Connection reset when using ssh installed through winget #2073

Closed
3 tasks done
wbehrens-on-gh opened this issue May 31, 2023 · 9 comments

@wbehrens-on-gh

Prerequisites

  • Write a descriptive title.
  • Make sure you are able to repro it on the latest version
  • Search the existing issues.

Steps to reproduce

Currently my organization is using a local AD setup. The docs claim that only Azure AD is unsupported so I assume this should work.

  • On both machines run winget install Microsoft.OpenSSH.Beta
  • ssh wbehrens@<my ip>
  • Get client_loop: send disconnect: Connection reset

Expected behavior

A connection to be made to the remote windows server

Actual behavior

Connection reset

Error details

No response

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.19041.2673
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.2673
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version

9.2.2.0

Visuals

Here are some of the logs when running with -v and -d (after issuing Stop-Service sshd) using the same setup as above.

[Two screenshots of the log output]

@tgauth
Collaborator

tgauth commented May 31, 2023

When running the server with sshd -d only the "currently logged on user" can login and only using "key based auth." Are those criteria being met?

It's also possible to enable logging in sshd_config & restart the sshd service.

More details on either option can be found at: https://github.com/PowerShell/Win32-OpenSSH/wiki/Troubleshooting-Steps

Please provide updated logs when available

@wbehrens-on-gh
Author

wbehrens-on-gh commented May 31, 2023

When running the server with sshd -d only the "currently logged on user" can login and only using "key based auth." Are those criteria being met?

I can verify that it is being met.

sshd.log

4040 2023-05-31 12:40:33.854 debug2: fd 3 setting O_NONBLOCK
4040 2023-05-31 12:40:33.854 debug3: sock_set_v6only: set socket 3 IPV6_V6ONLY
4040 2023-05-31 12:40:33.854 debug1: Bind to port 22 on ::.
4040 2023-05-31 12:40:33.854 Server listening on :: port 22.
4040 2023-05-31 12:40:33.854 debug2: fd 4 setting O_NONBLOCK
4040 2023-05-31 12:40:33.854 debug1: Bind to port 22 on 0.0.0.0.
4040 2023-05-31 12:40:33.854 Server listening on 0.0.0.0 port 22.
4040 2023-05-31 12:40:33.854 debug3: pselect: installing signal handler for 7, previous 00007FF63634C020
4040 2023-05-31 12:40:33.854 debug3: pselect: installing signal handler for 8, previous 00007FF63634C020
4040 2023-05-31 12:40:33.854 debug3: pselect_notify_setup: initializing
4040 2023-05-31 12:40:33.854 debug2: fd 7 setting O_NONBLOCK
4040 2023-05-31 12:40:33.854 debug2: fd 5 setting O_NONBLOCK
4040 2023-05-31 12:40:33.854 debug3: pselect_notify_setup: pid 4040 saved 4040 pipe0 7 pipe1 5
4040 2023-05-31 12:41:54.989 debug3: fd 6 is not O_NONBLOCK
4040 2023-05-31 12:41:54.989 debug3: spawning "C:\\Program Files\\OpenSSH\\sshd.exe" -R as subprocess
4040 2023-05-31 12:41:55.005 debug3: send_rexec_state: entering fd = 10 config len 2205
4040 2023-05-31 12:41:55.005 debug3: ssh_msg_send: type 0
4040 2023-05-31 12:41:55.005 debug3: send_rexec_state: done
1668 2023-05-31 12:41:55.037 debug1: inetd sockets after dupping: 4, 4
1668 2023-05-31 12:41:55.037 debug3: process_channel_timeouts: setting 0 timeouts
1668 2023-05-31 12:41:55.037 debug3: channel_clear_timeouts: clearing
1668 2023-05-31 12:41:55.037 Connection from [REDACTED: Client IP] port 63894 on [REDACTED: Server IP] port 22
1668 2023-05-31 12:41:55.037 debug1: Local version string SSH-2.0-OpenSSH_for_Windows_9.2
1668 2023-05-31 12:41:55.037 debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_9.2
1668 2023-05-31 12:41:55.037 debug1: compat_banner: match: OpenSSH_for_Windows_9.2 pat OpenSSH* compat 0x04000000
1668 2023-05-31 12:41:55.037 debug2: fd 4 setting O_NONBLOCK
1668 2023-05-31 12:41:55.052 debug3: spawning "C:\\Program Files\\OpenSSH\\sshd.exe" -y as user
1668 2023-05-31 12:41:55.068 debug2: Network child is on pid 10928
1668 2023-05-31 12:41:55.068 debug3: send_rexec_state: entering fd = 6 config len 2205
1668 2023-05-31 12:41:55.068 debug3: ssh_msg_send: type 0
1668 2023-05-31 12:41:55.068 debug3: send_rexec_state: done
1668 2023-05-31 12:41:55.068 debug3: ssh_msg_send: type 0
1668 2023-05-31 12:41:55.068 debug3: ssh_msg_send: type 0
1668 2023-05-31 12:41:55.068 debug3: preauth child monitor started
1668 2023-05-31 12:41:55.083 debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
1668 2023-05-31 12:41:55.083 debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
1668 2023-05-31 12:41:55.083 debug3: send packet: type 20 [preauth]
1668 2023-05-31 12:41:55.083 debug1: SSH2_MSG_KEXINIT sent [preauth]
1668 2023-05-31 12:41:55.083 debug3: receive packet: type 20 [preauth]
1668 2023-05-31 12:41:55.099 debug1: SSH2_MSG_KEXINIT received [preauth]
1668 2023-05-31 12:41:55.099 debug2: local server KEXINIT proposal [preauth]
1668 2023-05-31 12:41:55.099 debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 [preauth]
1668 2023-05-31 12:41:55.099 debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
1668 2023-05-31 12:41:55.099 debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
1668 2023-05-31 12:41:55.099 debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
1668 2023-05-31 12:41:55.099 debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
1668 2023-05-31 12:41:55.099 debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
1668 2023-05-31 12:41:55.099 debug2: compression ctos: none,[email protected] [preauth]
1668 2023-05-31 12:41:55.099 debug2: compression stoc: none,[email protected] [preauth]
1668 2023-05-31 12:41:55.099 debug2: languages ctos:  [preauth]
1668 2023-05-31 12:41:55.099 debug2: languages stoc:  [preauth]
1668 2023-05-31 12:41:55.099 debug2: first_kex_follows 0  [preauth]
1668 2023-05-31 12:41:55.099 debug2: reserved 0  [preauth]
1668 2023-05-31 12:41:55.099 debug2: peer client KEXINIT proposal [preauth]
1668 2023-05-31 12:41:55.099 debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c [preauth]
1668 2023-05-31 12:41:55.099 debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256 [preauth]
1668 2023-05-31 12:41:55.099 debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
1668 2023-05-31 12:41:55.099 debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
1668 2023-05-31 12:41:55.099 debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
1668 2023-05-31 12:41:55.099 debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
1668 2023-05-31 12:41:55.099 debug2: compression ctos: none,[email protected],zlib [preauth]
1668 2023-05-31 12:41:55.099 debug2: compression stoc: none,[email protected],zlib [preauth]
1668 2023-05-31 12:41:55.099 debug2: languages ctos:  [preauth]
1668 2023-05-31 12:41:55.099 debug2: languages stoc:  [preauth]
1668 2023-05-31 12:41:55.099 debug2: first_kex_follows 0  [preauth]
1668 2023-05-31 12:41:55.099 debug2: reserved 0  [preauth]
1668 2023-05-31 12:41:55.099 debug1: kex: algorithm: curve25519-sha256 [preauth]
1668 2023-05-31 12:41:55.099 debug1: kex: host key algorithm: ssh-ed25519 [preauth]
1668 2023-05-31 12:41:55.099 debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none [preauth]
1668 2023-05-31 12:41:55.099 debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none [preauth]
1668 2023-05-31 12:41:55.099 debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
1668 2023-05-31 12:41:55.115 debug3: receive packet: type 30 [preauth]
1668 2023-05-31 12:41:55.115 debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
1668 2023-05-31 12:41:55.115 debug3: mm_sshkey_sign: entering [preauth]
1668 2023-05-31 12:41:55.115 debug3: mm_request_send: entering, type 6 [preauth]
1668 2023-05-31 12:41:55.115 debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth]
1668 2023-05-31 12:41:55.115 debug3: mm_request_receive_expect: entering, type 7 [preauth]
1668 2023-05-31 12:41:55.115 debug3: mm_request_receive: entering [preauth]
1668 2023-05-31 12:41:55.115 debug3: mm_request_receive: entering
1668 2023-05-31 12:41:55.115 debug3: monitor_read: checking request 6
1668 2023-05-31 12:41:55.115 debug3: mm_answer_sign: entering
1668 2023-05-31 12:41:55.115 debug3: mm_answer_sign: ssh-ed25519 KEX signature len=83
1668 2023-05-31 12:41:55.115 debug3: mm_request_send: entering, type 7
1668 2023-05-31 12:41:55.115 debug2: monitor_read: 6 used once, disabling now
1668 2023-05-31 12:41:55.115 debug3: send packet: type 31 [preauth]
1668 2023-05-31 12:41:55.115 debug3: send packet: type 21 [preauth]
1668 2023-05-31 12:41:55.115 debug2: ssh_set_newkeys: mode 1 [preauth]
1668 2023-05-31 12:41:55.115 debug1: rekey out after 134217728 blocks [preauth]
1668 2023-05-31 12:41:55.115 debug1: SSH2_MSG_NEWKEYS sent [preauth]
1668 2023-05-31 12:41:55.115 debug1: Sending SSH2_MSG_EXT_INFO [preauth]
1668 2023-05-31 12:41:55.115 debug3: send packet: type 7 [preauth]
1668 2023-05-31 12:41:55.115 debug1: expecting SSH2_MSG_NEWKEYS [preauth]
1668 2023-05-31 12:41:55.131 debug3: receive packet: type 21 [preauth]
1668 2023-05-31 12:41:55.131 debug1: SSH2_MSG_NEWKEYS received [preauth]
1668 2023-05-31 12:41:55.131 debug2: ssh_set_newkeys: mode 0 [preauth]
1668 2023-05-31 12:41:55.131 debug1: rekey in after 134217728 blocks [preauth]
1668 2023-05-31 12:41:55.131 debug1: KEX done [preauth]
1668 2023-05-31 12:41:55.193 debug3: receive packet: type 5 [preauth]
1668 2023-05-31 12:41:55.193 debug3: send packet: type 6 [preauth]
1668 2023-05-31 12:41:55.193 debug3: receive packet: type 50 [preauth]
1668 2023-05-31 12:41:55.193 debug1: userauth-request for user wbehrens service ssh-connection method none [preauth]
1668 2023-05-31 12:41:55.193 debug1: attempt 0 failures 0 [preauth]
1668 2023-05-31 12:41:55.193 debug3: mm_getpwnamallow: entering [preauth]
1668 2023-05-31 12:41:55.193 debug3: mm_request_send: entering, type 8 [preauth]
1668 2023-05-31 12:41:55.193 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
1668 2023-05-31 12:41:55.193 debug3: mm_request_receive_expect: entering, type 9 [preauth]
1668 2023-05-31 12:41:55.193 debug3: mm_request_receive: entering [preauth]
1668 2023-05-31 12:41:55.193 debug3: mm_request_receive: entering
1668 2023-05-31 12:41:55.193 debug3: monitor_read: checking request 8
1668 2023-05-31 12:41:55.193 debug3: mm_answer_pwnamallow: entering
1668 2023-05-31 12:41:55.193 debug2: parse_server_config_depth: config reprocess config len 2205
1668 2023-05-31 12:41:55.193 debug3: checking match for 'Group administrators' user [REDACTED: Company Name]\\wbehrens host [REDACTED] addr [REDACTED] laddr [REDACTED] lport 22
1668 2023-05-31 12:41:55.208 debug3: lookup_principal_name: Successfully discovered explicit principal name: '[REDACTED: Company Name]\\wbehrens'=>'wbehrens@[REDACTED: Company Name].com'
1668 2023-05-31 12:41:55.224 debug1: generate_s4u_user_token: LsaLogonUser() failed. User '[REDACTED: Company Name]\\wbehrens' Status: 0xC000006D SubStatus 0.
1668 2023-05-31 12:41:55.224 debug3: get_user_token - unable to generate token for user [REDACTED: Company Name]\\wbehrens
1668 2023-05-31 12:42:02.017 debug3: lookup_principal_name: Successfully discovered explicit principal name: '[REDACTED: Company Name]\\wbehrens'=>'wbehrens@[REDACTED: Company Name].com'
1668 2023-05-31 12:42:02.017 debug1: generate_s4u_user_token: LsaLogonUser() failed. User '[REDACTED: Company Name]\\wbehrens' Status: 0xC000006D SubStatus 0.
1668 2023-05-31 12:42:02.017 error: get_user_token - unable to generate token on 2nd attempt for user [REDACTED: Company Name]\\wbehrens
1668 2023-05-31 12:42:02.017 fatal: ga_init, unable to resolve user [REDACTED: Company Name]\\wbehrens
1668 2023-05-31 12:42:02.017 debug1: do_cleanup
1668 2023-05-31 12:42:02.017 debug1: Killing privsep child 10928
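
The failure in the log above is the pair of `generate_s4u_user_token: LsaLogonUser() failed` lines followed by `fatal: ga_init`; status 0xC000006D is the NTSTATUS code STATUS_LOGON_FAILURE. As an added example (not part of the original thread or of Win32-OpenSSH), this sketch pulls those failures out of an sshd debug log and groups them per session; `triage`, the sample log and the `EXAMPLE\\alice` account are constructed for illustration.

```python
import re

# NTSTATUS names from ntstatus.h; 0xC000006D is the value in the log above.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed sample in the shape of the sshd.log above (EXAMPLE\\alice is a placeholder).
SAMPLE_LOG = r"""
1668 2023-05-31 12:41:55.193 debug1: userauth-request for user alice service ssh-connection method none [preauth]
1668 2023-05-31 12:41:55.224 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'EXAMPLE\\alice' Status: 0xC000006D SubStatus 0.
1668 2023-05-31 12:41:55.224 debug3: get_user_token - unable to generate token for user EXAMPLE\\alice
1668 2023-05-31 12:42:02.017 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'EXAMPLE\\alice' Status: 0xC000006D SubStatus 0.
1668 2023-05-31 12:42:02.017 fatal: ga_init, unable to resolve user EXAMPLE\\alice
2044 2023-05-31 12:50:10.100 debug1: KEX done [preauth]
"""

LINE = re.compile(r"^(?P<pid>\d+) (?P<ts>\S+ \S+) (?P<msg>.*)$")
S4U = re.compile(
    r"generate_s4u_user_token: LsaLogonUser\(\) failed\. User '(?P<user>[^']*)' "
    r"Status: (?P<status>0x[0-9A-Fa-f]+) SubStatus (?P<sub>\w+)"
)

def triage(log_text):
    """Group S4U token failures by sshd session pid and attach the fatal line, if any."""
    sessions = {}
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        pid, msg = line["pid"], line["msg"]
        s4u = S4U.search(msg)
        if s4u:
            finding = sessions.setdefault(pid, {
                "pid": pid, "user": s4u["user"], "status": s4u["status"],
                "name": NTSTATUS.get(int(s4u["status"], 16), "UNKNOWN"),
                "substatus": s4u["sub"], "attempts": 0, "fatal": None,
            })
            finding["attempts"] += 1
        elif msg.startswith("fatal: ") and pid in sessions:
            sessions[pid]["fatal"] = msg[len("fatal: "):]
    return list(sessions.values())

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```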

@tgauth
Collaborator

tgauth commented May 31, 2023

This issue has the same status (0xC000006D) for generate_s4u_user_token - #1703 (comment)

Please review the troubleshooting suggestions listed there

@wbehrens-on-gh
Author

The SID begins with S-1-5 not S-1-12. Is this possibly the same as #1363?

@tgauth
Collaborator

tgauth commented May 31, 2023

It might be - is it possible to test if a local user login works?

@wbehrens-on-gh
Author

After some testing, it seems to be an issue with AD permissions, as our sys admin is able to log in with his domain account but nobody else can. The solutions talked about in #1363 didn't resolve it either.

@wbehrens-on-gh
Author

I've added AllowUser mydomain\myuser to my sshd_config. When I run sshd with net start sshd I get this on the client:

debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: ENABLE_VIRTUAL_TERMINAL_INPUT is supported. Reading the VTSequence from console
debug1: ENABLE_VIRTUAL_TERMINAL_PROCESSING is supported. Console supports the ansi parsing
client_loop: send disconnect: Connection reset

If I run sshd as myuser on the server and try to connect, it works fine. So something about it running as a service seems to mess up the connection?

@tgauth
Collaborator

tgauth commented Jun 12, 2023

Hmm, this seems similar to #1745 (comment)

In Local Security Policy, suggest checking under local policies -> user rights assignment to see if any policy is blocking remote access for non-sys admins, like "access this computer from the network" or "deny access to this computer from the network"

@wbehrens-on-gh
Author

I solved this by explicitly allowing all domain users on the system (AllowUsers mydomain\*), then commented out all match blocks and set PubkeyAuthentication no.
