[Feature request] SSH with AAD credentials

[bagajjal]

Issue

• OpenSSH doesn't support SSH with AAD (Azure active directory) credentials.

How to check if the user is an AAD user or not?
   - Execute "whoami /user" on cmd.exe. If the SID starts with "S-1-12-1" then it's an AAD user.

Root cause

• Windows OS fails to generate an S4U token for an AAD user.
• OpenSSH generates an S4U token for a user in the below scenarios.
      1. Key-based authentication.
      After authenticating user with ssh keys, ssh server generates an S4U token to create the child processes (like interactive shell / sshd.exe / sftp-server.exe) in user context.
      2. To retrieve user group information.
      If sshd_config has a "Match group" block then the SSH server retries the user group information by first generating the S4U token

Impacted scenarios

• Password based authentication fails if sshd_config has a "Match group" block. fyi, default sshd_config ($env:programdata\ssh\sshd_config) has a "Match group" block.
• Key-based authentication always fails

Workaround

• get_passwd: LookupAccountName() failed: 1332. #1476 (comment)

Work involved

• Majority of the work is on the Windows operating system side.
• There are few changes required on the OpenSSH side like retrieve the group information of an AAD user.

Proposed timeline -
As of today, there is no commitment from the windows team.
We had few meetings with the windows team. The work is spawned across three different teams in windows. Windows couldn't prioritize our feature request (create S4U token for AAD user) as we don't have a partner request (or) strong business justification that shows the $ revenue impact.  If any partner team is blocked then request you to follow up with the windows team directly.

[glima]

Update: workaround is only for password-based auth, key-based needs are totally out-of-luck, still :(

[bagajjal]

@glima - it's expected behavior till windows OS fixes the problem.

[scyto]

Is there an update to this issue, we have moved entirely to AAD for user and administrator login to workstations.
This is pretty annoying.

The workaround linked to use ssh azuread\[email protected]@ip-of-host doesn't work for us.

[bagajjal]

@scyto - No. It's deprioritized because of no strong business justification.

[JustinGrote]

How about vscode or powershell remoting to a Windows Server? Seems like a strong business case to me :)

[marcelo-paredes]

I also believe this is important. Imagine a case where you are trying to remote Visual Studio Code or IntelliJ IDEA into your AAD joined machine. Without this change your only option is to create a separate local user so you can connect to your machine via SSH for remoting with your favorite IDE. Some companies/organizations will allow that, others, you may be left with no options.

[OscarXvita]

How about vscode or powershell remoting to a Windows Server? Seems like a strong business case to me :)

Powershell remoting doesn't support AAD as well I think. My workaround is to create a local user for ssh/ps remote only.

[JustinGrote]

PowerShell remoting does support custom transports now, so someone could theoretically write one.

[hansingt]

Any updates on this? It is the end of 2022 and still no support for Azure AD Users on OpenSSH.

The workaround described here does not work for me. (What's the user to use in the azuread\[email protected]? Only the username, or the full E-Mail? Anything else?) And what if I have enabled 2FA on my Account? Will my Password be a Personal Token then?

[wcscr]

Can we get an update on this issue? I've also been unable to get the referenced workaround to work.

[daisukekobayashi]

The workaround described here worked for me.

My company uses email address to sign in to Azure AD. And I needed to use my email address in the [email protected] parts.

For example, if my company's email address was [email protected], I would use format below to use ssh.

$ ssh azuread\[email protected]@ipaddress

[mcx808]

The workaround described here worked for me.

I've just setup a Windows 11 workstation and this worked for me too. It does take about 40 seconds to login like this though, so I had to increase the VSCode SSH timeout settings to be able to connect. Looking forward to this being resolved by key authentication.

[talha5389]

@mcx808 @daisukekobayashi U sing workaround, were you able to authenticate with key pair authentication or with password based auth?

I cannot get it working with key pair auth even with workaround. Workaround only seems to work with password auth

[mcx808]

@mcx808 @daisukekobayashi U sing workaround, were you able to authenticate with key pair authentication or with password based auth?

I cannot get it working with key pair auth even with workaround. Workaround only seems to work with password auth

No, password authentication only. Until this ticket gets a resolution key based auth won't work with Windows AAD.

[kimyu92]

I have a strong use case for remote development.

My org uses domain joined and I would like to use key-based authentication for C# dev kit against windows machine. However, running sshd as service/daemon, eg. Start-Service sshd simply won't work unless using remote desktop to fire up sshd in foreground.

I believe this is still causing some issues with remote debugging with C# dev kit 🤦‍♂️

TBH, the whole windows development experience is kinda appalling.
Here are related issues:

• User principal name lookup failed for user  #1934
• VSCode Remote between two AAD-joined Windows PCs is not very seamless #1707
• AD user cannot be authenticated by Key when sshd server is running by system(Password works), but key auth is working for user if user starts openssh by himeself with .\sshd.exe -d #1543

Any resolution for key-based auth of windows domain joined / AD would be highly appreciated. 🙏

cc @maertendMSFT @vthiebaut10 @tgauth @anmenaga

Here is the attached ssh logs from server

77248 2023-11-06 22:20:29.133 debug3: fd 6 is not O_NONBLOCK
77248 2023-11-06 22:20:29.133 debug3: spawning "C:\\Program Files\\OpenSSH\\sshd.exe" -R as subprocess
77248 2023-11-06 22:20:29.149 debug3: send_rexec_state: entering fd = 10 config len 2206
77248 2023-11-06 22:20:29.149 debug3: ssh_msg_send: type 0
77248 2023-11-06 22:20:29.149 debug3: send_rexec_state: done
52192 2023-11-06 22:20:29.261 debug1: inetd sockets after dupping: 4, 4
52192 2023-11-06 22:20:29.261 debug3: process_channel_timeouts: setting 0 timeouts
52192 2023-11-06 22:20:29.261 debug3: channel_clear_timeouts: clearing
52192 2023-11-06 22:20:29.261 Connection from [redacted_ip] port 57559 on [redacted_ip] port 22
52192 2023-11-06 22:20:29.277 debug1: Local version string SSH-2.0-OpenSSH_for_Windows_9.4
52192 2023-11-06 22:20:29.277 debug1: Remote protocol version 2.0, remote software version OpenSSH_9.0
52192 2023-11-06 22:20:29.277 debug1: compat_banner: match: OpenSSH_9.0 pat OpenSSH* compat 0x04000000
52192 2023-11-06 22:20:29.277 debug2: fd 4 setting O_NONBLOCK
52192 2023-11-06 22:20:29.308 debug3: spawning "C:\\Program Files\\OpenSSH\\sshd.exe" -y as user
52192 2023-11-06 22:20:29.308 debug2: Network child is on pid 49216
52192 2023-11-06 22:20:29.308 debug3: send_rexec_state: entering fd = 6 config len 2206
52192 2023-11-06 22:20:29.308 debug3: ssh_msg_send: type 0
52192 2023-11-06 22:20:29.308 debug3: send_rexec_state: done
52192 2023-11-06 22:20:29.308 debug3: ssh_msg_send: type 0
52192 2023-11-06 22:20:29.308 debug3: ssh_msg_send: type 0
52192 2023-11-06 22:20:29.308 debug3: preauth child monitor started
52192 2023-11-06 22:20:29.361 debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
52192 2023-11-06 22:20:29.361 debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
52192 2023-11-06 22:20:29.361 debug3: send packet: type 20 [preauth]
52192 2023-11-06 22:20:29.361 debug1: SSH2_MSG_KEXINIT sent [preauth]
52192 2023-11-06 22:20:29.420 debug3: receive packet: type 20 [preauth]
52192 2023-11-06 22:20:29.420 debug1: SSH2_MSG_KEXINIT received [preauth]
52192 2023-11-06 22:20:29.420 debug2: local server KEXINIT proposal [preauth]
52192 2023-11-06 22:20:29.420 debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 [preauth]
52192 2023-11-06 22:20:29.420 debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
52192 2023-11-06 22:20:29.420 debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
52192 2023-11-06 22:20:29.420 debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
52192 2023-11-06 22:20:29.420 debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
52192 2023-11-06 22:20:29.420 debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
52192 2023-11-06 22:20:29.420 debug2: compression ctos: none,[email protected] [preauth]
52192 2023-11-06 22:20:29.420 debug2: compression stoc: none,[email protected] [preauth]
52192 2023-11-06 22:20:29.420 debug2: languages ctos:  [preauth]
52192 2023-11-06 22:20:29.420 debug2: languages stoc:  [preauth]
52192 2023-11-06 22:20:29.420 debug2: first_kex_follows 0  [preauth]
52192 2023-11-06 22:20:29.420 debug2: reserved 0  [preauth]
52192 2023-11-06 22:20:29.420 debug2: peer client KEXINIT proposal [preauth]
52192 2023-11-06 22:20:29.420 debug2: KEX algorithms: [email protected],curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c [preauth]
52192 2023-11-06 22:20:29.420 debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256 [preauth]
52192 2023-11-06 22:20:29.420 debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
52192 2023-11-06 22:20:29.420 debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] [preauth]
52192 2023-11-06 22:20:29.420 debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
52192 2023-11-06 22:20:29.420 debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
52192 2023-11-06 22:20:29.420 debug2: compression ctos: none,[email protected],zlib [preauth]
52192 2023-11-06 22:20:29.420 debug2: compression stoc: none,[email protected],zlib [preauth]
52192 2023-11-06 22:20:29.420 debug2: languages ctos:  [preauth]
52192 2023-11-06 22:20:29.420 debug2: languages stoc:  [preauth]
52192 2023-11-06 22:20:29.420 debug2: first_kex_follows 0  [preauth]
52192 2023-11-06 22:20:29.420 debug2: reserved 0  [preauth]
52192 2023-11-06 22:20:29.420 debug1: kex: algorithm: curve25519-sha256 [preauth]
52192 2023-11-06 22:20:29.420 debug1: kex: host key algorithm: ssh-ed25519 [preauth]
52192 2023-11-06 22:20:29.420 debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none [preauth]
52192 2023-11-06 22:20:29.420 debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none [preauth]
52192 2023-11-06 22:20:29.420 debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
52192 2023-11-06 22:20:29.546 debug3: receive packet: type 30 [preauth]
52192 2023-11-06 22:20:29.546 debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
52192 2023-11-06 22:20:29.546 debug3: mm_sshkey_sign: entering [preauth]
52192 2023-11-06 22:20:29.546 debug3: mm_request_send: entering, type 6 [preauth]
52192 2023-11-06 22:20:29.546 debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth]
52192 2023-11-06 22:20:29.546 debug3: mm_request_receive_expect: entering, type 7 [preauth]
52192 2023-11-06 22:20:29.546 debug3: mm_request_receive: entering [preauth]
52192 2023-11-06 22:20:29.546 debug3: mm_request_receive: entering
52192 2023-11-06 22:20:29.546 debug3: monitor_read: checking request 6
52192 2023-11-06 22:20:29.546 debug3: mm_answer_sign: entering
52192 2023-11-06 22:20:29.546 debug3: mm_answer_sign: ssh-ed25519 KEX signature len=83
52192 2023-11-06 22:20:29.546 debug3: mm_request_send: entering, type 7
52192 2023-11-06 22:20:29.546 debug2: monitor_read: 6 used once, disabling now
52192 2023-11-06 22:20:29.546 debug3: send packet: type 31 [preauth]
52192 2023-11-06 22:20:29.546 debug3: send packet: type 21 [preauth]
52192 2023-11-06 22:20:29.546 debug2: ssh_set_newkeys: mode 1 [preauth]
52192 2023-11-06 22:20:29.546 debug1: rekey out after 134217728 blocks [preauth]
52192 2023-11-06 22:20:29.546 debug1: SSH2_MSG_NEWKEYS sent [preauth]
52192 2023-11-06 22:20:29.546 debug1: Sending SSH2_MSG_EXT_INFO [preauth]
52192 2023-11-06 22:20:29.546 debug3: send packet: type 7 [preauth]
52192 2023-11-06 22:20:29.546 debug1: expecting SSH2_MSG_NEWKEYS [preauth]
52192 2023-11-06 22:20:29.695 debug3: receive packet: type 21 [preauth]
52192 2023-11-06 22:20:29.695 debug1: SSH2_MSG_NEWKEYS received [preauth]
52192 2023-11-06 22:20:29.695 debug2: ssh_set_newkeys: mode 0 [preauth]
52192 2023-11-06 22:20:29.695 debug1: rekey in after 134217728 blocks [preauth]
52192 2023-11-06 22:20:29.695 debug1: KEX done [preauth]
52192 2023-11-06 22:20:29.877 debug3: receive packet: type 5 [preauth]
52192 2023-11-06 22:20:29.877 debug3: send packet: type 6 [preauth]
52192 2023-11-06 22:20:29.995 debug3: receive packet: type 50 [preauth]
52192 2023-11-06 22:20:29.995 debug1: userauth-request for user myorg\\\\john.doe service ssh-connection method none [preauth]
52192 2023-11-06 22:20:29.995 debug1: attempt 0 failures 0 [preauth]
52192 2023-11-06 22:20:29.995 debug3: mm_getpwnamallow: entering [preauth]
52192 2023-11-06 22:20:29.995 debug3: mm_request_send: entering, type 8 [preauth]
52192 2023-11-06 22:20:29.995 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
52192 2023-11-06 22:20:29.995 debug3: mm_request_receive_expect: entering, type 9 [preauth]
52192 2023-11-06 22:20:29.995 debug3: mm_request_receive: entering [preauth]
52192 2023-11-06 22:20:29.995 debug3: mm_request_receive: entering
52192 2023-11-06 22:20:29.995 debug3: monitor_read: checking request 8
52192 2023-11-06 22:20:29.995 debug3: mm_answer_pwnamallow: entering
52192 2023-11-06 22:20:29.995 debug2: parse_server_config_depth: config reprocess config len 2206
52192 2023-11-06 22:20:29.995 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
52192 2023-11-06 22:20:29.995 debug3: mm_request_send: entering, type 9
52192 2023-11-06 22:20:29.995 debug2: monitor_read: 8 used once, disabling now
52192 2023-11-06 22:20:30.008 debug3: process_channel_timeouts: setting 0 timeouts [preauth]
52192 2023-11-06 22:20:30.008 debug3: channel_clear_timeouts: clearing [preauth]
52192 2023-11-06 22:20:30.008 debug2: input_userauth_request: setting up authctxt for myorg\\\\john.doe [preauth]
52192 2023-11-06 22:20:30.008 debug3: mm_inform_authserv: entering [preauth]
52192 2023-11-06 22:20:30.008 debug3: mm_request_send: entering, type 4 [preauth]
52192 2023-11-06 22:20:30.008 debug2: input_userauth_request: try method none [preauth]
52192 2023-11-06 22:20:30.008 debug3: user_specific_delay: user specific delay 0.000ms [preauth]
52192 2023-11-06 22:20:30.008 debug3: ensure_minimum_time_since: elapsed 13.000ms, delaying 12.078ms (requested 6.270ms) [preauth]
52192 2023-11-06 22:20:30.008 debug3: mm_request_receive: entering
52192 2023-11-06 22:20:30.008 debug3: monitor_read: checking request 4
52192 2023-11-06 22:20:30.008 debug3: mm_answer_authserv: service=ssh-connection, style=
52192 2023-11-06 22:20:30.008 debug2: monitor_read: 4 used once, disabling now
52192 2023-11-06 22:20:30.027 debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-with-mic,keyboard-interactive" [preauth]
52192 2023-11-06 22:20:30.027 debug3: send packet: type 51 [preauth]
52192 2023-11-06 22:20:30.211 debug3: receive packet: type 50 [preauth]
52192 2023-11-06 22:20:30.211 debug1: userauth-request for user myorg\\\\john.doe service ssh-connection method publickey [preauth]
52192 2023-11-06 22:20:30.211 debug1: attempt 1 failures 0 [preauth]
52192 2023-11-06 22:20:30.211 debug2: input_userauth_request: try method publickey [preauth]
52192 2023-11-06 22:20:30.211 debug2: userauth_pubkey: valid user myorg\\\\john.doe querying public key rsa-sha2-512 [redacted] [preauth]
52192 2023-11-06 22:20:30.211 debug1: userauth_pubkey: publickey test pkalg rsa-sha2-512 pkblob RSA SHA256:[redacted] [preauth]
52192 2023-11-06 22:20:30.211 debug3: mm_key_allowed: entering [preauth]
52192 2023-11-06 22:20:30.211 debug3: mm_request_send: entering, type 22 [preauth]
52192 2023-11-06 22:20:30.211 debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
52192 2023-11-06 22:20:30.211 debug3: mm_request_receive_expect: entering, type 23 [preauth]
52192 2023-11-06 22:20:30.211 debug3: mm_request_receive: entering [preauth]
52192 2023-11-06 22:20:30.211 debug3: mm_request_receive: entering
52192 2023-11-06 22:20:30.211 debug3: monitor_read: checking request 22
52192 2023-11-06 22:20:30.211 debug3: mm_answer_keyallowed: entering
52192 2023-11-06 22:20:30.211 debug1: trying public key file C:\\Users\\john.doe\\.ssh/authorized_keys
52192 2023-11-06 22:20:30.211 debug1: C:\\Users\\john.doe\\.ssh/authorized_keys:1: matching key found: RSA SHA256:[redacted]
52192 2023-11-06 22:20:30.211 debug1: C:\\Users\\john.doe\\.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
52192 2023-11-06 22:20:30.211 debug3: C:\\Users\\john.doe\\.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
52192 2023-11-06 22:20:30.211 Accepted key RSA SHA256:[redacted] found at C:\\Users\\john.doe\\.ssh/authorized_keys:1
52192 2023-11-06 22:20:30.211 debug2: auth_check_authkeys_file: C:\\Users\\john.doe\\.ssh/authorized_keys: processed 1/1 lines
52192 2023-11-06 22:20:30.211 debug3: mm_answer_keyallowed: publickey authentication test: RSA key is allowed
52192 2023-11-06 22:20:30.211 debug3: mm_request_send: entering, type 23
52192 2023-11-06 22:20:30.211 debug3: send packet: type 60 [preauth]
52192 2023-11-06 22:20:30.211 debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512 [preauth]
52192 2023-11-06 22:20:30.211 debug3: user_specific_delay: user specific delay 0.000ms [preauth]
52192 2023-11-06 22:20:30.211 debug3: ensure_minimum_time_since: elapsed 0.000ms, delaying 6.270ms (requested 6.270ms) [preauth]
52192 2023-11-06 22:20:30.227 Postponed publickey for myorg\\\\john.doe from [redacted_ip] port 57559 ssh2 [preauth]
52192 2023-11-06 22:20:30.396 debug3: receive packet: type 50 [preauth]
52192 2023-11-06 22:20:30.396 debug1: userauth-request for user myorg\\\\john.doe service ssh-connection method [email protected] [preauth]
52192 2023-11-06 22:20:30.396 debug1: attempt 2 failures 0 [preauth]
52192 2023-11-06 22:20:30.396 debug2: input_userauth_request: try method [email protected] [preauth]
52192 2023-11-06 22:20:30.396 debug2: userauth_pubkey: valid user myorg\\\\john.doe attempting public key rsa-sha2-512 [redacted] [preauth]
52192 2023-11-06 22:20:30.396 debug3: userauth_pubkey: [email protected] have rsa-sha2-512 signature for RSA SHA256:[redacted] [preauth]
52192 2023-11-06 22:20:30.396 debug3: mm_key_allowed: entering [preauth]
52192 2023-11-06 22:20:30.396 debug3: mm_request_send: entering, type 22 [preauth]
52192 2023-11-06 22:20:30.396 debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
52192 2023-11-06 22:20:30.396 debug3: mm_request_receive_expect: entering, type 23 [preauth]
52192 2023-11-06 22:20:30.396 debug3: mm_request_receive: entering [preauth]
52192 2023-11-06 22:20:30.396 debug3: mm_request_receive: entering
52192 2023-11-06 22:20:30.396 debug3: monitor_read: checking request 22
52192 2023-11-06 22:20:30.396 debug3: mm_answer_keyallowed: entering
52192 2023-11-06 22:20:30.396 debug1: trying public key file C:\\Users\\john.doe\\.ssh/authorized_keys
52192 2023-11-06 22:20:30.397 debug1: C:\\Users\\john.doe\\.ssh/authorized_keys:1: matching key found: RSA SHA256:[redacted]
52192 2023-11-06 22:20:30.397 debug1: C:\\Users\\john.doe\\.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
52192 2023-11-06 22:20:30.397 debug3: C:\\Users\\john.doe\\.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
52192 2023-11-06 22:20:30.397 Accepted key RSA SHA256:[redacted] found at C:\\Users\\john.doe\\.ssh/authorized_keys:1
52192 2023-11-06 22:20:30.397 debug2: auth_check_authkeys_file: C:\\Users\\john.doe\\.ssh/authorized_keys: processed 1/1 lines
52192 2023-11-06 22:20:30.397 debug3: mm_answer_keyallowed: publickey authentication: RSA key is allowed
52192 2023-11-06 22:20:30.397 debug3: mm_request_send: entering, type 23
52192 2023-11-06 22:20:30.397 debug3: mm_sshkey_verify: entering [preauth]
52192 2023-11-06 22:20:30.397 debug3: mm_request_send: entering, type 24 [preauth]
52192 2023-11-06 22:20:30.397 debug3: mm_request_receive: entering
52192 2023-11-06 22:20:30.397 debug3: monitor_read: checking request 24
52192 2023-11-06 22:20:30.398 debug3: mm_answer_keyverify: publickey RSA signature using rsa-sha2-512 verified
52192 2023-11-06 22:20:30.398 debug1: auth_activate_options: setting new authentication options
52192 2023-11-06 22:20:30.398 debug3: mm_request_send: entering, type 25
52192 2023-11-06 22:20:30.398 Accepted publickey for myorg\\john.doe from [redacted_ip] port 57559 ssh2: RSA SHA256:[redacted]
52192 2023-11-06 22:20:30.398 debug1: monitor_child_preauth: user myorg\\john.doe authenticated by privileged process
52192 2023-11-06 22:20:30.398 debug3: mm_get_keystate: Waiting for new keys
52192 2023-11-06 22:20:30.398 debug3: mm_request_receive_expect: entering, type 26
52192 2023-11-06 22:20:30.398 debug3: mm_request_receive: entering
52192 2023-11-06 22:20:30.403 debug3: mm_get_keystate: GOT new keys
52192 2023-11-06 22:20:30.403 debug3: mm_sshkey_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
52192 2023-11-06 22:20:30.403 debug3: mm_request_receive_expect: entering, type 25 [preauth]
52192 2023-11-06 22:20:30.403 debug3: mm_request_receive: entering [preauth]
52192 2023-11-06 22:20:30.403 debug1: auth_activate_options: setting new authentication options [preauth]
52192 2023-11-06 22:20:30.403 debug2: userauth_pubkey: authenticated 1 pkalg rsa-sha2-512 [preauth]
52192 2023-11-06 22:20:30.403 debug3: user_specific_delay: user specific delay 0.000ms [preauth]
52192 2023-11-06 22:20:30.403 debug3: ensure_minimum_time_since: elapsed 2.000ms, delaying 4.270ms (requested 6.270ms) [preauth]
52192 2023-11-06 22:20:30.403 debug3: send packet: type 52 [preauth]
52192 2023-11-06 22:20:30.403 debug3: mm_request_send: entering, type 26 [preauth]
52192 2023-11-06 22:20:30.403 debug3: mm_send_keystate: Finished sending state [preauth]
52192 2023-11-06 22:20:30.405 debug1: monitor_read_log: child log fd closed
52192 2023-11-06 22:20:30.406 debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
52192 2023-11-06 22:20:30.945 error: lookup_principal_name: User principal name lookup failed for user 'myorg\\john.doe' (explicit: 5, implicit: 5)
52192 2023-11-06 22:20:30.945 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'myorg\\john.doe' Status: 0xC0000062 SubStatus 0.
52192 2023-11-06 22:20:30.947 debug3: get_user_token - unable to generate token for user myorg\\john.doe
52192 2023-11-06 22:20:33.653 error: lookup_principal_name: User principal name lookup failed for user 'myorg\\john.doe' (explicit: 5, implicit: 5)
52192 2023-11-06 22:20:33.653 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'myorg\\john.doe' Status: 0xC0000062 SubStatus 0.
52192 2023-11-06 22:20:33.653 error: get_user_token - unable to generate token on 2nd attempt for user myorg\\john.doe
52192 2023-11-06 22:20:33.653 error: unable to get security token for user myorg\\john.doe
52192 2023-11-06 22:20:33.653 fatal: fork of unprivileged child failed
52192 2023-11-06 22:20:33.653 debug1: do_cleanup
77248 2023-11-06 22:20:33.664 debug2: pselect_notify_done: reading

Client ssh log

...
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/john.doe/.ssh/id_rsa RSA SHA256:[redacted] explicit agent
debug1: Server accepts key: /Users/john.doe/.ssh/id_rsa RSA SHA256:[redacted] explicit agent
Authenticated to jd.test ([redacted_ip]:22) using "publickey".
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: filesystem
client_loop: send disconnect: Broken pipe

[ozbillwang]

daisukekobayashi

Thanks for the solution. Bit mine is different case.

I can login Linux Machine with Azure AD by command az network bastion ssh

az network bastion ssh --name "${bastionName}" --resource-group "${bastionRG}" --subscription ${bastionSubID} --target-resource-id "${vmId}" --auth-type AAD

But there is a use case to ask for setting a ssh tunnel first.

So I set it

az network bastion tunnel --name "${bastionName}" --resource-group "${bastionRG}" --subscription ${bastionSubID} --target-resource-id "${vmId}" --resource-port 22 --port 8888

After that, I'd like to login with ssh command with azure ad , but I can't

ssh -o PreferredAuthentications=password -p 8888 azuread\[email protected]@localhost

or

ssh -p 8888 azuread\[email protected]@localhost

get this error

Authorized uses only. All activity may be monitored and reported.
azuread\[email protected]@localhost: Permission denied (publickey).

[watsonlu]

I think I got this to work with public key auth.

I did the following in sshd_config:

• Uncommented the AuthorizedKeyFile
• Uncommented the PubkeyAuthentication line
• Uncommented the PasswordAuthentication line and set it to "No"

Last line is key

After adding my public key to the keyfile I was able to log in with my azure ad user when I previously could not with the "get_user_token - unable to generate token" error.

[shmerl]

Was something changed that it started working, or it was simply dependent on that configuration?

I'll give it a try. What version of openssh are you using?

[mcx808]

I think I got this to work with public key auth.

I did the following in sshd_config:

• Uncommented the AuthorizedKeyFile
• Uncommented the PubkeyAuthentication line
• Uncommented the PasswordAuthentication line and set it to "No"

Last line is key

After adding my public key to the keyfile I was able to log in with my azure ad user when I previously could not with the "get_user_token - unable to generate token" error.

@watsonlu Can you give some details about your system? I've tried again after applying all the available Windows 11 updates and it's still not working for me.

[GavIngram]

My use case needs to be able to SSH using a key pair into an Entra user. This issue is almost 3 years old now, is there a chance it will get resolved?

[denjolras]

Same for Me.
I'm waiting since 3 years.
The only "workaround" is not clean.. I'm using a local user on the windows :-(