sshd in interactive mode does not work when logging in as non-admin #690

Closed
zyincse opened this issue Apr 27, 2017 · 17 comments

Comments

@zyincse

zyincse commented Apr 27, 2017

Please answer the following

"OpenSSH for Windows" version
Maybe v0.0.11.0 or v0.0.9.0, sorry, I forgot.

OS details
Windows 7

What is failing
I use SecureCRT to connect to the SSH server on Windows 7 in VMware station (the same computer).
I have entered the name and password, but I can't connect. More accurately, I connect to the SSH server for just a moment.
Log in sshd.log:
1132 18:13:31 517 error: Couldn't create pid file "./sshd.pid": Permission denied
1132 18:13:31 641 Accepted password for Administrator from 192.168.1.23 port 11491 ssh2
1132 18:13:31 654 error: Error retrieving user environment variables. RegOpenKeyExW returned 5
1132 18:13:31 655 fatal: ERROR. Cannot create process (1314).\n

Expected output
connect.

Actual output
Connection was reset.

Thank you

@bagajjal
Collaborator

Try changing the sshd_config as mentioned in this issue #493.
If you still have the issue then please share the sshd_config.

@zyincse
Author

zyincse commented Apr 28, 2017

@bagajjal
Thank you!
With the method in #493, the error: Couldn't create pid file "./sshd.pid": Permission denied has been solved,
and I still have two problems:
3528 09:40:36 459 error: Error retrieving user environment variables. RegOpenKeyExW returned 5
3528 09:40:36 460 fatal: ERROR. Cannot create process (1314).\n

@bagajjal
Collaborator

Are you running the sshd.exe in the administrator mode?

@zyincse
Author

zyincse commented Apr 28, 2017

@bagajjal
It runs when Windows starts, and the user is administrator,
so I think I run sshd.exe in the administrator mode.

@manojampalam
Contributor

manojampalam commented Apr 28, 2017

1314 - A required privilege is not held by the client.

You need to provide your account the following privilege "Replace a process level token"
secpol.msc
LocalPolicies -> User Rights Assignment
Click the policy that says "Replace a process level token" and add your account. Log off and log in.

Currently, due to logic around PTY support in Windows, only admins can successfully spawn off the session process, i.e., you need to log on as an admin if you run sshd in interactive mode.

@manojampalam manojampalam changed the title from 'how to solve "Connection was reset"' to 'sshd in interactive mode does not work' Apr 28, 2017
@bagajjal
Collaborator

image

@manojampalam manojampalam added this to the May-Mid milestone Apr 28, 2017
@manojampalam manojampalam changed the title from 'sshd in interactive mode does not work' to 'sshd in interactive mode does not work when logging in as non-admin' May 8, 2017
@manojampalam manojampalam removed this from the May-Mid milestone May 8, 2017
@mabrowning

I actually had to do this for "NT Service\sshd" as well... v0.0.12.0

I did run the ./install-sshd.ps1 script, but this step was also required. Unfortunately, I couldn't find a command line equivalent for use in psexec, so had to resort to the secpol GUI through terminal services.
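
Added example, not part of the thread or of the project's install scripts: the "Replace a process level token" right discussed in the comments above is the privilege constant SeAssignPrimaryTokenPrivilege, and whether an account such as "NT Service\sshd" holds it can be checked read-only from the command line with secedit. The temp file name and variable names are assumptions; run it from an elevated prompt.

```powershell
# Added example: read-only check of the "Replace a process level token" right.
# Run from an elevated prompt; it exports policy and changes nothing.
param([string]$Account = 'NT Service\sshd')   # account named in the thread

$right = 'SeAssignPrimaryTokenPrivilege'      # constant behind the policy name
$cfg   = Join-Path $env:TEMP 'user-rights-export.inf'   # assumed temp file name

# Export only the User Rights Assignment area of the local security policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cfg)) {
    throw 'secedit export failed (is the prompt elevated?)'
}

try {
    # Exported line looks like: SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
    $line = Get-Content $cfg |
        Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }

    # Resolve the account under test to its SID for comparison.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $held = $false
    foreach ($h in $holders) {
        if ($h.StartsWith('*')) {
            $holderSid = $h.Substring(1)          # "*S-1-..." entry
        } else {
            try {                                  # plain account-name entry
                $n = New-Object System.Security.Principal.NTAccount($h)
                $holderSid = $n.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }                   # unresolvable name: skip it
        }
        if ($holderSid -eq $sid) { $held = $true }
    }

    # Direct assignment only; rights inherited through a group are not expanded.
    New-Object PSObject -Property @{
        Account = $Account; Sid = $sid; Right = $right
        DirectlyAssigned = $held; Holders = ($holders -join ', ')
    }
}
finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}
```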

@razrjk

razrjk commented May 25, 2017

I cloned and built on May 19. Used the scripts to configure. Win10 configured okay. Win 7 required using the Local Security Policy UI to set "NT Service\sshd" in "Replace a process level token". Symptom was that sshd -d worked, but sshd did not.

@bagajjal
Collaborator

bagajjal commented May 25, 2017

@razrjk the install script should have added this privilege automatically. Can you double check the script you used?

@razrjk

razrjk commented May 25, 2017

To be clear. My Win10 and Win7 sshd services are both now working using domain credentials and logon passwords. I installed using the PS script. Win 7 required the manual security policy settings to get rid of the (1314) error.

@razrjk

razrjk commented May 26, 2017

My Win10 sshd server is functioning correctly, and supports git, which I assume is binary data stream transfer. There are no errors in the log.
My Win7 sshd server supports remote execution and text stream, but does not support git clone, and the Win7 sshd does have the error: Error retrieving user environment variables. RegOpenKeyExW returned 5

@bagajjal
Collaborator

@razrjk RegOpenKeyExW (error 5) is fixed in the May end release.

@manojampalam
Contributor

@razrjk RegOpenKeyExW issue is tracked here - #645
Can you open a separate issue detailing the git issue?

@alexander-n-lunev

alexander-n-lunev commented Jan 4, 2018

Hello. When trying to log in as a non-administrator user, I get error 1260 "Cannot create process". Admins log in fine, simple users do not. I tried to include the user in a group that is in AllowGroups, with no result. The debug logs say that it is something with ssh-shellhost.exe (permissions for this user are read-execute).

1572 22:45:55:112 Starting session: shell on console for nina from ip.ad.dre.ss port 65372 id 0
... skip
1572 22:45:55:174 debug1: Executing command: C:\\OpenSSH-Win64\\ssh-shellhost.exe 
1572 22:45:55:221 fatal: ERROR. Cannot create process (1260).\n
1572 22:45:55:221 debug1: do_cleanup
1572 22:45:55:221 debug1: session_pty_cleanup: session 0 release console

upd:
C:\OpenSSH-Win64>ssh -V
OpenSSH_7.6p1, LibreSSL 2.5.3

@bagajjal
Collaborator

bagajjal commented Jan 4, 2018

@alexander-n-lunev - sshd is running as "NT Service/sshd" (you can check this in task manager, check for sshd process)?

Error 1260 means ERROR_ACCESS_DISABLED_BY_POLICY 1260 (0x4EC):
This program is blocked by group policy. For more information, contact your system administrator.
Please check your system policy.

@alexander-n-lunev

@bagajjal thank you! Indeed, AppLocker rules were in place. I added a rule for the ssh users group to run everything from the OpenSSH folder, and everything started to work. Thank you again!

@manojampalam
Contributor

With changes in underlying architecture starting from 1.0.0.0, sshd needs to run as SYSTEM and the original restrictions detailed earlier in this thread are no longer applicable.
