Windows OpenSSH Allow Deny Settings

Trying to configure restrictions on SFTP access, and the Windows OpenSSH Allow/Deny settings are not working.

You would be forgiven for tearing out your hair trying to get permissions working.

The following is the information provided by Microsoft and is consistent with the OpenSSH documentation for Linux and Windows deployments.

Which brings me to my issue: if the following is as simple as it looks, why is it giving me so much trouble?

Controlling which users and groups can connect to the server is done using the AllowGroups, AllowUsers, DenyGroups, and DenyUsers directives. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. All account names must be specified in lower case. See PATTERNS in ssh_config for more information on patterns for wildcards.

When configuring user/group based rules with a domain user or group, use the following format: user?domain*. Windows allows multiple formats for specifying domain principals, but many conflict with standard Linux patterns. For that reason, * is added to cover FQDNs. Also, this approach uses “?”, instead of @, to avoid conflicts with the username@host format.

Workgroup users/groups and internet-connected accounts are always resolved to their local account name (no domain part, similar to standard Unix names). Domain users and groups are strictly resolved to NameSamCompatible format – domain_short_name\user_name. All user/group based configuration rules need to adhere to this format.

https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_server_configuration

I configured OpenSSH and have access for an Administrator account and a standard user account.

However, no combination of AllowUsers, DenyUsers, AllowGroups, DenyGroups would provide a sensible outcome.

It seems that the opposite applies, with my standard user always getting access and my administrator being denied.

So, with many thanks to ParisNakitaKejser for his YouTube video, which covers the very simple Deny and Allow settings for both Users and Groups without the suggested ‘Patterns’ and gives the ultimate solution.

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

This setting is present by default in OpenSSH on Windows, and it is the cause of this grief. Comment both lines out:

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Restart the OpenSSH server service and all the Allow / Deny permissions will work correctly!
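The page's fix is to comment the Match block out. As an added example, not the page's own code, the Python checker below shows the behaviour behind the symptom: an sshd_config Match block extends to the next Match line or the end of the file, so Allow/Deny directives appended after the default Match Group administrators block apply only inside it. It flags such directives and account names that are not lower case, and fixed_config hoists the directives above the Match line; SAMPLE_CONFIG is a constructed sample.

```python
# Added example, not the page's own code: checks a Windows sshd_config for
# Allow/Deny directives placed after a "Match" line (a Match block runs to the
# next Match line or end of file, so they only apply inside it) and for account
# names that are not lower case. SAMPLE_CONFIG is a constructed sample.
import re

ALLOW_DENY = {"allowusers", "denyusers", "allowgroups", "denygroups"}
SAMPLE_CONFIG = """\
Subsystem sftp sftp-server.exe
Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
AllowUsers sftpuser
DenyUsers Administrator
"""


def _parse(raw):
    """Split one config line into (lowercased keyword, argument string)."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None, ""
    parts = re.split(r"[ \t=]+", line, maxsplit=1)
    return parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def check_sshd_config(text):
    """Return (line_no, message) findings for the Allow/Deny directives in text."""
    findings, in_match = [], None
    for no, raw in enumerate(text.splitlines(), start=1):
        key, args = _parse(raw)
        if key == "match":
            in_match = args
        elif key in ALLOW_DENY:
            if in_match is not None:
                findings.append((no, f"{key} sits inside 'Match {in_match}' and only "
                                     "applies there; move it above the first Match line"))
            for name in args.split():
                if name != name.lower():
                    findings.append((no, f"{key} name '{name}' is not lower case"))
    return findings


def fixed_config(text):
    """Hoist every Allow/Deny directive found after a Match line above the first Match."""
    before, after, seen_match = [], [], False
    for raw in text.splitlines():
        key, _ = _parse(raw)
        seen_match = seen_match or key == "match"
        (before if not seen_match or key in ALLOW_DENY else after).append(raw)
    return "\n".join(before + after) + "\n"
```

Run it against a copy of %ProgramData%\ssh\sshd_config to see whether your Allow/Deny rules fell under the Match block before restarting the service.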
