Open
Issue
- OpenSSH doesn't support SSH with AAD (Azure Active Directory) credentials.
How to check whether a user is an AAD user:
- Execute "whoami /user" in cmd.exe. If the SID starts with "S-1-12-1", then it is an AAD user.
Root cause
- The Windows OS fails to generate an S4U token for an AAD user.
- OpenSSH generates an S4U token for a user in the following scenarios.
1. Key-based authentication.
After authenticating the user with SSH keys, the SSH server generates an S4U token to create the child processes (the interactive shell, sshd.exe, sftp-server.exe) in the user's context.
2. Retrieving user group information.
If sshd_config has a "Match group" block, then the SSH server retrieves the user's group information by first generating the S4U token.
Impacted scenarios
- Password-based authentication fails if sshd_config has a "Match group" block. FYI, the default sshd_config ($env:programdata\ssh\sshd_config) has a "Match group" block.
- Key-based authentication always fails.
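The following PowerShell diagnostic is an added example, not part of the original issue or the Win32-OpenSSH project: it applies the SID check above to the current account and inspects the default sshd_config for a "Match group" block, then reports which of the impacted scenarios apply. It assumes the default config path from the issue and that the script runs on the SSH server host.

```powershell
# Added diagnostic (not from the original issue): is the current account an
# AAD user, and does sshd_config still carry a "Match group" block?

function Test-AadSid {
    param([Parameter(Mandatory)][string]$Sid)
    # AAD accounts carry the S-1-12-1 SID prefix, as the issue describes.
    return $Sid -like 'S-1-12-1-*'
}

function Get-CurrentUserSid {
    # Same value "whoami /user" prints, read via .NET instead of parsing console output.
    return [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
}

function Test-MatchGroupBlock {
    # Default path from the issue; override for a non-default install.
    param([string]$ConfigPath = (Join-Path $env:ProgramData 'ssh\sshd_config'))
    if (-not (Test-Path $ConfigPath)) { return $false }
    foreach ($line in Get-Content $ConfigPath) {
        # Commented-out lines start with '#' and never match; -match is case-insensitive,
        # which mirrors sshd's case-insensitive keyword handling.
        if ($line -match '^\s*Match\s+Group\b') { return $true }
    }
    return $false
}

$sid           = Get-CurrentUserSid
$isAad         = Test-AadSid $sid
$hasMatchGroup = Test-MatchGroupBlock

"User SID: $sid (AAD account: $isAad)"
if ($isAad) {
    "Key-based authentication: will fail (Windows cannot create an S4U token for this account)"
    if ($hasMatchGroup) {
        "Password authentication: will fail (sshd_config contains a 'Match Group' block)"
    } else {
        "Password authentication: expected to work (no 'Match Group' block found)"
    }
}
```

Run it in the account you intend to SSH in as; if the account is AAD-based and only password authentication is needed, the "Match Group" report tells you whether the default block still has to be removed or replaced.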
Workaround
Work involved
- The majority of the work is on the Windows operating system side.
- There are a few changes required on the OpenSSH side, such as retrieving the group information of an AAD user.
Proposed timeline
As of today, there is no commitment from the Windows team.
We had a few meetings with the Windows team. The work is spread across three different teams in Windows. Windows couldn't prioritize our feature request (create an S4U token for an AAD user) as we don't have a partner request (or) strong business justification that shows the $ revenue impact. If any partner team is blocked, we request that you follow up with the Windows team directly.