Updated Security protection of various files in Win32 OpenSSH (markdown)

2025-07-27 07:54:50 +02:00 · 2017-05-12 17:06:57 -07:00 · 2017-05-12 17:06:57 -07:00 · e9a3344646
commit e9a3344646
parent c46314da5b
1 changed files with 104 additions and 55 deletions
--- a/Security-protection-of-various-files-in-Win32-OpenSSH.md
+++ b/Security-protection-of-various-files-in-Win32-OpenSSH.md
@ -1,17 +1,38 @@
-##### General Introduction
-Starting on build [v0.0.13.0][build13], win32 openssh make sure files are secured before get loaded. SSH-keygen.exe generates protected key files as well. 'Secured' means:
-1. The file owner can only be one of these account types: local Administrators group, local system account, users in local administrators group, the current process user.
-2. For authorized_keys, host keys, "NT Service\sshd" are required to have and only have read access to the file.
-3. No others than the below account types are allowed to access to the file: local administrators group, local system account, users in local administrators group, current process user.
+# Secure protection of keys

-Utility scripts to adjust file permissions:
-1. Script to remove inheritance of the file, assign owner, and grant the owner full control 
-```
-$user = "<myusername>"
-$objUser = New-Object System.Security.Principal.NTAccount($user)
-Set-SecureFileACL -filepath $env:systemdrive\Users\$user\.ssh\authorized_keys -owner $objUser
-function Set-SecureFileACL 
-{            
+Starting with the release of [v0.0.13.0][build13], Win32-OpenSSH ensures files are secure before they are loaded.
+`ssh-keygen.exe` generates protected key files as well.
+
+The following files need to be "secure":
+
+- on the client-side
+  - user's private keys
+  - user's `ssh_config` located at `~\.ssh\config`
+- on the server-side
+  - user's `authorized_keys`
+  - private host keys
+
+"Secure" means:
+
+1. The file owner of these files must be one of the following (additionally, no other users or groups may have any access to the files):
+    - the local Administrators group
+    - LocalSystem account
+    - a user in the local Administrators group
+    - the user associated with a user key or user config
+1. `NT Service\sshd` must have (and only have) Read access to `authorized_keys` and all host keys.
+(Note: this means that `NT Service\sshd` *cannot* have Write access or Full Control.)
+
+## Utility scripts to adjust file permissions
+
+The following scripts are used in instructions below to help with managing the permissions of key files:
+
+### Set-SecureFileACL
+
+`Set-SecureFileACL` removes inherited ACLs on a file, assigns the current user as an owner (unless the `-Owner` parameter is specified), and grants the owner Full Control of the file:
+
+```powershell
+function Set-SecureFileACL
+{
    param(
        [string]$FilePath,
        [System.Security.Principal.NTAccount]$Owner = $null
@ -31,16 +52,16 @@ function Set-SecureFileACL
    {
        $actualOwner = $Owner
    }
-            
+
    $myACL.SetOwner($actualOwner)
-    
-    if($myACL.Access) 
-    {        
-        $myACL.Access | % {                    
+
+    if($myACL.Access)
+    {
+        $myACL.Access | % {
            if(-not ($myACL.RemoveAccessRule($_)))
            {
                throw "failed to remove access of $($_.IdentityReference.Value) rule in setup "
-            }                    
+            }
        }
    }

@ -50,73 +71,101 @@ function Set-SecureFileACL
    Set-Acl -Path $FilePath -AclObject $myACL
 }
 ```
-2. Grant "NT Service\sshd" Read permission to a file
+
+#### Example: Setting the owner of `authorized_keys`
+
+```powershell
+$user = "<myusername>"
+$objUser = New-Object System.Security.Principal.NTAccount($user)
+Set-SecureFileACL -filepath $env:systemdrive\Users\$user\.ssh\authorized_keys -owner $objUser
 ```
-Add-PermissionToFileACL -FilePath "$hostKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read"
-function Add-PermissionToFileACL 
-{    
+
+### Add-PermissionToFileACL
+
+`Add-PermissionToFileACL` grants `NT Service\sshd` read permission to a file.
+
+```powershell
+function Add-PermissionToFileACL
+{
    param(
        [string]$FilePath,
        [System.Security.Principal.NTAccount] $User,
-        [System.Security.AccessControl.FileSystemRights]$Perm)    
+        [System.Security.AccessControl.FileSystemRights]$Perm)

-    $myACL = Get-ACL $filePath        
+    $myACL = Get-ACL $filePath
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
-        ($User, $perm, "None", "None", "Allow") 
+        ($User, $perm, "None", "None", "Allow")
    $myACL.AddAccessRule($objACE)
    Set-Acl -Path $filePath -AclObject $myACL
 }
-``` 
-***
-##### Settings for Win32 OpenSSH work End to End
-
-**For users who want to use host and user keys generated by SSH-keygen.exe after build [v0.0.13.0][build13]**
-
-The new generated keys have current login use as owner and only grant the owner full control access. 
-1. Grant "NT Service\sshd" Read access to both public and private host key files for the keys to function.
 ```
+
+#### Example: Setting owner of public host key to `NT Service\sshd`
+
+```powershell
+Add-PermissionToFileACL -FilePath "$hostKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read"
+```
+
+## Managing keys end-to-end for Win32-OpenSSH
+
+### Generating new keys using `v0.0.13.0`
+
+If you've generated your host or user keys with `ssh-keygen.exe` after build [v0.0.13.0][build13], the user you've used to generated them will be the owner and have Full Control access.
+However, some files will still require some ACL modification.
+
+1. If the generated keys (both private and public) are going to be used as host keys, you must grant `NT Service\sshd` Read access: 
+```powershell
 Add-PermissionToFileACL -FilePath $hostPrivateKeyFilePath -User "NT Service\sshd" -Perm "Read"
 Add-PermissionToFileACL -FilePath "$hostPrivateKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read"
 ```
-2. On server machine, grant "NT Service\sshd" Read access to authorized_keys in a user's home directory
-```
+
+2. On the server running `sshd`, grant `NT Service\sshd` Read access to `authorized_keys` in `~\.ssh\`:
+```powershell
 $user = '<myusername>'
 $userProfilePath = "$env:systemdrive\Users\$user"
 Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read"
 ```
-3. On client machine, if user ssh_config is specified at $home\.ssh\config, make sure it is secured.
-```
-Set-SecureFileACL "$home\.ssh\config"
+
+3. On the client machine, if a user has a `ssh_config` at `~\.ssh\config`, make sure that the user is the owner and has Full Control:
+```powershell
+Set-SecureFileACL '~\.ssh\config'
 ```

-**For users to use existing host and user keys generated before build [v0.0.13.0][build13].**
+### Transitioning existing keys to `v0.0.13.0`

-The keys generated by ssh-keygen.exe before [v0.0.13.0][build13] inherits permissions from the parent folder. Other accounts than allowed account types may also have access to the file.
+If you have host or user keys that were generated before build [v0.0.13.0][build13], you'll need to secure those key files before using them `v0.0.13.0` or later.

-1. On server machine, adjust file permission of private host key: Set current user as owner and grant current user full control and "NT Service\sshd" Read access.
-```
+The keys generated by `ssh-keygen.exe` before [v0.0.13.0][build13] inherit permissions from the parent folder.
+That means that some disallowed accounts may also have access to the file.
+
+1. On the server running `sshd`, change the file permission of the private host key to set the current user as owner and grant current user Full Control and `NT Service\sshd` Read access. 
+```powershell
 Set-SecureFileACL -FilePath $hostPrivateKeyFilePath
 Add-PermissionToFileACL -FilePath $hostPrivateKeyFilePath -User "NT Service\sshd" -Perm "Read"
 ```
-2. On server machine, adjust file permission of public host key: Grant "NT Service\sshd" Read access.
-```
-Add-PermissionToFileACL -FilePath $hostPublicKeyFilePath -User "NT Service\sshd" -Perm "Read"
-``` 
-3. Adjust file permission of user key file before supply it to ssh-add, scp, ssh, sftp: Set current user as owner and grant current user full control
-```
-Set-SecureFileACL -FilePath $userPrivateKeyFilePath
-``` 

-4. On server machine, adjust file permission of authorized_keys file in a user's home directory: Set server login user as owner and grant server login user full control and "NT Service\sshd" Read access.
+2. On the server running `sshd`, grant `NT Service\sshd` Read access to the public host key:
+```powershell
+Add-PermissionToFileACL -FilePath $hostPublicKeyFilePath -User "NT Service\sshd" -Perm "Read"
 ```
+
+3. Before using a user key file with `ssh-add`, `scp`, `ssh`, or `sftp`, make sure that the file is owned by the user, and that the user has Full Control.
+```powershell
+Set-SecureFileACL -FilePath $userPrivateKeyFilePath
+```
+
+4. On the server running `sshd`, change the file permission of `authorized_keys` in a user's home directory to set the current user as owner and grant the current user Full Control and `NT Server\sshd` Read access.
+```powershell
 $user = '<myusername>'
 $userProfilePath = "$env:systemdrive\Users\<user>"
 $objUser = New-Object System.Security.Principal.NTAccount($user)
 Set-SecureFileACL "$userProfilePath\.ssh\authorized_keys" -owner $objUser
 Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read"
 ```
-5. On client machine, if user ssh_config is specified at $home\.ssh\config, make sure it is secured.
-```
-Set-SecureFileACL "$home\.ssh\config"
+
+5. On the client, if a user has their own `ssh_config` located at `~\.ssh\config`, it must be owned by that user (or a group to which that user belongs):
+```powershell
+Set-SecureFileACL "~\.ssh\config"
 ```
+
 [build13]: https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v0.0.13.0