Allow AuthorizedKeysCommandUser to be 'nt authority\\system'

[rofuentes]

"OpenSSH for Windows" version
((Get-Item (Get-Command 'C:\Program Files\OpenSSH\OpenSSH-Win64\sshd').Source).VersionInfo.FileVersion)
8.1.0.0

Server OperatingSystem
((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ProductName).ProductName)
Windows Server 2019 Datacenter

Client OperatingSystem
n/a

What is failing
I am unable to run an AuthorizedKeysCommand binary under the Windows SYSTEM account. However, I can run it under another account with Administrator privileges. I would prefer to not need a separate/default Administrator account to run the command, since users may be allowed to SSH into a brand new Windows image with no active Administrative accounts.

Expected output
AuthorizedKeysCommandUser set to user account w/ Administrator privs

6328 2020-02-04 22:30:44.331 debug1: C:\ProgramData\ssh\ak.cmd:3: matching key found: RSA SHA256:
6328 2020-02-04 22:30:44.331 debug1: C:\ProgramData\ssh\ak.cmd:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
6328 2020-02-04 22:30:44.331 Accepted key RSA SHA256: found at C:\ProgramData\ssh\ak.cmd:3
6328 2020-02-04 22:30:44.331 debug1: auth_activate_options: setting new authentication options
6328 2020-02-04 22:30:44.331 Accepted publickey for rofuentes from port 43000 ssh2: RSA SHA256:
6328 2020-02-04 22:30:44.331 debug1: monitor_child_preauth: rofuentes has been authenticated by privileged process
6328 2020-02-04 22:30:44.362 debug1: auth_activate_options: setting new authentication options [preauth]

Actual output
AuthorizedKeysCommandUser set to SYSTEM

6268 2020-02-04 21:37:52.209 error: lookup_principal_name: User principal name lookup failed for user 'nt authority\system' (explicit: 1212, implicit: 1212)
6268 2020-02-04 21:37:52.209 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'nt authority\system' Status: 0xC0000062 SubStatus 0.
6268 2020-02-04 21:37:52.209 error: lookup_principal_name: User principal name lookup failed for user 'nt authority\system' (explicit: 1212, implicit: 1212)
6268 2020-02-04 21:37:52.209 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'nt authority\system' Status: 0xC0000062 SubStatus 0.
6268 2020-02-04 21:37:52.209 error: get_user_token - unable to generate token on 2nd attempt for user nt authority\system
6268 2020-02-04 21:37:52.209 error: unable to get security token for user nt authority\system
6268 2020-02-04 21:37:52.209 fatal: posix_spawn: eother

[rofuentes]

@manojampalam who added support for AuthorizedKeysCommand in PowerShell/openssh-portable#409

[illfelder]

/cc @bagajjal

Any ideas how to make authorized keys command work with the System user? I don't have an alternative Administrator account by default.

[NoMoreFood]

Can you try the attached @rofuentes. I suspect I can see where the problem is.
Note: Attached superseded and removed; see below.

For reference, specific code change is here: NoMoreFood/openssh-portable@d84fa96. I have not tested it so if you could that'd be great.

[rofuentes]

@NoMoreFood unfortunately, the fix did not appear to work. We still get an error when running AuthrorizedKeysCommand as SYSTEM

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

AuthorizedKeysCommand C:\ProgramData\ssh\ak.cmd
#AuthorizedKeysCommandUser Administrator # Works
AuthorizedKeysCommandUser SYSTEM # Generates error below

020-02-14 23:22:51.969 debug1: userauth-request for user user service ssh-connection method none [preauth]
2028 2020-02-14 23:22:51.969 debug1: attempt 0 failures 0 [preauth]
2028 2020-02-14 23:22:52.016 debug1: userauth-request for user user service ssh-connection method publickey [preauth]
2028 2020-02-14 23:22:52.016 debug1: attempt 1 failures 0 [preauth]
2028 2020-02-14 23:22:52.016 debug1: userauth_pubkey: test pkalg ecdsa-sha2-nistp256 pkblob ECDSA SHA256:vXOFC9dBojfYqt7vmqmL2fSK4ITNgHHjD/Un+3ntOAM [preauth]
2028 2020-02-14 23:22:52.016 debug1: trying public key file C:\\Users\\user\\.ssh/authorized_keys
2028 2020-02-14 23:22:52.016 debug1: Could not open authorized keys 'C:\\Users\\user\\.ssh/authorized_keys': No such file or directory
2028 2020-02-14 23:22:52.032 error: lookup_principal_name: User principal name lookup failed for user 'nt authority\\system' (explicit: 1212, implicit: 1212)
2028 2020-02-14 23:22:52.032 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'nt authority\\system' Status: 0xC0000062 SubStatus 0.
2028 2020-02-14 23:22:52.032 error: lookup_principal_name: User principal name lookup failed for user 'nt authority\\system' (explicit: 1212, implicit: 1212)
2028 2020-02-14 23:22:52.032 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'nt authority\\system' Status: 0xC0000062 SubStatus 0.
2028 2020-02-14 23:22:52.032 error: get_user_token - unable to generate token on 2nd attempt for user nt authority\\system
2028 2020-02-14 23:22:52.032 error: unable to get security token for user nt authority\\system
2028 2020-02-14 23:22:52.032 fatal: posix_spawn: eother
2028 2020-02-14 23:22:52.032 debug1: do_cleanup
2028 2020-02-14 23:22:52.032 debug1: Killing privsep child 940 

It seems like SYSTEM is not recognized as a user, is a local user account required to run AuthorizedKeysCommand?

[NoMoreFood]

You're correct and I thought my fixed would have addressed that. I'll run it through the debugger --- should be simple to fix. As a workaround, you can probably run it as COMPUTERNAME$

[NoMoreFood]

Please try attached. Seems to work for me.

sshd.zip

[rofuentes]

@NoMoreFood Thank you, but this new binary produces a similar error for me

4352 2020-02-16 23:29:10.564 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'system' Status: 0xC000006D SubStatus 0. 
4352 2020-02-16 23:29:10.564 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'system' Status: 0xC000006D SubStatus 0.

I tried setting AuthorizedKeysCommandUser to various iterations (ex. capitalization, prefixed with computer name) of both the system account and computername. Would it be possible for you to provide me with either the entire sshd configuration you are using? Just the AuthorizedKeysCommand and AuthorizedKeysCommandUser statements will work as well. Are you running sshd as a user other than SYSTEM? I'm curious how you are getting it to work.

[rofuentes]

Copying the security descriptor from a binary that can run as SYSTEM to my keys command batch file results in a different error:

Get-Acl 'C:\Program Files\OpenSSH\OpenSSH-Win64\sshd.exe' | Set-Acl -Path "C:\ProgramData\ssh\ak.cmd"

1260 2020-02-19 22:34:43.025 debug1: trying public key file C:\\Users\\user\\.ssh/authorized_keys
1260 2020-02-19 22:34:43.025 debug1: Could not open authorized keys 'C:\\Users\\user\\.ssh/authorized_keys': No such file or directory
1260 2020-02-19 22:34:43.025 error: Permissions on AuthorizedKeysCommand:"C:\\ProgramData\\ssh\\ak.cmd" are too open
1260 2020-02-19 22:34:43.025 Failed publickey for container-test\\user from 1 port 51875 ssh2: RSA

I reduced permissions to the following, back to the previous error:

C:\ProgramData\ssh>icacls C:\ProgramData\ssh\ak.cmd
C:\ProgramData\ssh\ak.cmd NT AUTHORITY\SYSTEM:(RX)
                          CONTAINER-TEST\user:(RX)

Successfully processed 1 files; Failed processing 0 files

PS C:\ProgramData\ssh> Get-Acl "C:\ProgramData\ssh\ak.cmd" |Format-List


Path   : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\ssh\ak.cmd
Owner  : BUILTIN\Administrators
Group  : CONTAINER-TEST\None
Access : NT AUTHORITY\SYSTEM Allow  ReadAndExecute, Synchronize
         CONTAINER-TEST\user Allow  ReadAndExecute, Synchronize
Audit  :

2824 2020-02-20 00:03:53.256 debug1: KEX done [preauth]
2824 2020-02-20 00:03:53.633 debug1: userauth-request for user container-test\\\\user service ssh-connection method none [preauth]
2824 2020-02-20 00:03:53.633 debug1: attempt 0 failures 0 [preauth]
2824 2020-02-20 00:03:53.680 debug1: userauth-request for user container-test\\\\user service ssh-connection method publickey [preauth]
2824 2020-02-20 00:03:53.680 debug1: attempt 1 failures 0 [preauth]
2824 2020-02-20 00:03:53.680 debug1: userauth_pubkey: test pkalg ecdsa-sha2-nistp256 pkblob ECDSA SHA256: [preauth]
2824 2020-02-20 00:03:53.680 debug1: trying public key file C:\\Users\\user\\.ssh/authorized_keys
2824 2020-02-20 00:03:53.680 debug1: Could not open authorized keys 'C:\\Users\\user\\.ssh/authorized_keys': No such file or directory
2824 2020-02-20 00:03:53.695 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'system' Status: 0xC000006D SubStatus 0.
2824 2020-02-20 00:03:53.695 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'system' Status: 0xC000006D SubStatus 0.
2824 2020-02-20 00:03:53.695 error: get_user_token - unable to generate token on 2nd attempt for user system
2824 2020-02-20 00:03:53.695 error: unable to get security token for user system

[bkatyl]

@NoMoreFood I tried the binary provided in #1546 (comment) and it definitely gets further than the current 8.1.0.0 release. Here's what I tried, the logs, and points to where I think the issue may be. Do you still have the changes that produced the Feb 15th binary?

sshd_config: It's worth noting that system and "nt authority\system" has the same behavior in the sshd_config.

AuthorizedKeysCommand C:/ProgramData/ssh/authorized_keys_command.bat %u
AuthorizedKeysCommandUser system

Log Output using debug3:

6316 2020-12-04 07:22:24.426 debug3: subprocess: AuthorizedKeysCommand command "C:/ProgramData/ssh/authorized_keys_command.bat testuser" running as system (flags 0x6)
6316 2020-12-04 07:22:24.428 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'system' Status: 0xC000006D SubStatus 0.
6316 2020-12-04 07:22:24.428 debug3: get_user_token - unable to generate token for user system
6316 2020-12-04 07:22:24.428 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'system' Status: 0xC000006D SubStatus 0.
6316 2020-12-04 07:22:24.428 error: get_user_token - unable to generate token on 2nd attempt for user system
6316 2020-12-04 07:22:24.428 error: unable to get security token for user system

From the errors it looks to be failing here. My guess is that it's unable to make a user token for the system user when doing the LsaLogonUser here
In reading the LsaLogonUser function (ntsecapi.h) documentation, remarks sections it mentions "You must call LsaLogonUser separately to update PKINIT device credentials for LOCAL_SYSTEM and NETWORK_SERVICE". Could this behavior difference contribute to the error above where it is unable to generate a token for the LOCAL_SYSTEM user?

[illfelder]

/cc @manojampalam can you provide any guidance on this issue? It doesn't look like I can set up authorized key command to act as the system user. @NoMoreFood provided a binary that gets us closer to a working solution (it can find the system user unlike the shipped version) but I'm not sure the solution for the remaining issue that we can't generate a token.

Any ideas?

[NoMoreFood]

Try running it as the computer account (e.g. MYCOMPNAME$). I'd be inclined to look into it more depth, but I haven't seen much activity on this project by Microsoft and other contributors so I don't want to dive in too deep if pull requests are just going to pile up.

[bkatyl]

Unfortuntely using the computer account name as the AuthorizedKeysCommandUser didn't work as both Release 8.1.0.0 and the binary from above produced the same error which is below. I also tried uppercase and lowercase, just in case. It might be worth noting that the machine is not domain joined.

config:

AuthorizedKeysCommand C:/ProgramData/ssh/authorized_keys_command.bat %u
AuthorizedKeysCommandUser ssh-2019-1$

Logs

5944 2020-12-11 23:42:22.878 debug1: get_passwd: LookupAccountName() failed: 1332.
5944 2020-12-11 23:42:22.878 error: AuthorizedKeysCommandUser "ssh-2019-1$" not found: No such file or directory

[illfelder]

Looks like @bkatyl put together two PRs with a fix!

PowerShell/openssh-portable#478
PowerShell/openssh-portable#479