Configuring groups and accounts in WinSSHD
Immediately after initial installation, when started using the original default settings, WinSSHD will accept password, NTLM or Kerberos-based login to any Windows account that has Windows permissions to establish an interactive logon (or in the case of NTLM and Kerberos, a network logon) on the machine where WinSSHD is running.
When a Windows account user logs in, WinSSHD will impersonate the security context of that Windows account throughout the user's SSH session. With the default, initial-installation settings, WinSSHD will allow any successfully logged on user to take any action (running a program, accessing a file, connecting to another machine) that the user is permitted by Windows operating system and file system permissions.
Most administrators will find it desirable to configure WinSSHD in a way that restricts users from accessing parts of the server that Windows permissions alone would not prevent them from accessing. The groups and accounts sections of WinSSHD Settings provide the means for this. The groups and accounts in WinSSHD Settings are an additional layer of security settings which WinSSHD imposes on top of the Windows permission system; they do not replace it, but provide complementary settings which Windows does not on its own provide.
Additionally, virtual groups and virtual account settings provide the means to differentiate users in WinSSHD without having to create separate Windows groups, or having to create and maintain a Windows account for every user.
Windows groups and accounts
By default, the WinSSHD configuration for Windows groups and accounts is very simple and consists of a single 'Everyone' group. In a default configuration, the WinSSHD settings for the Everyone group apply to all Windows accounts that log in through WinSSHD.
When a user tries to log into WinSSHD with a Windows account, WinSSHD determines the settings for that account in the following manner:
- Account settings. The entries in 'Windows accounts' are searched to find a match for the account for which login is being attempted. If a match is found, the settings in the account entry are superimposed on the settings found for the account's group (below), and if the 'Specify group' option is enabled, it is used to choose the account's group settings entry, as well.
- Group settings. If a match was found for an account settings entry; and if the entry specifies a Windows group to be used for this account (the 'Specify group' setting is enabled); and if there is a corresponding WinSSHD group settings entry for that group; and if the Windows account is actually a member of that group; then WinSSHD will use that group settings entry.
Otherwise, WinSSHD looks up the local and domain groups of which the candidate account is a member:
- If none of those groups have a corresponding WinSSHD group settings entry, the Everyone group settings entry will be used.
- If only one of those groups has a corresponding WinSSHD group settings entry, that one group settings entry will be used.
- If more than one of those groups have a corresponding WinSSHD group settings entry, then, if this is a domain account configured in Active Directory, and if the Active Directory settings for the account specify a primary group which has a WinSSHD group settings entry, that group settings entry will be used. Otherwise, that one of the group settings entries which has the lowest numeric priority value will be used.
This means that:
- WinSSHD account settings can be configured individually by adding individual account entries in 'Windows accounts'.
- WinSSHD account settings can be configured en masse, without having to add or maintain individual account entries, by configuring WinSSHD settings for a number of Windows groups. When there is no individual account settings entry, WinSSHD will use appropriate group settings according to the algorithm described above.
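The resolution order described above, worked through as an added example (this is not WinSSHD's own code; the dict layout, the 'priority' numbers, the 'specify_group' field and every account, group and path name are constructed for the illustration, and only the order of the decisions follows the documentation):

```python
"""Model of the WinSSHD group/account settings resolution described above.

Added illustration, not WinSSHD's own code: the dict layout, the 'priority'
numbers, the 'specify_group' field and all account/group names are
constructed for this example. Only the order of the decisions follows the
documentation.
"""

# Constructed WinSSHD group settings entries (name -> priority and settings).
GROUP_ENTRIES = {
    "Everyone":   {"priority": 1000, "settings": {"shell": True,  "sftp_root": r"C:\Sftp\Public"}},
    "Developers": {"priority": 20,   "settings": {"shell": True,  "sftp_root": r"C:\Sftp\Dev"}},
    "Auditors":   {"priority": 10,   "settings": {"shell": False, "sftp_root": r"C:\Sftp\Audit"}},
}

# Constructed WinSSHD account settings entries ('Windows accounts').
ACCOUNT_ENTRIES = {
    "dave": {"specify_group": "Auditors", "settings": {"sftp_root": r"C:\Sftp\Dave"}},
    "erin": {"specify_group": "Auditors", "settings": {}},
}

# Constructed view of the real Windows group memberships and AD primary groups.
MEMBERSHIPS = {
    "alice": {"Users", "Developers", "Auditors"},
    "bob":   {"Users"},
    "carol": {"Developers", "Auditors"},
    "dave":  {"Developers"},
    "erin":  {"Developers", "Auditors"},
}
AD_PRIMARY_GROUP = {"carol": "Developers"}

CONFIG = {
    "groups": GROUP_ENTRIES, "accounts": ACCOUNT_ENTRIES,
    "memberships": MEMBERSHIPS, "primary": AD_PRIMARY_GROUP,
}


def select_group_entry(account, cfg=CONFIG):
    """Return the name of the group settings entry WinSSHD would use."""
    groups = cfg["groups"]
    member_of = cfg["memberships"].get(account, set())
    entry = cfg["accounts"].get(account)

    # 1. 'Specify group' on the account entry names the group directly, but
    #    only if that group has an entry and the account is actually a member.
    if entry and entry.get("specify_group"):
        wanted = entry["specify_group"]
        if wanted in groups and wanted in member_of:
            return wanted

    # 2. Otherwise look at the real local/domain memberships.
    candidates = [g for g in member_of if g in groups]
    if not candidates:
        return "Everyone"
    if len(candidates) == 1:
        return candidates[0]

    # 3. Several matches: the AD primary group wins if it has an entry,
    #    otherwise the entry with the lowest numeric priority value.
    primary = cfg["primary"].get(account)
    if primary in candidates:
        return primary
    return min(candidates, key=lambda g: groups[g]["priority"])


def effective_settings(account, cfg=CONFIG):
    """Group settings with the account entry's settings superimposed on top."""
    group = select_group_entry(account, cfg)
    settings = dict(cfg["groups"][group]["settings"])
    entry = cfg["accounts"].get(account)
    if entry:
        settings.update(entry.get("settings", {}))
    return group, settings


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "erin"):
        print(user, effective_settings(user))
```

Two cases are worth noticing: 'dave' has 'Specify group' set to Auditors but is not a member of that group, so the setting is ignored and his real membership (Developers) decides; 'alice' matches two group entries with no AD primary group, so the entry with the lowest priority value (Auditors) wins.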
When configuring settings for multiple Windows accounts through groups, automatic expansion of environment variables in string configuration fields may be helpful. WinSSHD will substitute environment variables in string fields such as 'Terminal shell', 'Initial directory' and 'SFTP root directory'. For Windows accounts, at least the following environment variables will be defined: , , (the name of the group settings entry selected, or 'EVERYONE'), and (defined if the value of references a domain group).
Virtual groups and accounts
For administrators who want to avoid setting up a separate Windows account for every SSH user, WinSSHD provides the means to create virtual accounts. Virtual accounts behave exactly like Windows accounts, except for the following differences:
Scope.
- Windows accounts. A Windows account is created in Windows, and can be used to log into WinSSHD whether or not there is a corresponding WinSSHD Windows account entry. A Windows account exists outside of WinSSHD as a Windows security principal.
- Virtual accounts. A virtual account is created by adding an entry to 'Virtual accounts' in WinSSHD Settings. A virtual account exists only inside WinSSHD; applications launched by an SSH session have no awareness of virtual accounts. Instead, those external applications see the Windows account that is configured to back the virtual account, which provides the operating system-level impersonation context.
Groups.
- Windows groups. The mapping between Windows account settings entries and Windows group settings entries in WinSSHD can be complex. It depends on the Windows account's actual Windows group memberships, Active Directory primary group settings, the 'Specify group' setting in the WinSSHD account settings entry, etc.
- Virtual groups. The mapping between a virtual account and its corresponding virtual group is straightforward. The virtual account entry always directly specifies a single corresponding virtual group.
Password.
- Windows accounts. The password of a Windows account is maintained by Windows. It can be changed using the Windows Control Panel or Computer Management, through WinSSHD during SSH user authentication, or using the included bvPwd command line utility.
- Virtual accounts. The password of a virtual account is maintained in WinSSHD Settings. It is configured by the administrator and cannot be changed by the user of the virtual account.
Backing Windows account. A virtual account still requires configuring a backing Windows account to provide the operating system-level impersonation context. WinSSHD will impersonate this backing Windows account when the virtual account is logged into. A single backing account can be used for any number of virtual users, and the backing account can be defined either for individual virtual accounts or for whole virtual groups. However, because WinSSHD needs to log into the backing Windows account when accepting a virtual account logon, the password for the backing Windows account needs to be stored in the WinSSHD password cache. It will not be possible to log into a virtual account until a password cache entry for the backing Windows account is configured. The password cache entry can be set manually using the WinSSHD Control Panel, through wcfg (using 'wcfg pass set'), or programmatically using the WinsshdCfgManip COM object.
In all other respects, a virtual account is just like a Windows account. Virtual account settings are superimposed on the corresponding virtual group settings just like it happens with Windows group and account settings entries. All the WinSSHD settings for virtual accounts that look the same as for Windows accounts behave the same way.
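The virtual-account rules above (one virtual group per account, account-level backing account overriding the group-level one, and the password cache precondition) as an added example; this is not WinSSHD's own code, and the dict layout, the field names and every group, account and path name are constructed for the illustration:

```python
"""Model of a virtual-account logon in WinSSHD: the virtual group, the backing
Windows account and the password cache precondition described above.

Added illustration, not WinSSHD's own code: the dict layout, the field names
and every group, account and path below are constructed for this example.
"""

# Constructed virtual group entries. A backing account can be set per group.
VIRTUAL_GROUPS = {
    "customers":   {"backing_account": "svc_sftp",
                    "settings": {"shell": False, "sftp_root": r"C:\Sftp\Customers"}},
    "contractors": {"backing_account": "svc_contract",
                    "settings": {"shell": True, "sftp_root": r"C:\Sftp\Contractors"}},
}

# Constructed virtual account entries; each names exactly one virtual group and
# may override the group's backing account and settings.
VIRTUAL_ACCOUNTS = {
    "acme":   {"group": "customers",   "settings": {"sftp_root": r"C:\Sftp\Customers\acme"}},
    "jdoe":   {"group": "contractors", "backing_account": "svc_jdoe", "settings": {}},
    "orphan": {"group": "contractors", "backing_account": "svc_missing", "settings": {}},
}

# Constructed password cache: backing accounts for which an entry was set
# (for example with 'wcfg pass set').
PASSWORD_CACHE = {"svc_sftp", "svc_contract", "svc_jdoe"}


def backing_account(name, accounts=VIRTUAL_ACCOUNTS, groups=VIRTUAL_GROUPS):
    """Account-level backing account overrides the group-level one."""
    entry = accounts[name]
    return entry.get("backing_account") or groups[entry["group"]]["backing_account"]


def resolve_virtual_logon(name, accounts=VIRTUAL_ACCOUNTS, groups=VIRTUAL_GROUPS,
                          cache=PASSWORD_CACHE):
    """Decide whether a virtual-account logon can proceed and with which settings.

    Returns a dict: 'ok' (bool), 'reason' (str), and on success 'backing'
    (the Windows account WinSSHD impersonates) and 'settings'.
    """
    entry = accounts.get(name)
    if entry is None:
        return {"ok": False, "reason": "no virtual account entry"}
    backing = backing_account(name, accounts, groups)
    if backing not in cache:
        # WinSSHD must log into the backing account itself; without a cached
        # password it cannot, so the virtual logon is refused.
        return {"ok": False, "reason": f"no password cache entry for {backing}"}
    # Virtual account settings are superimposed on the virtual group settings.
    settings = dict(groups[entry["group"]]["settings"])
    settings.update(entry.get("settings", {}))
    return {"ok": True, "reason": "", "backing": backing, "settings": settings}


if __name__ == "__main__":
    for user in ("acme", "jdoe", "orphan", "nobody"):
        print(user, resolve_virtual_logon(user))
```

The 'orphan' entry shows the failure mode the text warns about: its backing account has no password cache entry, so the logon is refused even though the virtual account and its group are fully configured.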