Licensing / Multi-user access / CAL

[agordon]

Hello,

Does using OpenSSH on windows requires client access license (CAL) for every connection?

In particular,

1. Does OpenSSH running on a windows server require as many CALs as there are SSH users?
2. Does OpenSSH running on Windows 10 Home allows multiple users to connect with SSH at the same time?
   (assuming users connected through SSH only run command-line programs, never GUI or RDS etc)

Sorry if this is slightly off-topic for the github repository, but there doesn't seem to be any reliable information regarding SSH connection licensing anywhere...

Any feedback is highly appreciated.

Thanks!

[bagajjal]

You can have as many ssh connections as you want at the same time through any ssh client.
What do you mean by client access license? Users can connect with password based authentication or key based authentication (users have to generate pub/private keys).
For more information look at our wiki links
https://github.com/PowerShell/Win32-OpenSSH/wiki/SSH-remote-sessions-on-Windows

[agordon]

Hello @bagajjal ,

I'm not asking about the technical possibility of multiple connections - that is obviously possible.
I'm asking about the legality and licensing requirements of such connections.

For example, to the best of my understanding, On "windows 10 home" only one user is allowed to be connected remotely at a single time (e.g. with remote desktop).

Another example: for desktop windows licenses (e.g. "Windows 10 pro"), you are not allowed to use them as servers (see here: https://www.microsoft.com/en-us/licensing/product-licensing/faq-product-licensing.aspx , under "Windows client operating system" , question "Can I use Windows Pro or Enterprise like a "server" to host applications?" the answer is a clear "no").

And so my question is:
Does "Win32-OpenSSH" (which is clearly a type of a "server" program) falls under these or similar licensing restrictions, or does it not ?
Or concretely, if I have a "windows 10 pro" desktop and I run Win32-OpenSSH on it - are multiple users allowed to connect (legally, from micrsoft's licensing POV).

EDIT:
Follow-up: It seems "file services" is allowed on "Windows 10 pro" - does that mean that running SFTP server is OK ?

Thanks!

[fswgm]

Let's answer this in two parts, with the easy part first.
1: "Does OpenSSH running on a windows server require as many CALs as there are SSH users?"
asdasd
2: "Does OpenSSH running on Windows 10 Home allows multiple users to connect with SSH at the same time?"

The answer to question 1 is the easy one. You need a Windows Server CAL (>= version on the server) for every user or device that is accessing that server - directly or indirectly. It doesn't matter what protocol is being used. OpenSSH is the same as any other type of access to that server.

Now to the hard question. You asked "...does it allow...", and the answer to that question is, "quite probably". But I don't think that's what you're really looking to have answered. Windows 10 will allow up to 20 TCP connections. So technically, it probably allows it. But I assume, based on the category of this question, that you meant "is this legit?" The answer to that is a much easier, "No."

I've attached the pertinent info below, from the Oct. 2017 Product Terms, but the document linked in earlier replies also includes some of this. Number 5 is your deal-killer. While the software may function, and allow you to create this non-compliance scenario, it is indeed non-compliant. The only way to rectify it is to limit the software to only allow a single user (of a device licensed for Windows, as mentioned), or install it on a Windows Server OS (and ensure proper CAL coverage).

Also, when Microsoft says "file services" in that context, you can likely assume - absent any useful clarification from them - that that means "Windows File and Printer sharing". I would not assume it means any other type of file sharing.

Hope that helps;
Wes Miller

****** Microsoft Product Terms, October, 2017 ******
Desktop Operating Systems
Device License

1. Customer may install one copy of the software on a Licensed Device or within a local virtual hardware system on a Licensed Device for each License it acquires.
2. Customer may use the software on up to two processors.
3. Local use is permitted for any user.
4. Remote use is permitted for the Primary User of the Licensed Device and for any other user from another Licensed Device or a Windows VDA Licensed Device.
5. Only one user may access and use the software at a time.
6. Customer may connect up to 20 devices to the Licensed Device for file sharing, printing, Internet Information Services, Internet Connection Sharing or telephony services.
7. An unlimited number of connections are allowed for KMS activation or similar technology.

[joeyaiello]

@agordon that's a really good question! I want to make sure I get the language exactly right, let me get back to you. :)

[joeyaiello]

Just wanted to give an update here that I'm still talking to folks about this. Hoping to provide a real update soon.

[mslicensing]

Wes Miller is generally correct, but there's a very important exception here as well as an alternative.
The Exception
Any device or using connecting to a "Web workload" does not require a CAL. This rule, in effect for Windows Server 2012 and later makes it possible to run Windows Server as a web Server without having to license external users (anyone who is not an employee or an onsite contractor).
The Product Terms say (in the rights for the Core/CAL model, which includes only Windows Server)

"CALs are not required to access server software running a Web Workload or HPC Workload."

A Web Workload is defined in Product Terms quite broadly.

Web Workload (also referred to as “Internet Web Solutions”) are publicly available web pages, websites, web applications, web services, and/or POP3 mail serving. For clarity, access to content, information, and applications served by the software within an Internet Web Solution is not limited to Customer’s or its affiliates’ employees.
Software in Internet Web Solutions is used to run:
· web server software (for example, Microsoft Internet Information Services), and management or security agents (for example, the System Center Operations Manager agent);
· database engine software (for example, Microsoft SQL Server) solely to support Internet Web Solutions; or
· the Domain Name System (DNS) service to provide resolution of Internet names to IP addresses as long as that is not the sole function of that instance of the software.

The Alternative
The alternative, which comes into play if the server is NOT running a Web workload, still costs money, but it can be cost-effective if you have a large number of external users accessing a Windows server. You can purchase an External Connector (EC) for a physical device (which means a single EC works for all the VMs on a host) that eliminates the need for CALs for external users.
An External Connector costs about 50x the cost of a CAL, so if you have more than 50 external users accessing something other than a Web workload, the EC is less expensive. Keep in mind, however, that each Windows Server device accessed by external users would require its own EC, while once a user has been assigned a CAL, it will work with any number of Windows Servers. So number of users per server is important.
Let's say I have 20 Windows Servers accessed by 10,000 external users. With a ratio of 500 users per server, the EC is clearly less expensive
But if I have 20 Windows Servers accessed by 500 external users, a ratio of 25:1 can be better met by purchasing CALs for the users.

[agordon]

@mslicensing ,
Thank you for providing more details. Just to verify: are you an official MS account and that is an official MS response? The @mslicensing user has no credentials/bio/email/website/links whatsoever ( @joeyaiello - can you confirm this?).

Now to discuss things in a more concrete way:

1. Based on your explanation of "Web Workload" - If I have "Windows Server 2012" and running OpenSSH on it, can users from the "internet" (not intranet) connect to it and run a local EXE program without requiring CALs ? Is that still considered "web workload" ?

2. How does "web workload" relates to "SFTP-Server" ? "SFTP-SERVER" is part of OpenSSH, and allows file uploading/download (similar to FTP, or somewhat similar to CIFS/SMB).
   If I have "Windows Server 2012", can I run SFTP server and allow as many internet users as I want to connect to it without requiring CALs ?

3. Your reply does not mention Windows Desktop Clients (e.g. Windows 7 Pro, Windows 10 Home, etc.).
   Does this mean windows desktop client are never allowed to give access to other users through OpenSSH / SFTP ? That is, if I have a Windows 10 Home and install OpenSSH/SFTP server on it, only I am allowed to access it remotely using OpenSSH/SFTP (as I am the "primary user" of the desktop client machine, similar in situation to Remote Desktop on a Windows Desktop Client)?

Thanks!

[mslicensing]

I am not an official Microsoft account. MSlicensing is my professional Twitter handle and I decided to reuse it here. I am not endorsed by Microsoft in any way. Microsoft doesn't like me. (And I have some opinions about them.)
I am an independent Microsoft licensing consultant, whose organization has cost MS about half a billion dollars over the last few years by counselling customers how to save money and be compliant. I worked with Wes Miller at Directions on Microsoft a few years back, before going out on my own. Great guy whose views (on many things) I respect a lot.
I'm not technical, and the general rule of thumb I use for customers asking about this is whether customers are accessing the server via HTTP or POP3. I would guess that FTP workloads, and thus SFTP workloads, are not Web workloads. Of course, I'd also need CALs or ECs if the server is running even a Web workload on Windows Server 2008 R2 or earlier.
So maybe my contribution on this thread related to Web workloads isn't really useful if HTTP and OpenSSH are never used together.
But the advice on External Connectors is still valid. They can substitute for CALs and are far easier to manage than CALs. It's probably easier for an organization to track the number of Windows Servers that they have opened up for access by external users than to track the number of unique users accessing those servers, and wondering when the ratio may tip over in favor of ECs. (ECs cost somewhere between $1,100 to $1,600 depending on your organization's volume licensing discount.)
The only time I'd use CALs for this is when I had, say, one partner or customer that wanted access to a specific server and I could limit access to a small number of users via authentication. (The Web Workload rule is agnostic about authentication. Do it, or don't do it. Makes no difference.)
It can be a bummer when you've bought a bunch of CALs and then discover demand is greater than expected, and you have to chuck the CALs and buy ECs instead. (And no, Microsoft won't give you trade-in credits for the CALs that are now worthless.)

One thing I'll add that may have tangential value. It should be fairly obvious that SharePoint is a Web workload but it may not be well known that, since SharePoint 2013, external users can access SharePoint without requiring SharePoint CALs, or ECs, or some special version of SharePoint. Ditto for Exchange (there's an exception with Exchange I won't mention unless someone asks), and Lync/Skype.

Paul DeGroot
Principal Consultant
Pica Communications

[mslicensing]

I should address the Windows desktop issue as well. There are no CALs or ECs for the desktop OS. The only limit I know of is in the OEM EULA (which applies even to corporate desktops, since MS doesn't sell Windows OS through volume licensing, but only upgrades to Windows obtained elsewhere, usually the OEM.

The Windows 10 OEM EULA says

Device connections. You may allow up to 20 other devices to access the software installed on the licensed
device for the purpose of using the following software features: file services, print services, Internet
information services, and Internet connection sharing and telephony services on the licensed device. You
may allow any number of devices to access the software on the licensed device to synchronize data
between devices. This section does not mean, however, that you have the right to install the software, or
use the primary function of the software ﴾other than the features listed in this section﴿, on any of these
other devices.

The current Product Terms generally confirm the EULA. It appears to make it a bit more restrictive, with no mention of data syncing. So take that as either an unlimited right to sync data or a complete prohibition on it. (Love that MS ambiguity.) If this every came up in an audit I'd demand that MS show me where it is prohibited. From Product Terms

Customer may connect up to 20 devices to the Licensed Device for file sharing, printing, Internet Information Services, Internet Connection Sharing or telephony services.

Some history
The Windows 8 EULA is similar to Windows 10,
Windows 7 EULA allows 20 connections but limits it to File Services, Print Services, Internet Information Services and Internet Connection Sharing and Telephony Services. It does not address access to sync data.
The Windows XP EULA has a max of 10 device connections, sync limited to one user at a time.

Paul DeGroot
Principal Consultant
Pica Communications

[agordon]

@mslicensing - thanks again. very useful information.

Continuing in the Windows Desktop context:

1. I would say that SFTP is a type of "file sharing" (it is literally "Secure File Tranfer Protocol", a way for remote users to upload/download files). Based on your information, I would say that up to 20 users can use it. Does this mean "20 users in total", or "20 users simultaneously" (that is - there could be a 1,000 theoretical users, but at any given point in time only 20 can be connected to SFTP)?

2. With OpenSSH, things are less clear. It is perhaps similar to "Remote Desktop without GUI" - something like the ability of a remote user to connect to the Windows Desktop machine and execute local programs (something like PowerShell scripts). Would you say this still falls under the "20 users limit", or does "Remote Desktop" presents further restrictions on a Windows Desktop machine ?

Thanks again!
This type of information is so hard to get...

[mslicensing]

MS doesn't specify this, but the general consensus is that this is a maximum of 20 concurrent connections.
Q. 2 may require deeper analysis and my expectation there is that we won't get an answer from the documentation.

But here are some other situations where MS addresses PC-to-PC communication.
First, the Primary User of a Windows device (the person who uses it more than 50% of the time) can freely access the PC from any other device. Read those words slowly. Any. Other. Device. No restrictions. A good example here is something like GoToMyPC. This "primary user right" is what makes it legal for anyone to connect to their PC at work from their iPad, Mac, friend's PC, etc.,

Second, any other device can connect to a Windows device and use it remotely (in any mode, gui or command line) if the accessing device is licensed for the same version and edition of Windows. I generally treat this to include legal downgrades. So if my PC is licensed for Windows 10 and yours is running Windows 7, I can connect to your PC because Windows 7 is a legal downgrade from Windows 10.
Here is the Product Terms language

Remote use is permitted for the Primary User of the Licensed Device and for any other user from another Licensed Device or a Windows VDA Licensed Device.

This doesn't allow much concurrency, however. The next rule says

Only one user may access and use the software at a time.

This combination of rules means that you can theoretically create a farm of physical Windows devices that external users could access, but you'd have to detect their Windows version and edition of the accessing device and match it to something on your side. Then they have reasonable freedom to do anything. But there's no concurrency there. These cannot be virtual devices. That opens a whole new can of worms.

Maybe you can describe a specific scenario. How many devices to be accessed? From how many devices? Are users all part of the same organization or could they come from anywhere?

Without that I'd see if I could squeeze what I'm doing into what is permitted. How far can you stretch "file services"?

[agordon]

@mslicensing,

My first scenario is simple (or at least sounds simple to me):

1. a Windows machine (preferably virtual, but can be physical).
2. Preferably Desktop (e.g. Windows 10 Home), but can be Server.
3. Running OpenSSH server in the windows machine (technically, this server listens on TCP port 22)
4. Windows machine is open to the internet (i.e. anyone can connect to my IP on TCP port 22)
5. The Windows machine has X number of users defined (e.g. "user1", "user2", etc.).
6. People from the internet can connect to my Windows machine using the SSH client, assuming I give
   them a user/password. I have no knowledge of which type of computer they use, but most
   likely they are using Mac OS X or Linux. Could also be Android/iPhone/iPad clients.
7. Once they are connected, they see a terminal (somewhat equivalent to "cmd.exe" screen)
8. On said terminal They can type commands and run EXE files (for example, "gordon.exe" which is a program I compiled and I allow anyone to run it without restrictions, so this part does not impose
   any further restrictions. The program (e.g. "gordon.exe") technically run on my windows machine,
   and the results are shown on their remote terminal (similar to Remote Desktop, but without gui).

Under this scenario, can 20 concurrent users connect to my machine in the manner described above?

As a variation: if only one user is defined on the windows machine (e.g. "Administrator"),
is it legal to give the password for that user to 20 users and have them connect using SSH,
and run the "gordon.exe" file as describe above ?

Second Scenario, for SFTP:
Same steps 1-6 as above,
but instead of seeing a terminal/cmd.exe screen, they see a list of files.
They can then give an "upload" command to send files to my windows machine,
or a "download" command to get files from my windows machine to their local computer.

These are the exact scenarios - I'm really looking for a legal way to provide such publicly available machine.
Of course I want to make it as cheap as possible, which is why the idea of having a Desktop machine
and limiting access to 20 concurrent users sounds very good (if it is indeed allowed).

Thanks!

[mslicensing]

At first glance, I would say the second scenario is legal, under the category of "File Services." The rights I have been quoting are for the Professional edition, but I just checked Windows 7 Home Premium and it allows 20 connections for

file services, print services, Internet information services, and Internet connection sharing and telephony services

I can't see the first scenario being legal or doing it legally it won't meet your requirements. If you licensed the OS via a volume licensing program (e.g., you buy a Windows Pro upgrade through the Open License program) and you can limit it to people who are using the same version and edition of Windows as your Windows box is licensed for, then the Licensed Device Right (access from a device with the same Windows license) would apply. But your users, including the Macs and Android devices would also need Windows Pro licenses. Sounds like a dead end.
If the machine is virtual, none of this works, because the Primary User Right and the Licensed Device Right apply only to physical devices. Only recently has MS allowed hosting of Windows desktops, and you would need to be an approved hoster, with many hoops to jump through as well as financial and reporting responsibilities. And your users would not get a free pass. Someone would need to pay Microsoft somewhere between $70 and $100 a year for each unique device accessing the hosted image.

Paul

[mgkuhn]

At the technical level, is the problem perhaps that Windows does not currently notice that a new user has logged into it via sshd, because sshd does not currently (as of 0.0.24.0) behave like a terminal service and create a new session id for each user login (and keeps instead all user processes within session 0, which is only meant for services, i.e. the user does not show up when you run QUERY SESSION)? #996

[mslicensing]

One of the fundamental principles of Microsoft licensing is this one, from Microsoft Product Terms:
"Multiplexing or pooling to reduce direct connections with the software does not reduce the number of required Licenses."
That applies to things liked pooled database connections and it would apply here. The fact that Windows may see only a single session, does not excuse you from having to license every endpoint that ultimately communications through that session.

[agordon]

@joeyaiello - any updates on an official answer for SSH connection licensing?

[agordon]

@joeyaiello - follow-up two years later :) any updates on an official answer for SSH connection licensing?

[mgkuhn]

A process started by sshd does not have access to any window station WinSta0 (as you can query with GetProcessWindowStation), and so it can't really interact with the Windows desktop or any GUI applications that rely on it, and therefore can't really invoke the vast majority of Windows applications. You could argue that what sshd gives you is more similar to what an HTTP server gives you: only very restricted access to some facilities of the operating system (file system, command-line shell).

[bagajjal]

@maertendMSFT is the current PM for OpenSSH.

[fswgm]

A process started by sshd does not have access to any window station WinSta0 (as you can query with GetProcessWindowStation), and so it can't really interact with the Windows desktop or any GUI applications that rely on it, and therefore can't really invoke the vast majority of Windows applications. You could argue that what sshd gives you is more similar to what an HTTP server gives you: only very restricted access to some facilities of the operating system (file system, command-line shell).

Markus - this may be the case, but the rules as I noted in 2017 haven't changed. If Microsoft wants to demarcate SSH as not needing to meet the regular licensing rules of the Windows client, the entry in the Product Terms should be updated to reflect that. As of right now, it's not special-cased.

#926 (comment)

[agordon]

@bagajjal @maertendMSFT - fours years later, another ping ...