version
v1.0.0.0-Beta on Windows 7 Enterprise SP1

[dwatley]

Maybe the service isn't running as SYSTEM?

[johnny5janbohac]

I have similiar issue with sshd user token, but difference is that during authentication is logged error "Unknown username or bad password" and user "FakeUser" Any tips ?

`An account failed to log on.

Subject:
Security ID: MYCZSW1DL015245\sshd
Account Name: sshd
Account Domain: MYCZSW1DL015245
Logon ID: 0xa4f897f5

Logon Type: 8

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: FakeUser
Account Domain: FakeDomain

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

Process Information:
Caller Process ID: 0x2f90
Caller Process Name: C:\Users\adm-123024594.MBID\Desktop\OpenSSH-Win32\sshd.exe

Network Information:
Workstation Name: MYCZSW1DL015245
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Logon Type: 8

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: FakeUser
Account Domain: FakeDomain

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

Process Information:
Caller Process ID: 0x2f90
Caller Process Name: C:\Users\adm-123024594.MBID\Desktop\OpenSSH-Win32\sshd.exe

Network Information:
Workstation Name: MYCZSW1DL015245
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0`

[bagajjal]

@johnny5janbohac -
Analysis
when we failed to generate user token then we will try using FakeUser. This is a workaround for issue
#727

Code : https://github.com/PowerShell/Win32-OpenSSH/blob/L1-Prod/contrib/win32/win32compat/win32_usertoken_utils.c#L341

Next steps to debug further

1. Does your sshd service run as SYSTEM?

2. If yes, have you tried the workaround mentioned by @dwatley (User Rights Assignment policy via secpol.msc)

3. Make sure all your binaries have "read, execute" permissions to "Authenticated users" account.