mirror of https://github.com/PowerShell/Win32-OpenSSH.git, synced 2025-07-25 15:04:54 +02:00
Updated Security protection of various files in win32 openssh (markdown)
parent e0e8dbb026
commit d958783251
@ -1,5 +1,5 @@
|
||||
##### General Introduction
|
||||
Starting on build [v0.0.13.0][build13], win32 openssh make sure file are secured before get loaded. SSH-keygen.exe generates protected key files as well. 'Secured' means:
|
||||
Starting on build [v0.0.13.0][build13], win32 openssh make sure files are secured before get loaded. SSH-keygen.exe generates protected key files as well. 'Secured' means:
|
||||
1. The file owner can only be one of these account types: local Administrators group, local system account, users in local administrators group, the current process user.
|
||||
2. For authorized_keys, host keys, "NT Service\sshd" are required to have and only have read access to the file.
|
||||
3. No others than the below account types are allowed to access to the file: local administrators group, local system account, users in local administrators group, current process user.
|
||||
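Review bot: The reworded introduction line still reads "win32 openssh make sure files are secured before get loaded", so the plural fix leaves the sentence ungrammatical; suggest "Win32-OpenSSH makes sure files are secured before they are loaded". In the list below it, item 2 says "NT Service\sshd" must "have and only have read access" but does not say what happens to a file that fails the check, which is the first thing a reader hitting a rejected key will look for.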
@ -47,10 +47,8 @@ function Set-SecureFileACL
|
||||
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
|
||||
($actualOwner, "FullControl", "None", "None", "Allow")
|
||||
$myACL.AddAccessRule($objACE)
|
||||
|
||||
Set-Acl -Path $FilePath -AclObject $myACL
|
||||
}
|
||||
|
||||
}
|
||||
```
|
||||
2. Grant "NT Service\sshd" Read permission to a file
|
||||
```
|
||||
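Review bot: `Set-Acl -Path $FilePath -AclObject $myACL` in Set-SecureFileACL treats the path as a wildcard pattern, so a file name containing `[` or `]` is not matched literally; `Set-Acl -LiteralPath $FilePath -AclObject $myACL` avoids that. The parameter is also written `$FilePath` here and `$filePath` in Add-PermissionToFileACL; PowerShell does not care, but one spelling would read better in a wiki sample.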
@ -63,12 +61,10 @@ function Add-PermissionToFileACL
|
||||
[System.Security.AccessControl.FileSystemRights]$Perm
|
||||
)
|
||||
|
||||
$myACL = Get-ACL $filePath
|
||||
|
||||
$myACL = Get-ACL $filePath
|
||||
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
|
||||
($User, $perm, "None", "None", "Allow")
|
||||
$myACL.AddAccessRule($objACE)
|
||||
|
||||
$myACL.AddAccessRule($objACE)
|
||||
Set-Acl -Path $filePath -AclObject $myACL
|
||||
}
|
||||
```
|
||||
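Review bot: `$myACL.AddAccessRule($objACE)` in Add-PermissionToFileACL only adds an Allow entry and merges it with whatever `$User` already holds, so it cannot guarantee the "have and only have read access" condition the introduction states for "NT Service\sshd". If the account already has a broader explicit entry on the file, that entry stays. Consider `$myACL.SetAccessRule($objACE)`, which replaces the existing rules for that identity, or say in the text that the function assumes the account has no prior entry.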
@ -83,23 +79,27 @@ The new generated keys have current login use as owner and only grant the owner
|
||||
Add-PermissionToFileACL -FilePath $hostKeyFilePath -User "NT Service\sshd" -Perm "Read"
|
||||
Add-PermissionToFileACL -FilePath "$hostKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read"
|
||||
```
|
||||
2. On Setup Server machine, grant "NT Service\sshd" Read access to authorized_keys
|
||||
2. On server machine, grant "NT Service\sshd" Read access to authorized_keys
|
||||
```
|
||||
$user = '<user>'
|
||||
$userProfilePath = "$env:systemdrive\Users\$user"
|
||||
Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read"
|
||||
```
|
||||
3. On client machine, if user ssh_config is specified at $env:USERPROFILE\.ssh\config, make sure it is secured.
|
||||
```
|
||||
Set-SecureFileACL "$env:USERPROFILE\.ssh\config"
|
||||
```
|
||||
|
||||
**For users to use existing host and user keys generated before build [v0.0.13.0][build13].**
|
||||
|
||||
The keys generated by ssh-keygen.exe before [v0.0.13.0][build13] inherits permissions from the parent folder. Other accounts than allowed account types may also have access to the file.
|
||||
|
||||
1. On Setup Server machine, adjust file permission of private host key: Set current user as owner and grant current user full control and "NT Service\sshd" Read access.
|
||||
1. On server machine, adjust file permission of private host key: Set current user as owner and grant current user full control and "NT Service\sshd" Read access.
|
||||
```
|
||||
Set-SecureFileACL -FilePath $hostPrivateKeyFilePath
|
||||
Add-PermissionToFileACL -FilePath $hostPrivateKeyFilePath -User "NT Service\sshd" -Perm "Read"
|
||||
```
|
||||
2. On Setup Server machine, adjust file permission of public host key: Grant "NT Service\sshd" Read access.
|
||||
2. On server machine, adjust file permission of public host key: Grant "NT Service\sshd" Read access.
|
||||
```
|
||||
Add-PermissionToFileACL -FilePath $hostPublicKeyFilePath -User "NT Service\sshd" -Perm "Read"
|
||||
```
|
||||
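Review bot: The new client step 3 says "if user ssh_config is specified" but the sample calls `Set-SecureFileACL "$env:USERPROFILE\.ssh\config"` unconditionally; wrap it in `if (Test-Path "$env:USERPROFILE\.ssh\config") { ... }` so users without a config file can paste the block as is. In the server step above it, `$userProfilePath = "$env:systemdrive\Users\$user"` assumes the profile lives under the default Users folder; a short note that the path must be adjusted for relocated profiles would help.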
@ -108,7 +108,7 @@ Add-PermissionToFileACL -FilePath $hostPublicKeyFilePath -User "NT Service\sshd"
|
||||
Set-SecureFileACL -FilePath $userPrivateKeyFilePath
|
||||
```
|
||||
|
||||
4. On Setup Server machine, adjust file permission of authorized_keys file: Set server login user as owner and grant server login user full control and "NT Service\sshd" Read access.
|
||||
4. On server machine, adjust file permission of authorized_keys file: Set server login user as owner and grant server login user full control and "NT Service\sshd" Read access.
|
||||
```
|
||||
$user = '<user>'
|
||||
$userProfilePath = "$env:systemdrive\Users\<user>"
|
||||
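Review bot: In step 4 the sample sets `$user = '<user>'` and then repeats the placeholder in `$userProfilePath = "$env:systemdrive\Users\<user>"`, so a reader who fills in only the first line ends up with a path that still contains `<user>`. The equivalent block earlier on the page uses `"$env:systemdrive\Users\$user"`; use the same form here while this step is being touched.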
@ -116,5 +116,8 @@ $objUser = New-Object System.Security.Principal.NTAccount($user)
|
||||
Set-SecureFileACL "$userProfilePath\.ssh\authorized_keys" -owner $objUser
|
||||
Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read"
|
||||
```
|
||||
|
||||
5. On client machine, if user ssh_config is specified at $env:USERPROFILE\.ssh\config, make sure it is secured.
|
||||
```
|
||||
Set-SecureFileACL "$env:USERPROFILE\.ssh\config"
|
||||
```
|
||||
[build13]: https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v0.0.13.0
|
||||
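Review bot: The new step 5 passes the path positionally in `Set-SecureFileACL "$env:USERPROFILE\.ssh\config"`, and the authorized_keys line just above it does the same with `-owner $objUser`, while the other samples on the page use `-FilePath`; name the parameter everywhere so the calls keep working if the function's parameter order changes. Step 5 also sits under the heading about keys generated before v0.0.13.0, although ssh_config is not a key file, and it repeats step 3 of the previous section word for word; a single shared note for the client config would avoid the two copies drifting apart.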