Category Archives: Security

View Windows OpenSSH Active Settings

I was trying to view Windows OpenSSH Active Settings, while working on the configuration of OpenSSH on Windows.

I found references to using the -T parameter to see what configuration settings were active, but it was giving an error.

PS C:\windows\system32> C:\windows\System32\OpenSSH\sshd.exe -T
'Match Group' in configuration but 'user' not in connection test specification.

Which did not make any sense, but I did some searching and found a suggestion of using another parameter with it

PS C:\windows\system32> C:\windows\System32\OpenSSH\sshd.exe -T -C user=thowden

Which gave me the result I wanted with all or at least a lot of parameter settings displayed based on either the sshd_config settings or any defaults not already set.

Of interest was that this function of -T not working is also addressed by the same issue that messes with the access control permissions. See Windows OpenSSH Allow Deny Settings for related info.

This setting is there by default with OpenSSH on Windows. It is the cause of this grief. Comment the lines out:

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Restart OpenSSH and this command

PS C:\windows\system32> C:\windows\System32\OpenSSH\sshd.exe -T

Will now work as expected without needing to add the -C etc…

An update, only minutes later. It appears that the ‘Match’ setting is the issue, and not specifically the Match Group Administrators. Adding a different Match instruction to sshd_config triggered the same error:

PS C:\windows\system32> C:\windows\System32\OpenSSH\sshd.exe -T
'Match User' in configuration but 'user' not in connection test specification.

The Win32-OpenSSH at GitHub is the source of many questions and some answers with sorting out an installation of OpenSSH on Windows.

Note that the version installed for Windows Server 2019 is version 7.7p1 while Windows 10 users will get a later version. Much later at version 8.x. For the server users, you will need to wait for Windows Server 2022 to get an updated version.

Windows OpenSSH Allow Deny Settings

Trying to configure restrictions on SFTP accesss and Windows OpenSSH Allow Deny Settings are not working.

You would be forgiven for tearing out your hair trying to get permissions working.

The following is the information provided by Microsoft and is consistent with OpenSSH documentation for Linux and Windows deployments.

Which brings me to my issue. If the following is as simple as it looks, why is it giving me so much trouble ?

Controlling which users and groups can connect to the server is done using the AllowGroups, AllowUsers, DenyGroups, and DenyUsers directives. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. All account names must be specified in lower case. See PATTERNS in ssh_config for more information on patterns for wildcards.

When configuring user/group based rules with a domain user or group, use the following format: user?domain*. Windows allows multiple of formats for specifying domain principals, but many conflict with standard Linux patterns. For that reason, * is added to cover FQDNs. Also, this approach uses “?”, instead of @, to avoid conflicts with the username@host format.

Work group users/groups and internet-connected accounts are always resolved to their local account name (no domain part, similar to standard Unix names). Domain users and groups are strictly resolved to NameSamCompatible format – domain_short_name\user_name. All user/group based configuration rules need to adhere to this format.

I configured OpenSSH and have access for an Administrator account and a standard user account.

However, no combination of AllowUsers, DenyUsers, AllowGroups, DenyGroups would provide a sensible outcome.

It seems that the opposite would apply with my standard user always getting access and my administrator being denied.

So with many thanks to ParisNakitaKejser for his Youtube video which addresses the very simple settings for Deny and Allow both Users and Groups without the suggested ‘Patterns’ and gives the ultimate solution.

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

This setting is there by default with OpenSSH on Windows. It is the cause of this grief. Comment the lines out:

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Restart OpenSSH and all the Allow / Deny permissions will work correctly!