1

I set up a VPN and I can SSH into my WSL2 on Windows via any other computer, by running:

ssh microsoft_account_email@ipaddress

from another computer's terminal. I created other users on my WSL by running

sudo adduser -name

and I tried running:

ssh username@ipaddress

however that won't work. I realised I can only ssh if I put my microsoft email as the username rather than the actual WSL username.

How can I ssh into chosen users rather than into root? The idea is to have several people being able to ssh into their own accounts on WSL.

MilTom

2 Answers

1

The process of exposing WSL1/2 SSH to the public you will find detailed in the article
Configuring SSH access into WSL 1 and WSL 2.

I expose here only the parts which I think are missing from what you did, found in the section "WSL 2-specific steps". The article assumes 2022 as the incoming port for SSH.

Creating the firewall rule to allow incoming traffic on port 2022 with PowerShell:

New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd) for WSL' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 2022

Routing incoming traffic on the physical interface to the WSL interface is complicated because the IP given to the WSL instance changes over time. To figure that out dynamically, one needs to update the batch script %USERPROFILE%\sshd.bat as follows:

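@echo off
setlocal

REM Start the OpenSSH server inside the default WSL distribution.
C:\Windows\System32\bash.exe -c "sudo /usr/sbin/service ssh start"

REM Remove the previous forwarding rule, which may point at a stale WSL IP.
C:\Windows\System32\netsh.exe interface portproxy delete v4tov4 listenport=2022 listenaddress=0.0.0.0 protocol=tcp

REM Read the WSL instance's current IP address.
for /f %%i in ('wsl hostname -I') do set IP=%%i

REM Forward port 2022 on every Windows interface (0.0.0.0) to sshd in WSL.
C:\Windows\System32\netsh.exe interface portproxy add v4tov4 listenport=2022 listenaddress=0.0.0.0 connectport=2022 connectaddress=%IP%

endlocal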

Once this is done, you should be able to SSH using the user-name, rather than the Microsoft account.

For more details, see the linked article.

harrymc
  • I see. I followed all the steps, however seems I still can't SSH into users, and I think it is due to the last bit in your link when they edit the ~/.ssh/config file. What I did at the end is edit that file on my root WSL machine (to which the users will remote into), and added each user in the format: Host user_1 Hostname ip_address_of_remote Port 2022 User user_1 Is this the right format? From my understanding the Host can be any name I choose, and the Hostname should be the ip address of the computer, the same one from 'ssh user@ipaddress'? – MilTom Apr 09 '22 at 12:56
  • If I then do 'ssh user_1@ipaddress' it asks for password but says password is incorrect each time, and if I instead do 'ssh user_1@ipaddress -p 2022' then it says 'Permission denied (publickey)' – MilTom Apr 09 '22 at 13:03
  • I suggest going through the article from the start, looking for more missing pieces. – harrymc Apr 09 '22 at 13:46
1

The idea is to have several people being able to ssh into their own accounts on WSL.

First, make sure you fully understand the security implications of this process. Each user in WSL will be running with the same permissions as your Windows user. By default, they will have the ability to run Windows applications (like PowerShell or CMD) with your permissions. They will have the ability to access and modify files (even some encrypted) as your Windows user.

If you are okay with this -- Great. Proceed.

If not, you will have to lock down WSL to restrict access to Windows -- If that's even possible. See this answer for some details, but realize that even that might not be enough.

As for your particular problem, there are likely a few things going on here:

  • First, if you are having to enter a Microsoft account to access SSH, that means you are running the Windows OpenSSH server on port 22. That server is not going to know about WSL usernames.

  • From the comments on @harrymc's answer, you mention that you are seeing Permission denied (publickey). after configuring the WSL instance for SSH on port 2022.

    That's likely because the default /etc/ssh/sshd_config for the distribution that you are using has password authentication disabled. You can change this by sudo -e /etc/ssh/sshd_config and commenting out #PasswordAuthentication no.

NotTheDr01ds
  • I wasn't aware of that, I expected each non-sudo user wouldn't be able to access anything outside of its account. When I SSH into WSL, am I going through Windows OpenSSH server or the WSL OpenSSH server? From my understanding there are ssh config files for both services and I updated the WSL one with the usernames, perhaps in that case I should also add the usernames to the Windows OpenSSH config file – MilTom Apr 11 '22 at 16:36
  • @MilTom The way you appear to be configured at the moment (from the comments), when you are `ssh`'ing into 2022, you are hitting the WSL server. The problem with adding the usernames to the Windows OpenSSH side is that this must be done (to my knowledge) through Windows accounts. I was (originally, while typing up the answer) trying to think of a way to set it up so that the users *could* log in through the Windows server to access WSL, but I couldn't come up with one. Not to say it can't work - I might be simply missing something. Unlikely, but it happens from time to time ;-) – NotTheDr01ds Apr 11 '22 at 19:07
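
The "Permission denied (publickey)" diagnosis in the second answer depends on which PasswordAuthentication value the WSL sshd actually uses. The following is an added example, not code from the posts or the linked article: a shell function that reports the first value of a keyword in an sshd_config file, since sshd keeps the first value it reads. The function name and the sample config are constructed for illustration; Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: which value would sshd use for a keyword in this config file?
# sshd keeps the FIRST value it reads for a keyword; later lines are ignored.
# Assumptions: whitespace-separated "Keyword value" lines, Include files are
# not followed, and reading stops at the first Match block. On a live system,
# confirm with `sudo sshd -T`.

effective_sshd_option() {
    # $1 = config file, $2 = keyword, $3 = value to report if the keyword is unset
    awk -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want) }
        NF == 0 || $1 ~ /^#/ { next }        # blank lines and comments
        tolower($1) == "match" { exit }       # end of the global section
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print dflt }
    ' "$1"
}

# Constructed sample: the commented-out line is inert, so the explicit "no" wins.
sample_config() {
    cat <<'EOF'
Port 2022
#PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
# per-user section, ignored by this check
Match User user_1
    X11Forwarding yes
EOF
}

cfg=$(mktemp)
sample_config > "$cfg"
echo "port:                   $(effective_sshd_option "$cfg" Port 22)"
echo "passwordauthentication: $(effective_sshd_option "$cfg" PasswordAuthentication yes)"
rm -f "$cfg"
```

A result of `no` for PasswordAuthentication means the server accepts key-based logins only, which matches the `Permission denied (publickey)` message quoted in the comments.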