From a8d463d79a203d1d34ebe56bc49e2cb1d20c0488 Mon Sep 17 00:00:00 2001 From: Manoj Ampalam Date: Fri, 2 Jun 2017 22:21:48 -0700 Subject: [PATCH] Updated OpenSSH utility scripts to fix file permissions (markdown) --- ...utility-scripts-to-fix-file-permissions.md | 64 ++++++++++--------- 1 file changed, 33 insertions(+), 31 deletions(-) diff --git a/OpenSSH-utility-scripts-to-fix-file-permissions.md b/OpenSSH-utility-scripts-to-fix-file-permissions.md index d1e34f4..b033a30 100644 --- a/OpenSSH-utility-scripts-to-fix-file-permissions.md +++ b/OpenSSH-utility-scripts-to-fix-file-permissions.md 
@@ -1,46 +1,48 @@ -Powershell utility scripts are included starting release [v0.0.15.0](https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v0.0.15.0) to automatically fix the permissions on various keys and configuration files for host and user. [Secure protection of various files](https://github.com/PowerShell/Win32-OpenSSH/wiki/Security-protection-of-various-files-in-Win32-OpenSSH) explains why secure enforcement is needed. +Powershell utility scripts included in [v0.0.15.0](https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v0.0.15.0) onwards, aid in fixing permissions on various OpenSSH key and configuration files. See [here] (https://github.com/PowerShell/Win32-OpenSSH/wiki/Security-protection-of-various-files-in-Win32-OpenSSH) for more details on how file permissions are enforced on Windows. -**`FixHostFilePermissions.ps1`** +Improper file permissions will likely result in a broken configuration (OpenSSH fails to work). You may use the following scripts (provided in release payload) to help evaluate and fix any permission related issues. -It checks and fixes the below permissions on default host files: - - user's authorized_keys located at `$env:systemdrive\Users\...\.ssh\authorized_keys` - - host keys generated by `ssh-keygen.exe -A` in the same folder of the script - - sshd_config in the same folder of the script +### FixHostFilePermissions.ps1 +Use it to fix file permissions on host side. 
Checks and fixes file permissions on: + - sshd_config + - host keys generated by `ssh-keygen.exe -A` + - any authorized_keys located in user profiles (%userprofile%\user\.ssh\authorized_keys) ```PowerShell -# script prompt to confirm you want to update each permission if Quiet is not specified +# Usage +# Evaluate each file and prompt before making changes .\FixHostFilePermissions.ps1 +# Evaluate and make changes without prompting +.\FixHostFilePermissions.ps1 -Quiet ``` -**`FixUserFilePermissions.ps1`** - -It checks and fixes the below file permissions on user's default files: - - user's ssh_config located at `~\.ssh\config` - - user's keys located at `~\.ssh\id_rsa`, `~\.ssh\id_rsa.pub` - - user's keys located at `~\.ssh\id_dsa`, `~\.ssh\id_dsa.pub` +### FixUserFilePermissions.ps1 +Use it to fix permissions of client side files - keys and config files of current user. Checks and fixes permissions on: + - `~\.ssh\config` + - `~\.ssh\id_rsa`, `~\.ssh\id_rsa.pub` + - `~\.ssh\id_dsa`, `~\.ssh\id_dsa.pub` ```PowerShell -# -Quiet suppresses prompting to confirm you want to update each permission -.\FixUserFilePermissions.ps1 -Quiet +# Usage +# Evaluate each file and prompt before making changes +.\FixUserFilePermissions.ps1 +# Evaluate and make changes without prompting +.\FixUserFilePermissions.ps1 -Quiet ``` -**`OpenSSHUtils.psm1` module** - -It checks and fixes permissions on customer specified files. - - Function `Fix-HostSSHDConfigPermissions` fixes permission on sshd_config file specified by user - - Function `Fix-HostKeyPermissions` fixes permission for host keys specified by user; **Note that to keep the host private keys secure, it is recommended to register them with ssh-agent following -steps in [link](https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH)**, but this function suggests to grant 'NT Service\sshd' Read permission to the host keys. Choose no if they are registered already. 
- - Function `Fix-UserKeyPermissions` fixes the permissions on user's key files specified by user - - Function `Fix-AuthorizedKeyPermissions` fixes permissions on the authorized_keys file specified by user - - Function `Fix-UserSSHConfigPermissions` fixes permissions on user's ssh config specified by user - +### OpenSSHUtils.psm1 +Above 2 scripts use core functionality implemented in this base module. If you are dealing with a custom OpenSSH configuration, you may find the following functions useful. ```PowerShell Import-Module .\OpenSSHUtils.psm1 -Force -# prompt to confirm you want to confirm you want to update each permission on the file -Fix-HostSSHDConfigPermissions c:\test\sshd_config -# -Quiet suppresses prompting to confirm you want to update each permission on the file -Fix-AuthorizedKeyPermissions -FilePath C:\Users\sshtest_ssouser\.ssh\authorized_keys -Quiet -Fix-HostKeyPermissions -FilePath c:\test\sshtest_hostkey_ecdsa -Quiet +# All routines following -Quiet semantics +# fix permissions on a specified sshd_config +Fix-HostSSHDConfigPermissions -FilePath c:\test\sshd_config +# fix permissions on a specified host key +Fix-HostKeyPermissions -FilePath c:\test\sshtest_hostkey_ecdsa +# fix permissions on a specified authorized_key +Fix-AuthorizedKeyPermissions -FilePath C:\Users\sshtest_ssouser\.ssh\authorized_keys +# fix permissions a specific ssh_config +Fix-UserSSHConfigPermissions -FilePath '~\.ssh\config' +# fix permissions on an user key Fix-HostUserPermissions -FilePath c:\test\sshtest_userssokey_ed25519 -Quiet -Fix-UserSSHConfigPermissions -FilePath '~\.ssh\config' -Quiet ``` \ No newline at end of file
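Review bot: In the OpenSSHUtils.psm1 example at the end of the hunk, the new comment "# fix permissions on an user key" sits above the unchanged call `Fix-HostUserPermissions -FilePath c:\test\sshtest_userssokey_ed25519 -Quiet`, while the function list this patch removes named `Fix-UserKeyPermissions` for user key files. Please confirm which name the module actually exports and use it here. That line is also the only call still passing `-Quiet`, which makes the new comment "# All routines following -Quiet semantics" ambiguous: say explicitly that each function prompts unless `-Quiet` is given, and either show `-Quiet` on all calls or on none. The rewrite also drops the bolded note that host private keys should be registered with ssh-agent and that `Fix-HostKeyPermissions` offers to grant 'NT Service\sshd' Read on them; that is the one security-relevant decision a reader makes when running these functions, so I would keep a sentence about it under the new heading. Smaller points: `[here] (https://...)` in the first added paragraph has a space between `]` and `(`, so the link will not render; `%userprofile%\user\.ssh\authorized_keys` has an extra `\user` segment, since `%userprofile%` already points at the profile directory; and the file still ends without a trailing newline.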