update the script so it compile on psh 2.0 on win7 (#160)

PowerShell/Win32-OpenSSH#758
Yanbing 2017-06-06 21:07:05 -07:00 committed by Manoj Ampalam
parent aa992ff908
commit 19733a0811
3 changed files with 60 additions and 22 deletions


@ -1,4 +1,5 @@
param ([switch]$Quiet) param ([switch]$Quiet)
If (!(Test-Path variable:PSScriptRoot)) {$PSScriptRoot = Split-Path -Parent $MyInvocation.MyCommand.Definition}
Import-Module $PSScriptRoot\OpenSSHUtils.psm1 -Force -DisableNameChecking Import-Module $PSScriptRoot\OpenSSHUtils.psm1 -Force -DisableNameChecking
#check sshd config file #check sshd config file
@ -33,14 +34,19 @@ If you choose not to register the keys with ssh-agent, please grant sshd read ac
Write-Host " " Write-Host " "
}#> }#>
Get-ChildItem $PSScriptRoot\ssh_host_*_key -ErrorAction Ignore | % { Get-ChildItem $PSScriptRoot\ssh_host_*_key -ErrorAction SilentlyContinue | % {
Fix-HostKeyPermissions -FilePath $_.FullName @psBoundParameters Fix-HostKeyPermissions -FilePath $_.FullName @psBoundParameters
} }
#check authorized_keys #check authorized_keys
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" -ErrorAction Ignore | % { Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" -ErrorAction SilentlyContinue | % {
$userProfilePath = Get-ItemPropertyValue $_.pspath -Name ProfileImagePath -ErrorAction Ignore $properties = Get-ItemProperty $_.pspath -ErrorAction SilentlyContinue
$userProfilePath = ""
if($properties)
{
$userProfilePath = $properties.ProfileImagePath
}
$filePath = Join-Path $userProfilePath .ssh\authorized_keys $filePath = Join-Path $userProfilePath .ssh\authorized_keys
if(Test-Path $filePath -PathType Leaf) if(Test-Path $filePath -PathType Leaf)
{ {
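Review bot: When `Get-ItemProperty` returns nothing, `$userProfilePath` is left as `""` and the `Join-Path $userProfilePath .ssh\authorized_keys` line that follows fails with a parameter-binding error instead of quietly skipping that profile; adding `if (-not $userProfilePath) { return }` right after the `if($properties)` block makes the `%` script block move on to the next ProfileList entry. The equivalent lookup in OpenSSHUtils.psm1's Fix-AuthorizedKeyPermissions initialises the same variable to `$null`, so one initial value in both places would also make the intent easier to follow. The `%` script block continues past the end of the hunk.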


@ -1,4 +1,6 @@
param ([switch]$Quiet) param ([switch]$Quiet)
If (!(Test-Path variable:PSScriptRoot)) {$PSScriptRoot = Split-Path -Parent $MyInvocation.MyCommand.Definition}
Import-Module $PSScriptRoot\OpenSSHUtils.psm1 -Force -DisableNameChecking Import-Module $PSScriptRoot\OpenSSHUtils.psm1 -Force -DisableNameChecking
if(Test-Path ~\.ssh\config -PathType Leaf) if(Test-Path ~\.ssh\config -PathType Leaf)
@ -6,7 +8,7 @@ if(Test-Path ~\.ssh\config -PathType Leaf)
Fix-UserSSHConfigPermissions -FilePath ~\.ssh\config @psBoundParameters Fix-UserSSHConfigPermissions -FilePath ~\.ssh\config @psBoundParameters
} }
Get-ChildItem ~\.ssh\* -Include "id_rsa","id_dsa" -ErrorAction Ignore | % { Get-ChildItem ~\.ssh\* -Include "id_rsa","id_dsa" -ErrorAction SilentlyContinue | % {
Fix-UserKeyPermissions -FilePath $_.FullName @psBoundParameters Fix-UserKeyPermissions -FilePath $_.FullName @psBoundParameters
} }
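Review bot: The new `If (!(Test-Path variable:PSScriptRoot))` fallback on line 2 carries no comment saying why it exists, and the same line is duplicated verbatim in FixHostFilePermissions.ps1; on PowerShell 3 and later `$PSScriptRoot` is always set, so a reader there may well remove it as dead code. A one-line comment such as `# PowerShell 2.0 only populates $PSScriptRoot inside modules; derive the script directory from the invocation` at both copies would prevent that.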


@ -17,7 +17,14 @@ function Fix-HostSSHDConfigPermissions
[string]$FilePath, [string]$FilePath,
[switch] $Quiet) [switch] $Quiet)
Fix-FilePermissions -Owners $systemAccount,$adminsAccount -ReadAccessNeeded $sshdAccount @psBoundParameters if ($PSVersionTable.CLRVersion.Major -gt 2)
{
Fix-FilePermissions -Owners $systemAccount,$adminsAccount -ReadAccessNeeded $sshdAccount @psBoundParameters
}
else
{
Fix-FilePermissions -Owners $adminsAccount, $systemAccount -ReadAccessNeeded $sshdAccount @psBoundParameters
}
} }
<# <#
@ -38,10 +45,25 @@ function Fix-HostKeyPermissions
{ {
$parameters["FilePath"] = $parameters["FilePath"].Replace(".pub", "") $parameters["FilePath"] = $parameters["FilePath"].Replace(".pub", "")
} }
Fix-FilePermissions -Owners $systemAccount,$adminsAccount -ReadAccessNeeded $sshdAccount @psBoundParameters if ($PSVersionTable.CLRVersion.Major -gt 2)
{
Fix-FilePermissions -Owners $systemAccount,$adminsAccount -ReadAccessNeeded $sshdAccount @psBoundParameters
}
else
{
# issue in ps 2.0: system account is not allowed to set to a owner of the file
Fix-FilePermissions -Owners $adminsAccount, $systemAccount -ReadAccessNeeded $sshdAccount @psBoundParameters
}
$parameters["FilePath"] += ".pub" $parameters["FilePath"] += ".pub"
Fix-FilePermissions -Owners $systemAccount,$adminsAccount -ReadAccessOK $everyone -ReadAccessNeeded $sshdAccount @parameters if ($PSVersionTable.CLRVersion.Major -gt 2)
{
Fix-FilePermissions -Owners $systemAccount,$adminsAccount -ReadAccessOK $everyone -ReadAccessNeeded $sshdAccount @parameters
}
else
{
Fix-FilePermissions -Owners $adminsAccount,$systemAccount -ReadAccessOK $everyone -ReadAccessNeeded $sshdAccount @parameters
}
} }
<# <#
@ -64,8 +86,14 @@ function Fix-AuthorizedKeyPermissions
} }
$fullPath = (Resolve-Path $FilePath).Path $fullPath = (Resolve-Path $FilePath).Path
$profileListPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" $profileListPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
$profileItem = Get-ChildItem $profileListPath -ErrorAction Ignore | ? { $profileItem = Get-ChildItem $profileListPath -ErrorAction SilentlyContinue | ? {
$fullPath.ToLower().Contains((Get-ItemPropertyValue $_.PSPath -Name ProfileImagePath -ErrorAction Ignore).Tolower()) $properties = Get-ItemProperty $_.pspath -ErrorAction SilentlyContinue
$userProfilePath = $null
if($properties)
{
$userProfilePath = $properties.ProfileImagePath
}
$fullPath -ieq "$userProfilePath\.ssh\authorized_keys"
} }
if($profileItem) if($profileItem)
{ {
@ -77,7 +105,7 @@ function Fix-AuthorizedKeyPermissions
} }
else else
{ {
Write-Warning "Can't translate $userSid to an account. skip $fullPath..." -ForegroundColor Yellow Write-host "Can't translate $userSid to an account. skip checking $fullPath..." -ForegroundColor Yellow
} }
} }
else else
@ -186,7 +214,9 @@ function Fix-FilePermissionInternal {
$result = 'Y' $result = 'Y'
} }
if(-not $Owners.Contains([System.Security.Principal.NTAccount]$($acl.Owner))) $validOwner = $owners | ? { $_.equals([System.Security.Principal.NTAccount]$acl.owner)}
if($validOwner -eq $null)
{ {
if (-not $Quiet) { if (-not $Quiet) {
$warning = "Current owner: '$($acl.Owner)'. '$($Owners[0])' should own $FilePath." $warning = "Current owner: '$($acl.Owner)'. '$($Owners[0])' should own $FilePath."
@ -231,23 +261,23 @@ function Fix-FilePermissionInternal {
$specialIdRefs = "ALL APPLICATION PACKAGES","ALL RESTRICTED APPLICATION PACKAGES" $specialIdRefs = "ALL APPLICATION PACKAGES","ALL RESTRICTED APPLICATION PACKAGES"
foreach($a in $acl.Access) foreach($a in $acl.Access)
{ {
if(($realAnyAccessOKList -ne $null) -and $realAnyAccessOKList.Contains($a.IdentityReference)) if($realAnyAccessOKList -and (($realAnyAccessOKList | ? { $_.equals($a.IdentityReference)}) -ne $null))
{ {
#ignore those accounts listed in the AnyAccessOK list. #ignore those accounts listed in the AnyAccessOK list.
} }
#If everyone is in the ReadAccessOK list, any user can have read access; #If everyone is in the ReadAccessOK list, any user can have read access;
# below block make sure they are granted Read access only # below block make sure they are granted Read access only
elseif($realReadAcessOKList -and (($realReadAcessOKList.Contains($everyone)) -or ` elseif($realReadAcessOKList -and (($realReadAcessOKList | ? { $_.Equals($everyone)}) -ne $null) -or `
($realReadAcessOKList.Contains($a.IdentityReference)))) (($realReadAcessOKList | ? { $_.equals($a.IdentityReference)}) -ne $null))
{ {
if($realReadAccessNeeded -and ($a.IdentityReference.Equals($everyone))) if($realReadAccessNeeded -and ($a.IdentityReference.Equals($everyone)))
{ {
$realReadAccessNeeded.Clear() $realReadAccessNeeded=@()
} }
elseif($realReadAccessNeeded -and $realReadAccessNeeded.Contains($a.IdentityReference)) elseif($realReadAccessNeeded)
{ {
$realReadAccessNeeded = $realReadAccessNeeded | ? { -not $_.Equals($a.IdentityReference) } $realReadAccessNeeded = $realReadAccessNeeded | ? { -not $_.Equals($a.IdentityReference) }
} }
if (-not ($a.AccessControlType.Equals([System.Security.AccessControl.AccessControlType]::Allow)) -or ` if (-not ($a.AccessControlType.Equals([System.Security.AccessControl.AccessControlType]::Allow)) -or `
@ -261,7 +291,7 @@ function Fix-FilePermissionInternal {
{ {
if($needChange) if($needChange)
{ {
Set-Acl -Path $FilePath -AclObject $acl Set-Acl -Path $FilePath -AclObject $acl
} }
$message = @" $message = @"
@ -289,7 +319,7 @@ Need to remove inheritance to fix it.
{ {
$needChange = $true $needChange = $true
$idRefShortValue = ($a.IdentityReference.Value).split('\')[-1] $idRefShortValue = ($a.IdentityReference.Value).split('\')[-1]
if ($idRefShortValue -in $specialIdRefs ) if ($specialIdRefs -icontains $idRefShortValue )
{ {
$ruleIdentity = Get-UserSID -User (New-Object Security.Principal.NTAccount $idRefShortValue) $ruleIdentity = Get-UserSID -User (New-Object Security.Principal.NTAccount $idRefShortValue)
if($ruleIdentity) if($ruleIdentity)
@ -351,7 +381,7 @@ Need to remove inheritance to fix it.
$needChange = $true $needChange = $true
$ace = $a $ace = $a
$idRefShortValue = ($a.IdentityReference.Value).split('\')[-1] $idRefShortValue = ($a.IdentityReference.Value).split('\')[-1]
if ($idRefShortValue -in $specialIdRefs ) if ($specialIdRefs -icontains $idRefShortValue)
{ {
$ruleIdentity = Get-UserSID -User (New-Object Security.Principal.NTAccount $idRefShortValue) $ruleIdentity = Get-UserSID -User (New-Object Security.Principal.NTAccount $idRefShortValue)
if($ruleIdentity) if($ruleIdentity)
@ -509,7 +539,7 @@ function Get-UserSID
param ([System.Security.Principal.NTAccount]$User) param ([System.Security.Principal.NTAccount]$User)
try try
{ {
$User.Translate([System.Security.Principal.SecurityIdentifier]) $User.Translate([System.Security.Principal.SecurityIdentifier])
} }
catch { catch {
} }
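Review bot: The `$PSVersionTable.CLRVersion.Major -gt 2` branch appears once in Fix-HostSSHDConfigPermissions and twice in Fix-HostKeyPermissions, each time only swapping the order of the `-Owners` list, while the reason (`# issue in ps 2.0: system account is not allowed to set to a owner of the file`) is written at just one of the three copies. Because Fix-FilePermissionInternal treats `$Owners[0]` as the owner to apply (its warning reads `'$($Owners[0])' should own $FilePath`), the swap means that on PowerShell 2.0 sshd_config and the host keys end up owned by Administrators rather than SYSTEM, and that consequence should be stated once where the choice is made. Computing the list in one small helper keeps the three call sites identical and gives the comment a single home; if the limitation is really tied to the PowerShell version rather than the CLR, `$PSVersionTable.PSVersion.Major` would also be the more direct test. All three enclosing functions start outside their hunks.
```powershell
# PowerShell 2.0 cannot make the SYSTEM account the owner of a file, and
# Fix-FilePermissionInternal applies $Owners[0] as the owner, so on that
# version Administrators is listed first (the files are then owned by
# Administrators instead of SYSTEM).
function Get-HostFileOwners
{
    if ($PSVersionTable.CLRVersion.Major -gt 2)
    {
        return $systemAccount,$adminsAccount
    }
    return $adminsAccount,$systemAccount
}

# … unchanged: Fix-HostSSHDConfigPermissions param block …
    Fix-FilePermissions -Owners (Get-HostFileOwners) -ReadAccessNeeded $sshdAccount @psBoundParameters

# … unchanged: Fix-HostKeyPermissions parameter handling …
    Fix-FilePermissions -Owners (Get-HostFileOwners) -ReadAccessNeeded $sshdAccount @psBoundParameters
    $parameters["FilePath"] += ".pub"
    Fix-FilePermissions -Owners (Get-HostFileOwners) -ReadAccessOK $everyone -ReadAccessNeeded $sshdAccount @parameters
```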