diff --git a/Security-protection-of-various-files-in-win32-openssh.md b/Security-protection-of-various-files-in-win32-openssh.md new file mode 100644 index 0000000..948827d --- /dev/null +++ b/Security-protection-of-various-files-in-win32-openssh.md 
@@ -0,0 +1,120 @@ +##### General Introduction +Starting on build [v0.0.13.0][build13], win32 openssh make sure file are secured before get loaded. SSH-keygen.exe generates protected key files as well. 'Secured' means: +1. The file owner can only be one of these account types: local Administrators group, local system account, users in local administrators group, the current process user. +2. For authorized_keys, host keys, "NT Service\sshd" are required to have and only have read access to the file. +3. No others than the below account types are allowed to access to the file: local administrators group, local system account, users in local administrators group, current process user. + +Utility scripts to adjust file permissions: +1. Script to remove inheritance of the file, assign owner, and grant the owner full control +``` +$user = "" +$objUser = New-Object System.Security.Principal.NTAccount($user) +Set-SecureFileACL -filepath $env:systemdrive\Users\$user\.ssh\authorized_keys -owner $objUser +function Set-SecureFileACL +{ + param( + [string]$FilePath, + [System.Security.Principal.NTAccount]$Owner = $null + ) + + $myACL = Get-ACL -Path $FilePath + $myACL.SetAccessRuleProtection($True, $True) + Set-Acl -Path $FilePath -AclObject $myACL + + $myACL = Get-ACL $FilePath + $actualOwner = $null + if($owner -eq $null) + { + $actualOwner = New-Object System.Security.Principal.NTAccount($($env:USERDOMAIN), $($env:USERNAME)) + } + else + { + $actualOwner = $Owner + } + + $myACL.SetOwner($actualOwner) + + if($myACL.Access) + { + $myACL.Access | % { + if(-not ($myACL.RemoveAccessRule($_))) + { + throw "failed to remove access of $($_.IdentityReference.Value) rule in setup " + } + } + } + + $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ` + ($actualOwner, "FullControl", "None", "None", "Allow") + $myACL.AddAccessRule($objACE) + + Set-Acl -Path $FilePath -AclObject $myACL +} + +``` +2. 
Grant "NT Service\sshd" Read permission to a file +``` +Add-PermissionToFileACL -FilePath "$hostKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read" +function Add-PermissionToFileACL +{ + param( + [string]$FilePath, + [System.Security.Principal.NTAccount] $User, + [System.Security.AccessControl.FileSystemRights]$Perm + ) + + $myACL = Get-ACL $filePath + + $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ` + ($User, $perm, "None", "None", "Allow") + $myACL.AddAccessRule($objACE) + + Set-Acl -Path $filePath -AclObject $myACL +} +``` +*** +##### Settings for Win32 OpenSSH work End to End + +**For users who want to use host and user keys generated by SSH-keygen.exe after build [v0.0.13.0][build13]** + +The new generated keys have current login use as owner and only grant the owner full control access. +1. Grant "NT Service\sshd" Read access to both public and private host key files for the keys to function. +``` +Add-PermissionToFileACL -FilePath $hostKeyFilePath -User "NT Service\sshd" -Perm "Read" +Add-PermissionToFileACL -FilePath "$hostKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read" +``` +2. Grant "NT Service\sshd" Read access to authorized_keys +``` +$user = '' +$userProfilePath = "$env:systemdrive\Users\$user" +Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read" +``` + +**For users to use existing host and user keys generated before build [v0.0.13.0][build13].** + +The keys generated by ssh-keygen.exe before [v0.0.13.0][build13] inherits permissions from the parent folder. Other accounts than allowed account types may also have access to the file. + +1. Adjust file permission of private host key: Set current user as owner and grant current user full control and "NT Service\sshd" Read access. +``` +Set-SecureFileACL -FilePath $hostPrivateKeyFilePath +Add-PermissionToFileACL -FilePath $hostPrivateKeyFilePath -User "NT Service\sshd" -Perm "Read" +``` +2. 
Adjust file permission of public host key: Grant "NT Service\sshd" Read access. +``` +Add-PermissionToFileACL -FilePath $hostPublicKeyFilePath -User "NT Service\sshd" -Perm "Read" +``` +3. Adjust file permission of user key file before supply it to ssh-add, scp, ssh, sftp: Set current user as owner and grant current user full control +``` +Set-SecureFileACL -FilePath $userPrivateKeyFilePath +``` + +4. Adjust file permission of authorized_keys file: Set server login user as owner and grant server login user full control and "NT Service\sshd" Read access. +``` +$user = '' +$userProfilePath = "$env:systemdrive\Users\" +$objUser = New-Object System.Security.Principal.NTAccount($user) +Set-SecureFileACL "$userProfilePath\.ssh\authorized_keys" -owner $objUser +Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read" +``` + +[build13]: https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v0.0.13.0
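Review bot: In step 4 of the existing-keys section, `$userProfilePath = "$env:systemdrive\Users\"` leaves out `$user`, so the two commands that follow resolve `.ssh\authorized_keys` directly under the Users folder instead of under the login user's profile. Use `"$env:systemdrive\Users\$user"`, as the step 2 snippet for newly generated keys already does. Both utility snippets also place the example call (`Set-SecureFileACL ...`, `Add-PermissionToFileACL ...`) above the `function` definition, which fails when the block is pasted and run top to bottom as a script, so move each call below its function body. Finally, `$user = ""` and `$user = ''` should carry a visible placeholder with a comment telling the reader to fill it in, because an empty name cannot be used to construct the `NTAccount` passed as `-owner`.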