SSHD service is working good if start in PowerShell but not if start as windows service

[ggoyal23]

Please answer the following

"OpenSSH for Windows" version
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.4

Server OperatingSystem
Windows 10 Enterprise

Client OperatingSystem
Windows 10 Enterprise

What is failing

I am using Ansible Windows and connecting to remote machines using OpenSSH and I have an Admin User account.

If i am opening the sshd service as windows service in remote machine, Ansible master is able to ping but not able to install any softwares in remote machine or perform complex steps
But if i am using SSHD in powershell then it is working fine. So, i am not sure what special permission the user is getting when start the sshd in powershell and how to resolve it.

If anyone has some idea, Inputs are really appreciated.

[mgkuhn]

Note that if sshd is runnig as a service, it (and the applications started via it) will have no access to “windows station” WinSta0. In other words, all system calls related in any way to GUI interactions will fail.

I have successfully executed software installers from within sshd running as a service, but only using command-line options to the respective installer that completely suppress any attempt at it using the GUI.

For example: if the installer uses Inno Setup, calling it with the option /VERYSILENT worked for me (recently tested with the Julia Windows 64-bit installer).

I would hope, other Windows installers have similar options to suppress GUI interaction.

A developer can use the Win32 API functions GetProcessWindowStation and then GetUserObjectInformationA to find out the “windows station” to which the current process has access, i.e. to find out if they have access to the GUI desktop or not.

[mgkuhn]

I suspect this is not an sshd bug/problem, but may deserve to be highlighted and explained better in the documentation. See also #998.

[ggoyal23]

Thanks a lot for your response. I solved it by creating a task for sshd in task scheduler and start sshd in PowerShell in hidden mode. Also, we need to stop ssh from windows services.
This is a workaround and is working good. However, i am not able to fix it from windows services. May be sshd service should start from a admin user account and not as a LocalSystem account.

[mgkuhn]

Keep in mind that this is a Microsoft product. The whole point of Windows as an operating system product was always to provide an environment where only one single user at a time can use a GUI application. If you want to be able to have multiple users log in remotely, you have to buy the Windows Server operating systems and configure them as a terminal server, which then has licence implications for commercial applications that can be used there. Windows was specifically designed not to be easily fully usable via something like sshd. OpenSSH for Windows mainly exists to help with remote administration via CMD.EXE and PowerShell. I think the right thing to do is to contact the authors of the installers that you want to use to ensure that they eventually offer a non-GUI mode of using their product, similar to what Inno Setup did with /VERYSILENT.

[d0h0]

Note that if sshd is runnig as a service, it (and the applications started via it) will have no access to “windows station” WinSta0. In other words, all system calls related in any way to GUI interactions will fail.

This sounds like SSHd can be started from the user UI at startup (instead of a service) and then is serviceId 1 and can launch desktop applications?

[mgkuhn]

You could also try to place (a shortcut to?) sshd into %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ to cause it to start up as a normal user process when the Explorer starts after GUI login.

[d0h0]

Thanks for your response.
I tried it and got sshd: fatal: fork of unprivileged child failed in the eventlog. I'll continue investigating... :)

[d0h0]

@ggoyal23
In my case running it as a Windows service works. When I run the provided service installer script install-sshd.ps1 the SSHd service is registered as manual startable service. To activate automatic startup mode, modifying the script in line 59 should be sufficient.

You wrote "But if i am using SSHD in powershell then it is working fine. "
I want to run SSHd with a non-admin account but it does not work. Any hints?

Edit: The answer is, that it is no more possible with newer versions of OpenSSH. The feature UsePrivilegeSeparation was removed with OpenSSH 7.5 released on 2017-03-20 so I'll stick to the psexec/schtask way.

[d0h0]

Summarized the things in stackoverflow land: https://stackoverflow.com/a/65899949/1037303