tyler.durden/Win32-OpenSSH
1
0
Fork 0
mirror of https://github.com/PowerShell/Win32-OpenSSH.git synced 2025-07-29 08:54:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

Updated Security protection of various files in win32 openssh (markdown)

Yanbing 2017-05-11 18:34:44 -07:00
parent 74f6f009a7
commit b2a0a76f5a
1 changed files with 11 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
Security-protection-of-various-files-in-win32-openssh.md

@ -58,8 +58,7 @@ function Add-PermissionToFileACL
param(
[string]$FilePath,
[System.Security.Principal.NTAccount] $User,
[System.Security.AccessControl.FileSystemRights]$Perm
)
[System.Security.AccessControl.FileSystemRights]$Perm)
$myACL = Get-ACL $filePath
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
@ -76,18 +75,18 @@ function Add-PermissionToFileACL
The new generated keys have current login use as owner and only grant the owner full control access.
1. Grant "NT Service\sshd" Read access to both public and private host key files for the keys to function.
```
Add-PermissionToFileACL -FilePath $hostKeyFilePath -User "NT Service\sshd" -Perm "Read"
Add-PermissionToFileACL -FilePath "$hostKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read"
Add-PermissionToFileACL -FilePath $hostPrivateKeyFilePath -User "NT Service\sshd" -Perm "Read"
Add-PermissionToFileACL -FilePath "$hostPrivateKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read"
```
2. On server machine, grant "NT Service\sshd" Read access to authorized_keys
2. On server machine, grant "NT Service\sshd" Read access to authorized_keys in a user's home directory
```
$user = '<user>'
$user = '<myusername>'
$userProfilePath = "$env:systemdrive\Users\$user"
Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read"
```
3. On client machine, if user ssh_config is specified at $env:USERPROFILE\.ssh\config, make sure it is secured.
3. On client machine, if user ssh_config is specified at $home\.ssh\config, make sure it is secured.
```
Set-SecureFileACL "$env:USERPROFILE\.ssh\config"
Set-SecureFileACL "$home\.ssh\config"
```
**For users to use existing host and user keys generated before build [v0.0.13.0][build13].**
@ -108,16 +107,16 @@ Add-PermissionToFileACL -FilePath $hostPublicKeyFilePath -User "NT Service\sshd"
Set-SecureFileACL -FilePath $userPrivateKeyFilePath
```
4. On server machine, adjust file permission of authorized_keys file: Set server login user as owner and grant server login user full control and "NT Service\sshd" Read access.
4. On server machine, adjust file permission of authorized_keys file in a user's home directory: Set server login user as owner and grant server login user full control and "NT Service\sshd" Read access.
```
$user = '<user>'
$user = '<myusername>'
$userProfilePath = "$env:systemdrive\Users\<user>"
$objUser = New-Object System.Security.Principal.NTAccount($user)
Set-SecureFileACL "$userProfilePath\.ssh\authorized_keys" -owner $objUser
Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read"
```
5. On client machine, if user ssh_config is specified at $env:USERPROFILE\.ssh\config, make sure it is secured.
5. On client machine, if user ssh_config is specified at $home\.ssh\config, make sure it is secured.
```
Set-SecureFileACL "$env:USERPROFILE\.ssh\config"
Set-SecureFileACL "$home\.ssh\config"
```
[build13]: https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v0.0.13.0