tyler.durden/Win32-OpenSSH
1
0
Fork 0
mirror of https://github.com/PowerShell/Win32-OpenSSH.git synced 2025-07-26 23:44:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

Updated Security protection of various files in win32 openssh (markdown)

Yanbing 2017-05-11 17:32:47 -07:00
parent e0e8dbb026
commit d958783251
1 changed files with 16 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
Security-protection-of-various-files-in-win32-openssh.md

@ -1,5 +1,5 @@
##### General Introduction ##### General Introduction
Starting on build [v0.0.13.0][build13], win32 openssh make sure file are secured before get loaded. SSH-keygen.exe generates protected key files as well. 'Secured' means: Starting on build [v0.0.13.0][build13], win32 openssh make sure files are secured before get loaded. SSH-keygen.exe generates protected key files as well. 'Secured' means:
1. The file owner can only be one of these account types: local Administrators group, local system account, users in local administrators group, the current process user. 1. The file owner can only be one of these account types: local Administrators group, local system account, users in local administrators group, the current process user.
2. For authorized_keys, host keys, "NT Service\sshd" are required to have and only have read access to the file. 2. For authorized_keys, host keys, "NT Service\sshd" are required to have and only have read access to the file.
3. No others than the below account types are allowed to access to the file: local administrators group, local system account, users in local administrators group, current process user. 3. No others than the below account types are allowed to access to the file: local administrators group, local system account, users in local administrators group, current process user.
@ -47,10 +47,8 @@ function Set-SecureFileACL
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ` $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
($actualOwner, "FullControl", "None", "None", "Allow") ($actualOwner, "FullControl", "None", "None", "Allow")
$myACL.AddAccessRule($objACE) $myACL.AddAccessRule($objACE)
Set-Acl -Path $FilePath -AclObject $myACL Set-Acl -Path $FilePath -AclObject $myACL
} }
``` ```
2. Grant "NT Service\sshd" Read permission to a file 2. Grant "NT Service\sshd" Read permission to a file
``` ```
@ -64,11 +62,9 @@ function Add-PermissionToFileACL
) )
$myACL = Get-ACL $filePath $myACL = Get-ACL $filePath
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ` $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
($User, $perm, "None", "None", "Allow") ($User, $perm, "None", "None", "Allow")
$myACL.AddAccessRule($objACE) $myACL.AddAccessRule($objACE)
Set-Acl -Path $filePath -AclObject $myACL Set-Acl -Path $filePath -AclObject $myACL
} }
``` ```
@ -83,23 +79,27 @@ The new generated keys have current login use as owner and only grant the owner
Add-PermissionToFileACL -FilePath $hostKeyFilePath -User "NT Service\sshd" -Perm "Read" Add-PermissionToFileACL -FilePath $hostKeyFilePath -User "NT Service\sshd" -Perm "Read"
Add-PermissionToFileACL -FilePath "$hostKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read" Add-PermissionToFileACL -FilePath "$hostKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read"
``` ```
2. On Setup Server machine, grant "NT Service\sshd" Read access to authorized_keys 2. On server machine, grant "NT Service\sshd" Read access to authorized_keys
``` ```
$user = '<user>' $user = '<user>'
$userProfilePath = "$env:systemdrive\Users\$user" $userProfilePath = "$env:systemdrive\Users\$user"
Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read" Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read"
``` ```
3. On client machine, if user ssh_config is specified at $env:USERPROFILE\.ssh\config, make sure it is secured.
```
Set-SecureFileACL "$env:USERPROFILE\.ssh\config"
```
**For users to use existing host and user keys generated before build [v0.0.13.0][build13].** **For users to use existing host and user keys generated before build [v0.0.13.0][build13].**
The keys generated by ssh-keygen.exe before [v0.0.13.0][build13] inherits permissions from the parent folder. Other accounts than allowed account types may also have access to the file. The keys generated by ssh-keygen.exe before [v0.0.13.0][build13] inherits permissions from the parent folder. Other accounts than allowed account types may also have access to the file.
1. On Setup Server machine, adjust file permission of private host key: Set current user as owner and grant current user full control and "NT Service\sshd" Read access. 1. On server machine, adjust file permission of private host key: Set current user as owner and grant current user full control and "NT Service\sshd" Read access.
``` ```
Set-SecureFileACL -FilePath $hostPrivateKeyFilePath Set-SecureFileACL -FilePath $hostPrivateKeyFilePath
Add-PermissionToFileACL -FilePath $hostPrivateKeyFilePath -User "NT Service\sshd" -Perm "Read" Add-PermissionToFileACL -FilePath $hostPrivateKeyFilePath -User "NT Service\sshd" -Perm "Read"
``` ```
2. On Setup Server machine, adjust file permission of public host key: Grant "NT Service\sshd" Read access. 2. On server machine, adjust file permission of public host key: Grant "NT Service\sshd" Read access.
``` ```
Add-PermissionToFileACL -FilePath $hostPublicKeyFilePath -User "NT Service\sshd" -Perm "Read" Add-PermissionToFileACL -FilePath $hostPublicKeyFilePath -User "NT Service\sshd" -Perm "Read"
``` ```
@ -108,7 +108,7 @@ Add-PermissionToFileACL -FilePath $hostPublicKeyFilePath -User "NT Service\sshd"
Set-SecureFileACL -FilePath $userPrivateKeyFilePath Set-SecureFileACL -FilePath $userPrivateKeyFilePath
``` ```
4. On Setup Server machine, adjust file permission of authorized_keys file: Set server login user as owner and grant server login user full control and "NT Service\sshd" Read access. 4. On server machine, adjust file permission of authorized_keys file: Set server login user as owner and grant server login user full control and "NT Service\sshd" Read access.
``` ```
$user = '<user>' $user = '<user>'
$userProfilePath = "$env:systemdrive\Users\<user>" $userProfilePath = "$env:systemdrive\Users\<user>"
@ -116,5 +116,8 @@ $objUser = New-Object System.Security.Principal.NTAccount($user)
Set-SecureFileACL "$userProfilePath\.ssh\authorized_keys" -owner $objUser Set-SecureFileACL "$userProfilePath\.ssh\authorized_keys" -owner $objUser
Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read" Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read"
``` ```
5. On client machine, if user ssh_config is specified at $env:USERPROFILE\.ssh\config, make sure it is secured.
```
Set-SecureFileACL "$env:USERPROFILE\.ssh\config"
```
[build13]: https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v0.0.13.0 [build13]: https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v0.0.13.0