Skip to content

Run SSHD service as Network Service #681

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
manojampalam opened this issue Apr 20, 2017 · 6 comments
Closed

Run SSHD service as Network Service #681

manojampalam opened this issue Apr 20, 2017 · 6 comments
Labels
Issue-Bug Resolution - Fixed

Comments

@manojampalam
Copy link
Contributor

manojampalam commented Apr 20, 2017
edited
Loading

Please answer the following

"OpenSSH for Windows" version
0.0.12.0

OS details
All

What is failing
SSHD runs as NT Service\SSHD requiring adding configuration at startup (ex. setting up privileges for this new account)

Expected output
Run SSHD service as Network Service with "Unrestricted" sidtype. This is consistent with how rest Windows of the services are configured.

Actual output
@manojampalam manojampalam added this to the April-End milestone Apr 20, 2017
@manojampalam manojampalam mentioned this issue Apr 25, 2017
Merged
manojampalam added a commit to PowerShell/openssh-portable that referenced this issue Apr 25, 2017
@manojampalam
Run SSHD as NetworkService (#121)
1ff1b07 
PowerShell/Win32-OpenSSH#681
@manojampalam manojampalam mentioned this issue Apr 25, 2017
Closed
@rgl
Copy link

rgl commented Apr 26, 2017

But is that the way to go? I mean, shouldn't the aim be to run each service in its own account (i.e. for privilege separation)?

@manojampalam
Copy link
Contributor Author

That's true. Running sshd in its own account provides isolation from other services running as Network Service. On the other hand, this requires additional configuration (setting up privileges on the service account) and potentially others that Network Service typically enjoys being a built in account. We are evaluating the security benefits Vs ease of configuration.
Perhaps, running it as Network Service would be alright and secure on most systems and could be moved to its own service account on sensitive systems.

@rgl
Copy link

rgl commented Apr 27, 2017

Besides, it would show us (at least me ;-) how to do this on Windows :-)

@DarwinJS
Copy link

This is really an installation issue right? Or does the service need to be tested under both contexts as well?

@manojampalam
Copy link
Contributor Author

@DarwinJS service should be able to run under any context, as long as the account has the required privileges and permissions to open up network ports.

@manojampalam manojampalam modified the milestones: May-Mid, April-End May 4, 2017
@manojampalam manojampalam reopened this May 10, 2017
manojampalam added a commit to PowerShell/openssh-portable that referenced this issue May 10, 2017
@manojampalam
Revert recent change and run sshd back in service account (#134)
9491729 
PowerShell/Win32-OpenSSH#681
@manojampalam manojampalam added this to the Beta milestone May 10, 2017
@manojampalam
Copy link
Contributor Author

In the interest of security, SSHD service will continue to run in its service account context.

@AlexL00 AlexL00 mentioned this issue Aug 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Issue-Bug Resolution - Fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@rgl @DarwinJS @bingbing8 @manojampalam