SSH Public Key Fails After Domain Migration

[luckerby]

Using OpenSSH 7.7.2.0 on a Windows Server 2016 Standard. On the server-side, LogLevel is set to DEBUG3.

Multiple users are connecting to the OpenSSH instance. We have one user that has recently been migrated to another Active Directory domain, within the same forest.

The user initially had a single SID, we'll name this SID1. After the user was migrated intra-forest, his "main" SID, the one stored in the objectSid AD attribute, has been overwritten by a new value, SID2, and his previous SID (SID1) is now stamped on the sIDHistory AD attribute. So far, expected behavior for the AD migration that took place.

Now the user is unable to connect to the OpenSSH server. The server-side log shows the following:

3996 2019-02-15 13:05:05.975 debug1: trying public key file C:\\Users\\joey\\.ssh/authorized_keys
3996 2019-02-15 13:05:05.978 debug3: Bad permissions. Try removing permissions for user: **S-1-5-21-XXX-XXXX-XXXX-1230** on file C:\\Users\\joey\\.ssh/authorized_keys.
3996 2019-02-15 13:05:05.979 Authentication refused.
3996 2019-02-15 13:05:05.979 debug3: mm_answer_keyallowed: publickey authentication test: RSA key is not allowed
3996 2019-02-15 13:05:05.979 Failed publickey for joey@contoso from 10.140.10.59 port 29161 ssh2: RSA SHA256:KpbeDfo2Hs+/tLLwQy5JD2AEaXc/QsvBTq1UQCLevMw

What's interesting is that the referenced SID (in bold) is actually the original SID the user had - SID1 - and which is now stamped in the sIDHistory attribute.

Using Process Monitor to see exactly what happens against the user's public key, stored in the authorized_keys file, reveals that after the owner is checked, the file is immediately closed. There's no subsequent attempt to read from the file:

We've tried re-generating the SSH keys altogether, including running Repair-AuthorizedKeyPermission server-side, but to no avail.

This looks to be a bug - at least in version I'm using - which trips the code that checks the public key file's owner when there's at least one entry in the sIDHistory attribute.

[NoMoreFood]

The message itself makes sense. The original authorized_keys file has the old SID embedded in the ACE within the file security descriptor and the message is telling you to remove the old SID because it has no idea it's associated with the current user (yes, arguably a bug). Can you try manually removing the user's permission on the file and adding it back in? That should rewrite the security descriptor with the new SID. At the very least, the repair script can probably be updated to accommodate this.

[NoMoreFood]

Actually, I now have a patched binary if you want to give it a try. Let me know if you want me to compile them for you.

The code changes are here: PowerShell/openssh-portable@latestw_all...NoMoreFood:sidhistory_issue

[luckerby]

@NoMoreFood, removing the existing user account and re-adding it back solved the problem (checking the actual SIDs present on the authorized_keys file itself can be done with icacls authorized_keys /save <output_file>.

I also saw the pending pull request. I can go ahead and compile/build myself, the only question is what are the dependencies required (already have Visual Studio installed).

[NoMoreFood]

I believe the only major dependencies are the Windows 8.1 SDK and Visual Studio 2015 build tools (both of which are available as components in the Visual Studio 2017 installer).

[NoMoreFood]

If interested, you can test using these binaries: https://github.com/NoMoreFood/openssh-portable/releases/tag/v7.9-merge-1