Start as unpriviliged user by default with sudo for Windows enabled systems

[matteodev8]

Summary of the new feature / enhancement

Currently, when the user is assigned to Administrators, the ssh session will also be an Administrator session. This breaks some software like scoop.

Due to the development of sudo for Windows (https://github.com/microsoft/sudo), it would be a good idea to always start the session unprivileged. If the user needs Admin rights, they should use sudo instead.

Proposed technical implementation details (optional)

No response

[jborean93]

One problem with starting as non-admin is you have no way of elevating to admin when you need it to. While there is now the sudo tool from Windows it still relies on the interactive UAC prompt to elevate the process which won't work on the non-interactive SSH logon session as there is no Windows GUI to display the prompt on. Unless Windows provides a way to get UAC working in a TTY like prompt then you are reliant on 3rd party tools to do the elevation.

[framillien]

Yes, Microsoft sudo-like should allow TTY elevation and so be usable trough SSH.

Our use case: On our CI infra we allow connexion for a dedicated CI user with SSH and RDP. For some use cases this CI user need elevated privileges (mainly for Debugging sessions with Visual Studio). But we want to keep all actions done through SSH without elevated privileges (like RDP). Currently with SSH, we are corrupting caches, workspaces, tmp folders, ... with files owned by 'Administrator' (unlike RDP). Also, we do not create disctincts user for SSH access, to limit complexity/errors, all CI operations are made by only one user.

As describe in above use case, this will also match the well know workflow already implemented in RDP and all Windows session (by default no rights, elevation only on demand)

We are disabling SSH access for now, since RDP work as expected. We keep SSH access only for Linux and Macos, working as expected with sudo and TTY.