[Feature request] SSH with AAD credentials #1787
Comments
Update: workaround is only for password-based auth, key-based needs are totally out-of-luck, still :(
@glima - it's expected behavior till windows OS fixes the problem.
Is there an update to this issue, we have moved entirely to AAD for user and administrator login to workstations. The workaround linked to use
@scyto - No. It's deprioritized because of no strong business justification.
How about vscode or powershell remoting to a Windows Server? Seems like a strong business case to me :)
I also believe this is important. Imagine a case where you are trying to remote Visual Studio Code or IntelliJ IDEA into your AAD joined machine. Without this change your only option is to create a separate local user so you can connect to your machine via SSH for remoting with your favorite IDE. Some companies/organizations will allow that, others, you may be left with no options.
Powershell remoting doesn't support AAD as well I think. My workaround is to create a local user for ssh/ps remote only.
PowerShell remoting does support custom transports now, so someone could theoretically write one.
Any updates on this? It is the end of 2022 and still no support for Azure AD Users on OpenSSH. The workaround described here does not work for me. (What's the
Can we get an update on this issue? I've also been unable to get the referenced workaround to work.
The workaround described here worked for me. My company uses email address to sign in to Azure AD. And I needed to use my email address in the For example, if my company's email address was
I've just set up a Windows 11 workstation and this worked for me too. It does take about 40 seconds to log in like this though, so I had to increase the VSCode SSH timeout settings to be able to connect. Looking forward to this being resolved by key authentication.
@mcx808 @daisukekobayashi Using the workaround, were you able to authenticate with key pair authentication or with password based auth? I cannot get it working with key pair auth even with the workaround. The workaround only seems to work with password auth.
No, password authentication only. Until this ticket gets a resolution key based auth won't work with Windows AAD.
I have a strong use case for remote development. My org uses domain joined and I would like to use key-based authentication for C# dev kit against windows machine. However, running I believe this is still causing some issues with remote debugging with C# dev kit 🤦♂️ TBH, the whole windows development experience is kinda appalling.
Any resolution for key-based auth of windows domain joined / AD would be highly appreciated. 🙏 cc @maertendMSFT @vthiebaut10 @tgauth @anmenaga Here are the attached ssh logs from the server
Client ssh log
Thanks for the solution. But mine is a different case. I can log in to a Linux machine with Azure AD by command
But there is a use case that asks for setting up an SSH tunnel first. So I set it
After that, I'd like to log in with the ssh command with Azure AD, but I can't
get this error
I think I got this to work with public key auth. I did the following in sshd_config:
Last line is key. After adding my public key to the keyfile I was able to log in with my azure ad user when I previously could not with the "get_user_token - unable to generate token" error.
Was something changed so that it started working, or was it simply dependent on that configuration? I'll give it a try. What version of openssh are you using?
@watsonlu Can you give some details about your system? I've tried again after applying all the available Windows 11 updates and it's still not working for me.
My use case needs to be able to SSH using a key pair into an Entra user. This issue is almost 3 years old now, is there a chance it will get resolved?
Same for me.
Issue
How to check if the user is an AAD user or not?
- Execute "whoami /user" on cmd.exe. If the SID starts with "S-1-12-1" then it's an AAD user.
Root cause
1. Key-based authentication.
After authenticating user with ssh keys, ssh server generates an S4U token to create the child processes (like interactive shell / sshd.exe / sftp-server.exe) in user context.
2. To retrieve user group information.
If sshd_config has a "Match group" block then the SSH server retrieves the user group information by first generating the S4U token.
Impacted scenarios
Workaround
Work involved
Proposed timeline -
As of today, there is no commitment from the windows team.
We had a few meetings with the windows team. The work is spawned across three different teams in windows. Windows couldn't prioritize our feature request (create S4U token for AAD user) as we don't have a partner request (or) strong business justification that shows the $ revenue impact. If any partner team is blocked, then we request you to follow up with the windows team directly.
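A small triage helper for the two conditions the issue body ties to the S4U token failure: the account being an AAD / Entra ID user (SID prefix S-1-12-1, as reported by `whoami /user`) and sshd_config containing a `Match Group` block. This is an added example, not Win32-OpenSSH code and not posted by anyone in this thread. It assumes Python 3, and the `whoami /user` output and sshd_config text it runs over are constructed here. The SID-to-object-ID conversion goes beyond what the issue states: it relies on the well-known layout of Entra ID SIDs, where the four subauthorities after `S-1-12-1` are the user's object ID GUID as four little-endian DWORDs.

```python
"""Classify Windows SIDs from `whoami /user` and spot `Match Group` blocks
in sshd_config. Added example; assumptions are marked in comments."""
import re
import struct
import uuid
from typing import List, Optional, Tuple

# S-1-12-1 is the Azure AD / Entra ID prefix named in the issue.
# S-1-5-21 is the classic local / domain account prefix.
AAD_PREFIX = "S-1-12-1-"
NT_ACCOUNT_PREFIX = "S-1-5-21-"

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sid: str) -> Tuple[int, int, List[int]]:
    """Split a string SID into (revision, identifier authority, subauthorities)."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    subs = [int(x) for x in m.group(3).split("-") if x]
    return int(m.group(1)), int(m.group(2)), subs


def classify_sid(sid: str) -> str:
    """'aad' for Entra ID accounts (the case this issue is about), 'nt' for
    local/domain accounts, 'other' for anything else."""
    if sid.startswith(AAD_PREFIX):
        return "aad"
    if sid.startswith(NT_ACCOUNT_PREFIX):
        return "nt"
    return "other"


def aad_sid_to_object_id(sid: str) -> str:
    """Recover the Entra object ID from an S-1-12-1 SID.
    Assumption (well-known layout, not stated in the issue): the four
    subauthorities after the leading 1 are the GUID bytes as LE DWORDs."""
    _, authority, subs = parse_sid(sid)
    if authority != 12 or len(subs) != 5 or subs[0] != 1:
        raise ValueError(f"not an Entra ID user SID: {sid!r}")
    return str(uuid.UUID(bytes_le=struct.pack("<4I", *subs[1:])))


def object_id_to_aad_sid(object_id: str) -> str:
    """Inverse of aad_sid_to_object_id (same layout assumption)."""
    words = struct.unpack("<4I", uuid.UUID(object_id).bytes_le)
    return AAD_PREFIX + "-".join(str(w) for w in words)


def whoami_user_sid(output: str) -> Optional[str]:
    """Pull the SID column out of `whoami /user` table output."""
    for line in output.splitlines():
        m = re.search(r"(S-\d+(?:-\d+)+)\s*$", line)
        if m:
            return m.group(1)
    return None


def has_match_group(sshd_config: str) -> bool:
    """True if any `Match` line carries a Group criterion, which per the
    issue makes sshd resolve groups through an S4U token. Handles both the
    `Match Group x` and `Match Group=x` spellings; comments are ignored."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if not parts or parts[0].lower() != "match":
            continue
        tokens, i = parts[1:], 0
        while i < len(tokens):
            if "=" in tokens[i]:
                name, i = tokens[i].split("=", 1)[0], i + 1
            else:
                name, i = tokens[i], i + 2
            if name.lower() == "group":
                return True
    return False


def triage(whoami_output: str, sshd_config: str) -> dict:
    """Summarise whether this host/user combination hits the S4U path."""
    sid = whoami_user_sid(whoami_output)
    kind = classify_sid(sid) if sid else "unknown"
    return {
        "sid": sid,
        "account_kind": kind,
        "match_group_block": has_match_group(sshd_config),
        # Per the issue: key-based auth always needs S4U for an AAD user,
        # and a Match Group block needs it even for password auth.
        "s4u_needed": kind == "aad",
    }


# Constructed sample output of `whoami /user` for an Entra ID account.
SAMPLE_WHOAMI = """USER INFORMATION
----------------

User Name              SID
====================== ===============================================
azuread\\jdoe           S-1-12-1-16909060-117966086-202050057-269422093
"""

# Constructed sshd_config fragment with a Match Group block.
SAMPLE_SSHD_CONFIG = """PubkeyAuthentication yes
# Match Group commented out here does not count
Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
"""

if __name__ == "__main__":
    print(triage(SAMPLE_WHOAMI, SAMPLE_SSHD_CONFIG))
```

Run it on the box (or on pasted output) before opening a ticket: an `aad` account kind plus key-based auth, or an `aad` account kind plus a `Match Group` block, is exactly the combination the issue body describes as broken until Windows can mint an S4U token for AAD users.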