Skip to content

ChrootDirectory in sshd_config randomly ignored for Windows server #1544

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Kiroha opened this issue Jan 22, 2020 · 9 comments
Closed

ChrootDirectory in sshd_config randomly ignored for Windows server #1544

Kiroha opened this issue Jan 22, 2020 · 9 comments
Labels
Resolution - Fixed

Comments

@Kiroha
Copy link

Kiroha commented Jan 22, 2020
edited
Loading

"OpenSSH for Windows" version
7.7.2.2

Server OperatingSystem
Windows Server 2019 Datacenter

Client OperatingSystem
Windows Server 2019 Datacenter and Debian Linux
What is failing
ChrootDirectory attribute randomly ignored
Expected output
ChrootDirectory apply at each client connection
Actual output
When my sftp client does multiple connect, randomly the ChrootDirectory is not set

Bug_OpenSSH
@bagajjal
Copy link
Collaborator

bagajjal commented Jan 23, 2020
edited
Loading

@Kiroha - Please provide the sftp server and SSHD logs with DEBUG3 enabled.

@Kiroha
Copy link
Author

Kiroha commented Jan 23, 2020
edited
Loading

Hello :)

Thanks for reply. Below the log :

First attempt => KO
8784 2020-01-23 13:42:44.665 debug3: checking match for 'Group administrators' user yoda_cor_rpa host 127.0.0.1 addr 127.0.0.1 laddr 127.0.0.1 lport 22
8784 2020-01-23 13:42:44.665 debug3: LsaLogonUser Succeeded (Impersonation: 0)
8784 2020-01-23 13:42:44.665 debug1: user l does not match group list administrators at line 84
8784 2020-01-23 13:42:44.665 debug3: match not found
8784 2020-01-23 13:42:44.665 debug3: checking match for 'User yoda_cor_rpa' user l host 127.0.0.1 addr 127.0.0.1 laddr 127.0.0.1 lport 22
8784 2020-01-23 13:42:44.665 debug3: match not found
Second Attempt => OK
7388 2020-01-23 13:43:06.698 debug3: checking match for 'Group administrators' user yoda_cor_rpa host 127.0.0.1 addr 127.0.0.1 laddr 127.0.0.1 lport 22
7388 2020-01-23 13:43:06.698 debug3: LsaLogonUser Succeeded (Impersonation: 0)
7388 2020-01-23 13:43:06.698 debug1: user yoda_cor_rpa does not match group list administrators at line 84
7388 2020-01-23 13:43:06.698 debug3: match not found
7388 2020-01-23 13:43:06.698 debug3: checking match for 'User yoda_cor_rpa' user yoda_cor_rpa host 127.0.0.1 addr 127.0.0.1 laddr 127.0.0.1 lport 22
7388 2020-01-23 13:43:06.698 debug1: user yoda_cor_rpa matched 'User yoda_cor_rpa' at line 87
7388 2020-01-23 13:43:06.698 debug3: match found
7388 2020-01-23 13:43:06.698 debug3: reprocess config:88 setting ChrootDirectory C:/Users/yoda_cor_rpa/SFTP/
7388 2020-01-23 13:43:06.698 debug3: reprocess config:89 setting ForceCommand internal-sftp

Has you can see, randomly the user is l when it's KO and yoda_cor_rpa when it's OK

@jrohbock
Copy link

This seems to be this issue:
ChrootDirectory is inconsistent #1486

See also:
v7.9.0.0p1-Beta breaks with multiple groups #1354
Address Group Matching Issue #380

I was running into that issue (running v7.7.2.2 on Windows Server 2019 Standard installed via Get-WindowsCapability), and in the sshd logs the symptomatic pattern was a line like the following:
user <some-string-that-is-not-the-actual-username-and-usually-just-a-single-character> does not match group list ...

@Kiroha
Copy link
Author

Kiroha commented Jan 24, 2020

This seems to be this issue:
ChrootDirectory is inconsistent #1486

See also:
v7.9.0.0p1-Beta breaks with multiple groups #1354
Address Group Matching Issue #380

I was running into that issue (running v7.7.2.2 on Windows Server 2019 Standard installed via Get-WindowsCapability), and in the sshd logs the symptomatic pattern was a line like the following:
user <some-string-that-is-not-the-actual-username-and-usually-just-a-single-character> does not match group list ...

Right it seems to be exactly the same. Is there a simple way to update the OpenSSH server installed by the get-windowscapability without breaking the potential futur update made by Microsoft ?

@jrohbock
Copy link

Disclaimer: I'm not entirely sure how updates work for Windows OpenSSH as an optional feature/capability.

That said, I get the distinct feeling that you should NOT manually update the Windows OpenSSH server if you've installed it via the Get-WindowsCapability PowerShell cmdlet. I would bet money that if you did do that it would break something.

I think the only supported upgrade path for Windows OpenSSH installed as an optional feature/capability would be applying Windows updates. This comment from a dev seems to indirectly imply that updates for the "Windows official releases" of OpenSSH (a.k.a. versions available as optional feature) are distributed via WU/WSUS. Any version of OpenSSH for Windows downloaded from the releases on Github and manually installed would have to be manually updated.

For the current LTSC release of Windows Server 2019 Standard it doesn't look like any updates for Windows OpenSSH have been released through WU/WSUS (from what I can see). This also seems to be backed up by this comment from another guy running Windows Server (though he's running 1909 on the SAC instead of LTSC).

If this lack of an official update to Windows OpenSSH via WU/WSUS also applies to Windows Server 2019 Datacenter and you absolutely need the new bugfixes, your best bet may be to uninstall the optional feature, install a newer OpenSSH portable release, and just deal with updating it yourself until a newer version of the OpenSSH optional feature comes through the LTSC WU/WSUS pipes. (I'm assuming you're running the LTSC channel because you said you were running "Windows Server 2019 Datacenter" specifically and the docs claim that if you have the year in the name it indicates LTSC and if the year is missing from the name it's SAC.)

I would love for someone with more knowledge on the subject to chime in, as I'm not really 100% sure on any of this.

@maertendMSFT
Copy link
Collaborator

This issue is fixed in the latest release, 8.1. It will be available in-box in an update later this year.

@Julian-13
Copy link

same issue, randomly ignored ChrootDirectory
auth with AD
openssh-portable-8.2.p1_1,1
sftp from windows 10 pro (18363)

@bagajjal
Copy link
Collaborator

bagajjal commented Mar 9, 2021

@Julian-13 - You are not using win32-openssh as your version is 8.2. our latest version is openssh v8.1.

@blubberstahl
Copy link

blubberstahl commented Dec 13, 2023
edited
Loading

Hi,
I still get the issue that the chroot directory is sometimes ignored.
Since the issue had been fixed in 2020 - is there a way to update the native Microsoft implementation of OpenSSH?

Here are the machine details:

PS C:\Windows\system32> Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

Name  : OpenSSH.Client~~~~0.0.1.0
State : Installed

Name  : OpenSSH.Server~~~~0.0.1.0
State : Installed


PS C:\Windows\system32> systeminfo

Host Name:                 *****
OS Name:                   Microsoft Windows Server 2019 Datacenter
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                *****
Original Install Date:     8/23/2022, 5:49:09 PM
System Boot Time:          12/3/2023, 5:26:11 PM
System Manufacturer:       Microsoft Corporation
System Model:              Virtual Machine
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2297 Mhz
BIOS Version:              Microsoft Corporation Hyper-V UEFI Release v4.0, 12/17/2019
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
Total Physical Memory:     16,383 MB
Available Physical Memory: 6,887 MB
Virtual Memory: Max Size:  18,815 MB
Virtual Memory: Available: 8,949 MB
Virtual Memory: In Use:    9,866 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    *****
Logon Server:              *****
Hotfix(s):                 14 Hotfix(s) Installed.
                           [01]: KB5031990
                           [02]: KB4486153
                           [03]: KB4535680
                           [04]: KB4589208
                           [05]: KB5005112
                           [06]: KB5032196
                           [07]: KB5015896
                           [08]: KB5017400
                           [09]: KB5020374
                           [10]: KB5023789
                           [11]: KB5028316
                           [12]: KB5030505
                           [13]: KB5031589
                           [14]: KB5032306
Network Card(s):           1 NIC(s) Installed.
                           [01]: Microsoft Hyper-V Network Adapter
                                 Connection Name: Ethernet
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: *****
                                 [02]: *****
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Resolution - Fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@Julian-13 @blubberstahl @bagajjal @Kiroha @maertendMSFT @jrohbock