tyler.durden/Win32-OpenSSH
1
0
Fork 0
mirror of https://github.com/PowerShell/Win32-OpenSSH.git synced 2025-07-27 07:54:50 +02:00
Code Issues Packages Projects Releases Wiki Activity

Initial draft

Yanbing 2017-05-11 17:11:13 -07:00
parent dd255fc4f6
commit 22180469e8
1 changed files with 120 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

120
Security-protection-of-various-files-in-win32-openssh.md Normal file

@ -0,0 +1,120 @@
##### General Introduction
Starting on build [v0.0.13.0][build13], win32 openssh make sure file are secured before get loaded. SSH-keygen.exe generates protected key files as well. 'Secured' means:
1. The file owner can only be one of these account types: local Administrators group, local system account, users in local administrators group, the current process user.
2. For authorized_keys, host keys, "NT Service\sshd" are required to have and only have read access to the file.
3. No others than the below account types are allowed to access to the file: local administrators group, local system account, users in local administrators group, current process user.
Utility scripts to adjust file permissions:
1. Script to remove inheritance of the file, assign owner, and grant the owner full control
```
$user = "<user>"
$objUser = New-Object System.Security.Principal.NTAccount($user)
Set-SecureFileACL -filepath $env:systemdrive\Users\$user\.ssh\authorized_keys -owner $objUser
function Set-SecureFileACL
{
param(
[string]$FilePath,
[System.Security.Principal.NTAccount]$Owner = $null
)
$myACL = Get-ACL -Path $FilePath
$myACL.SetAccessRuleProtection($True, $True)
Set-Acl -Path $FilePath -AclObject $myACL
$myACL = Get-ACL $FilePath
$actualOwner = $null
if($owner -eq $null)
{
$actualOwner = New-Object System.Security.Principal.NTAccount($($env:USERDOMAIN), $($env:USERNAME))
}
else
{
$actualOwner = $Owner
}
$myACL.SetOwner($actualOwner)
if($myACL.Access)
{
$myACL.Access | % {
if(-not ($myACL.RemoveAccessRule($_)))
{
throw "failed to remove access of $($_.IdentityReference.Value) rule in setup "
}
}
}
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
($actualOwner, "FullControl", "None", "None", "Allow")
$myACL.AddAccessRule($objACE)
Set-Acl -Path $FilePath -AclObject $myACL
}
```
2. Grant "NT Service\sshd" Read permission to a file
```
Add-PermissionToFileACL -FilePath "$hostKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read"
function Add-PermissionToFileACL
{
param(
[string]$FilePath,
[System.Security.Principal.NTAccount] $User,
[System.Security.AccessControl.FileSystemRights]$Perm
)
$myACL = Get-ACL $filePath
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
($User, $perm, "None", "None", "Allow")
$myACL.AddAccessRule($objACE)
Set-Acl -Path $filePath -AclObject $myACL
}
```
***
##### Settings for Win32 OpenSSH work End to End
**For users who want to use host and user keys generated by SSH-keygen.exe after build [v0.0.13.0][build13]**
The new generated keys have current login use as owner and only grant the owner full control access.
1. Grant "NT Service\sshd" Read access to both public and private host key files for the keys to function.
```
Add-PermissionToFileACL -FilePath $hostKeyFilePath -User "NT Service\sshd" -Perm "Read"
Add-PermissionToFileACL -FilePath "$hostKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read"
```
2. Grant "NT Service\sshd" Read access to authorized_keys
```
$user = '<user>'
$userProfilePath = "$env:systemdrive\Users\$user"
Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read"
```
**For users to use existing host and user keys generated before build [v0.0.13.0][build13].**
The keys generated by ssh-keygen.exe before [v0.0.13.0][build13] inherits permissions from the parent folder. Other accounts than allowed account types may also have access to the file.
1. Adjust file permission of private host key: Set current user as owner and grant current user full control and "NT Service\sshd" Read access.
```
Set-SecureFileACL -FilePath $hostPrivateKeyFilePath
Add-PermissionToFileACL -FilePath $hostPrivateKeyFilePath -User "NT Service\sshd" -Perm "Read"
```
2. Adjust file permission of public host key: Grant "NT Service\sshd" Read access.
```
Add-PermissionToFileACL -FilePath $hostPublicKeyFilePath -User "NT Service\sshd" -Perm "Read"
```
3. Adjust file permission of user key file before supply it to ssh-add, scp, ssh, sftp: Set current user as owner and grant current user full control
```
Set-SecureFileACL -FilePath $userPrivateKeyFilePath
```
4. Adjust file permission of authorized_keys file: Set server login user as owner and grant server login user full control and "NT Service\sshd" Read access.
```
$user = '<user>'
$userProfilePath = "$env:systemdrive\Users\<user>"
$objUser = New-Object System.Security.Principal.NTAccount($user)
Set-SecureFileACL "$userProfilePath\.ssh\authorized_keys" -owner $objUser
Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read"
```
[build13]: https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v0.0.13.0