I just installed OpenSSH Server on a Windows Server 2019, in a domain environment, and I noticed that by default, pretty much every user can connect to the server via SSH. It's as if AD authentication was working (because I can login to the server via SSH using a domain account/password), but the permissions aren't applied, or even validated.
Basically, let's say I have 2 users, normalUser and adminUser. normalUser isn't part of any AD Groups that would give him access to WS2019SERVER, but adminUser is. Well, both users will be able to login to the server via SSH without any problem.
If I login via SSH and do a "whoami /groups", this is what I get (if it can help).
normalUser:
Group Name                        Type              SID            Attributes
================================= ================= ============== ==================================================
Everyone                          Well-known group  S-1-1-0        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                     Alias             S-1-5-32-545   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK              Well-known group  S-1-5-2        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users  Well-known group  S-1-5-11       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization    Well-known group  S-1-5-15       Mandatory group, Enabled by default, Enabled group
adminUser:
Group Name                        Type              SID            Attributes
================================= ================= ============== ==================================================
Everyone                          Well-known group  S-1-1-0        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                     Alias             S-1-5-32-545   Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators            Alias             S-1-5-32-544   Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Event Log Readers         Alias             S-1-5-32-573   Mandatory group, Enabled by default, Enabled group
How to prevent normalUser from SSHing into the server? I played with AllowGroup and DenyGroup in C:\ProgramData\ssh\sshd_config but it's not working (if anything, I managed to somehow block adminUser, but not normalUser?!).
Thank you,
Aura
Best Answer
Found the solution here:
https://github.com/MicrosoftDocs/windowsserverdocs/issues/2119
Basically, I added:
AllowGroups DOMAIN\ALLOWED_GROUP
To C:\ProgramData\ssh\sshd_config
And it worked. The reason it wasn't working at the beginning was because I was playing with a mix of AllowGroups, DenyGroups, AllowUsers and DenyUsers. But AllowGroups will ONLY allow users that are part of the listed group(s) SSH access. No need to handle all the others in DenyGroups or DenyUsers (ex: DenyUsers DOMAIN* and then allow the group via AllowGroups DOMAIN\ALLOWED_GROUP).
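The reason the mixed configuration misbehaved is the fixed order in which sshd evaluates these directives, documented in sshd_config(5): DenyUsers first, then AllowUsers, then DenyGroups, then AllowGroups. A Deny* match rejects the user outright, and an Allow* list, if present at all, rejects everyone it does not match. The following Python model of that evaluation order is an added example, not code from the question, the answer, or the OpenSSH project; it lets you predict who would get past sshd before touching C:\ProgramData\ssh\sshd_config. The domain name CORP, the group ssh-admins and the group memberships are constructed for the demo (they are modelled on the whoami /groups output above, with an assumed domain group added for the admin). The model compares names case-insensitively, which is a simplification of the real daemon's name handling.

```python
"""
Added example: a model of how OpenSSH applies DenyUsers / AllowUsers /
DenyGroups / AllowGroups. Evaluation order per sshd_config(5):
    DenyUsers -> AllowUsers -> DenyGroups -> AllowGroups
This is an illustration, not sshd's own code.
"""
import fnmatch

# Directives this model understands, in sshd's evaluation order.
ORDER = ("denyusers", "allowusers", "denygroups", "allowgroups")


def parse_sshd_config(text):
    """Collect the user/group allow and deny directives from sshd_config text.

    Every other directive is ignored. Each list is space-separated and may
    use the '*' and '?' wildcards that sshd_config(5) allows in patterns.
    """
    rules = {key: [] for key in ORDER}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key in rules:
            rules[key].extend(p.lower() for p in parts[1:])
    return rules


def _matches_any(patterns, name):
    """True if `name` matches at least one wildcard pattern (case-insensitive)."""
    return any(fnmatch.fnmatchcase(name.lower(), p) for p in patterns)


def login_allowed(rules, user, groups):
    """Apply the four lists in documented order; return (allowed, reason)."""
    if _matches_any(rules["denyusers"], user):
        return False, "rejected by DenyUsers"
    if rules["allowusers"] and not _matches_any(rules["allowusers"], user):
        return False, "not listed in AllowUsers"
    if any(_matches_any(rules["denygroups"], g) for g in groups):
        return False, "rejected by DenyGroups"
    if rules["allowgroups"] and not any(_matches_any(rules["allowgroups"], g) for g in groups):
        return False, "not in any AllowGroups group"
    return True, "allowed"


# Constructed sample principals (domain CORP and group ssh-admins are assumptions).
NORMAL_USER = ("CORP\\normalUser",
               ["Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users"])
ADMIN_USER = ("CORP\\adminUser",
              ["Everyone", "BUILTIN\\Users", "BUILTIN\\Administrators", "CORP\\ssh-admins"])

# The shape of the accepted answer: one AllowGroups line and nothing else.
CONFIG_ALLOWGROUPS_ONLY = "AllowGroups CORP\\ssh-admins\n"

# The kind of mix the question describes: a broad DenyUsers plus AllowGroups.
# DenyUsers is evaluated first, so it rejects adminUser before AllowGroups is read.
CONFIG_MIXED = "DenyUsers CORP\\*\nAllowGroups CORP\\ssh-admins\n"


def evaluate(config_text, principals):
    """Return {user: (allowed, reason)} for each (user, groups) principal."""
    rules = parse_sshd_config(config_text)
    return {user: login_allowed(rules, user, groups) for user, groups in principals}


if __name__ == "__main__":
    for label, cfg in (("AllowGroups only", CONFIG_ALLOWGROUPS_ONLY),
                       ("DenyUsers + AllowGroups", CONFIG_MIXED)):
        print(f"== {label} ==")
        for user, (ok, why) in evaluate(cfg, (NORMAL_USER, ADMIN_USER)).items():
            print(f"  {user:<16} {'ALLOW' if ok else 'DENY':<5} ({why})")
```

Running it shows the answer's configuration admitting only the member of the allowed group, and the mixed configuration rejecting both accounts at the DenyUsers step, before AllowGroups is ever consulted. After changing the real sshd_config, confirm the result the same way the question did: connect as a member and a non-member and check that only the member gets a session.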