Domain user login is always denied #1298

Closed
HouzuoGuo opened this issue Nov 28, 2018 · 10 comments

Comments

@HouzuoGuo

Please answer the following

If it is a terminal issue then please go through wiki
https://github.com/PowerShell/Win32-OpenSSH/wiki/TTY-PTY-support-in-Windows-OpenSSH

"OpenSSH for Windows" version
7.7.2.1

Server OperatingSystem
Windows 10 Enterprise 64-bit

Client OperatingSystem
(Same as server) Windows 10 Enterprise 64-bit

What is failing
After having installed both OpenSSH server and client via "Manage optional features", and subsequently rebooted the computer, I logged in to my desktop as a domain user "myaddomain\myadusername" and started a PowerShell session. While ssh is running as a system service, my attempt at logging in as myself fails:

PS C:\Users\myadusername> ssh localhost
Connection reset by ::1 port 22

Subsequently I stopped the sshd system service and launched it manually in an administrator PowerShell session; in another login attempt the SSH client prompted for password entry (which it had not in the previous attempt):

PS C:\Users\myadusername> ssh localhost
myaddomain\myadusername@localhost's password:
Permission denied, please try again.
myaddomain\myadusername@localhost's password:

My password entry is most likely correct after a triple-check. In the meantime, the sshd program logged the following output:

PS C:\Windows\system32\openssh> sshd -dddd
debug2: load_server_config: filename __PROGRAMDATA__\\ssh/sshd_config
debug2: load_server_config: done config len = 251
debug2: parse_server_config: config __PROGRAMDATA__\\ssh/sshd_config len 251
debug3: __PROGRAMDATA__\\ssh/sshd_config:38 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: __PROGRAMDATA__\\ssh/sshd_config:76 setting Subsystem sftp      sftp-server.exe
debug3: checking syntax for 'Match Group administrators'
debug1: sshd version OpenSSH_for_Windows_7.7, LibreSSL 2.6.5
debug1: private host key #0: ssh-rsa SHA256:8u+Cx2gR9E1ThlKkA07xBnX36LEpjbIBBz3SiojdFgU
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:RnpeLrcyrSP/cSEsP4ExD3oU9/y+DA4BSViB2nfjbW8
debug1: private host key #2: ssh-ed25519 SHA256:WLhDv6ois3dtbqOZv4nM+L4ERSm0arNrnTgYFgcjLYM
debug1: rexec_argv[0]='C:\\Windows\\System32\\OpenSSH\\sshd.exe'
debug1: rexec_argv[1]='-dddd'
debug2: fd 3 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 3 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 251
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
Connection from ::1 port 1486 on ::1 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_for_Windows_7.7
debug1: match: OpenSSH_for_Windows_7.7 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug2: fd 5 setting O_NONBLOCK
debug3: spawning "C:\\Windows\\System32\\OpenSSH\\sshd.exe" "-dddd" "-y"
debug2: Network child is on pid 7408
debug3: send_rexec_state: entering fd = 4 config len 251
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug3: ssh_msg_send: type 0
debug3: ssh_msg_send: type 0
debug3: preauth child monitor started
debug3: recv_rexec_state: entering fd = 3
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config: config __PROGRAMDATA__\\ssh/sshd_config len 251
debug3: __PROGRAMDATA__\\ssh/sshd_config:38 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: __PROGRAMDATA__\\ssh/sshd_config:76 setting Subsystem sftp      sftp-server.exe
debug3: checking syntax for 'Match Group administrators'
debug1: sshd version OpenSSH_for_Windows_7.7, LibreSSL 2.6.5
debug3: ssh_msg_recv entering
debug3: ssh_msg_recv entering
debug2: fd 5 setting O_NONBLOCK
debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 [preauth]
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none [preauth]
debug2: compression stoc: none [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c [preauth]
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none [preauth]
debug2: compression stoc: none [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: receive packet: type 30 [preauth]
debug3: mm_key_sign entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect entering: type 7 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign
debug3: mm_answer_sign: hostkey proof signature 00000288DD99D070(100)
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: send packet: type 31 [preauth]
debug3: send packet: type 21 [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug3: send packet: type 7 [preauth]
debug3: receive packet: type 21 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug3: receive packet: type 5 [preauth]
debug3: send packet: type 6 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user myaddomain\\\\myadusername service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow entering [preauth]
debug3: mm_request_send entering: type 8 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect entering: type 9 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow
debug2: parse_server_config: config reprocess config len 251
debug3: checking match for 'Group administrators' user myaddomain\\myadusername host ::1 addr ::1 laddr ::1 lport 22
debug3: get_user_token - i am running as myaddomain\\myadusername, returning process token
debug1: user myaddomain\\myadusername matched group list administrators at line 84
debug3: match found
debug3: reprocess config:85 setting AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 9
debug2: monitor_read: 8 used once, disabling now
debug2: input_userauth_request: setting up authctxt for myaddomain\\\\myadusername [preauth]
debug3: mm_inform_authserv entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" [preauth]
debug3: send packet: type 51 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user myaddomain\\\\myadusername service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method keyboard-interactive [preauth]
debug1: keyboard-interactive devs  [preauth]
debug1: auth2_challenge: user=myaddomain\\\\myadusername devs= [preauth]
debug1: kbdint_alloc: devices '' [preauth]
debug2: auth2_challenge_start: devices  [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" [preauth]
debug3: send packet: type 51 [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 4 used once, disabling now
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user myaddomain\\\\myadusername service ssh-connection method password [preauth]
debug1: attempt 2 failures 1 [preauth]
debug2: input_userauth_request: try method password [preauth]
debug3: mm_auth_password entering [preauth]
debug3: mm_request_send entering: type 12 [preauth]
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
debug3: mm_request_receive_expect entering: type 13 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 12
debug3: lookup_principal_name: Successfully discovered explicit principal name: 'myaddomain\\myadusername'=>'[email protected]'
debug1: Windows authentication failed for user: [email protected] domain: (null) error: 1326
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 13
Failed password for myaddomain\\myadusername from ::1 port 1486 ssh2
debug3: mm_auth_password: user not authenticated [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" [preauth]
debug3: send packet: type 51 [preauth]

What might have gone wrong?
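An added helper for triaging a log like the one above (example code written for this page, not code from the issue or from the Win32-OpenSSH project): it pulls the authentication decisions out of `sshd -dddd` output and translates the Win32 error number through .NET's message table, so a reader sees at a glance which name sshd resolved the user to, which Match block applied, which domain argument went into the Windows logon call, and why that call failed. The sample lines are constructed after the log above, with a placeholder UPN.

```powershell
# Added example: summarise the authentication path in a Win32-OpenSSH "sshd -dddd" log.
# Not project code; the sample lines below are constructed after the thread's log.
function Get-SshdAuthSummary {
    param([Parameter(Mandatory)] [string[]] $Lines)

    $summary = [ordered]@{
        RequestedUser = $null   # name the client sent in userauth-request
        MatchedBlock  = $null   # Match block in sshd_config that applied
        ResolvedUpn   = $null   # principal name sshd resolved the user to
        LogonDomain   = $null   # domain argument passed to the Windows logon call
        Win32Error    = $null
        Win32Message  = $null
        FailedMethods = @()
    }
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            'userauth-request for user (\S+) service \S+ method (\S+)' {
                $summary.RequestedUser = $Matches[1]
            }
            'matched group list (\S+) at line (\d+)' {
                $summary.MatchedBlock = "Group $($Matches[1]) (sshd_config line $($Matches[2]))"
            }
            "lookup_principal_name: .*'([^']+)'=>'([^']+)'" {
                $summary.ResolvedUpn = $Matches[2]
            }
            'Windows authentication failed for user: (\S+) domain: (\S+) error: (\d+)' {
                $summary.LogonDomain = $Matches[2]
                $summary.Win32Error  = [int]$Matches[3]
                # .NET carries the system message table, so no hand-written code list is needed.
                $summary.Win32Message = ([ComponentModel.Win32Exception]::new([int]$Matches[3])).Message
            }
            '^Failed (\S+) for (\S+) from (\S+) port (\d+)' {
                $summary.FailedMethods += $Matches[1]
            }
        }
    }
    [pscustomobject]$summary
}

# Constructed sample (shape copied from the log in the issue; the UPN is a placeholder).
$sample = @(
    'debug1: userauth-request for user myaddomain\\myadusername service ssh-connection method password [preauth]',
    'debug1: user myaddomain\\myadusername matched group list administrators at line 84',
    "debug3: lookup_principal_name: Successfully discovered explicit principal name: 'myaddomain\\myadusername'=>'myadusername@example.invalid'",
    'debug1: Windows authentication failed for user: myadusername@example.invalid domain: (null) error: 1326',
    'Failed password for myaddomain\\myadusername from ::1 port 1486 ssh2'
)
Get-SshdAuthSummary -Lines $sample | Format-List
```

To run it against a real capture, replace `$sample` with `Get-Content .\sshd-debug.log`. The `LogonDomain` field is the detail worth watching in this thread: the log shows sshd handing a UPN to the logon call with a null domain, which is the form the reporter later says the desktop rejects.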

@NoMoreFood

So it looks like you're authenticating with a password. The "error: 1326" equates to "The user name or password is incorrect". Does your password contain non-ASCII characters?

@HouzuoGuo

The password text only includes Latin alphabet letters and US-layout keyboard symbols. In fact, a local test user whose password is identical can successfully log in to the SSH server.

@NoMoreFood

Can you log in to the workstation locally or via RDP using the [email protected] format?

@HouzuoGuo

I've been quite curious about the email address as well; these computers only accept domain\user as the logon name and won't let anyone sign in via an email address.

It isn't accepted by RDP, SSH, and desktop logon.

@NoMoreFood

For accuracy, it's actually the user principal name (UPN). A lot of organizations have their emails match their UPN, but they serve very different purposes. It looks like the code detected the UPN just fine. Are you the administrator of this network? Do you know why UPN-based logins would fail? I can't imagine how the network is functional without it working.

@HouzuoGuo

I do not have administrative privilege on this network. Login attempts made using the UPN "[email protected]" work on the Windows desktop and over RDP, though not without a realm name prefix: successful login attempts were made using the name "addomain\[email protected]".
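The exchange above comes down to which user/domain split the Windows logon API accepts for this account. The following added example (written for this page, not Win32-OpenSSH code) calls `LogonUser` directly with the three splits the thread discusses, so the resulting Win32 error code can be compared with the `error: NNNN` line in the sshd debug output: the UPN with a null domain (what the log shows sshd passing), the classic domain\user split, and the domain-prefixed UPN the reporter says works interactively. It assumes a domain-joined Windows host; `myaddomain`, `myadusername` and `myadusername@example.invalid` are placeholders, and the password is read from a prompt rather than stored in the script.

```powershell
# Added example (not Win32-OpenSSH project code): call the Windows logon API with the
# same user/domain splits sshd's log shows, so the Win32 error code can be compared
# with the "error: NNNN" line in the sshd debug output.
# Assumes a domain-joined Windows host; the account names below are placeholders.
Add-Type -Namespace Diag -Name Logon -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
                                    int logonType, int logonProvider, out System.IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(System.IntPtr handle);
'@

function Test-WindowsLogon {
    param(
        [Parameter(Mandatory)] [string] $User,
        $Domain,                                   # pass $null to mirror "domain: (null)" in the log
        [Parameter(Mandatory)] [System.Security.SecureString] $Password
    )
    $LOGON32_LOGON_NETWORK   = 3                   # non-interactive logon, as a network service does
    $LOGON32_PROVIDER_DEFAULT = 0
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $token = [IntPtr]::Zero
    $ok = [Diag.Logon]::LogonUser($User, $Domain, $plain, $LOGON32_LOGON_NETWORK,
                                  $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($ok) { [void][Diag.Logon]::CloseHandle($token) }
    [pscustomobject]@{
        User    = $User
        Domain  = $(if ($null -eq $Domain) { '(null)' } else { $Domain })
        Success = $ok
        Error   = $(if ($ok) { 0 } else { $code })
        # Same message table NoMoreFood quotes for 1326 ("The user name or password is incorrect")
        Message = $(if ($ok) { '' } else { ([ComponentModel.Win32Exception]::new($code)).Message })
    }
}

# Prompt for the password; nothing is written to the script or the console.
$cred = Get-Credential -UserName 'myaddomain\myadusername' -Message 'Domain password'

# The three splits discussed in the thread.
Test-WindowsLogon -User 'myadusername@example.invalid' -Domain $null       -Password $cred.Password
Test-WindowsLogon -User 'myadusername'                 -Domain 'myaddomain' -Password $cred.Password
Test-WindowsLogon -User 'myadusername@example.invalid' -Domain 'myaddomain' -Password $cred.Password
```

A 1326 on the first call but success on the second reproduces the thread's symptom outside sshd and points at how the domain handles UPN logons rather than at the password; a 1326 on all three means the credential itself is the problem. Per the `LogonUser` documentation, a UPN must be passed with a null domain, which is why sshd's log shows `domain: (null)`.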

@matherm-aboehm

I have the same problem on Windows 10 1909, with "OpenSSH for Windows" version 7.7.2.2.
Creating a local user with the same name and same password just works, but not with a domain-only user.
The password contains only US-ASCII characters.
Debug log message is the same (not including actual UPN):
debug1: Windows authentication failed for user: [email protected] domain: (null) error: 1326

I need to use the domain user for SSH sessions.
Please reopen this issue and look for a fix.

@sasilik

sasilik commented Sep 30, 2020

I am using a domain user for login and it works. I use only the username, without any domain or UPN, for login, and in sshd_config I have an AllowUsers row with "domain\username".

@NoMoreFood

@matherm-aboehm Many changes / fixes were made with domain login and name resolution since that version. Please try the latest version.

@matherm-aboehm

Sorry, my fault. I was misguided by the initial post. I thought I could use this issue tracker for the official Microsoft version, which can be installed with "optional features" of Windows 10.
If this issue is actually fixed in the latest version, then someone needs to communicate it to Microsoft, so that they update their version appropriately.
