Description
"OpenSSH for Windows" version
0.0.17.0
Server OperatingSystem
Windows Server 2012 R2 Standard
Client OperatingSystem
Windows Server 2012 R2 Standard
What is failing
Unable to authenticate when using either "AllowUsers" or "AllowGroups" directive in the sshd_config for domain users
Expected output
Successful login
Actual output
User --username--@--domainname-- from ::1 not allowed because not listed in AllowUsers
User --username--@--domainname-- from ::1 not allowed because none of user's groups are listed in AllowGroups
I can't figure out the correct syntax for the AllowUsers/AllowGroups directives for domain users/groups, or if it's even working. Without setting either of them, I can successfully log in with a domain account through any version of the specified login command listed in the examples. With one of them set, I get a "not allowed because not listed in AllowUsers" or "not allowed because none of user's groups are listed in AllowGroups". I tried the following variants (user: john, group: hunters, domain: forest):
AllowGroups hunters
AllowGroups forest/hunters
etc. "forest\hunters", "forest\hunters", "FOREST/hunters", "hunters@forest", "hunters@FOREST"
Same scenario for AllowUsers with the user john:
AllowUsers john
AllowUsers forest/john
etc. "forest\john", "forest\john", "FOREST/john", "john@forest", "john@FOREST"
Workaround
Create a local group and put your domain group into it. Let's say the local group is called localhunters, which contains no user nor group other than domain group forest\hunters. Setting "AllowGroups localhunters" now lets you authenticate with your domain user john who's only a member of the forest\hunters group.
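
The workaround above written out as commands, added here as an example and not part of the original report. It uses the built-in `net localgroup` command and the post's names (`localhunters`, `forest\hunters`); the `sshd_config` path is a placeholder and the service name `sshd` is an assumption about the install.

```powershell
# Assumed values: adjust to your environment.
$LocalGroup  = 'localhunters'             # local group name from the post
$DomainGroup = 'forest\hunters'           # domain group from the post
$ConfigPath  = 'C:\path\to\sshd_config'   # placeholder: the sshd_config your sshd actually reads

# 1. Create the local group and nest the domain group in it.
net localgroup $LocalGroup /add
net localgroup $LocalGroup $DomainGroup /add

# 2. Review membership: the group should list only the domain group,
#    since every member of it will be allowed to log in over SSH.
net localgroup $LocalGroup

# 3. Keep a copy of the current config before editing it.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak"

# 4. Rewrite the global AllowGroups directive. It is placed ahead of the first
#    Match block so it applies to all connections and not only inside a Match;
#    AllowGroups lines inside Match blocks are left untouched.
$out  = New-Object 'System.Collections.Generic.List[string]'
$done = $false
foreach ($line in Get-Content -Path $ConfigPath) {
    if (-not $done -and $line -match '^\s*Match\s') {
        $out.Add("AllowGroups $LocalGroup")
        $done = $true
    }
    elseif (-not $done -and $line -match '^\s*AllowGroups\s') {
        continue   # drop the old global directive
    }
    $out.Add($line)
}
if (-not $done) { $out.Add("AllowGroups $LocalGroup") }
Set-Content -Path $ConfigPath -Value $out -Encoding Ascii

# 5. Restart the service so the new directive is read (service name assumed).
Restart-Service -Name sshd
```

Run it from an elevated PowerShell prompt, then repeat the login as the domain user to confirm the "not allowed because none of user's groups are listed in AllowGroups" message is gone.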