From e9a334464697f9fab279f542125aefbf16f31dcf Mon Sep 17 00:00:00 2001 From: Joey Aiello Date: Fri, 12 May 2017 17:06:57 -0700 Subject: [PATCH] Updated Security protection of various files in Win32 OpenSSH (markdown) --- ...ction-of-various-files-in-Win32-OpenSSH.md | 159 ++++++++++++------ 1 file changed, 104 insertions(+), 55 deletions(-) diff --git a/Security-protection-of-various-files-in-Win32-OpenSSH.md b/Security-protection-of-various-files-in-Win32-OpenSSH.md index cb92071..26bf326 100644 --- a/Security-protection-of-various-files-in-Win32-OpenSSH.md +++ b/Security-protection-of-various-files-in-Win32-OpenSSH.md 
@@ -1,17 +1,38 @@ -##### General Introduction -Starting on build [v0.0.13.0][build13], win32 openssh make sure files are secured before get loaded. SSH-keygen.exe generates protected key files as well. 'Secured' means: -1. The file owner can only be one of these account types: local Administrators group, local system account, users in local administrators group, the current process user. -2. For authorized_keys, host keys, "NT Service\sshd" are required to have and only have read access to the file. -3. No others than the below account types are allowed to access to the file: local administrators group, local system account, users in local administrators group, current process user. +# Secure protection of keys -Utility scripts to adjust file permissions: -1. Script to remove inheritance of the file, assign owner, and grant the owner full control -``` -$user = "" -$objUser = New-Object System.Security.Principal.NTAccount($user) -Set-SecureFileACL -filepath $env:systemdrive\Users\$user\.ssh\authorized_keys -owner $objUser -function Set-SecureFileACL -{ +Starting with the release of [v0.0.13.0][build13], Win32-OpenSSH ensures files are secure before they are loaded. +`ssh-keygen.exe` generates protected key files as well. + +The following files need to be "secure": + +- on the client-side + - user's private keys + - user's `ssh_config` located at `~\.ssh\config` +- on the server-side + - user's `authorized_keys` + - private host keys + +"Secure" means: + +1. The file owner of these files must be one of the following (additionally, no other users or groups may have any access to the files): + - the local Administrators group + - LocalSystem account + - a user in the local Administrators group + - the user associated with a user key or user config +1. `NT Service\sshd` must have (and only have) Read access to `authorized_keys` and all host keys. +(Note: this means that `NT Service\sshd` *cannot* have Write access or Full Control.) 
+ +## Utility scripts to adjust file permissions + +The following scripts are used in instructions below to help with managing the permissions of key files: + +### Set-SecureFileACL + +`Set-SecureFileACL` removes inherited ACLs on a file, assigns the current user as an owner (unless the `-Owner` parameter is specified), and grants the owner Full Control of the file: + +```powershell +function Set-SecureFileACL +{ param( [string]$FilePath, [System.Security.Principal.NTAccount]$Owner = $null @@ -31,16 +52,16 @@ function Set-SecureFileACL { $actualOwner = $Owner } - + $myACL.SetOwner($actualOwner) - - if($myACL.Access) - { - $myACL.Access | % { + + if($myACL.Access) + { + $myACL.Access | % { if(-not ($myACL.RemoveAccessRule($_))) { throw "failed to remove access of $($_.IdentityReference.Value) rule in setup " - } + } } } 
@@ -50,73 +71,101 @@ function Set-SecureFileACL Set-Acl -Path $FilePath -AclObject $myACL } ``` -2. Grant "NT Service\sshd" Read permission to a file + +#### Example: Setting the owner of `authorized_keys` + +```powershell +$user = "" +$objUser = New-Object System.Security.Principal.NTAccount($user) +Set-SecureFileACL -filepath $env:systemdrive\Users\$user\.ssh\authorized_keys -owner $objUser ``` -Add-PermissionToFileACL -FilePath "$hostKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read" -function Add-PermissionToFileACL -{ + +### Add-PermissionToFileACL + +`Add-PermissionToFileACL` grants `NT Service\sshd` read permission to a file. + +```powershell +function Add-PermissionToFileACL +{ param( [string]$FilePath, [System.Security.Principal.NTAccount] $User, - [System.Security.AccessControl.FileSystemRights]$Perm) + [System.Security.AccessControl.FileSystemRights]$Perm) - $myACL = Get-ACL $filePath + $myACL = Get-ACL $filePath $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ` - ($User, $perm, "None", "None", "Allow") + ($User, $perm, "None", "None", "Allow") $myACL.AddAccessRule($objACE) Set-Acl -Path $filePath -AclObject $myACL } -``` -*** -##### Settings for Win32 OpenSSH work End to End - -**For users who want to use host and user keys generated by SSH-keygen.exe after build [v0.0.13.0][build13]** - -The new generated keys have current login use as owner and only grant the owner full control access. -1. Grant "NT Service\sshd" Read access to both public and private host key files for the keys to function. 
``` + +#### Example: Setting owner of public host key to `NT Service\sshd` + +```powershell +Add-PermissionToFileACL -FilePath "$hostKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read" +``` + +## Managing keys end-to-end for Win32-OpenSSH + +### Generating new keys using `v0.0.13.0` + +If you've generated your host or user keys with `ssh-keygen.exe` after build [v0.0.13.0][build13], the user you've used to generated them will be the owner and have Full Control access. +However, some files will still require some ACL modification. + +1. If the generated keys (both private and public) are going to be used as host keys, you must grant `NT Service\sshd` Read access: +```powershell Add-PermissionToFileACL -FilePath $hostPrivateKeyFilePath -User "NT Service\sshd" -Perm "Read" Add-PermissionToFileACL -FilePath "$hostPrivateKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read" ``` -2. On server machine, grant "NT Service\sshd" Read access to authorized_keys in a user's home directory -``` + +2. On the server running `sshd`, grant `NT Service\sshd` Read access to `authorized_keys` in `~\.ssh\`: +```powershell $user = '' $userProfilePath = "$env:systemdrive\Users\$user" Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read" ``` -3. On client machine, if user ssh_config is specified at $home\.ssh\config, make sure it is secured. -``` -Set-SecureFileACL "$home\.ssh\config" + +3. On the client machine, if a user has a `ssh_config` at `~\.ssh\config`, make sure that the user is the owner and has Full Control: +```powershell +Set-SecureFileACL '~\.ssh\config' ``` -**For users to use existing host and user keys generated before build [v0.0.13.0][build13].** +### Transitioning existing keys to `v0.0.13.0` -The keys generated by ssh-keygen.exe before [v0.0.13.0][build13] inherits permissions from the parent folder. Other accounts than allowed account types may also have access to the file. 
+If you have host or user keys that were generated before build [v0.0.13.0][build13], you'll need to secure those key files before using them `v0.0.13.0` or later. -1. On server machine, adjust file permission of private host key: Set current user as owner and grant current user full control and "NT Service\sshd" Read access. -``` +The keys generated by `ssh-keygen.exe` before [v0.0.13.0][build13] inherit permissions from the parent folder. +That means that some disallowed accounts may also have access to the file. + +1. On the server running `sshd`, change the file permission of the private host key to set the current user as owner and grant current user Full Control and `NT Service\sshd` Read access. +```powershell Set-SecureFileACL -FilePath $hostPrivateKeyFilePath Add-PermissionToFileACL -FilePath $hostPrivateKeyFilePath -User "NT Service\sshd" -Perm "Read" ``` -2. On server machine, adjust file permission of public host key: Grant "NT Service\sshd" Read access. -``` -Add-PermissionToFileACL -FilePath $hostPublicKeyFilePath -User "NT Service\sshd" -Perm "Read" -``` -3. Adjust file permission of user key file before supply it to ssh-add, scp, ssh, sftp: Set current user as owner and grant current user full control -``` -Set-SecureFileACL -FilePath $userPrivateKeyFilePath -``` -4. On server machine, adjust file permission of authorized_keys file in a user's home directory: Set server login user as owner and grant server login user full control and "NT Service\sshd" Read access. +2. On the server running `sshd`, grant `NT Service\sshd` Read access to the public host key: +```powershell +Add-PermissionToFileACL -FilePath $hostPublicKeyFilePath -User "NT Service\sshd" -Perm "Read" ``` + +3. Before using a user key file with `ssh-add`, `scp`, `ssh`, or `sftp`, make sure that the file is owned by the user, and that the user has Full Control. +```powershell +Set-SecureFileACL -FilePath $userPrivateKeyFilePath +``` + +4. 
On the server running `sshd`, change the file permission of `authorized_keys` in a user's home directory to set the current user as owner and grant the current user Full Control and `NT Server\sshd` Read access. +```powershell $user = '' $userProfilePath = "$env:systemdrive\Users\" $objUser = New-Object System.Security.Principal.NTAccount($user) Set-SecureFileACL "$userProfilePath\.ssh\authorized_keys" -owner $objUser Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read" ``` -5. On client machine, if user ssh_config is specified at $home\.ssh\config, make sure it is secured. -``` -Set-SecureFileACL "$home\.ssh\config" + +5. On the client, if a user has their own `ssh_config` located at `~\.ssh\config`, it must be owned by that user (or a group to which that user belongs): +```powershell +Set-SecureFileACL "~\.ssh\config" ``` + [build13]: https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v0.0.13.0
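Review bot: In the `@@ -1,17 +1,38 @@` hunk, the rewritten definition of "Secure" contradicts itself: item 1's parenthetical says "no other users or groups may have any access to the files", but item 2 then requires `NT Service\sshd` to have Read access to `authorized_keys` and the host keys. Either qualify item 1 ("no other users or groups may have access, except as noted in item 2") or move the sshd exception into the parenthetical so a reader auditing an ACL knows that one Read ACE is expected. Related: the old text allowed "the current process user" as an owner, and the new list replaces that with "the user associated with a user key or user config", which says nothing about who may own the host keys even though the procedures below make whoever runs `Set-SecureFileACL` their owner; state explicitly which account is expected to own host keys.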
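Review bot: The `@@ -31,16 +52,16 @@` hunk is whitespace-only (trailing spaces stripped from blank lines and `if`/`%` lines inside `Set-SecureFileACL`) and changes no behaviour; consider landing that cleanup as its own commit so the substantive wording and procedure changes in this patch are easier to review.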
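Review bot: In the `@@ -50,73 +71,101 @@` hunk, step 4 of "Transitioning existing keys" drops the user from the profile path: `$userProfilePath = "$env:systemdrive\Users\"` no longer includes `$user`, so both `Set-SecureFileACL` and `Add-PermissionToFileACL` are pointed at `C:\Users\\.ssh\authorized_keys` instead of the user's `.ssh` directory; restore `$userProfilePath = "$env:systemdrive\Users\$user"` as written in step 2 of "Generating new keys". The prose of that same step names `NT Server\sshd` where the code and every other step use `NT Service\sshd`. The new heading "Example: Setting owner of public host key to `NT Service\sshd`" misdescribes the command beneath it, which grants Read access with `-Perm "Read"` and leaves the owner untouched; "Example: Granting `NT Service\sshd` Read access to the public host key" is accurate. Step 5 says the user config "must be owned by that user (or a group to which that user belongs)", which is broader than the "Secure" definition at the top of the file and than what `Set-SecureFileACL` actually does (it sets the calling user as owner); drop the parenthetical or document which groups are acceptable. The two `ssh_config` steps also now quote the path differently (`'~\.ssh\config'` in step 3, `"~\.ssh\config"` in step 5) where the old text used `"$home\.ssh\config"`; pick one form, and `$home` avoids relying on `~` expansion inside the helper's `Get-Acl`/`Set-Acl` calls. Minor wording: "the user you've used to generated them" should read "generate", and "before using them `v0.0.13.0` or later" needs "with".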