0

We've got an established process where users connecting to an Ubuntu server via SSH have their public keys retrieved from our LDAP infrastructure and then PAM sets up their home directory, etc.

I need to set up a standalone Windows server but the users still want to use SSH to connect to it. I'm therefore looking into how to try and replicate the Ubuntu experience onto Windows.

As far as I can tell, though, Windows requires the users to pre-exist and their authorized keys to be saved in the user's .ssh directory, like Linux does under normal circumstances. If you want admin rights, it is more challenging because there is a single file storing all of the public keys for the admins and you have to set the ACL appropriately on the file. So, again, the users need to pre-exist.

Is there a solution to this? Free or paid - just trying to find out if a solution even exists.

Thanks.

Philip Colmer
  • 121
  • 5
  • Since the Windows SSH server is a fork of OpenSSHD it could have supported the opensshd [`AuthorizedKeysCommand`](https://man.openbsd.org/sshd_config.5#AuthorizedKeysCommand) option for sshd. When enabled the `AuthorizedKeysCommand` allows you to specify a command/script/executable that will run during login to retrieve a users public key(s) from a remote source (such as your LDAP server) and perform validation just as if there was `authorized_keys` file in the users home directory with those public keys. That is a really nice solution for centrally managing public keys – Bob Feb 08 '22 at 16:42
  • Unfortunately that is not yet supported in the Windows fork. See the list of unsupported options here: https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_server_configuration and I don't of any way to do something like in the native windows ssh server – Bob Feb 08 '22 at 16:48

0 Answers0