Initial draft

Security-protection-of-various-files-in-win32-openssh.md

@@ -0,0 +1,120 @@
+##### General Introduction
+Starting on build [v0.0.13.0][build13], win32 openssh make sure file are secured before get loaded. SSH-keygen.exe generates protected key files as well. 'Secured' means:
+1. The file owner can only be one of these account types: local Administrators group, local system account, users in local administrators group, the current process user.
+2. For authorized_keys, host keys, "NT Service\sshd" are required to have and only have read access to the file.
+3. No others than the below account types are allowed to access to the file: local administrators group, local system account, users in local administrators group, current process user.
+
+Utility scripts to adjust file permissions:
+1. Script to remove inheritance of the file, assign owner, and grant the owner full control 
+```
+$user = "<user>"
+$objUser = New-Object System.Security.Principal.NTAccount($user)
+Set-SecureFileACL -filepath $env:systemdrive\Users\$user\.ssh\authorized_keys -owner $objUser
+function Set-SecureFileACL 
+{            
+    param(
+        [string]$FilePath,
+        [System.Security.Principal.NTAccount]$Owner = $null
+        )
+
+    $myACL = Get-ACL -Path $FilePath
+    $myACL.SetAccessRuleProtection($True, $True)
+    Set-Acl -Path $FilePath -AclObject $myACL
+
+    $myACL = Get-ACL $FilePath
+    $actualOwner = $null
+    if($owner -eq $null)
+    {
+        $actualOwner = New-Object System.Security.Principal.NTAccount($($env:USERDOMAIN), $($env:USERNAME))
+    }
+    else
+    {
+        $actualOwner = $Owner
+    }
+            
+    $myACL.SetOwner($actualOwner)
+    
+    if($myACL.Access) 
+    {        
+        $myACL.Access | % {                    
+            if(-not ($myACL.RemoveAccessRule($_)))
+            {
+                throw "failed to remove access of $($_.IdentityReference.Value) rule in setup "
+            }                    
+        }
+    }
+
+    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
+        ($actualOwner, "FullControl", "None", "None", "Allow")
+    $myACL.AddAccessRule($objACE)
+
+    Set-Acl -Path $FilePath -AclObject $myACL
+}       
+
+```
+2. Grant "NT Service\sshd" Read permission to a file
+```
+Add-PermissionToFileACL -FilePath "$hostKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read"
+function Add-PermissionToFileACL 
+{    
+    param(
+        [string]$FilePath,
+        [System.Security.Principal.NTAccount] $User,
+        [System.Security.AccessControl.FileSystemRights]$Perm
+    )    
+
+    $myACL = Get-ACL $filePath
+        
+    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
+        ($User, $perm, "None", "None", "Allow") 
+    $myACL.AddAccessRule($objACE)    
+
+    Set-Acl -Path $filePath -AclObject $myACL
+}
+``` 
+***
+##### Settings for Win32 OpenSSH work End to End
+
+**For users who want to use host and user keys generated by SSH-keygen.exe after build [v0.0.13.0][build13]**
+
+The new generated keys have current login use as owner and only grant the owner full control access. 
+1. Grant "NT Service\sshd" Read access to both public and private host key files for the keys to function.
+```
+Add-PermissionToFileACL -FilePath $hostKeyFilePath -User "NT Service\sshd" -Perm "Read"
+Add-PermissionToFileACL -FilePath "$hostKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read"
+```
+2. Grant "NT Service\sshd" Read access to authorized_keys
+```
+$user = '<user>'
+$userProfilePath = "$env:systemdrive\Users\$user"
+Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read"
+```
+
+**For users to use existing host and user keys generated before build [v0.0.13.0][build13].**
+
+The keys generated by ssh-keygen.exe before [v0.0.13.0][build13] inherits permissions from the parent folder. Other accounts than allowed account types may also have access to the file.
+
+1. Adjust file permission of private host key: Set current user as owner and grant current user full control and "NT Service\sshd" Read access.
+```
+Set-SecureFileACL -FilePath $hostPrivateKeyFilePath
+Add-PermissionToFileACL -FilePath $hostPrivateKeyFilePath -User "NT Service\sshd" -Perm "Read"
+```
+2. Adjust file permission of public host key: Grant "NT Service\sshd" Read access.
+```
+Add-PermissionToFileACL -FilePath $hostPublicKeyFilePath -User "NT Service\sshd" -Perm "Read"
+``` 
+3. Adjust file permission of user key file before supply it to ssh-add, scp, ssh, sftp: Set current user as owner and grant current user full control
+```
+Set-SecureFileACL -FilePath $userPrivateKeyFilePath
+``` 
+
+4. Adjust file permission of authorized_keys file: Set server login user as owner and grant server login user full control and "NT Service\sshd" Read access.
+```
+$user = '<user>'
+$userProfilePath = "$env:systemdrive\Users\<user>"
+$objUser = New-Object System.Security.Principal.NTAccount($user)
+Set-SecureFileACL "$userProfilePath\.ssh\authorized_keys" -owner $objUser
+Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read"
+```
+
+[build13]: https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v0.0.13.0