Configuring groups and accounts in WinSSHD

Immediately after initial installation, when started under the original default settings, WinSSHD will accept password, NTLM or Kerberos-based login to any Windows account that has Windows permissions to log into the machine where WinSSHD is running.

When a Windows account user logs in, WinSSHD will impersonate the security context of that Windows account throughout the user's SSH session. Under default settings, WinSSHD will allow any successfully logged on user to take any action that the user is permitted by Windows and file system permissions. Such actions include accessing the terminal shell, running a program, uploading and downloading files, or connecting to another machine using SSH port forwarding.

Most administrators will find it desirable to configure WinSSHD in a way that restricts users' access further. The groups and accounts sections of WinSSHD Settings provide the means for this configurability. The groups and accounts in WinSSHD Settings are an additional layer of security settings which are imposed by WinSSHD on top of the Windows permission system. The WinSSHD settings do not replace Windows permissions, but provide complementary settings which Windows does not provide on its own.

Additionally, virtual groups and virtual account settings provide the means to add users in WinSSHD without having to create separate Windows groups, or having to create and maintain a Windows account for every user.

Windows groups and accounts

By default, the WinSSHD configuration for Windows groups and accounts is very straightforward. It consists of a single 'Everyone' group. In a default configuration, the WinSSHD settings for the Everyone group apply to all Windows accounts that log in through WinSSHD.

When a user tries to log into WinSSHD with a Windows account, WinSSHD determines the settings for that account in the following manner:

  • Account settings. WinSSHD searches the entries in 'Windows accounts' to find a match for the account that's logging in. If a match is found, the settings in the account entry are superimposed on the settings found for the account's group. If the 'Specify group' option is enabled, it is used to choose the account's group settings entry.

  • Group settings. If WinSSHD was able to find a match for a Windows account settings entry in WinSSHD Settings, and if this entry uses the 'Specify group' setting, then WinSSHD will use the configured group settings entry, under the following conditions: that the specified Windows group settings entry exists in the first place; and that the Windows account is actually a member of that group.

    If any of these conditions is not met, WinSSHD looks up the local and domain groups of which the account is a member:

    • If none of the user's groups have a WinSSHD group settings entry, the Everyone group settings entry will be used.

    • If only one of the user's groups has a WinSSHD group settings entry, that group settings entry will be used, as long as it appears above the Everyone group.

    • If more than one of the user's groups have a WinSSHD group settings entry, then the user's "primary group" setting in Active Directory will control which group settings entry is used.

    • If more than one of the user's groups have a WinSSHD group settings entry, but the user is not a domain user, or the "primary group" setting does not resolve the group, then WinSSHD will choose the group settings entry that appears first in WinSSHD Settings (even if this is the Everyone group).

This means that:

  • WinSSHD account settings can be configured individually by adding individual account entries in 'Windows accounts'.

  • WinSSHD account settings can be configured en masse, without having to add or maintain individual account entries, by configuring WinSSHD settings for a number of Windows groups. When there is no individual account settings entry, WinSSHD will use appropriate group settings according to the rules described above.

    When configuring settings for multiple Windows accounts through groups, automatic expansion of environment variables in string configuration fields may be helpful. WinSSHD will substitute environment variables in string fields such as 'Terminal shell', 'Initial directory' and 'SFTP root directory'. For Windows accounts, at least the following environment variables will be defined: USERNAME, USERDOMAIN, WINSSHDGROUP (the name of the group settings entry selected, or 'EVERYONE'), and WINSSHDGROUPDOMAIN (defined if the value of WINSSHDGROUP references a domain group).
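The precedence rules above, together with the account-over-group superimposition and the environment variable substitution, are easier to reason about as code. The following is an added illustration written for this page, not WinSSHD's own code: the group entries, account entries, memberships and paths are constructed. Two details are assumptions not stated on the page: that `%NAME%` is the substitution syntax in string fields, and that a `DOMAIN\group` entry name yields `WINSSHDGROUP=group` and `WINSSHDGROUPDOMAIN=DOMAIN`.

```python
"""Model of how WinSSHD picks the group settings entry for a Windows account,
superimposes the account entry on it, and expands environment variables.

Added illustration, not WinSSHD's code. Entries, memberships and paths are
constructed. Assumed (not on the page): %NAME% substitution syntax, and a
'DOMAIN\\group' entry gives WINSSHDGROUP=group, WINSSHDGROUPDOMAIN=DOMAIN.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class GroupEntry:                      # one row of 'Windows groups', in settings order
    name: str                          # "Everyone", "CORP\\Developers", ...
    settings: Dict[str, str] = field(default_factory=dict)


@dataclass
class AccountEntry:                    # one row of 'Windows accounts'
    name: str                          # "DOMAIN\\user"
    settings: Dict[str, str] = field(default_factory=dict)
    specify_group: Optional[str] = None   # the 'Specify group' option, if enabled


@dataclass
class WindowsAccount:                  # what Windows tells WinSSHD about the logon
    domain: str
    username: str
    groups: List[str]                  # local and domain groups the account belongs to
    primary_group: Optional[str] = None   # Active Directory primary group (domain users)


def _same(a: str, b: str) -> bool:
    return a.casefold() == b.casefold()   # Windows names are case-insensitive


def select_group(groups, entry, account) -> GroupEntry:
    """Apply the documented precedence rules and return the group entry to use."""
    everyone = next(g for g in groups if _same(g.name, "Everyone"))
    # Rule 1: 'Specify group' is honoured if that entry exists and the account is a member.
    if entry and entry.specify_group:
        chosen = next((g for g in groups if _same(g.name, entry.specify_group)), None)
        if chosen and any(_same(m, chosen.name) for m in account.groups):
            return chosen
    # Rule 2: otherwise look at the account's group memberships, in settings order.
    candidates = [g for g in groups
                  if g is not everyone and any(_same(m, g.name) for m in account.groups)]
    if not candidates:                                  # no matching entry at all
        return everyone
    if len(candidates) == 1:                            # one match: used only if above Everyone
        only = candidates[0]
        return only if groups.index(only) < groups.index(everyone) else everyone
    if account.primary_group:                           # several: AD primary group decides
        for g in candidates:
            if _same(g.name, account.primary_group):
                return g
    # Primary group absent or unresolved: first matching entry in settings order, Everyone included.
    return next(g for g in groups if g is everyone or any(g is c for c in candidates))


def environment(account, group) -> Dict[str, str]:
    """Variables WinSSHD defines for the session (names from the page; the split is assumed)."""
    env = {"USERNAME": account.username, "USERDOMAIN": account.domain}
    if _same(group.name, "Everyone"):
        env["WINSSHDGROUP"] = "EVERYONE"
    elif "\\" in group.name:                            # domain group entry: DOMAIN\group
        env["WINSSHDGROUPDOMAIN"], env["WINSSHDGROUP"] = group.name.split("\\", 1)
    else:
        env["WINSSHDGROUP"] = group.name
    return env


def expand(value: str, env: Dict[str, str]) -> str:
    """Substitute %NAME% references; unknown names are left untouched."""
    return re.sub(r"%([A-Za-z_][A-Za-z0-9_]*)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def resolve_settings(groups, accounts, account):
    """Return (group entry name, effective settings after expansion, session environment)."""
    qualified = f"{account.domain}\\{account.username}"
    entry = next((a for a in accounts if _same(a.name, qualified)), None)
    group = select_group(groups, entry, account)
    effective = dict(group.settings)
    if entry:
        effective.update(entry.settings)   # account settings superimposed on the group's
    env = environment(account, group)
    return group.name, {k: expand(v, env) for k, v in effective.items()}, env


# Constructed settings; note that 'CORP\Contractors' is listed below Everyone.
GROUPS = [
    GroupEntry("CORP\\Developers", {"Initial directory": "D:\\Repos\\%USERNAME%",
                                    "SFTP root directory": "D:\\Repos\\%USERNAME%"}),
    GroupEntry("Everyone", {"Terminal shell": "cmd.exe",
                            "Initial directory": "C:\\Users\\%USERNAME%",
                            "SFTP root directory": "C:\\SftpRoot\\%WINSSHDGROUP%\\%USERNAME%"}),
    GroupEntry("CORP\\Contractors", {"SFTP root directory": "C:\\Drop\\%USERNAME%"}),
]
ACCOUNTS = [
    AccountEntry("CORP\\alice", {"Terminal shell": "powershell.exe"}),
    AccountEntry("CORP\\bob", specify_group="CORP\\Contractors"),
]

if __name__ == "__main__":
    for acct in [
        WindowsAccount("CORP", "alice", ["CORP\\Developers", "CORP\\Domain Users"], "CORP\\Domain Users"),
        WindowsAccount("CORP", "bob", ["CORP\\Developers", "CORP\\Contractors"], "CORP\\Domain Users"),
        WindowsAccount("CORP", "carol", ["CORP\\Contractors"], "CORP\\Domain Users"),
        WindowsAccount("CORP", "dave", ["CORP\\Developers", "CORP\\Contractors"], "CORP\\Contractors"),
        WindowsAccount("CORP", "erin", ["CORP\\Contractors", "CORP\\Developers"], "CORP\\Domain Users"),
    ]:
        print(acct.username, resolve_settings(GROUPS, ACCOUNTS, acct))
```

Running the script shows each rule once: alice gets Developers (her only matching entry, listed above Everyone); bob gets Contractors through 'Specify group' even though that entry sits below Everyone; carol falls back to Everyone because her only matching entry is below it; dave's Active Directory primary group picks Contractors from two candidates; erin's primary group has no entry, so the first matching entry in settings order (Developers) wins regardless of membership order.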

Virtual groups and accounts

For administrators who want to avoid setting up a separate Windows account for every SSH user, WinSSHD provides the means to create virtual accounts. Virtual accounts behave exactly like Windows accounts, except for the following differences:

  • Scope.

    Windows accounts. A Windows account is created in Windows, and can be used to log into WinSSHD whether or not there is a corresponding WinSSHD Windows account entry. A Windows account exists outside of WinSSHD as a Windows security principal.

    Virtual accounts. A virtual account is created by adding an entry to 'Virtual accounts' in WinSSHD Settings. A virtual account exists only inside WinSSHD, and there is no awareness of virtual accounts in applications that an SSH session launches. Instead, those external applications are aware of a Windows account that is configured to back the virtual account. The backing Windows account provides an impersonation context on the level of the operating system.

  • Groups.

    Windows groups. The mapping between Windows account settings entries and Windows group settings entries in WinSSHD can be complex. It depends on the Windows account's actual Windows group memberships, Active Directory primary group settings, the 'Specify group' setting in the WinSSHD account settings entry, etc.

    Virtual groups. The mapping between a virtual account and its corresponding virtual group is straightforward. The virtual account entry always directly specifies a single corresponding virtual group.

  • Password.

    Windows accounts. The password of a Windows account is maintained by Windows. It is possible to change it either using the Windows Control Panel or Computer Management, or through WinSSHD during SSH user authentication, or using the included bvPwd command line utility.

    Virtual accounts. The password of a virtual account is maintained in WinSSHD Settings. It is configured by the administrator and cannot be changed by the user of the virtual account.

  • Backing Windows account. A virtual account still requires configuring a backing Windows account to provide the operating system-level impersonation context. WinSSHD will impersonate this backing Windows account when the virtual account is logged into. A single backing account can be used for any number of virtual users, and the backing account can be defined either for individual virtual accounts or for whole virtual groups. However, because WinSSHD needs to log into the backing Windows account when accepting a virtual account logon, the password for the backing Windows account needs to be stored in the WinSSHD password cache. It will not be possible to log into a virtual account until a password cache entry for the backing Windows account is configured. The password cache entry can be set manually using the WinSSHD Control Panel, through wcfg (using 'wcfg pass set'), or programmatically using the WinsshdCfgManip COM object.

    WinSSHD 5.02 and higher allow you to avoid explicitly configuring a backing Windows account for virtual users. When installed on machines that are not domain controllers, WinSSHD creates and manages a local Windows account. This account is used if no 'Windows account name' is configured for a virtual user. The Windows account is named 'WinSSHD_VirtualUsers' on default (unnamed) WinSSHD installations, but can be named differently if you installed WinSSHD as a named site. Run 'net user' from a Command Prompt to discover the name of this account. Domain controllers do not have local accounts, so this feature is not available on domain controllers.

In all other respects, a virtual account is just like a Windows account. Virtual account settings are superimposed on the corresponding virtual group settings just like with Windows group and account settings entries. All the WinSSHD settings for virtual accounts that look the same as for Windows accounts behave the same way.
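The virtual account rules above (one virtual group per account, a backing Windows account defined per account or per group, the password cache requirement, and the managed local account on non-domain-controllers) can be modelled as a small logon decision procedure. The following is an added illustration written for this page, not WinSSHD's own code; all group, account and host entries are constructed. Two points are assumptions beyond what the page states: that an account-level backing account takes precedence over the group's (consistent with account settings being superimposed on group settings), and that the WinSSHD-managed local account needs no manually configured password cache entry.

```python
"""Model of a virtual account logon in WinSSHD: single virtual group, backing
Windows account, password cache check, and the managed local account fallback.

Added illustration, not WinSSHD's code; all entries and names are constructed.
Assumed (not on the page): account-level backing account overrides the group's,
and the WinSSHD-managed local account needs no manual password cache entry.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MANAGED_LOCAL_ACCOUNT = "WinSSHD_VirtualUsers"   # name on a default (unnamed) site


@dataclass
class VirtualGroup:
    name: str
    backing_account: Optional[str] = None     # 'Windows account name' for the whole group
    settings: Dict[str, str] = field(default_factory=dict)


@dataclass
class VirtualAccount:
    name: str
    password: str                             # set by the administrator, not by the user
    group: str                                # always exactly one virtual group
    backing_account: Optional[str] = None     # per-account override of the group's
    settings: Dict[str, str] = field(default_factory=dict)


@dataclass
class Host:
    is_domain_controller: bool
    password_cache: Set[str]                  # backing accounts with a password cache entry


class LogonError(Exception):
    pass


def backing_account_for(acct: VirtualAccount, group: VirtualGroup, host: Host) -> str:
    """Which Windows identity the SSH session will impersonate."""
    backing = acct.backing_account or group.backing_account
    if backing:
        if backing not in host.password_cache:
            raise LogonError(f"no password cache entry for {backing}; "
                             "add one with 'wcfg pass set' or the Control Panel")
        return backing
    if host.is_domain_controller:             # no local accounts, hence no managed account
        raise LogonError("no backing Windows account configured on a domain controller")
    return MANAGED_LOCAL_ACCOUNT


def virtual_logon(accounts: List[VirtualAccount], groups: List[VirtualGroup],
                  host: Host, name: str, password: str) -> Tuple[str, Dict[str, str]]:
    acct = next((a for a in accounts if a.name.casefold() == name.casefold()), None)
    # Constant-time comparison; an unknown name is rejected the same way as a bad password.
    if acct is None or not hmac.compare_digest(acct.password.encode(), password.encode()):
        raise LogonError("virtual account name or password incorrect")
    group = next(g for g in groups if g.name == acct.group)
    backing = backing_account_for(acct, group, host)
    effective = dict(group.settings)
    effective.update(acct.settings)           # account entry superimposed on the group entry
    return backing, effective


def logon_outcome(accounts, groups, host, name, password) -> Tuple[bool, str]:
    """(True, backing account) on success, (False, reason) on failure."""
    try:
        return True, virtual_logon(accounts, groups, host, name, password)[0]
    except LogonError as e:
        return False, str(e)


# Constructed configuration
VGROUPS = [
    VirtualGroup("sftp-partners", backing_account="CORP\\svc_sftp",
                 settings={"SFTP root directory": "C:\\Partners"}),
    VirtualGroup("auditors"),                 # no backing account: managed local account is used
]
VACCOUNTS = [
    VirtualAccount("partner1", "example-password-1", "sftp-partners"),
    VirtualAccount("partner2", "example-password-2", "sftp-partners",
                   backing_account="CORP\\svc_quarantine",
                   settings={"SFTP root directory": "C:\\Quarantine"}),
    VirtualAccount("audit1", "example-password-3", "auditors"),
]
MEMBER_SERVER = Host(is_domain_controller=False, password_cache={"CORP\\svc_sftp"})
DOMAIN_CONTROLLER = Host(is_domain_controller=True, password_cache={"CORP\\svc_sftp"})

if __name__ == "__main__":
    for host_name, host in (("member server", MEMBER_SERVER), ("domain controller", DOMAIN_CONTROLLER)):
        for a in VACCOUNTS:
            print(host_name, a.name, logon_outcome(VACCOUNTS, VGROUPS, host, a.name, a.password))
```

Running it shows that partner1 impersonates the group's backing account on either host, partner2 is refused until 'CORP\svc_quarantine' gets a password cache entry, and audit1 succeeds on the member server through the managed local account but is refused on the domain controller, where that account does not exist.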