Updated Security protection of various files in Win32 OpenSSH (markdown)

2025-07-22 13:34:43 +02:00 · 2019-01-14 11:12:56 -08:00 · 2019-01-14 11:12:56 -08:00 · 1da94eeac1
commit 1da94eeac1
parent e870f11bed
1 changed files with 19 additions and 12 deletions
--- a/Security-protection-of-various-files-in-Win32-OpenSSH.md
+++ b/Security-protection-of-various-files-in-Win32-OpenSSH.md
@ -1,6 +1,6 @@
 Various OpenSSH resource files are integral to secure working of both server and client stacks. Here we discuss how to protect these resources, how OpenSSH for Windows enforces permission checks and individual case studies on how to fix any permission related issues. 

-Improper file permissions will likely result in a broken configuration (OpenSSH fails to work). Powershell based [Utility scripts](https://github.com/PowerShell/Win32-OpenSSH/wiki/OpenSSH-utility-scripts-to-fix-file-permissions) included in release payload can help with fixing any permissions related issues. Here, you'll find icacls based commands to fix such issues.
+Improper file permissions will likely result in a broken configuration (OpenSSH fails to work). Here, you'll find icacls based commands to fix such issues.

 2 fundamental reasons leading to the differences between how these permission checks work on Unix vs Windows:
 - SuperUser on Unix maps to either [System (SY)](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx) or AdministratorsGroup (AG) on Windows. 
@ -19,8 +19,7 @@ Permissions for 'ssh_host_dsa_key' are too open.

 ## Server side resources
 ### Host private key files
-Host keys represent host's identity. To prevent unauthorized access to these files, host keys need to be owned by SY or AG. No other user should have access to host key files. Its recommended that host private keys be registered with ssh-agent. Otherwise, sshd service would require read access to these files. 
-Following is a misconfigured host private key because 'otheruser' owns it and has access to the key. 
+Host keys represent host's identity. To prevent unauthorized access to these files, host keys need to be owned by SY or AG. No other user should have access to host key files. Following is a misconfigured host private key because 'otheruser' owns it and has access to the key. 
 ```Powershell
 PS C:\>(get-acl .\ssh_host_dsa_key).owner
 otheruser
@ -39,29 +38,37 @@ At this point, you could do the following to replicate these permissions onto ot
 PS C:\>get-acl .\ssh_host_dsa_key | Set-Acl ssh_host*key
 ```
 ### authorized_keys
-authorized_keys is an user associated file that represents a list of authorized public keys that could be used for (key-based) user authentication. Unauthorized access to this file compromises the associated user's account. This file should not be owned by, nor provide access to any other user. Note that sshd service needs **read** access to authorized_keys for public key validation. 
+authorized_keys is an user associated file that represents a list of authorized public keys that could be used for (key-based) user authentication. Unauthorized access to this file compromises the associated user's account. This file should not be owned by, nor provide access to any other user. 
 Following is a misconfigured authorized key because 
 - 'otheruser1' has access to the file (through inheritance) 
 - 'otheruser2' has access to this file (explicit permission). 
- sshd service has full access (it only needs read access)
 ```Powershell
 PS C:\>(get-acl .\users\thisuser\.ssh\authorized_keys).owner
 thisuser
 PS C:\>icacls .\users\thisuser\.ssh\authorized_keys
-ssh_host_dsa_key   NT SERVICE\sshd:(F)
-                   BUILTIN\Administrators:(F)
+ssh_host_dsa_key   BUILTIN\Administrators:(F)
                   thisuser:(F) 
                   otheruser1:(IR)
                   otheruser2:(R)
 ```
-Steps to fix these permissions - disable inheritance, remove access to otheruser*, and fix access to sshd
+Steps to fix these permissions - remove inheritance and inherited permissions
 ```Powershell
-PS C:\>icacls .\users\thisuser\.ssh\authorized_keys /inheritance:d
-PS C:\>icacls .\users\thisuser\.ssh\authorized_keys /remove otheruser1
+PS C:\>icacls .\users\thisuser\.ssh\authorized_keys /inheritance:r
 PS C:\>icacls .\users\thisuser\.ssh\authorized_keys /remove otheruser2
-PS C:\>icacls .\users\thisuser\.ssh\authorized_keys /remove `"NT SERVICE\sshd`"
-PS C:\>icacls .\users\thisuser\.ssh\authorized_keys /grant `"NT SERVICE\sshd`":`(R`)
 ```
+### administrators_authorized_keys
+Default location for authorized keys file for users in administrators group is 
+`%programdata%\ssh\administrators_authorized_keys`
+This file should only be accessible by SYSTEM and Administrators group.
+
+Steps to fix permissions on this file:
+```Powershell
+PS C:\>icacls administrators_authorized_keys /inheritance:r
+PS C:\>icacls administrators_authorized_keys /grant SYSTEM:`(F`)
+PS C:\>icacls administrators_authorized_keys /grant BUILTIN\Administrators:`(F`)
+```
+
+
 ## Client side resources
 ### User private key files
 User's private keys are user's credentials. To prevent unauthorized access to these files, private keys need to be owned by the user and no other user should have access to user's key files.