tyler.durden/Win32-OpenSSH
1
0
Fork 0
mirror of https://github.com/PowerShell/Win32-OpenSSH.git synced 2025-07-29 17:04:41 +02:00
Code Issues Packages Projects Releases Wiki Activity

Updated Security protection of various files in Win32 OpenSSH (markdown)

Joey Aiello 2017-05-12 17:06:57 -07:00
parent c46314da5b
commit e9a3344646
1 changed files with 104 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

121
Security-protection-of-various-files-in-Win32-OpenSSH.md

@ -1,15 +1,36 @@
##### General Introduction # Secure protection of keys
Starting on build [v0.0.13.0][build13], win32 openssh make sure files are secured before get loaded. SSH-keygen.exe generates protected key files as well. 'Secured' means:
1. The file owner can only be one of these account types: local Administrators group, local system account, users in local administrators group, the current process user.
2. For authorized_keys, host keys, "NT Service\sshd" are required to have and only have read access to the file.
3. No others than the below account types are allowed to access to the file: local administrators group, local system account, users in local administrators group, current process user.
Utility scripts to adjust file permissions: Starting with the release of [v0.0.13.0][build13], Win32-OpenSSH ensures files are secure before they are loaded.
1. Script to remove inheritance of the file, assign owner, and grant the owner full control `ssh-keygen.exe` generates protected key files as well.
```
$user = "<myusername>" The following files need to be "secure":
$objUser = New-Object System.Security.Principal.NTAccount($user)
Set-SecureFileACL -filepath $env:systemdrive\Users\$user\.ssh\authorized_keys -owner $objUser - on the client-side
- user's private keys
- user's `ssh_config` located at `~\.ssh\config`
- on the server-side
- user's `authorized_keys`
- private host keys
"Secure" means:
1. The file owner of these files must be one of the following (additionally, no other users or groups may have any access to the files):
- the local Administrators group
- LocalSystem account
- a user in the local Administrators group
- the user associated with a user key or user config
1. `NT Service\sshd` must have (and only have) Read access to `authorized_keys` and all host keys.
(Note: this means that `NT Service\sshd` *cannot* have Write access or Full Control.)
## Utility scripts to adjust file permissions
The following scripts are used in instructions below to help with managing the permissions of key files:
### Set-SecureFileACL
`Set-SecureFileACL` removes inherited ACLs on a file, assigns the current user as an owner (unless the `-Owner` parameter is specified), and grants the owner Full Control of the file:
```powershell
function Set-SecureFileACL function Set-SecureFileACL
{ {
param( param(
@ -50,9 +71,20 @@ function Set-SecureFileACL
Set-Acl -Path $FilePath -AclObject $myACL Set-Acl -Path $FilePath -AclObject $myACL
} }
``` ```
2. Grant "NT Service\sshd" Read permission to a file
#### Example: Setting the owner of `authorized_keys`
```powershell
$user = "<myusername>"
$objUser = New-Object System.Security.Principal.NTAccount($user)
Set-SecureFileACL -filepath $env:systemdrive\Users\$user\.ssh\authorized_keys -owner $objUser
``` ```
Add-PermissionToFileACL -FilePath "$hostKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read"
### Add-PermissionToFileACL
`Add-PermissionToFileACL` grants `NT Service\sshd` read permission to a file.
```powershell
function Add-PermissionToFileACL function Add-PermissionToFileACL
{ {
param( param(
@ -67,56 +99,73 @@ function Add-PermissionToFileACL
Set-Acl -Path $filePath -AclObject $myACL Set-Acl -Path $filePath -AclObject $myACL
} }
``` ```
***
##### Settings for Win32 OpenSSH work End to End
**For users who want to use host and user keys generated by SSH-keygen.exe after build [v0.0.13.0][build13]** #### Example: Setting owner of public host key to `NT Service\sshd`
The new generated keys have current login use as owner and only grant the owner full control access. ```powershell
1. Grant "NT Service\sshd" Read access to both public and private host key files for the keys to function. Add-PermissionToFileACL -FilePath "$hostKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read"
``` ```
## Managing keys end-to-end for Win32-OpenSSH
### Generating new keys using `v0.0.13.0`
If you've generated your host or user keys with `ssh-keygen.exe` after build [v0.0.13.0][build13], the user you've used to generated them will be the owner and have Full Control access.
However, some files will still require some ACL modification.
1. If the generated keys (both private and public) are going to be used as host keys, you must grant `NT Service\sshd` Read access:
```powershell
Add-PermissionToFileACL -FilePath $hostPrivateKeyFilePath -User "NT Service\sshd" -Perm "Read" Add-PermissionToFileACL -FilePath $hostPrivateKeyFilePath -User "NT Service\sshd" -Perm "Read"
Add-PermissionToFileACL -FilePath "$hostPrivateKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read" Add-PermissionToFileACL -FilePath "$hostPrivateKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read"
``` ```
2. On server machine, grant "NT Service\sshd" Read access to authorized_keys in a user's home directory
``` 2. On the server running `sshd`, grant `NT Service\sshd` Read access to `authorized_keys` in `~\.ssh\`:
```powershell
$user = '<myusername>' $user = '<myusername>'
$userProfilePath = "$env:systemdrive\Users\$user" $userProfilePath = "$env:systemdrive\Users\$user"
Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read" Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read"
``` ```
3. On client machine, if user ssh_config is specified at $home\.ssh\config, make sure it is secured.
``` 3. On the client machine, if a user has a `ssh_config` at `~\.ssh\config`, make sure that the user is the owner and has Full Control:
Set-SecureFileACL "$home\.ssh\config" ```powershell
Set-SecureFileACL '~\.ssh\config'
``` ```
**For users to use existing host and user keys generated before build [v0.0.13.0][build13].** ### Transitioning existing keys to `v0.0.13.0`
The keys generated by ssh-keygen.exe before [v0.0.13.0][build13] inherits permissions from the parent folder. Other accounts than allowed account types may also have access to the file. If you have host or user keys that were generated before build [v0.0.13.0][build13], you'll need to secure those key files before using them `v0.0.13.0` or later.
1. On server machine, adjust file permission of private host key: Set current user as owner and grant current user full control and "NT Service\sshd" Read access. The keys generated by `ssh-keygen.exe` before [v0.0.13.0][build13] inherit permissions from the parent folder.
``` That means that some disallowed accounts may also have access to the file.
1. On the server running `sshd`, change the file permission of the private host key to set the current user as owner and grant current user Full Control and `NT Service\sshd` Read access.
```powershell
Set-SecureFileACL -FilePath $hostPrivateKeyFilePath Set-SecureFileACL -FilePath $hostPrivateKeyFilePath
Add-PermissionToFileACL -FilePath $hostPrivateKeyFilePath -User "NT Service\sshd" -Perm "Read" Add-PermissionToFileACL -FilePath $hostPrivateKeyFilePath -User "NT Service\sshd" -Perm "Read"
``` ```
2. On server machine, adjust file permission of public host key: Grant "NT Service\sshd" Read access.
``` 2. On the server running `sshd`, grant `NT Service\sshd` Read access to the public host key:
```powershell
Add-PermissionToFileACL -FilePath $hostPublicKeyFilePath -User "NT Service\sshd" -Perm "Read" Add-PermissionToFileACL -FilePath $hostPublicKeyFilePath -User "NT Service\sshd" -Perm "Read"
``` ```
3. Adjust file permission of user key file before supply it to ssh-add, scp, ssh, sftp: Set current user as owner and grant current user full control
``` 3. Before using a user key file with `ssh-add`, `scp`, `ssh`, or `sftp`, make sure that the file is owned by the user, and that the user has Full Control.
```powershell
Set-SecureFileACL -FilePath $userPrivateKeyFilePath Set-SecureFileACL -FilePath $userPrivateKeyFilePath
``` ```
4. On server machine, adjust file permission of authorized_keys file in a user's home directory: Set server login user as owner and grant server login user full control and "NT Service\sshd" Read access. 4. On the server running `sshd`, change the file permission of `authorized_keys` in a user's home directory to set the current user as owner and grant the current user Full Control and `NT Server\sshd` Read access.
``` ```powershell
$user = '<myusername>' $user = '<myusername>'
$userProfilePath = "$env:systemdrive\Users\<user>" $userProfilePath = "$env:systemdrive\Users\<user>"
$objUser = New-Object System.Security.Principal.NTAccount($user) $objUser = New-Object System.Security.Principal.NTAccount($user)
Set-SecureFileACL "$userProfilePath\.ssh\authorized_keys" -owner $objUser Set-SecureFileACL "$userProfilePath\.ssh\authorized_keys" -owner $objUser
Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read" Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read"
``` ```
5. On client machine, if user ssh_config is specified at $home\.ssh\config, make sure it is secured.
``` 5. On the client, if a user has their own `ssh_config` located at `~\.ssh\config`, it must be owned by that user (or a group to which that user belongs):
Set-SecureFileACL "$home\.ssh\config" ```powershell
Set-SecureFileACL "~\.ssh\config"
``` ```
[build13]: https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v0.0.13.0 [build13]: https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v0.0.13.0