Updated Security protection of various files in Win32 OpenSSH (markdown)

Manoj Ampalam 2017-05-14 23:40:59 -07:00
parent a215883b4a
commit 6eb6a0d0c1

@ -4,35 +4,35 @@ Starting with the release of [v0.0.13.0][build13], Win32-OpenSSH ensures any con
Specifically, following permission checks are enforced: Specifically, following permission checks are enforced:
- User specific resources on client side - private keys and ssh_config ((%userprofile%\.ssh\config) - User specific resources on client side - private keys and ssh_config ((%userprofile%\.ssh\config)
- Should not be accessible to other (non-admin) users. - Should be owned by the user
- Should not be owned by any other (non-admin) user. - Should not be accessible to other users.
- Ex. ssh would fail to use the following private key for userA, since "someotheruser" also has access. - Ex. ssh would fail to use the following private key for userA, since "someotheruser" also has access.
``` ```
c:\>icacls userkey c:\>icacls userkey
userkey userA(F) userkey userA:(F)
someotheruser(R) someotheruser:(R)
``` ```
- User specific resources on server side - authorized_keys - User specific resources on server side - authorized_keys
- Should not be accessible to other (non-admin) users. - Should be owned by the user.
- Should not be owned by any other (non-admin) user. - Should not be accessible to other users.
- "NT Service/sshd" can only have (R) access. - "NT Service/sshd" can only have (R) access.
- Ex. sshd would not respect the following authorized_keys for userA, since "someotheruser" also has access. - Ex. sshd would not respect the following authorized_keys for userA, since "someotheruser" also has access.
``` ```
c:\>icacls authorized_keys c:\>icacls authorized_keys
authorized_keys NT SERVICE\sshd:(R) authorized_keys NT SERVICE\sshd:(R)
userA(F) userA:(F)
someotheruser(R) someotheruser:(R)
``` ```
- Host specific resources on server side - host private keys - Host specific resources on server side - host private keys
- Should not be accessible to any non-admin user - Should be owned by "SYSTEM" (or Administrators group)
- Should not be owned by a non-admin user - Should not be accessible to other users or groups (other than Administrators group).
- "NT Service/sshd" can only have (R) access. - "NT Service/sshd" can only have (R) access.
- Ex. sshd would not respect the following host key, since "nonadmin" has access. - Ex. sshd would not respect the following host key, since "nonadmin" has access.
``` ```
c:\>icacls hostkey c:\>icacls hostkey
hostkey NT SERVICE\sshd:(R) hostkey NT SERVICE\sshd:(R)
admin(F) BUILTIN\Administrators:(F)
nonadmin(R) nonadmin:(R)
``` ```
## Tips to adjust permissions ## Tips to adjust permissions
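Review bot: The new wording for the two user-specific resource lists (private keys/ssh_config and authorized_keys) changes "Should not be accessible to other (non-admin) users" to "Should not be accessible to other users", which no longer says whether SYSTEM and the Administrators group may appear in the ACL. The host-key list states its exception explicitly ("other than Administrators group"), so the user-resource bullets should either state the same kind of exception or say plainly that there is none. As written, a reader cannot tell whether an admin ACE on a private key now fails the check. The same applies to the authorized_keys list, where "Should not be accessible to other users" is followed directly by the bullet that allows "NT Service/sshd" (R) access; phrasing the sshd entry as the exception to the preceding bullet would remove the apparent contradiction. For host keys, the owner may be "SYSTEM", but the access bullet exempts only the Administrators group; please clarify whether a SYSTEM ACE is allowed. Smaller points: "Should be owned by the user" is missing its trailing period in the first list but has one in the second, the service account is written "NT Service/sshd" in the bullets but "NT SERVICE\sshd" in the icacls output, and the unchanged line still has a doubled parenthesis in "((%userprofile%\.ssh\config)".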