diff --git a/client/ssh/server/command_execution.go b/client/ssh/server/command_execution.go
index 57589f718..7199ad036 100644
--- a/client/ssh/server/command_execution.go
+++ b/client/ssh/server/command_execution.go
@@ -13,7 +13,7 @@ import (
 )
 // handleCommand executes an SSH command with privilege validation
-func (s *Server) handleCommand(logger *log.Entry, session ssh.Session, privilegeResult PrivilegeCheckResult, ptyReq ssh.Pty, winCh <-chan ssh.Window) {
+func (s *Server) handleCommand(logger *log.Entry, session ssh.Session, privilegeResult PrivilegeCheckResult, winCh <-chan ssh.Window) {
 	localUser := privilegeResult.User
 	hasPty := winCh != nil
diff --git a/client/ssh/server/executor_windows.go b/client/ssh/server/executor_windows.go
index 8a937b821..19c3d5a0b 100644
--- a/client/ssh/server/executor_windows.go
+++ b/client/ssh/server/executor_windows.go
@@ -80,7 +80,7 @@ func (pd *PrivilegeDropper) CreateWindowsExecutorCommand(ctx context.Context, co
 	log.Tracef("creating Windows direct shell command: %s %v", shellArgs[0], shellArgs)
-	cmd, err := pd.CreateWindowsProcessAsUserWithArgs(
+	cmd, err := pd.CreateWindowsProcessAsUser(
 		ctx, shellArgs[0], shellArgs, config.Username, config.Domain, config.WorkingDir)
 	if err != nil {
 		return nil, fmt.Errorf("create Windows process as user: %w", err)
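Review bot: handleCommand now decides PTY mode solely from `hasPty := winCh != nil`, but neither the signature nor the doc comment states that a nil winCh means non-PTY execution, and the call sites in session_handlers.go (the `nil` argument in the hasCommand case of sessionHandler) depend on that convention. Suggest widening the comment to `// handleCommand executes an SSH command with privilege validation. A nil winCh selects non-PTY execution; a non-nil winCh means the client requested a PTY (presumably it carries window-size changes).` so the contract is visible at both the definition and the callers. handleCommand's body continues outside this hunk.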
@@ -454,14 +454,13 @@ func (pd *PrivilegeDropper) authenticateDomainUser(username, domain, fullUsernam
 	return token, nil
 }
-// CreateWindowsProcessAsUserWithArgs creates a process as user with safe argument passing (for SFTP and executables)
-func (pd *PrivilegeDropper) CreateWindowsProcessAsUserWithArgs(ctx context.Context, executablePath string, args []string, username, domain, workingDir string) (*exec.Cmd, error) {
+// CreateWindowsProcessAsUser creates a process as user with safe argument passing (for SFTP and executables)
+func (pd *PrivilegeDropper) CreateWindowsProcessAsUser(ctx context.Context, executablePath string, args []string, username, domain, workingDir string) (*exec.Cmd, error) {
 	fullUsername := buildUserCpn(username, domain)
 	token, err := pd.createToken(username, domain)
 	if err != nil {
-		log.Debugf("S4U authentication failed for user %s: %v", fullUsername, err)
-		return nil, fmt.Errorf("user authentication failed: %w", err)
+		return nil, fmt.Errorf("user authentication: %w", err)
 	}
 	log.Debugf("using S4U authentication for user %s", fullUsername)
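Review bot: The renamed CreateWindowsProcessAsUser keeps the parenthetical `(for SFTP and executables)` in its doc comment, but with CreateWindowsShellAsUser removed it is now also the path CreateWindowsExecutorCommand uses for shell commands, so the comment is stale. The comment should also state the argv contract: the function continues past this hunk into createProcessWithToken, which (as the next hunk's context shows) invokes `exec.CommandContext(ctx, executablePath, args[1:]...)`, so args[0] is expected to be the program name and an empty args slice would panic; suggest `// CreateWindowsProcessAsUser creates a process as the given user with safe argument passing (SFTP, executables and shell commands). args is the full argv; args[0] must be the program name and is not passed again as an argument.` plus a guard `if len(args) == 0 { return nil, fmt.Errorf("create process as user: empty argument list") }` before createToken. Dropping the Debugf on createToken failure means this layer no longer records a failed S4U authentication; that is acceptable only if the caller logs the wrapped error, which is not visible here.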
@@ -474,26 +473,6 @@ func (pd *PrivilegeDropper) CreateWindowsProcessAsUserWithArgs(ctx context.Conte
 	return pd.createProcessWithToken(ctx, windows.Token(token), executablePath, args, workingDir)
 }
-// CreateWindowsShellAsUser creates a shell process as user (for SSH commands/sessions)
-func (pd *PrivilegeDropper) CreateWindowsShellAsUser(ctx context.Context, shell, command string, username, domain, workingDir string) (*exec.Cmd, error) {
-	fullUsername := buildUserCpn(username, domain)
-	token, err := pd.createToken(username, domain)
-	if err != nil {
-		return nil, fmt.Errorf("user authentication failed: %w", err)
-	}
-	log.Debugf("using S4U authentication for user %s", fullUsername)
-	defer func() {
-		if err := windows.CloseHandle(token); err != nil {
-			log.Debugf(closeTokenErrorMsg, err)
-		}
-	}()
-	shellArgs := buildShellArgs(shell, command)
-	return pd.createProcessWithToken(ctx, windows.Token(token), shell, shellArgs, workingDir)
-}
 // createProcessWithToken creates process with the specified token and executable path
 func (pd *PrivilegeDropper) createProcessWithToken(ctx context.Context, sourceToken windows.Token, executablePath string, args []string, workingDir string) (*exec.Cmd, error) {
 	cmd := exec.CommandContext(ctx, executablePath, args[1:]...)
diff --git a/client/ssh/server/session_handlers.go b/client/ssh/server/session_handlers.go
index 402ff8bfb..8025aad01 100644
--- a/client/ssh/server/session_handlers.go
+++ b/client/ssh/server/session_handlers.go
@@ -44,13 +44,13 @@ func (s *Server) sessionHandler(session ssh.Session) {
 	switch {
 	case isPty && hasCommand:
 		// ssh -t - Pty command execution
-		s.handleCommand(logger, session, privilegeResult, ptyReq, winCh)
+		s.handleCommand(logger, session, privilegeResult, winCh)
 	case isPty:
 		// ssh - Pty interactive session (login)
 		s.handlePty(logger, session, privilegeResult, ptyReq, winCh)
 	case hasCommand:
 		// ssh - non-Pty command execution
-		s.handleCommand(logger, session, privilegeResult, ssh.Pty{}, nil)
+		s.handleCommand(logger, session, privilegeResult, nil)
 	default:
 		s.rejectInvalidSession(logger, session)
 	}