SSHD service is working good if start in PowerShell but not if start as windows service #1676

Closed
ggoyal23 opened this issue Oct 6, 2020 · 9 comments


@ggoyal23

ggoyal23 commented Oct 6, 2020

Please answer the following

"OpenSSH for Windows" version
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.4

Server OperatingSystem
Windows 10 Enterprise

Client OperatingSystem
Windows 10 Enterprise

What is failing

I am using Ansible Windows and connecting to remote machines using OpenSSH and I have an Admin User account.

If I am opening the sshd service as a Windows service on the remote machine, the Ansible master is able to ping but not able to install any software on the remote machine or perform complex steps.
But if I am using sshd in PowerShell then it is working fine. So, I am not sure what special permission the user is getting when sshd is started in PowerShell and how to resolve it.

If anyone has some idea, inputs are really appreciated.

@mgkuhn

mgkuhn commented Dec 5, 2020

Note that if sshd is running as a service, it (and the applications started via it) will have no access to “windows station” WinSta0. In other words, all system calls related in any way to GUI interactions will fail.

I have successfully executed software installers from within sshd running as a service, but only using command-line options to the respective installer that completely suppress any attempt at it using the GUI.

For example: if the installer uses Inno Setup, calling it with the option /VERYSILENT worked for me (recently tested with the Julia Windows 64-bit installer).

I would hope other Windows installers have similar options to suppress GUI interaction.

A developer can use the Win32 API functions GetProcessWindowStation and then GetUserObjectInformationA to find out the “windows station” to which the current process has access, i.e. to find out if they have access to the GUI desktop or not.
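
To run the check described in the comment above from inside a session, this PowerShell sketch calls the two Win32 functions it names through P/Invoke. It is an added example, not part of the original thread or of the project's code; the class name `WinStaProbe` and its methods are made up for illustration.

```powershell
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class WinStaProbe   // hypothetical helper name, not a Windows or OpenSSH API
{
    const int UOI_FLAGS = 1;          // query returns a USEROBJECTFLAGS structure
    const int UOI_NAME = 2;           // query returns the object name
    const uint WSF_VISIBLE = 0x0001;  // station has visible display surfaces
    [StructLayout(LayoutKind.Sequential)]
    struct USEROBJECTFLAGS { public int fInherit; public int fReserved; public uint dwFlags; }

    [DllImport("user32.dll", SetLastError = true)]
    static extern IntPtr GetProcessWindowStation();
    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Ansi, EntryPoint = "GetUserObjectInformationA")]
    static extern bool GetName(IntPtr h, int index, StringBuilder buf, int len, out int needed);
    [DllImport("user32.dll", SetLastError = true, EntryPoint = "GetUserObjectInformationA")]
    static extern bool GetFlags(IntPtr h, int index, ref USEROBJECTFLAGS f, int len, out int needed);

    static Exception Fail(string api)
    {
        return new InvalidOperationException(api + " failed, Win32 error " + Marshal.GetLastWin32Error());
    }
    public static string Name()
    {
        int needed; var sb = new StringBuilder(256);
        IntPtr h = GetProcessWindowStation();   // handle belongs to the process; do not close it
        if (h == IntPtr.Zero) throw Fail("GetProcessWindowStation");
        if (!GetName(h, UOI_NAME, sb, sb.Capacity, out needed)) throw Fail("GetUserObjectInformationA");
        return sb.ToString();
    }
    public static bool Visible()
    {
        int needed; var f = new USEROBJECTFLAGS();
        IntPtr h = GetProcessWindowStation();
        if (h == IntPtr.Zero) throw Fail("GetProcessWindowStation");
        if (!GetFlags(h, UOI_FLAGS, ref f, Marshal.SizeOf(typeof(USEROBJECTFLAGS)), out needed))
            throw Fail("GetUserObjectInformationA");
        return (f.dwFlags & WSF_VISIBLE) != 0;
    }
}
'@
# Run once in a console on the desktop and once over SSH, then compare the two results.
[pscustomobject]@{
    User          = [Environment]::UserName
    SessionId     = [Diagnostics.Process]::GetCurrentProcess().SessionId
    WindowStation = [WinStaProbe]::Name()
    Visible       = [WinStaProbe]::Visible()
}
```

A window station name other than WinSta0, or `Visible` reported as False, means the session has no GUI desktop, so an installer that needs one has to be run with its silent options.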

@mgkuhn

mgkuhn commented Dec 5, 2020

I suspect this is not an sshd bug/problem, but may deserve to be highlighted and explained better in the documentation. See also #998.

@ggoyal23
Author

Thanks a lot for your response. I solved it by creating a task for sshd in Task Scheduler and starting sshd in PowerShell in hidden mode. Also, we need to stop ssh from Windows services.
This is a workaround and is working well. However, I am not able to fix it from Windows services. Maybe the sshd service should start from an admin user account and not as a LocalSystem account.

@mgkuhn

mgkuhn commented Dec 11, 2020

Keep in mind that this is a Microsoft product. The whole point of Windows as an operating system product was always to provide an environment where only one single user at a time can use a GUI application. If you want to be able to have multiple users log in remotely, you have to buy the Windows Server operating systems and configure them as a terminal server, which then has licence implications for commercial applications that can be used there. Windows was specifically designed not to be easily fully usable via something like sshd. OpenSSH for Windows mainly exists to help with remote administration via CMD.EXE and PowerShell. I think the right thing to do is to contact the authors of the installers that you want to use to ensure that they eventually offer a non-GUI mode of using their product, similar to what Inno Setup did with /VERYSILENT.

@d0h0

d0h0 commented Jan 20, 2021

> Note that if sshd is running as a service, it (and the applications started via it) will have no access to “windows station” WinSta0. In other words, all system calls related in any way to GUI interactions will fail.

This sounds like SSHd can be started from the user UI at startup (instead of a service) and then is serviceId 1 and can launch desktop applications?

@mgkuhn

mgkuhn commented Jan 20, 2021

You could also try to place (a shortcut to?) sshd into %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ to cause it to start up as a normal user process when the Explorer starts after GUI login.

@d0h0

d0h0 commented Jan 20, 2021

Thanks for your response.
I tried it and got sshd: fatal: fork of unprivileged child failed in the eventlog. I'll continue investigating... :)

@d0h0

d0h0 commented Jan 21, 2021

@ggoyal23
In my case running it as a Windows service works. When I run the provided service installer script install-sshd.ps1, the SSHd service is registered as a manually startable service. To activate automatic startup mode, modifying the script in line 59 should be sufficient.

You wrote "But if i am using SSHD in powershell then it is working fine. "
I want to run SSHd with a non-admin account but it does not work. Any hints?

Edit: The answer is that it is no longer possible with newer versions of OpenSSH. The feature UsePrivilegeSeparation was removed with OpenSSH 7.5 released on 2017-03-20, so I'll stick to the psexec/schtask way.

@d0h0

d0h0 commented Jan 26, 2021

Summarized the things in stackoverflow land: https://stackoverflow.com/a/65899949/1037303
