Spin up ssh-sk-helper in user context when called from ssh-agent (#560)

contrib/win32/openssh/install-sshd.ps1

@@ -90,7 +90,7 @@ wevtutil im `"$etwman`"
 $agentDesc = "Agent to hold private keys used for public key authentication."
 New-Service -Name ssh-agent -DisplayName "OpenSSH Authentication Agent" -BinaryPathName `"$sshagentpath`" -Description $agentDesc -StartupType Manual | Out-Null
 sc.exe sdset ssh-agent "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RP;;;AU)"
-sc.exe privs ssh-agent SeImpersonatePrivilege
+sc.exe privs ssh-agent SeAssignPrimaryTokenPrivilege/SeTcbPrivilege/SeBackupPrivilege/SeRestorePrivilege/SeImpersonatePrivilege
 
 $sshdDesc = "SSH protocol based service to provide secure encrypted communications between two untrusted hosts over an insecure network."
 New-Service -Name sshd -DisplayName "OpenSSH SSH Server" -BinaryPathName `"$sshdpath`" -Description $sshdDesc -StartupType Manual | Out-Null

contrib/win32/win32compat/inc/pwd.h

@@ -41,6 +41,7 @@ struct passwd *w32_getpwuid(uid_t uid);
 struct passwd *w32_getpwnam(const char *username);
 struct passwd *getpwent(void);
 void endpwent(void);
+char *get_username(const PSID sid);
 
 #define getpwuid w32_getpwuid
 #define getpwnam w32_getpwnam

contrib/win32/win32compat/pwd.c

@@ -330,6 +330,21 @@ cleanup:
 	return ret;
 }
 
+char *
+get_username(const PSID sid)
+{
+	if (!sid) {
+		error_f("sid is NULL");
+		return NULL;
+	}
+
+	struct passwd *p = get_passwd(NULL, sid);
+	if (p && p->pw_name)
+		return strdup(p->pw_name);
+	else
+		return NULL;
+}
+
 struct passwd*
 w32_getpwnam(const char *user_utf8)
 {

contrib/win32/win32compat/ssh-agent/agent-main.c

@@ -121,6 +121,9 @@ wmain(int argc, wchar_t **argv)
 	fix_cwd();
 	if (!StartServiceCtrlDispatcherW(dispatch_table)) {
 		if (GetLastError() == ERROR_FAILED_SERVICE_CONTROLLER_CONNECT) {
+			/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+			sanitise_stdfd();
+
 			/* 
 			 * agent is not spawned by SCM 
 			 * Its either started in debug mode or a worker child 

contrib/win32/win32compat/ssh-agent/agent.c

@@ -32,8 +32,12 @@
 #include <sddl.h>
 #include <UserEnv.h>
 #include "..\misc_internal.h"
+#include <pwd.h>
+
 #define BUFSIZE 5 * 1024
 
+char* sshagent_con_username;
+
 static HANDLE ioc_port = NULL;
 static BOOL debug_mode = FALSE;
 
@@ -182,13 +186,18 @@ agent_cleanup_connection(struct agent_connection* con)
 {
 	debug("connection %p clean up", con);
 	CloseHandle(con->pipe_handle);
-        if (con->client_impersonation_token)
-                CloseHandle(con->client_impersonation_token);
+	if (con->client_impersonation_token)
+			CloseHandle(con->client_impersonation_token);
 	if (con->client_process_handle)
 		CloseHandle(con->client_process_handle);
 	free(con);
 	CloseHandle(ioc_port);
 	ioc_port = NULL;
+
+	if(sshagent_con_username) {
+		free(sshagent_con_username);
+		sshagent_con_username = NULL;
+	}
 }
 
 void 
@@ -289,6 +298,13 @@ get_con_client_info(struct agent_connection* con)
 		goto done;
 	}
 
+	// Get username
+	sshagent_con_username= get_username(info->User.Sid);
+	if (sshagent_con_username)
+		debug_f("sshagent_con_username: %s", sshagent_con_username);
+	else
+		error_f("Failed to get the userName");
+
 	/* check if its admin */
 	{
 		sid_size = SECURITY_MAX_SID_SIZE;

contrib/win32/win32compat/win32_usertoken_utils.c

@@ -118,9 +118,13 @@ generate_s4u_user_token(wchar_t* user_cpn, int impersonation) {
 
 		/* trusted mode - used for impersonation */
 		LSA_OPERATIONAL_MODE mode;
-		InitLsaString(&logon_process_name, "sshd");
-		if ((ret = LsaRegisterLogonProcess(&logon_process_name, &lsa_handle, &mode)) != STATUS_SUCCESS)
+		InitLsaString(&logon_process_name, __progname);
+		if ((ret = LsaRegisterLogonProcess(&logon_process_name, &lsa_handle, &mode)) != STATUS_SUCCESS) {
+			ULONG winError = LsaNtStatusToWinError(ret);
+			error_f("LsaRegisterLogonProcess failed with error:%d", winError);
+
 			goto done;
+		}
 	}
 	else {
 		/* untrusted mode - used for information lookup */

regress/pesterTests/Setup.Tests.ps1

@@ -424,10 +424,16 @@ Describe "Setup Tests" -Tags "Setup" {
         }
         
         It "$tC.$tI - Validate RequiredPrivileges of ssh-agent" {
+            $expected = @("SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege", "SeBackupPrivilege", "SeRestorePrivilege", "SeImpersonatePrivilege")
             $a = sc.exe qprivs ssh-agent 256
             $p = @($a | % { if($_ -match "Se[\w]+Privilege" ) {$start = $_.IndexOf("Se");$_.Substring($start, $_.length-$start)}})
-            $p.count | Should Be 1
-            $p[0] | Should Be "SeImpersonatePrivilege"
+            $expected | % {
+                $p -contains $_ | Should be $true
+            }
+
+            $p | % {
+                $expected -contains $_ | Should be $true
+            }
         }
 
         It "$tC.$tI - Validate RequiredPrivileges of sshd" {

ssh-sk-client.c

@@ -44,6 +44,7 @@
 /* #define DEBUG_SK 1 */
 
 #ifdef WINDOWS
+extern char *sshagent_con_username = NULL;
 static char module_path[PATH_MAX + 1];
 
 static char *
@@ -167,9 +168,18 @@ start_helper(int *fdp, pid_t *pidp, void (**osigchldp)(int))
 	av[0] = helper;
 	av[1] = verbosity;
 	av[2] = NULL;
-	if (posix_spawnp((pid_t *)&pid, av[0], &actions, NULL, av, NULL) != 0) {
-		error_f("posix_spawnp failed");
-		goto out;
+
+	if (sshagent_con_username) {
+		debug_f("sshagent_con_username:%s", sshagent_con_username);
+		if (__posix_spawn_asuser((pid_t *)&pid, av[0], &actions, NULL, av, NULL, sshagent_con_username) != 0) {
+			error_f("__posix_spawn_asuser failed for username:%s", sshagent_con_username);
+			goto out;
+		}
+	} else {
+		if (posix_spawnp((pid_t *)&pid, av[0], &actions, NULL, av, NULL) != 0) {
+			error_f("posix_spawnp failed");
+			goto out;
+		}
 	}
 	r = 0;
 #else