diff --git a/about:-sshd_config.md b/sshd_config.md similarity index 51% rename from about:-sshd_config.md rename to sshd_config.md index 7a2b481..db06062 100644 --- a/about:-sshd_config.md +++ b/sshd_config.md 
@@ -1,18 +1,28 @@ -Listed here are Windows specific details that supplement or override the original sshd configuration manual documented in [OpenBSD manual](https://man.openbsd.org/sshd_config) +Listed here are Windows specific details that supplement or override the original sshd configuration manual documented in [OpenBSD manual](https://man.openbsd.org/sshd_config). If you don't see a configuration entry here, the original man page reference holds true. _______ #### AllowGroups, AllowUsers, DenyGroups, DenyUsers The allow/deny directives are processed in the following order: **DenyUsers**, **AllowUsers**, **DenyGroups**, and finally **AllowGroups**. See PATTERNS in [ssh_config](http://man.openbsd.org/ssh_config.5#PATTERNS) for more information on patterns. -windows specific info to follow... +Note the following for domain accounts: + +Prior to v7.7.0.0, there was no well defined way to specify domain principals (users and groups). To account for a domain principal in [various forms](https://msdn.microsoft.com/en-us/library/windows/desktop/ms724268(v=vs.85).aspx), it is recommended to use the following format while configuring user/group based rules - `user?domain*` - note the `?` instead of `@` to avoid conflict with `username@host` format and `*` added to cover FQDNs. + +From v7.7.0.0 on wards, work group users/groups and internet-connected accounts are strictly resolved to their local account name (no domain part, similar to standard Unix names). Domain users and groups are strictly resolved to NameSamCompatible format - domain_short_name\user_name. All user/group based configuration rules need to adhere to this format. + +- Ex. for domain users - `DenyUsers contoso\admin@192.168.2.23` +- Ex. for local users - `AllowUsers localuser@192.168.2.23` ______ #### AuthenticationMethods Available authentication methods are "password" and "publickey". ______ #### Chroot -Supported from 7.7.0.0
-To setup a sftp-only chroot server, set ForceCommand to `internal-sftp` +Support added in v7.7.0.0 + +This is implemented in Posix compat library, so do not expect it to work in a command shell. + +To setup a sftp-only chroot server, set ForceCommand to `internal-sftp`. You may also set up scp with chroot, by implementing a custom shell that would only allow scp. ______ #### Not supported
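Review bot: The added Chroot text ("implemented in Posix compat library, so do not expect it to work in a command shell") leaves the security consequence implicit: a chrooted account that is still permitted an interactive shell login is not confined at all, so the section should state outright that Chroot is only effective together with a ForceCommand (the `internal-sftp` case shown, or the custom scp-only shell mentioned) and that the directive must not be relied on for shell sessions. Two wording fixes in the same hunk: "From v7.7.0.0 on wards" should read "onwards", and "To setup a sftp-only chroot server" should read "To set up an sftp-only chroot server". Minor style point: the section separators alternate between seven underscores (after the intro) and six elsewhere; pick one.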