Running as Standalone fails on posix_spawn #1043

Closed
jchristman opened this issue Jan 30, 2018 · 2 comments

@jchristman

Please answer the following:

"OpenSSH for Windows" version
1.0.0.0

Server OperatingSystem
Windows 10 Pro

Client OperatingSystem
Linux kali 4.12.0-kali2-686 #1 SMP Debian 4.12.12-2kali1 (2017-09-13) i686 GNU/Linux

What is failing

I'm trying to come up with a way to run this in standalone mode to require as little modification to the Windows machine in question as possible. I want to be able to drop a zip file on a Windows machine that I can use to easily tunnel with. I have created an sshd user for the priv sep via:

net user sshd "" /add

I have run FixHostFilePermissions.ps1 (output shown below) and the server starts just fine. However, similar to Issue 1035, my server is breaking on the posix_spawn to the unprivileged user despite LsaLogonAsUser succeeding. I have output some results of commands below to see if you can help me. I understand this is not the typical way to do it because I'm not running as a service with an NT SERVICE\sshd user, but I feel like it should work when I'm running sshd.exe as NT AUTHORITY\System and it is able to get a token for the regular sshd user.

Actual output

whoami:

PS C:\Windows\temp\tmp> whoami
nt authority\system

sshd_config:

PS C:\Windows\temp\tmp> type sshd_config
Port 2222
ListenAddress 0.0.0.0
PasswordAuthentication yes
PermitRootLogin yes
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts yes
PermitTTY yes

HostKey ssh_host_dsa_key
HostKey ssh_host_ecdsa_key
HostKey ssh_host_ed25519_key
HostKey ssh_host_rsa_key

Host file permissions:

PS C:\Windows\temp\tmp> powershell.exe -ExecutionPolicy Bypass .\FixHostFilePermissions.ps1
  [*] C:\Windows\temp\tmp\sshd_config
      looks good

  [*] C:\Windows\temp\tmp\ssh_host_dsa_key
      looks good

  [*] C:\Windows\temp\tmp\ssh_host_dsa_key.pub
      looks good

  [*] C:\Windows\temp\tmp\ssh_host_ecdsa_key
      looks good

  [*] C:\Windows\temp\tmp\ssh_host_ecdsa_key.pub
      looks good

  [*] C:\Windows\temp\tmp\ssh_host_ed25519_key
      looks good

  [*] C:\Windows\temp\tmp\ssh_host_ed25519_key.pub
      looks good

  [*] C:\Windows\temp\tmp\ssh_host_rsa_key
      looks good

  [*] C:\Windows\temp\tmp\ssh_host_rsa_key.pub
      looks good

   Done.

Permissions on my local directory:

PS C:\Windows\temp\tmp> icacls .
. BUILTIN\Users:(RX)
  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(S,RD)

Client:

root@kali:~# ssh -D 8080 -p 2222 [email protected]
Connection reset by 192.168.86.160 port 2222

Server:

PS C:\Windows\temp\tmp> C:\Windows\temp\tmp\sshd.exe -D -ddd -f sshd_config
debug2: load_server_config: filename sshd_config
debug2: load_server_config: done config len = 267
debug2: parse_server_config: config sshd_config len 267
debug3: sshd_config:1 setting Port 2222
debug3: sshd_config:2 setting ListenAddress 0.0.0.0
debug3: sshd_config:3 setting PasswordAuthentication yes
debug3: sshd_config:4 setting PermitRootLogin yes
debug3: sshd_config:5 setting AllowAgentForwarding yes
debug3: sshd_config:6 setting AllowTcpForwarding yes
debug3: sshd_config:7 setting GatewayPorts yes
debug3: sshd_config:8 setting PermitTTY yes
debug3: sshd_config:10 setting HostKey ssh_host_dsa_key
debug3: sshd_config:11 setting HostKey ssh_host_ecdsa_key
debug3: sshd_config:12 setting HostKey ssh_host_ed25519_key
debug3: sshd_config:13 setting HostKey ssh_host_rsa_key
debug1: sshd version OpenSSH_7.6, LibreSSL 2.5.3
debug1: private host key #0: ssh-dss SHA256:w9ctwELu8H/2gp8CJDh69QRigo8r7CTHrR8SU0tmorM
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:avRn0ChFI8SWqO/3F2nwpYDQKubzelAuqmoO3bM7dWk
debug1: private host key #2: ssh-ed25519 SHA256:zANZ7FC/FFQIIcjjGiY4rqvcsAPHx7IUXt2oZn2qLL8
debug1: private host key #3: ssh-rsa SHA256:0BgIpZPmdkdRO1Td0LuSXfglMNZiB/EzQCYMPv0hh00
debug1: rexec_argv[0]='C:\\Windows\\temp\\tmp\\sshd.exe'
debug1: rexec_argv[1]='-D'
debug1: rexec_argv[2]='-ddd'
debug1: rexec_argv[3]='-f'
debug1: rexec_argv[4]='sshd_config'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 267
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
Connection from 192.168.86.33 port 37126 on 192.168.86.160 port 2222
debug1: Client protocol version 2.0; client software version OpenSSH_7.5p1 Debian-10
debug1: match: OpenSSH_7.5p1 Debian-10 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug2: fd 4 setting O_NONBLOCK
debug3: LsaLogonUser succeeded
debug3: spawning "C:\\Windows\\temp\\tmp\\sshd.exe" "-D" "-ddd" "-f" "sshd_config" "-y"
debug3: send_rexec_state: entering fd = 5 config len 267
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug3: ssh_msg_send: type 0
debug3: ssh_msg_send: type 0
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug1: do_cleanup

sshd user

PS C:\Windows\temp\tmp> net user sshd
User name                    sshd
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/29/2018 9:00:52 PM
Password expires             3/12/2018 9:00:52 PM
Password changeable          1/29/2018 9:00:52 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Users
Global Group memberships     *None

Help is much appreciated! Thanks!

@manojampalam
Contributor

manojampalam commented Jan 30, 2018

Can you do icacls on sshd.exe and ensure "users" have "RX" on it?

@jchristman
Author

Yeah the sshd.exe had RX for Users. Ended up doing a

icacls * /grant Users:RX
icacls *key* /remove Users

That fixed the problem. It's weird though cause I could have sworn I tried that a while back. Thanks for the help.
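
An added example, not code from this thread or from the Win32-OpenSSH project: a PowerShell check that reports the ACL state the two `icacls` commands above establish, flagging files where BUILTIN\Users lacks RX and private host keys that Users can still access. The folder path is the one from the issue and the function names are hypothetical; only Allow entries are evaluated, so Deny entries and access granted through other groups are not considered.

```powershell
# Added example (not from the thread): report ACL state for a standalone sshd folder.
# Assumption: $Dir is the folder from the issue; only Allow ACEs are evaluated.
param([string]$Dir = 'C:\Windows\temp\tmp')

$UsersSid = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users
$RX = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Get-UsersAllowRights {
    param([string]$Path)
    # Explicit and inherited rules, with identities resolved to SIDs
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $rights = 0
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $UsersSid -and
            $rule.AccessControlType -eq 'Allow') {
            $rights = $rights -bor [int]$rule.FileSystemRights
        }
    }
    return [System.Security.AccessControl.FileSystemRights]$rights
}

function Test-SshdFolderAcl {
    param([string]$Path)
    foreach ($file in Get-ChildItem -LiteralPath $Path -File) {
        $rights = Get-UsersAllowRights -Path $file.FullName
        # Private host keys: ssh_host_*_key without the .pub extension
        $isPrivateKey = $file.Name -like 'ssh_host_*_key'
        $hasRX = ([int]$rights -band [int]$RX) -eq [int]$RX
        $finding = if ($isPrivateKey -and [int]$rights -ne 0) {
            'private key accessible to Users'
        } elseif ($file.Name -notlike '*key*' -and -not $hasRX) {
            'Users lack RX'
        } else { 'ok' }
        [pscustomobject]@{
            File = $file.Name; UsersRights = $rights; Finding = $finding
        }
    }
}

Test-SshdFolderAcl -Path $Dir | Format-Table -AutoSize
```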
