Active Directory permissions for password-less logon

If you would like to use Windows domain accounts with public key authentication, or as backing accounts for virtual accounts, and you do not wish to store passwords for these domain accounts in the SSH Server's password cache, then you need to ensure that the SSH Server has read permissions to user data in Active Directory.

A default Active Directory installation may already grant the necessary read permissions – for example, through the Active Directory group Pre-Windows 2000 Compatible Access. If the default settings have been changed, a permissions issue might arise when trying to use domain accounts with password-less logon.

If the SSH Server's log files indicate permission-related issues when trying to use domain accounts with password-less logon, grant the necessary read permissions as follows:

  1. On the Domain Controller, open Active Directory Users and Computers under Administrative Tools.

  2. In the View menu, enable Advanced Features.

  3. Right click on the Users container in the tree view. Click Properties.

  4. In the Security tab of the new dialog, click Advanced.

  5. In the Permissions tab of the Advanced Security Settings dialog, add an entry for the computer account of the machine running Bitvise SSH Server:

    1. In the Applies to field, select This object and all descendant objects.

    2. Enable the permissions List contents and Read all properties.

    Example screenshot.

These are the recommended settings: they are intended to be future-proof and easy to configure. However, it is possible to configure a more restricted alternative.
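The following PowerShell script is an added example, not part of the Bitvise documentation. It checks whether the SSH Server's computer account already holds the recommended List contents and Read all properties rights on the Users container (applied to this object and all descendants), and can optionally grant them. It assumes the ActiveDirectory module (RSAT) is installed and the script is run by a domain administrator; the computer name is a placeholder.

```powershell
# Added example (not Bitvise's own code). Requires the ActiveDirectory module and
# domain-admin rights. Set $Grant to $true to add the missing permission.
Import-Module ActiveDirectory

$SshServerComputer = 'SSHSERVER01'   # placeholder: name of the host running Bitvise SSH Server
$Grant = $false                      # $false = report only; $true = also grant the rights

$domainDn  = (Get-ADDomain).DistinguishedName
$usersPath = "AD:\CN=Users,$domainDn"
$sid       = [System.Security.Principal.SecurityIdentifier](Get-ADComputer -Identity $SshServerComputer).SID

# GUI "List contents" = ListChildren, "Read all properties" = ReadProperty (no property GUID)
$needed = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

$acl  = Get-Acl -Path $usersPath
$have = [System.DirectoryServices.ActiveDirectoryRights]0
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    if ($aceSid.Value -ne $sid.Value) { continue }
    # Count only entries that reach descendant objects and are not limited to one property set;
    # the "most restricted" layout (property-set ACEs) is deliberately not matched here.
    if ($ace.InheritanceType -in 'All','Descendents' -and $ace.ObjectType -eq [Guid]::Empty) {
        $have = $have -bor $ace.ActiveDirectoryRights
    }
}

$missing = $needed -band (-bnot $have)
if ($missing -eq 0) {
    Write-Output "$SshServerComputer already has List contents and Read all properties on $usersPath"
}
elseif ($Grant) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $needed,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)   # this object and all descendants
    $acl.AddAccessRule($rule)
    Set-Acl -Path $usersPath -AclObject $acl
    Write-Output "Granted $needed to $SshServerComputer on $usersPath"
}
else {
    Write-Output "$SshServerComputer is missing: $([System.DirectoryServices.ActiveDirectoryRights]$missing)"
}
```

Run it in report-only mode first; the output tells you whether the log's permission errors can be explained by a missing entry on the Users container before you change the ACL.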

Alternative most restricted permissions

The most restrictive Active Directory permissions under which the SSH Server can still function are as follows (with Advanced Features enabled in Active Directory Users and Computers, as above):

  1. Right click on the Users container in the tree view. Click Properties.

  2. In the Security tab of the new dialog, click Advanced.

  3. In the Permissions tab of the Advanced Security Settings dialog, add an entry for the computer account of the machine running Bitvise SSH Server:

    1. In the Applies to field, select This object only.

    2. Enable the permission List contents.

  4. Continuing in the Permissions tab, add another entry for the same computer account:

    1. In the Applies to field, select Descendant User objects.

    2. Enable the permissions:

      • Read account restrictions
      • Read general information
      • Read logon information
      • Read public information
      • Read remote access information

    Example screenshot.

Restricting permissions in this manner is not recommended because:

  • Future SSH Server versions might require additional permissions for password-less logon.

  • An SSH Server instance may be configured to automatically update to such a version in the administrator's absence.

  • If the SSH Server is not updated, it may instead remain exposed to a vulnerability that has since been discovered and fixed in a newer version.