From d9587832513ac6700b5ae4308fdb24ffde67f4e7 Mon Sep 17 00:00:00 2001
From: Yanbing <yawang@microsoft.com>
Date: Thu, 11 May 2017 17:32:47 -0700
Subject: [PATCH] Updated Security protection of various files in win32 openssh
 (markdown)

---
 ...ction-of-various-files-in-win32-openssh.md | 29 ++++++++++---------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/Security-protection-of-various-files-in-win32-openssh.md b/Security-protection-of-various-files-in-win32-openssh.md
index 02a1c9d..8c23ae6 100644
--- a/Security-protection-of-various-files-in-win32-openssh.md
+++ b/Security-protection-of-various-files-in-win32-openssh.md
@@ -1,5 +1,5 @@
 ##### General Introduction
-Starting on build [v0.0.13.0][build13], win32 openssh make sure file are secured before get loaded. SSH-keygen.exe generates protected key files as well. 'Secured' means:
+Starting on build [v0.0.13.0][build13], win32 openssh make sure files are secured before get loaded. SSH-keygen.exe generates protected key files as well. 'Secured' means:
 1. The file owner can only be one of these account types: local Administrators group, local system account, users in local administrators group, the current process user.
 2. For authorized_keys, host keys, "NT Service\sshd" are required to have and only have read access to the file.
 3. No others than the below account types are allowed to access to the file: local administrators group, local system account, users in local administrators group, current process user.
@@ -47,10 +47,8 @@ function Set-SecureFileACL
     $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
         ($actualOwner, "FullControl", "None", "None", "Allow")
     $myACL.AddAccessRule($objACE)
-
     Set-Acl -Path $FilePath -AclObject $myACL
-}       
-
+}
 ```
 2. Grant "NT Service\sshd" Read permission to a file
 ```
@@ -63,12 +61,10 @@ function Add-PermissionToFileACL
         [System.Security.AccessControl.FileSystemRights]$Perm
     )    
 
-    $myACL = Get-ACL $filePath
-        
+    $myACL = Get-ACL $filePath        
     $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
         ($User, $perm, "None", "None", "Allow") 
-    $myACL.AddAccessRule($objACE)    
-
+    $myACL.AddAccessRule($objACE)
     Set-Acl -Path $filePath -AclObject $myACL
 }
 ``` 
@@ -83,23 +79,27 @@ The new generated keys have current login use as owner and only grant the owner
 Add-PermissionToFileACL -FilePath $hostKeyFilePath -User "NT Service\sshd" -Perm "Read"
 Add-PermissionToFileACL -FilePath "$hostKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read"
 ```
-2. On Setup Server machine, grant "NT Service\sshd" Read access to authorized_keys
+2. On server machine, grant "NT Service\sshd" Read access to authorized_keys
 ```
 $user = '<user>'
 $userProfilePath = "$env:systemdrive\Users\$user"
 Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read"
 ```
+3. On client machine, if user ssh_config is specified at $env:USERPROFILE\.ssh\config, make sure it is secured.
+```
+Set-SecureFileACL "$env:USERPROFILE\.ssh\config"
+```
 
 **For users to use existing host and user keys generated before build [v0.0.13.0][build13].**
 
 The keys generated by ssh-keygen.exe before [v0.0.13.0][build13] inherits permissions from the parent folder. Other accounts than allowed account types may also have access to the file.
 
-1. On Setup Server machine, adjust file permission of private host key: Set current user as owner and grant current user full control and "NT Service\sshd" Read access.
+1. On server machine, adjust file permission of private host key: Set current user as owner and grant current user full control and "NT Service\sshd" Read access.
 ```
 Set-SecureFileACL -FilePath $hostPrivateKeyFilePath
 Add-PermissionToFileACL -FilePath $hostPrivateKeyFilePath -User "NT Service\sshd" -Perm "Read"
 ```
-2. On Setup Server machine, adjust file permission of public host key: Grant "NT Service\sshd" Read access.
+2. On server machine, adjust file permission of public host key: Grant "NT Service\sshd" Read access.
 ```
 Add-PermissionToFileACL -FilePath $hostPublicKeyFilePath -User "NT Service\sshd" -Perm "Read"
 ``` 
@@ -108,7 +108,7 @@ Add-PermissionToFileACL -FilePath $hostPublicKeyFilePath -User "NT Service\sshd"
 Set-SecureFileACL -FilePath $userPrivateKeyFilePath
 ``` 
 
-4. On Setup Server machine, adjust file permission of authorized_keys file: Set server login user as owner and grant server login user full control and "NT Service\sshd" Read access.
+4. On server machine, adjust file permission of authorized_keys file: Set server login user as owner and grant server login user full control and "NT Service\sshd" Read access.
 ```
 $user = '<user>'
 $userProfilePath = "$env:systemdrive\Users\<user>"
@@ -116,5 +116,8 @@ $objUser = New-Object System.Security.Principal.NTAccount($user)
 Set-SecureFileACL "$userProfilePath\.ssh\authorized_keys" -owner $objUser
 Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read"
 ```
-
+5. On client machine, if user ssh_config is specified at $env:USERPROFILE\.ssh\config, make sure it is secured.
+```
+Set-SecureFileACL "$env:USERPROFILE\.ssh\config"
+```
 [build13]: https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v0.0.13.0