We suggest using Windows accounts to access the SSH Server in the following situations:
- You wish to provide the accounts with full access to SSH functionality, including access to arbitrary files and execution of arbitrary programs, limited only by an account's Windows security permissions.
- You wish to provide limited access to only a subset of SSH functionality, but leveraging existing user identities and group memberships configured in Active Directory.
If your plans do not fit these criteria, we recommend using virtual accounts instead.
Security context
The main SSH Server service runs as Local System. It must run as Local System to provide login to Windows accounts.
However, when a Windows account logs into the SSH Server:
- The SSH session thread that serves the connection runs in the security context of the logged-in Windows user.
- Any child process started by the SSH session runs in the security context of the Windows user.
Child processes include the SSH Server's SFTP subsystem, and any terminal shell or exec requests started by the user. All of these are started in the security context of the logged-in account, and run subject to its Windows permissions.
Default settings
If settings are not changed from defaults, the SSH Server will:
- Permit login using any local or domain Windows account that has the Windows security privilege to Log on locally.
- Permit such users to access the server in any way that their Windows permissions allow.
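Because the default behaviour admits any Windows account holding the Log on locally right, it is worth listing who actually holds it. The following PowerShell is an added example, not part of Bitvise's documentation; it assumes an elevated prompt, since secedit needs administrative rights.

```powershell
# Added example (not Bitvise code): list the accounts and groups that hold the
# "Log on locally" user right (SeInteractiveLogonRight). Under default SSH Server
# settings, these are the Windows accounts that can log in. Remember that the
# "Deny log on locally" right (SeDenyInteractiveLogonRight) overrides an allow.
function Get-LogOnLocallyHolders {
    $cfg = Join-Path $env:TEMP ("secpol-{0}.cfg" -f [guid]::NewGuid())
    try {
        # Export only the user rights assignments of the local security policy.
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if (-not (Test-Path $cfg)) { throw "secedit export failed; run elevated" }

        $line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
        if (-not $line) { return @() }   # nobody holds the right

        $entries = ($line -replace '^SeInteractiveLogonRight\s*=\s*', '') -split ','
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # Entries prefixed with '*' are SIDs; translate each to an account name.
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '(unresolved SID)' }
                [pscustomobject]@{ Sid = $sid.Value; Name = $name }
            } else {
                # Occasionally secedit writes a plain account name instead of a SID.
                [pscustomobject]@{ Sid = $null; Name = $entry }
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

Get-LogOnLocallyHolders | Format-Table -AutoSize
```

On a domain member, group entries such as Users or Domain Users expand to every member, so the list of principals is usually much larger than the list of lines printed.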
Disabling Windows accounts
If you do not wish to use Windows accounts, preventing login to them is straightforward. Using Easy SSH Server settings:
In the screenshot, the Windows accounts tab in Easy settings is empty, and Allow login to any Windows account is disabled.
If you have:
- configured no additional Windows groups besides the default, Everyone;
- created no Windows account settings entries (i.e. none are visible on this tab);
then disabling Allow login to any Windows account will prevent login with Windows accounts in the SSH Server.
Disabling Windows accounts in Advanced settings
To disable login into Windows accounts using Advanced SSH Server settings:
- Ensure no Windows account settings entries are configured.
- Ensure the only Windows group settings entry is the default, Everyone.
- Disable login for the Everyone group, as shown:
Permitting individual Windows accounts
A common usage scenario is to permit access to a handful of individual Windows accounts, usually as administrators; and to use virtual accounts for other users.
In the screenshot, we are:
- Preventing login to Windows accounts by default. We do this by disabling the setting Allow login to any Windows account on the Windows accounts tab of Easy settings.
- Adding a single account settings entry for a user with administrative rights, permitting full access.
Leveraging the Active Directory
It is possible to configure the SSH Server to provide access to Active Directory users by configuring only Windows group settings entries; without having to configure SSH account settings entries for individual Windows accounts.
Using the SSH Server this way requires advanced knowledge of both Windows and SSH Server settings. For guidance with using the SSH Server this way, we recommend the following sections of the SSH Server Users' Guide:
- Configuring groups and accounts in Bitvise SSH Server
- Using Bitvise SSH Server in a domain
- Network vs. interactive logon
The following page may also be relevant:
Windows profile loading
If you plan to use Bitvise SSH Server heavily, whether with Windows or virtual accounts, note:
- There are several SSH Server settings which may cause a user's Windows profile to be loaded as part of SSH session login.
- Loading a profile for a Windows domain account may take a long time, delaying SSH login.
- Most versions of Windows, including current desktop and server versions, contain an apparent OS issue which causes Windows to run out of kernel memory after a large number of profiles have been loaded.
- When Windows has run out of memory, new profiles cannot be loaded, and SSH sessions fail to work. Windows must be restarted to restore functionality.
- From time to time, a Windows profile can become corrupted. It is then necessary to re-create the profile to restore functionality.
To avoid this issue, do not enable settings which may cause a Windows profile to be loaded. These settings are discussed in our SSH Server Usage FAQ, Q260.
For sessions that access terminal shell or run exec requests, it is not possible to disable Windows profile loading. Terminal shell and exec requests run third-party software which may require the Windows profile to function.
This affects mainly installations that may load hundreds or thousands of Windows profiles per day. Installations with a two-digit daily number of sessions that may load profiles are unlikely to notice issues.