Configure OpenSSH using Service Account.

[akshay8043]

Troubleshooting steps
https://github.com/PowerShell/Win32-OpenSSH/wiki/Troubleshooting-Steps

Terminal issue? please go through wiki
https://github.com/PowerShell/Win32-OpenSSH/wiki/TTY-PTY-support-in-Windows-OpenSSH

Please answer the following

"OpenSSH for Windows" version
((Get-Item (Get-Command sshd).Source).VersionInfo.FileVersion)
Latest

Server OperatingSystem
((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows nt\CurrentVersion\" -Name ProductName).ProductName)
Win10 Pro

What is failing
Unable to run openssh service using Domain Service account.
Also, I want to use Chroot for that same service account.

Actual output

[akshay8043]

error 1297 when starting service using service account

[mgkuhn]

Your description is extremely brief. Could you please provide a sequence of instructions (e.g. command lines) that will allow us to exactly reproduce this error?

[scratchbuild1]

Can I resurrect this issue? I'm also interested in running OpenSSH on Windows under a service account (instead of SYSTEM). The steps to reproduce the issue are:
(0.) Install OpenSSH 8.9.1 on Windows Server 2016.

1. Create a local account on the Windows machine where OpenSSH server is installed.
2. Grant the account "Log on as a service" rights on the machine.
3. Go to the properties of the OpenSSH SSH Server service (in services.msc), go to the "Log On" tab, and specify "This Account" to log on as when starting the service. Enter the username and password created in step 1.
4. Stop and restart the service.
5. The service fails to start, and gives this error:

Windows could not start the OpenSSH SSH Server service on Local Computer. Error 1297: A Privilege that the service requires to function properly does not exist in the service account configuration.

[mgkuhn]

Perhaps have e.g. a look at the !am_system() branches in get_user_token() in win32compat/win32_usertoken_utils.c to get an idea what privileges are required?

[scratchbuild1]

I'm not really a developer, so I might be wrong, but it looks like it needs to be able to create a process-level token. There is a "User Right" in Windows for that, but it's considered to be a pretty big one, i.e. I'm not sure how big of a security win it would be to have it not be running as SYSTEM but give it the process token rights. That's the part where I don't know enough about coding to know how important that right is to the overall picture, or how hard it would be to re-work it so it doesn't need that. I'll explore doing it with user rights and report back in a few days...

[scratchbuild1]

Update: Adding the token-related user rights doesn't seem to allow it to run as a service account. Same error message as above is still produced. So, since it seems like it's doing some intentional checking before proceeding, this may be more in the realm of a "feature request," i.e. to add the ability to run as a non-admin service account.

[christopherpickering]

I had the same issues and ended up comparing a few servers to get this working. I added my service account (DOMAIN\user-name) as an administrator and then made sure administrator existed on some policies (I don't know which are not required as admin already existed in many):

(run secpol.msc > local policies > user rights management)

Administrator exists in the following policies. The bold item was the last I updated before it started working.

• Access Credential Manager as a trusted caller
• Access this computer from the network
• Act as part of the operating system
• Adjust memory quotas for a process
• Allow log on locally
• Allow log on through remote desktop
• Back up files and directories
• Bypass traverse checking
• Change the system time
• Change the time zone
• Create a pagefile
• Create a token object
• Create global objects
• Create symbolic links
• Debug programs
• Enable computer and user accounts to be trusted for ...
• Force shutdown from a remote system
• Generate security audits
• Impersonate a client after authentication
• Increase scheduling priority
• Load and unload device drivers
• Lock pages in memory
• Log on as a batch job
• Log on as a service
• Manage auditing and security log
• Modify firmware environment values
• Perform volume maintenance tasks
• Profile single processes
• Profile system performance
• Remove computer from docking station
• Replace a process level token
• Restore files and directories
• Shut down the system
• Synchronize directory service data
• Take ownership of files or other objects

[t1m0thyj]

I had the same issues and ended up comparing a few servers to get this working. I added my service account (DOMAIN\user-name) as an administrator and then made sure administrator existed on some policies (I don't know which are not required as admin already existed in many):

(run secpol.msc > local policies > user rights management)

I only had to add my user account (which has admin rights) to these 2 policies:

• Act as part of the operating system
• Replace a process level token

[AlexL00]

I was able to run it under a virtual service account, "NT Service\sshd." This account was used in previous versions. I couldn't find information about why it was switched to run in the SYSTEM context, which is far less secure due to reduced service isolation. The topic was partly discussed in #681 regarding running the service in the network service context. I'm currently using version v8.1.0.0p1-Beta (an update is already scheduled). However, my findings might help in running the service under a domain service account context.

Security Policies Needed:

• SeBackupPrivilege
• SeServiceLogonRight
• SeAssignPrimaryTokenPrivilege
• SeTcbPrivilege
• SeRestorePrivilege
• SeImpersonatePrivilege

File Permissions:

• C:\ProgramData\ssh → Full Control
• C:\Program Files\OpenSSH-Win64 → Full Control
• C:\ProgramData\ssh\ssh_host_dsa_key → Generic Read
• C:\ProgramData\ssh\ssh_host_dsa_key.pub → Generic Read
• C:\ProgramData\ssh\ssh_host_ecdsa_key → Generic Read
• C:\ProgramData\ssh\ssh_host_ecdsa_key.pub → Generic Read
• C:\ProgramData\ssh\ssh_host_ed25519_key → Generic Read
• C:\ProgramData\ssh\ssh_host_ed25519_key.pub → Generic Read
• C:\ProgramData\ssh\ssh_host_rsa_key → Generic Read
• C:\ProgramData\ssh\ssh_host_rsa_key.pub → Generic Read

Registry Permission:

• HKLM\SOFTWARE\OpenSSH → Read