
Public Cert Auth fails, but only for Domain Accounts and only when using the sshd Service (as opposed to running sshd myself directly) #1213

Closed
pldmgg opened this issue Jul 17, 2018 · 7 comments


pldmgg commented Jul 17, 2018

EDIT: Just noticed that this issue (#1213) is a duplicate of #1177

The below version info applies to both Client (initiating ssh connection) and Server (Remote Host).

"OpenSSH for Windows" version

PS C:\Users\zeroadmin> ((Get-Item (Get-Command sshd).Source).VersionInfo.FileVersion)
7.7.1.0
PS C:\Users\zeroadmin> ((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows nt\CurrentVersion\" -Name ProductName).ProductName)
Windows Server 2016 Standard Evaluation
PS C:\Users\zeroadmin> Get-Command ssh.exe

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Application     ssh.exe                                            7.7.1.0    C:\Program Files\OpenSSH-Win64\ssh.exe

What is failing
Public Certificate Authentication is failing but ONLY for Domain Accounts and ONLY when running the sshd Service. In other words, Public Certificate Authentication DOES work when I run sshd.exe -ddd manually (i.e. NOT using the service), or if I use the sshd Service and connect with a Local User account on the Remote Host.

Failure Output from SSHD Using SSHD Service When Connecting with Domain Account

debug2: load_server_config: filename __PROGRAMDATA__\\ssh/sshd_config
debug2: load_server_config: done config len = 524
debug2: parse_server_config: config __PROGRAMDATA__\\ssh/sshd_config len 524
debug3: __PROGRAMDATA__\\ssh/sshd_config:15 setting HostCertificate C:/ProgramData/ssh/ssh_host_rsa_key-cert.pub
debug3: __PROGRAMDATA__\\ssh/sshd_config:39 setting AuthorizedKeysFile C:/ProgramData/ssh/authorized_keys
debug3: __PROGRAMDATA__\\ssh/sshd_config:77 setting Subsystem sftp	sftp-server.exe
debug3: __PROGRAMDATA__\\ssh/sshd_config:78 setting Subsystem powershell    C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -sshs -NoLogo -NoProfile
debug3: checking syntax for 'Match User *'
debug1: sshd version OpenSSH_for_Windows_7.7, LibreSSL 2.6.4
debug1: private host key #0: ssh-rsa SHA256:iyzAg2Dvbgf6/X+4qtdUrDXOqHGQMEyWHCv8PDYBcoI
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:YKX6HycKy4DshQCOntO2H1P/rfnxE7KCRfMA04Uf31g
debug1: private host key #2: ssh-ed25519 SHA256:oy92lnnLpcmlJqeZD++ukwcXqMjTAWnt4pZ/2vxvrJw
debug1: host certificate: #0 type 4 RSA-CERT
debug1: rexec_argv[0]='C:\\Program Files\\OpenSSH-Win64\\sshd.exe'
debug1: rexec_argv[1]='-ddd'
debug1: rexec_argv[2]='-E'
debug1: rexec_argv[3]='C:\\Program Files\\OpenSSH-Win64\\logs.txt'
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug2: fd 5 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: load_server_config: filename __PROGRAMDATA__\\ssh/sshd_config
debug2: load_server_config: done config len = 524
debug2: parse_server_config: config __PROGRAMDATA__\\ssh/sshd_config len 524
debug3: __PROGRAMDATA__\\ssh/sshd_config:15 setting HostCertificate C:/ProgramData/ssh/ssh_host_rsa_key-cert.pub
debug3: __PROGRAMDATA__\\ssh/sshd_config:39 setting AuthorizedKeysFile C:/ProgramData/ssh/authorized_keys
debug3: __PROGRAMDATA__\\ssh/sshd_config:77 setting Subsystem sftp	sftp-server.exe
debug3: __PROGRAMDATA__\\ssh/sshd_config:78 setting Subsystem powershell    C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -sshs -NoLogo -NoProfile
debug3: checking syntax for 'Match User *'
debug1: sshd version OpenSSH_for_Windows_7.7, LibreSSL 2.6.4
debug1: private host key #0: ssh-rsa SHA256:iyzAg2Dvbgf6/X+4qtdUrDXOqHGQMEyWHCv8PDYBcoI
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:YKX6HycKy4DshQCOntO2H1P/rfnxE7KCRfMA04Uf31g
debug1: private host key #2: ssh-ed25519 SHA256:oy92lnnLpcmlJqeZD++ukwcXqMjTAWnt4pZ/2vxvrJw
debug1: host certificate: #0 type 4 RSA-CERT
debug1: rexec_argv[0]='C:\\Program Files\\OpenSSH-Win64\\sshd.exe'
debug1: rexec_argv[1]='-ddd'
debug1: rexec_argv[2]='-E'
debug1: rexec_argv[3]='C:\\Program Files\\OpenSSH-Win64\\logs.txt'
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug2: fd 5 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug3: fd 6 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 9 config len 524
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
Connection from 192.168.2.55 port 52827 on 192.168.2.47 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_for_Windows_7.7
debug1: match: OpenSSH_for_Windows_7.7 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug2: fd 6 setting O_NONBLOCK
debug3: spawning "C:\\Program Files\\OpenSSH-Win64\\sshd.exe" "-ddd" "-E" "C:\\Program Files\\OpenSSH-Win64\\logs.txt" "-y"
debug2: Network child is on pid 5276
debug3: send_rexec_state: entering fd = 5 config len 524
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug3: ssh_msg_send: type 0
debug3: ssh_msg_send: type 0
debug3: preauth child monitor started
debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 [preauth]
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none [preauth]
debug2: compression stoc: none [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c [preauth]
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none [preauth]
debug2: compression stoc: none [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ssh-rsa-cert-v01@openssh.com [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: receive packet: type 30 [preauth]
debug3: mm_key_sign entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect entering: type 7 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign
debug3: mm_answer_sign: hostkey proof signature 000001AA6C099E80(271)
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: send packet: type 31 [preauth]
debug3: send packet: type 21 [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug3: send packet: type 7 [preauth]
debug3: receive packet: type 21 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug3: receive packet: type 5 [preauth]
debug3: send packet: type 6 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user zeroadmin@zero service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow entering [preauth]
debug3: mm_request_send entering: type 8 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect entering: type 9 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow
debug2: parse_server_config: config reprocess config len 524
debug3: checking match for 'User *' user zeroadmin@zero host 192.168.2.55 addr 192.168.2.55 laddr 192.168.2.47 lport 22
debug1: user zeroadmin@zero matched 'User *' at line 85
debug3: match found
debug3: reprocess config:86 setting ForceCommand powershell.exe -NoProfile
debug3: reprocess config:87 setting TrustedUserCAKeys C:/ProgramData/ssh/ca_pub_key_of_client_signer.pub
debug3: reprocess config:88 setting AuthorizedPrincipalsFile C:/ProgramData/ssh/authorized_principals
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 9
debug2: monitor_read: 8 used once, disabling now
debug2: input_userauth_request: setting up authctxt for zeroadmin@zero [preauth]
debug3: mm_inform_authserv entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" [preauth]
debug3: send packet: type 51 [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 4 used once, disabling now
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user zeroadmin@zero service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug1: userauth_pubkey: test pkalg ssh-rsa-cert-v01@openssh.com pkblob RSA-CERT SHA256:3u9k1/x6rTQ7r7kkNV1ShwfQZXImezftCJD/FBxze6U CA RSA SHA256:3mmzNKLb6/cECDwcWsUCVz1T63FmAiCOeN3ak24Ocuo [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 000001AA6C0FE2E0
debug1: trying authorized principals file C:/ProgramData/ssh/authorized_principals
debug3: C:/ProgramData/ssh/authorized_principals:4: matched principal "zeroadmin@zero"
debug3: found certificate option "permit-agent-forwarding" len 0
debug3: found certificate option "permit-pty" len 0
debug1: cert: key options: agent-forwarding pty
debug1: principals: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Accepted certificate ID "vault-ldap-zeroadmin-deef64d7fc7aad343bafb924355d528707d06572267b37ed0890ff141c737ba5" (serial 4332202668122882872) signed by RSA CA SHA256:3mmzNKLb6/cECDwcWsUCVz1T63FmAiCOeN3ak24Ocuo via C:/ProgramData/ssh/ca_pub_key_of_client_signer.pub
debug3: mm_answer_keyallowed: publickey authentication test: RSA-CERT key is allowed
debug3: mm_request_send entering: type 23
debug3: send packet: type 60 [preauth]
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa-cert-v01@openssh.com [preauth]
Postponed publickey for zeroadmin@zero from 192.168.2.55 port 52827 ssh2 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user zeroadmin@zero service ssh-connection method publickey [preauth]
debug1: attempt 2 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug3: userauth_pubkey: have ssh-rsa-cert-v01@openssh.com signature for RSA-CERT SHA256:3u9k1/x6rTQ7r7kkNV1ShwfQZXImezftCJD/FBxze6U CA RSA SHA256:3mmzNKLb6/cECDwcWsUCVz1T63FmAiCOeN3ak24Ocuo [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 000001AA6C0FE040
debug1: trying authorized principals file C:/ProgramData/ssh/authorized_principals
debug3: C:/ProgramData/ssh/authorized_principals:4: matched principal "zeroadmin@zero"
debug3: found certificate option "permit-agent-forwarding" len 0
debug3: found certificate option "permit-pty" len 0
debug1: cert: key options: agent-forwarding pty
debug1: principals: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Accepted certificate ID "vault-ldap-zeroadmin-deef64d7fc7aad343bafb924355d528707d06572267b37ed0890ff141c737ba5" (serial 4332202668122882872) signed by RSA CA SHA256:3mmzNKLb6/cECDwcWsUCVz1T63FmAiCOeN3ak24Ocuo via C:/ProgramData/ssh/ca_pub_key_of_client_signer.pub
debug3: mm_answer_keyallowed: publickey authentication: RSA-CERT key is allowed
debug3: mm_request_send entering: type 23
debug3: mm_sshkey_verify entering [preauth]
debug3: mm_request_send entering: type 24 [preauth]
debug3: mm_sshkey_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
debug3: mm_request_receive_expect entering: type 25 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 24
debug3: mm_answer_keyverify: publickey 000001AA6C0FE2E0 signature verified
debug1: auth_activate_options: setting new authentication options
debug3: mm_request_send entering: type 25
Accepted publickey for zeroadmin@zero from 192.168.2.55 port 52827 ssh2: RSA-CERT ID vault-ldap-zeroadmin-deef64d7fc7aad343bafb924355d528707d06572267b37ed0890ff141c737ba5 (serial 4332202668122882872) CA RSA SHA256:3mmzNKLb6/cECDwcWsUCVz1T63FmAiCOeN3ak24Ocuo
debug1: monitor_child_preauth: zeroadmin@zero has been authenticated by privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 26
debug3: mm_request_receive entering
debug3: mm_get_keystate: GOT new keys
debug1: auth_activate_options: setting new authentication options [preauth]
debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa-cert-v01@openssh.com [preauth]
debug3: send packet: type 52 [preauth]
debug3: mm_request_send entering: type 26 [preauth]
debug3: mm_send_keystate: Finished sending state [preauth]
debug1: monitor_read_log: child log fd closed
debug3: generate_s4u_user_token: Unable to discover upn for user 'z': 1332
debug1: generate_s4u_user_token: LsaLogonUser() failed: -1073741726 SubStatus 0.
debug3: unable to generate token for user zero\\zeroadmin
debug3: generate_s4u_user_token: Unable to discover upn for user 'z': 1332
debug1: generate_s4u_user_token: LsaLogonUser() failed: -1073741726 SubStatus 0.
unable to generate token on 2nd attempt for user zero\\zeroadmin
unable to get security token for user zero\\zeroadmin
fork of unprivileged child failed
debug1: do_cleanup

Success Output from SSHD Using sshd -ddd When Connecting with Domain Account

debug2: load_server_config: filename __PROGRAMDATA__\\ssh/sshd_config
debug2: load_server_config: done config len = 524
debug2: parse_server_config: config __PROGRAMDATA__\\ssh/sshd_config len 524
debug3: __PROGRAMDATA__\\ssh/sshd_config:15 setting HostCertificate C:/ProgramData/ssh/ssh_host_rsa_key-cert.pub
debug3: __PROGRAMDATA__\\ssh/sshd_config:39 setting AuthorizedKeysFile C:/ProgramData/ssh/authorized_keys
debug3: __PROGRAMDATA__\\ssh/sshd_config:77 setting Subsystem sftp	sftp-server.exe
debug3: __PROGRAMDATA__\\ssh/sshd_config:78 setting Subsystem powershell    C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -sshs -NoLogo -NoProfile
debug3: checking syntax for 'Match User *'
debug1: sshd version OpenSSH_for_Windows_7.7, LibreSSL 2.6.4
debug1: private host key #0: ssh-rsa SHA256:iyzAg2Dvbgf6/X+4qtdUrDXOqHGQMEyWHCv8PDYBcoI
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:YKX6HycKy4DshQCOntO2H1P/rfnxE7KCRfMA04Uf31g
debug1: private host key #2: ssh-ed25519 SHA256:oy92lnnLpcmlJqeZD++ukwcXqMjTAWnt4pZ/2vxvrJw
debug1: host certificate: #0 type 4 RSA-CERT
debug1: rexec_argv[0]='C:\\Program Files\\OpenSSH-Win64\\sshd.exe'
debug1: rexec_argv[1]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 3 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 524
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
Connection from 192.168.2.55 port 52817 on 192.168.2.47 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_for_Windows_7.7
debug1: match: OpenSSH_for_Windows_7.7 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug2: fd 5 setting O_NONBLOCK
debug3: spawning "C:\\Program Files\\OpenSSH-Win64\\sshd.exe" "-ddd" "-y"
debug2: Network child is on pid 4204
debug3: send_rexec_state: entering fd = 4 config len 524
debug3: recv_rexec_state: entering fd = 3
debug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 0
debug3: recv_rexec_state: done
debug3: send_rexec_state: done
debug3: ssh_msg_send: type 0
debug2: parse_server_config: config __PROGRAMDATA__\\ssh/sshd_config len 524
debug3: __PROGRAMDATA__\\ssh/sshd_config:15 setting HostCertificate C:/ProgramData/ssh/ssh_host_rsa_key-cert.pub
debug3: ssh_msg_send: type 0
debug3: preauth child monitor started
debug3: __PROGRAMDATA__\\ssh/sshd_config:39 setting AuthorizedKeysFile C:/ProgramData/ssh/authorized_keys
debug3: __PROGRAMDATA__\\ssh/sshd_config:77 setting Subsystem sftp	sftp-server.exe
debug3: __PROGRAMDATA__\\ssh/sshd_config:78 setting Subsystem powershell    C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -sshs -NoLogo -NoProfile
debug3: checking syntax for 'Match User *'
debug1: sshd version OpenSSH_for_Windows_7.7, LibreSSL 2.6.4
debug3: ssh_msg_recv entering
debug3: ssh_msg_recv entering
debug2: fd 5 setting O_NONBLOCK
debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 [preauth]
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none [preauth]
debug2: compression stoc: none [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c [preauth]
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none [preauth]
debug2: compression stoc: none [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ssh-rsa-cert-v01@openssh.com [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: receive packet: type 30 [preauth]
debug3: mm_key_sign entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect entering: type 7 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign
debug3: mm_answer_sign: hostkey proof signature 00000153E4327C10(271)
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: send packet: type 31 [preauth]
debug3: send packet: type 21 [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug3: send packet: type 7 [preauth]
debug3: receive packet: type 21 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug3: receive packet: type 5 [preauth]
debug3: send packet: type 6 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user zeroadmin@zero service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow entering [preauth]
debug3: mm_request_send entering: type 8 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect entering: type 9 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow
debug2: parse_server_config: config reprocess config len 524
debug3: checking match for 'User *' user zeroadmin@zero host 192.168.2.55 addr 192.168.2.55 laddr 192.168.2.47 lport 22
debug1: user zeroadmin@zero matched 'User *' at line 85
debug3: match found
debug3: reprocess config:86 setting ForceCommand powershell.exe -NoProfile
debug3: reprocess config:87 setting TrustedUserCAKeys C:/ProgramData/ssh/ca_pub_key_of_client_signer.pub
debug3: reprocess config:88 setting AuthorizedPrincipalsFile C:/ProgramData/ssh/authorized_principals
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 9
debug2: monitor_read: 8 used once, disabling now
debug2: input_userauth_request: setting up authctxt for zeroadmin@zero [preauth]
debug3: mm_inform_authserv entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" [preauth]
debug3: send packet: type 51 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user zeroadmin@zero service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug1: userauth_pubkey: test pkalg ssh-rsa-cert-v01@openssh.com pkblob RSA-CERT SHA256:3u9k1/x6rTQ7r7kkNV1ShwfQZXImezftCJD/FBxze6U CA RSA SHA256:3mmzNKLb6/cECDwcWsUCVz1T63FmAiCOeN3ak24Ocuo [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 00000153E4388E80
debug1: trying authorized principals file C:/ProgramData/ssh/authorized_principals
debug3: C:/ProgramData/ssh/authorized_principals:4: matched principal "zeroadmin@zero"
debug3: found certificate option "permit-agent-forwarding" len 0
debug3: found certificate option "permit-pty" len 0
debug1: cert: key options: agent-forwarding pty
debug1: principals: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Accepted certificate ID "vault-ldap-zeroadmin-deef64d7fc7aad343bafb924355d528707d06572267b37ed0890ff141c737ba5" (serial 4332202668122882872) signed by RSA CA SHA256:3mmzNKLb6/cECDwcWsUCVz1T63FmAiCOeN3ak24Ocuo via C:/ProgramData/ssh/ca_pub_key_of_client_signer.pub
debug3: mm_answer_keyallowed: publickey authentication test: RSA-CERT key is allowed
debug3: mm_request_send entering: type 23
debug3: send packet: type 60 [preauth]
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa-cert-v01@openssh.com [preauth]
Postponed publickey for zeroadmin@zero from 192.168.2.55 port 52817 ssh2 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user zeroadmin@zero service ssh-connection method publickey [preauth]
debug1: attempt 2 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug3: userauth_pubkey: have ssh-rsa-cert-v01@openssh.com signature for RSA-CERT SHA256:3u9k1/x6rTQ7r7kkNV1ShwfQZXImezftCJD/FBxze6U CA RSA SHA256:3mmzNKLb6/cECDwcWsUCVz1T63FmAiCOeN3ak24Ocuo [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 00000153E4388C50
debug1: trying authorized principals file C:/ProgramData/ssh/authorized_principals
debug3: C:/ProgramData/ssh/authorized_principals:4: matched principal "zeroadmin@zero"
debug3: found certificate option "permit-agent-forwarding" len 0
debug3: found certificate option "permit-pty" len 0
debug1: cert: key options: agent-forwarding pty
debug1: principals: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Accepted certificate ID "vault-ldap-zeroadmin-deef64d7fc7aad343bafb924355d528707d06572267b37ed0890ff141c737ba5" (serial 4332202668122882872) signed by RSA CA SHA256:3mmzNKLb6/cECDwcWsUCVz1T63FmAiCOeN3ak24Ocuo via C:/ProgramData/ssh/ca_pub_key_of_client_signer.pub
debug3: mm_answer_keyallowed: publickey authentication: RSA-CERT key is allowed
debug3: mm_request_send entering: type 23
debug3: mm_sshkey_verify entering [preauth]
debug3: mm_request_send entering: type 24 [preauth]
debug3: mm_sshkey_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
debug3: mm_request_receive_expect entering: type 25 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 24
debug3: mm_answer_keyverify: publickey 00000153E4388FD0 signature verified
debug1: auth_activate_options: setting new authentication options
debug3: mm_request_send entering: type 25
Accepted publickey for zeroadmin@zero from 192.168.2.55 port 52817 ssh2: RSA-CERT ID vault-ldap-zeroadmin-deef64d7fc7aad343bafb924355d528707d06572267b37ed0890ff141c737ba5 (serial 4332202668122882872) CA RSA SHA256:3mmzNKLb6/cECDwcWsUCVz1T63FmAiCOeN3ak24Ocuo
debug1: monitor_child_preauth: zeroadmin@zero has been authenticated by privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 26
debug3: mm_request_receive entering
debug3: mm_get_keystate: GOT new keys
debug1: auth_activate_options: setting new authentication options [preauth]
debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa-cert-v01@openssh.com [preauth]
debug3: send packet: type 52 [preauth]
debug3: mm_request_send entering: type 26 [preauth]
debug3: mm_send_keystate: Finished sending state [preauth]
debug3: ReadFileEx() ERROR:109, io:00000153E42C4E60
debug3: read - no more data, io:00000153E42C4E60
debug1: monitor_read_log: child log fd closed
debug1: Not running as SYSTEM: skipping loading user profile
debug3: spawning "C:\\Program Files\\OpenSSH-Win64\\sshd.exe" "-ddd" "-z"
User child is on pid 472
debug3: send_rexec_state: entering fd = 6 config len 524
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug3: ssh_msg_send: type 0
debug3: ssh_msg_send: type 0
debug3: ssh_msg_send: type 0
debug3: recv_rexec_state: entering fd = 3
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config: config __PROGRAMDATA__\\ssh/sshd_config len 524
debug3: __PROGRAMDATA__\\ssh/sshd_config:15 setting HostCertificate C:/ProgramData/ssh/ssh_host_rsa_key-cert.pub
debug3: __PROGRAMDATA__\\ssh/sshd_config:39 setting AuthorizedKeysFile C:/ProgramData/ssh/authorized_keys
debug3: __PROGRAMDATA__\\ssh/sshd_config:77 setting Subsystem sftp	sftp-server.exe
debug3: __PROGRAMDATA__\\ssh/sshd_config:78 setting Subsystem powershell    C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -sshs -NoLogo -NoProfile
debug3: checking syntax for 'Match User *'
debug1: sshd version OpenSSH_for_Windows_7.7, LibreSSL 2.6.4
debug3: ssh_msg_recv entering
debug3: ssh_msg_recv entering
debug2: fd 4 setting O_NONBLOCK
debug2: parse_server_config: config reprocess config len 524
debug3: checking match for 'User *' user zero\\zeroadmin host 192.168.2.55 addr 192.168.2.55 laddr 192.168.2.47 lport 22
debug1: user zero\\zeroadmin matched 'User *' at line 85
debug3: match found
debug3: reprocess config:86 setting ForceCommand powershell.exe -NoProfile
debug3: reprocess config:87 setting TrustedUserCAKeys C:/ProgramData/ssh/ca_pub_key_of_client_signer.pub
debug3: reprocess config:88 setting AuthorizedPrincipalsFile C:/ProgramData/ssh/authorized_principals
debug3: ssh_msg_recv entering
debug3: monitor_apply_keystate: packet_set_state
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: ssh_packet_set_postauth: called
debug3: ssh_packet_set_state: done
debug3: notify_hostkeys: key 0: ssh-rsa SHA256:iyzAg2Dvbgf6/X+4qtdUrDXOqHGQMEyWHCv8PDYBcoI
debug3: notify_hostkeys: key 1: ecdsa-sha2-nistp256 SHA256:YKX6HycKy4DshQCOntO2H1P/rfnxE7KCRfMA04Uf31g
debug3: notify_hostkeys: key 2: ssh-ed25519 SHA256:oy92lnnLpcmlJqeZD++ukwcXqMjTAWnt4pZ/2vxvrJw
debug3: notify_hostkeys: sent 3 hostkeys
debug3: send packet: type 80
debug1: active: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Entering interactive session for SSH2.
debug2: fd 7 setting O_NONBLOCK
debug2: fd 8 setting O_NONBLOCK
debug1: server_init_dispatch
debug3: receive packet: type 90
debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug2: session_new: allocate (allocated 0 max 10)
debug3: session_unused: session id 0 unused
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug3: send packet: type 91
debug3: receive packet: type 80
debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
debug3: receive packet: type 98
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc console
debug3: send packet: type 99
debug3: receive packet: type 98
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
Starting session: forced-command (config) 'powershell.exe -NoProfile' on console for zero\\zeroadmin from 192.168.2.55 port 52817 id 0
debug2: fd 9 setting O_NONBLOCK
debug2: fd 10 setting O_NONBLOCK
debug2: fd 11 setting O_NONBLOCK
debug2: fd 12 setting O_NONBLOCK
debug2: fd 13 setting O_NONBLOCK
debug2: fd 14 setting O_NONBLOCK
debug1: Executing command: "C:\\Program Files\\OpenSSH-Win64\\ssh-shellhost.exe" "c:\\windows\\system32\\cmd.exe" /c powershell.exe -NoProfile
debug2: fd 4 setting TCP_NODELAY
debug2: channel 0: rfd 11 isatty
debug3: fd 11 is O_NONBLOCK
debug3: fd 10 is O_NONBLOCK
debug3: fd 13 is O_NONBLOCK
debug3: send packet: type 99
debug2: channel 0: read<=0 rfd 11 len 0
debug2: channel 0: read failed
debug2: channel 0: close_read
debug2: channel 0: input open -> drain
debug2: channel 0: ibuf_empty delayed efd 13/(0)
debug2: notify_done: reading
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 8480
debug1: session_exit_message: session 0 channel 0 pid 8480
debug2: channel 0: request exit-status confirm 0
debug3: send packet: type 98
debug1: session_exit_message: release channel 0
debug2: channel 0: write failed
debug2: channel 0: close_write
debug2: channel 0: send eow
debug2: channel 0: output open -> closed
debug3: mm_request_send entering: type 30
debug3: mm_request_receive entering
debug2: channel 0: read 0 from efd 13
debug3: monitor_read: checking request 30
debug3: mm_answer_pty_cleanup entering
debug2: channel 0: closing read-efd 13
debug1: session_by_tty: unknown tty console
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug3: send packet: type 96
debug2: channel 0: input drain -> closed
debug2: channel 0: send close
debug3: send packet: type 97
debug3: channel 0: will not send data after close
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: is dead
debug2: channel 0: gc: notify user
debug1: session_by_channel: session 0 channel 0
debug1: session_close_by_channel: channel 0 child 0
Close session: user zero\\zeroadmin from 192.168.2.55 port 52817 id 0
debug3: session_unused: session id 0 unused
debug2: channel 0: gc: user detached
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: server-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 server-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)
debug3: WSARecv - WSARecv() ERROR: io:000002D6BD2E26A0 10054
debug3: recv - from CB ERROR:108, io:000002D6BD2E26A0
Read error from remote host 192.168.2.55 port 52817: Unknown error
debug1: do_cleanup
debug3: mm_request_receive entering
debug1: do_cleanup
@NoMoreFood

In your case, it's having an issue turning your Domain\UserName into a user principal name. Can you confirm a user principal name is assigned for these accounts under the Account tab in Active Directory? Also, what OS is your domain controller running?

@pldmgg
Author

pldmgg commented Jul 17, 2018

@NoMoreFood That was it! I set the UPN attribute for zero\zeroadmin and it all worked.

But the UPN attribute isn't mandatory... is there a different way that sshd can look up the user in AD?

(FYI, Domain Controller is Windows 2012 R2)

@NoMoreFood

@pldmgg Good to hear. @manojampalam Can you possibly check with any AD / Kerberos gurus to see if there is some sort of alternate format we can pass into ClientUpn for KERB_S4U_LOGON that will work for users that do not have their upn attribute defined in AD? I'm not sure if there's some sort of "default" upn that we should fall back to. Right now we're falling back to NetBiosDomain\SamAccountName which I think has zero chance of working for Kerberos S4U.

@NoMoreFood

NoMoreFood commented Jul 17, 2018

@manojampalam Disregard previous request. Unbeknownst to me before now, apparently all accounts have an implicit UPN that defaults to SamAccountName@DnsDomainName; I have always explicitly set them in my forests. I will submit a pull request to try one and then the other.
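The two comments above (the request to confirm a UPN under the Account tab, and the note that every account also has an implicit UPN of the form SamAccountName@DnsDomainName) can be turned into an audit an administrator runs before rolling out certificate authentication to domain accounts. The script below is an added example and is not part of this issue or of the Win32-OpenSSH project; it assumes the RSAT ActiveDirectory module is installed, that the caller can read user objects, and that the accounts live in the current (single) domain, so the implicit form is built from that domain's DNS root. It reports, for each user, the UPN value that the fixed sshd would hand to the S4U logon and whether it came from the explicit attribute or from the implicit fallback; accounts listed as "implicit" are exactly the ones that failed on 7.7.1.0.

```powershell
# Added example (not the issue's or the project's code).
# Assumes: RSAT ActiveDirectory module, read access to user objects, single-domain forest.
Import-Module ActiveDirectory

function Get-SshdEffectiveUpn {
    <#
    .SYNOPSIS
    Returns the user principal name that sshd's S4U lookup would use for an account:
    the explicit userPrincipalName attribute when set, otherwise the implicit
    SamAccountName@DnsDomainName form (the fallback added for this issue).
    #>
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # DNS name of the account's domain; default assumes the user is in the current domain.
        [string]$DnsDomainName = (Get-ADDomain).DNSRoot
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName, Enabled

    if ($user.UserPrincipalName) {
        $upn    = $user.UserPrincipalName
        $source = 'explicit'   # attribute set under the Account tab
    } else {
        $upn    = '{0}@{1}' -f $user.SamAccountName, $DnsDomainName
        $source = 'implicit'   # what 7.7.2.0p1 falls back to; 7.7.1.0 used NetBiosDomain\Sam instead
    }

    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        Enabled        = $user.Enabled
        EffectiveUpn   = $upn
        UpnSource      = $source
    }
}

# Audit every enabled user that has no explicit UPN. In AD filter syntax a missing
# attribute is matched with -notlike '*'.
Get-ADUser -Filter { Enabled -eq $true -and UserPrincipalName -notlike '*' } |
    ForEach-Object { Get-SshdEffectiveUpn -SamAccountName $_.SamAccountName } |
    Format-Table SamAccountName, EffectiveUpn, UpnSource -AutoSize

# Spot-check a single account, e.g. the one from this issue:
# Get-SshdEffectiveUpn -SamAccountName zeroadmin
```

If the output lists users with UpnSource "implicit", either set the userPrincipalName attribute for them (the workaround that resolved this issue) or run an sshd build that includes the fallback; in a multi-domain forest, pass the account's own domain DNS name via -DnsDomainName, since the implicit UPN is relative to the domain that holds the account, not the forest root.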

@NoMoreFood

Pull request created: PowerShell/openssh-portable#332

@pldmgg
Author

pldmgg commented Jul 19, 2018

@NoMoreFood Awesome! Thank you!

manojampalam pushed a commit to PowerShell/openssh-portable that referenced this issue Jul 20, 2018
Modified user principal name lookup to default to the implicit form (SamAccountName@DnsDomainName) if no explicit user principal name attribute is found on the account.

PowerShell/Win32-OpenSSH#1213
@manojampalam manojampalam added this to the 7.7.2.0p1-Beta milestone Jul 27, 2018
@manojampalam
Contributor

manojampalam commented Jul 27, 2018

Fixed in latest release

manojampalam pushed a commit to manojampalam/openssh-portable that referenced this issue Oct 2, 2018
…dress VS warnings.

Includes:
- Fix descriptor leaks in win32 fstat implementation: PowerShell/Win32-OpenSSH#1209
- Modified user principal name lookup to default to the implicit form (SamAccountName@DnsDomainName) if no explicit user principal name attribute is found on the account: PowerShell/Win32-OpenSSH#1213