From 5335d43fb6cad9048c7d7ae32662c67f138b5898 Mon Sep 17 00:00:00 2001
From: manojampalam
Date: Sun, 15 May 2016 12:30:05 -0700
Subject: [PATCH] added support for domain\user for key-based auth

---
 contrib/win32/openssh/install-sshd.ps1 | 3 ++
 .../win32compat/ssh-agent/authagent-request.c | 31 +++++++++++++++++--
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/contrib/win32/openssh/install-sshd.ps1 b/contrib/win32/openssh/install-sshd.ps1
index 2f174ca..5d0d1ac 100644
--- a/contrib/win32/openssh/install-sshd.ps1
+++ b/contrib/win32/openssh/install-sshd.ps1
@@ -4,6 +4,8 @@ $scriptdir = Split-Path $scriptpath
 $sshdpath = Join-Path $scriptdir "sshd.exe"
 $sshagentpath = Join-Path $scriptdir "ssh-agent.exe"
+$ntrights = Join-Path $scriptdir "ntrights.exe -u `"NT SERVICE\SSHD`" +r SeAssignPrimaryTokenPrivilege"
+
 if (-not (Test-Path $sshdpath))
 {
 throw "sshd.exe is not present in script path"
 }
@@ -25,5 +27,6 @@ cmd.exe /c 'sc.exe sdset ssh-agent D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPW
 New-Service -Name sshd -BinaryPathName $sshdpath -Description "SSH Deamon" -StartupType Manual -DependsOn ssh-agent | Out-Null
 sc.exe config sshd obj= "NT SERVICE\SSHD"
+cmd.exe /c $ntrights
 
 Write-Host -ForegroundColor Green "sshd and ssh-agent services successfully installed"
diff --git a/contrib/win32/win32compat/ssh-agent/authagent-request.c b/contrib/win32/win32compat/ssh-agent/authagent-request.c
index e6157da..a548bcf 100644
--- a/contrib/win32/win32compat/ssh-agent/authagent-request.c
+++ b/contrib/win32/win32compat/ssh-agent/authagent-request.c
@@ -50,9 +50,10 @@ InitLsaString(LSA_STRING *lsa_string, const char *str)
 }
 }
 
+#define MAX_USER_LEN 256
 static HANDLE
 generate_user_token(wchar_t* user) {
- HANDLE lsa_handle = 0, token = 0;;
+ HANDLE lsa_handle = 0, token = 0;
 LSA_OPERATIONAL_MODE mode;
 ULONG auth_package_id;
 NTSTATUS ret, subStatus;
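Review bot: `$ntrights` is built with Join-Path on a string that already carries the executable's arguments (`ntrights.exe -u ...`), so the value is neither a path that can be tested nor a clean argument list, and unlike `$sshdpath` and `$sshagentpath` just above it there is no Test-Path before it is used. Keep the path on its own and check it the way the two lines above do: `$ntrightspath = Join-Path $scriptdir "ntrights.exe"` followed by `if (-not (Test-Path $ntrightspath)) { throw "ntrights.exe is not present in script path" }`, with the arguments moved to the call site. As written, a missing ntrights.exe is only noticed when the privilege grant further down fails, and this script does not check that result.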
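Review bot: `cmd.exe /c $ntrights` runs the privilege grant without checking its outcome, so the script still prints "sshd and ssh-agent services successfully installed" when SeAssignPrimaryTokenPrivilege was not granted to NT SERVICE\SSHD, and the service then fails later at logon time instead of at install time. Routing the whole command line through cmd.exe also leaves the executable path unquoted inside `$ntrights`, which is fragile once `$scriptdir` contains a space; invoking the binary directly avoids both issues: `& (Join-Path $scriptdir "ntrights.exe") -u "NT SERVICE\SSHD" +r SeAssignPrimaryTokenPrivilege` then `if ($LASTEXITCODE -ne 0) { throw "failed to grant SeAssignPrimaryTokenPrivilege to NT SERVICE\SSHD" }`. Whether ntrights.exe reports failure through a non-zero exit code is not visible here and should be confirmed before relying on it.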
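Review bot: `MAX_USER_LEN` is introduced without saying what it bounds; from its use in the next hunk it is the number of `wchar_t` entries a name may occupy including the terminator (a name of exactly 256 characters is rejected by `wcsnlen(user, MAX_USER_LEN) == MAX_USER_LEN`), which presumably has to match the declaration of `user_copy` that lives outside this diff. A one-line comment above the define would stop the name from being read as a maximum character count: `/* wchar_t capacity of user_copy, including L'\0'; names of MAX_USER_LEN or more characters are rejected */`. The fix of the stray `;;` on the `HANDLE` line is fine.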
@@ -64,7 +65,33 @@ generate_user_token(wchar_t* user) {
 LUID logonId;
 QUOTA_LIMITS quotas;
 DWORD cbProfile;
- BOOL domain_user = (wcschr(user, L'@') != NULL)? TRUE : FALSE;
+ BOOL domain_user;
+
+ /* prep user name - TODO: implment an accurate check if user is domain account*/
+ if (wcsnlen(user, MAX_USER_LEN) == MAX_USER_LEN) {
+ debug("user length is not supported");
+ goto done;
+ }
+
+ if (wcschr(user, L'\\') != NULL) {
+ wchar_t *un = NULL, *dn = NULL;
+ DWORD un_len = 0, dn_len = 0;
+ dn = user;
+ dn_len = wcschr(user, L'\\') - user;
+ un = wcschr(user, L'\\') + 1;
+ un_len = wcsnlen(user, MAX_USER_LEN) - dn_len - 1;
+ if (dn_len == 0 || un_len == 0) {
+ debug("cannot get user token - bad user name");
+ goto done;
+ }
+ memcpy(user_copy, un, un_len * sizeof(wchar_t));
+ user_copy[un_len] = L'@';
+ memcpy(user_copy + un_len + 1, dn, dn_len * sizeof(wchar_t));
+ user_copy[dn_len + 1 + un_len] = L'\0';
+ user = user_copy;
+ }
+
+ domain_user = (wcschr(user, L'@') != NULL) ? TRUE : FALSE;
 
 InitLsaString(&logon_process_name, "ssh-agent");
 if (domain_user)
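Review bot: The two `memcpy` calls and the two stores write `un_len + dn_len + 2` wide characters into `user_copy`, i.e. up to `MAX_USER_LEN` entries for a name the remote client supplied, but `user_copy` is declared outside this diff, so nothing in the hunk ties the `wcsnlen` guard to the buffer's actual size and a later resize of the declaration would silently turn the guard into an overflow. Derive the bound from the buffer where it is an array, `if (wcsnlen(user, _countof(user_copy)) >= _countof(user_copy))`, or at minimum put a comment on the guard stating that `user_copy` must hold `MAX_USER_LEN` entries. `wcschr(user, L'\\')` is evaluated three times and `wcsnlen` twice on the same string; hoisting them into `wchar_t *sep = wcschr(user, L'\\');` and `size_t len = wcsnlen(user, MAX_USER_LEN);` makes the `dn_len`/`un_len` arithmetic below easier to audit. The TODO already admits the domain check is approximate; the comment should also say that rewriting `domain\user` to `user@domain` assumes the name before the backslash is usable as a UPN suffix, which may not hold in every environment. `generate_user_token` continues past the end of the hunk and the `done:` label jumped to is not visible here.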