Correct way to do privilege elevation like sudo? #1308
Comments
I could be wrong with this but I don't believe it is possible to have a sudo-like setup on Windows when the connecting user does not already have admin credentials. AFAIK there are 3 public APIs you can use to create a new process under a different account;
So because
There are cases where an admin account would only have the full token which "should" work for you but this isn't universal. These scenarios would be;
If UAC is enabled, you aren't running as the builtin admin account, or it is the builtin admin account and admin approval mode is enabled for that account, then the created process will run under the limited token. This is because when you call This means that unless an existing service (with higher privileges) acts as a broker, you aren't able to log on as a limited user and "sudo" to an admin account with all its privileges intact. I'll be happy if someone could prove me wrong with this as I've been looking for a way to achieve this outside of SSH.
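To see which of the cases described in the comment above applies to a given session, the following added example (not part of the thread and not the project's code) reports the current token's elevation type together with the two UAC policy values the comment refers to. The names `Get-TokenElevationReport` and `Demo.Token` are made up for this example.

```powershell
# Added example: which kind of access token does this session hold?
# TOKEN_INFORMATION_CLASS 18 is TokenElevationType (winnt.h).
Add-Type -Namespace Demo -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(
    IntPtr TokenHandle, int TokenInformationClass,
    out int TokenInformation, int TokenInformationLength, out int ReturnLength);
'@

function Get-TokenElevationReport {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    [int]$type = 0
    [int]$returned = 0
    $ok = [Demo.Token]::GetTokenInformation($identity.Token, 18, [ref]$type, 4, [ref]$returned)
    if (-not $ok) { throw 'GetTokenInformation(TokenElevationType) failed' }

    # TOKEN_ELEVATION_TYPE values from winnt.h
    $meaning = switch ($type) {
        1 { 'Default: no split token (standard user, UAC off, or admin without approval mode)' }
        2 { 'Full: elevated half of a split admin token' }
        3 { 'Limited: filtered half of a split admin token' }
        default { "Unknown ($type)" }
    }

    # UAC policy values; a missing value is reported as $null
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # IsInRole is true only when the Administrators group is enabled in the
    # token; in a limited token the group is deny-only, so this returns false.
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User                     = $identity.Name
        ElevationType            = $meaning
        AdministratorsEnabled    = $isAdmin
        EnableLUA                = $policy.EnableLUA                 # UAC on/off
        FilterAdministratorToken = $policy.FilterAdministratorToken  # approval mode for builtin admin
    }
}

Get-TokenElevationReport | Format-List
```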
@RaymiiOrg your best bet is to do a nested ssh from within the remote session: `ssh -t adminuser@localhost`
PowerShell has a feature called Just Enough Administration that sounds like the closest thing I've seen so far on Windows to What is still required to make JEA work over SSH?
@mgkuhn JEA is something that's implemented directly in PowerShell and WinRM/SSH is just the underlying transport for the PSRP fragments sent over the wire. This means it's probably a question for the PowerShell team to talk about how to implement JEA support over SSH as this project stays focused on the SSH aspects. I'm in no way affiliated with either team so I'm not sure what communication goes on between the 2 or whether there are already plans to do this currently. Currently JEA works over WinRM by having a JEA configuration tied to a specific resource URI registered against the WinRM listener. When a user goes to connect to a particular configuration endpoint, using SSH is a bit different as it uses a subsystem that is set to call It looks like the
I'm looking for a way to do sudo-like privilege elevation. Administrators are not allowed to log in, so as a regular user I need a way to become Administrator to do privileged actions, in the same ssh session. I've written down a way with PowerShell here:
https://raymii.org/s/tutorials/SSH_on_Windows_Server_2019.html#sudo
Example output:
But that is not as easy as just "sudo". What is the correct way to do privilege elevation?