fix HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH registry permissions (#484)

appveyor.yml

@@ -27,6 +27,6 @@ after_test:
       Publish-OpenSSHTestResults
       
 on_finish:
-  - ps: |      
+  - ps: |
       Import-Module $env:APPVEYOR_BUILD_FOLDER\contrib\win32\openssh\AppveyorHelper.psm1
-      Publish-Artifact
+      Publish-Artifact 

contrib/win32/openssh/AppveyorHelper.psm1

@@ -289,6 +289,8 @@ function Publish-Artifact
         Write-Host "Publishing $artifact as Appveyor artifact"
         Push-AppveyorArtifact $artifact -ErrorAction Continue
     }
+
+    Write-Host -ForegroundColor Yellow "End of publishing project artifacts"
 }
 
 <#

contrib/win32/openssh/OpenSSHTestHelper.psm1

@@ -203,7 +203,7 @@ WARNING: Following changes will be made to OpenSSH configuration
         {
             #only add the local user when it does not exists on the machine        
             net user $user $Script:OpenSSHTestAccountsPassword /ADD 2>&1 >> $Script:TestSetupLogFile
-        }        
+        }
     }
 
     #setup single sign on for ssouser

contrib/win32/openssh/install-sshd.ps1

@@ -47,6 +47,28 @@ finally {
     }
 }
 
+# Fix the registry permissions
+Import-Module $PSScriptRoot\OpenSSHUtils -Force
+Enable-Privilege SeRestorePrivilege | out-null
+
+$sshRootRegPath="HKLM:SOFTWARE/Openssh"
+if (Test-Path $sshRootRegPath)
+{
+    $sshRootAcl=Get-Acl $sshRootRegPath
+    # SDDL - FullAcess to System and Builtin/Admins and read only access to Authenticated users
+    $sshRootAcl.SetSecurityDescriptorSddlForm("O:BAG:SYD:P(A;OICI;KR;;;AU)(A;OICI;KA;;;SY)(A;OICI;KA;;;BA)")
+    Set-Acl $sshRootRegPath $sshRootAcl
+}
+
+$sshAgentRegPath="HKLM:SOFTWARE/Openssh/agent"
+if (Test-Path $sshAgentRegPath)
+{
+    $sshAgentAcl=Get-Acl $sshAgentRegPath
+    # SDDL - FullAcess to System and Builtin/Admins.
+    $sshAgentAcl.SetSecurityDescriptorSddlForm("O:BAG:SYD:P(A;OICI;KA;;;SY)(A;OICI;KA;;;BA)")
+    Set-Acl $sshAgentRegPath  $sshAgentAcl
+}
+
 #register etw provider
 wevtutil im `"$etwman`"
 

contrib/win32/win32compat/misc.c

@@ -2041,4 +2041,4 @@ strrstr(const char *inStr, const char *pattern)
 		last = tmp++;
 
 	return last;
-}
+}

contrib/win32/win32compat/misc_internal.h

@@ -81,4 +81,4 @@ wchar_t* get_final_path_by_handle(HANDLE h);
 int lookup_principal_name(const wchar_t * sam_account_name, wchar_t * user_principal_name);
 BOOL is_bash_test_env();
 int bash_to_win_path(const char *in, char *out, const size_t out_len);
-void debug_assert_internal();
+void debug_assert_internal();

contrib/win32/win32compat/pwd.c

@@ -74,7 +74,7 @@ set_defaultshell()
 	arg_buf[0] = L'\0';
 
 	tmp_len = _countof(path_buf);
-	if ((RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\OpenSSH", 0, mask, &reg_key) == ERROR_SUCCESS) &&
+	if ((RegOpenKeyExW(HKEY_LOCAL_MACHINE, SSH_REGISTRY_ROOT, 0, mask, &reg_key) == ERROR_SUCCESS) &&
 	    (RegQueryValueExW(reg_key, L"DefaultShell", 0, NULL, (LPBYTE)path_buf, &tmp_len) == ERROR_SUCCESS) &&
 	    (path_buf[0] != L'\0')) {
 		/* fetched default shell path from registry */

contrib/win32/win32compat/ssh-agent/agent.c

@@ -86,6 +86,20 @@ agent_listen_loop()
 	wait_events[0] = event_stop_agent;
 	wait_events[1] = ol.hEvent;
 
+	wchar_t* sddl_str;
+	memset(&sa, 0, sizeof(SECURITY_ATTRIBUTES));
+	sa.nLength = sizeof(sa);
+	/*
+	 * SDDL - GA to System and Builtin/Admins and restricted access to Authenticated users
+	 * 0x12019b - FILE_GENERIC_READ/WRITE minus FILE_CREATE_PIPE_INSTANCE
+	 */
+	sddl_str = L"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x12019b;;;AU)";
+	if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl_str, SDDL_REVISION_1,
+		&sa.lpSecurityDescriptor, &sa.nLength))
+		fatal("cannot convert sddl ERROR:%d", GetLastError());
+
+	sa.bInheritHandle = FALSE;
+
 	while (1) {
 		pipe = CreateNamedPipeW(
 			AGENT_PIPE_ID,		  // pipe name 
@@ -196,11 +210,9 @@ agent_start(BOOL dbg_mode)
 
 	memset(&sa, 0, sizeof(SECURITY_ATTRIBUTES));
 	sa.nLength = sizeof(sa);
-	/* 
-	 * SDDL - GA to System and Builtin/Admins and restricted access to Authenticated users
-	 * 0x12019b - FILE_GENERIC_READ/WRITE minus FILE_CREATE_PIPE_INSTANCE
-	 */
-	sddl_str = L"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x12019b;;;AU)";
+
+	// SDDL - FullAcess to System and Builtin/Admins
+	sddl_str = L"D:PAI(A;OICI;KA;;;SY)(A;OICI;KA;;;BA)";
 	if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl_str, SDDL_REVISION_1,
 	    &sa.lpSecurityDescriptor, &sa.nLength))
 		fatal("cannot convert sddl ERROR:%d", GetLastError());

contrib/win32/win32compat/win32_usertoken_utils.c

@@ -688,7 +688,7 @@ get_custom_lsa_package()
 	if (s_processed)
 		return s_lsa_auth_pkg;
 
-	if ((RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\OpenSSH", 0, mask, &reg_key) == ERROR_SUCCESS) &&
+	if ((RegOpenKeyExW(HKEY_LOCAL_MACHINE, SSH_REGISTRY_ROOT, 0, mask, &reg_key) == ERROR_SUCCESS) &&
 	    (RegQueryValueExW(reg_key, L"LSAAuthenticationPackage", 0, NULL, NULL, &lsa_auth_pkg_len) == ERROR_SUCCESS)) {
 		lsa_auth_pkg_w = (wchar_t *)malloc(lsa_auth_pkg_len); // lsa_auth_pkg_len includes the null terminating character.
 		if (!lsa_auth_pkg_w)

contrib/win32/win32compat/wmain_sshd.c

@@ -174,11 +174,8 @@ create_openssh_registry_key()
 	memset(&sa, 0, sizeof(SECURITY_ATTRIBUTES));
 	sa.nLength = sizeof(sa);
 
-	/*
-	* SDDL - FullAcess to System and Builtin/Admins and restricted access to Authenticated users
-	* 0x12019b - FILE_GENERIC_READ/WRITE minus FILE_CREATE_PIPE_INSTANCE
-	*/
-	sddl_str = L"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x12019b;;;AU)";
+	// SDDL - FullAcess to System and Builtin/Admins and read only access to Authenticated users
+	sddl_str = L"D:PAI(A;OICI;KA;;;SY)(A;OICI;KA;;;BA)(A;OICI;KR;;;AU)";
 	if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl_str, SDDL_REVISION_1, &sa.lpSecurityDescriptor, &sa.nLength)) {
 		printf("cannot convert sddl ERROR:%d", GetLastError());
 		return;

regress/pesterTests/Setup.Tests.ps1

@@ -275,7 +275,22 @@ Describe "Setup Tests" -Tags "Setup" {
                 @{
                     Identity=$authenticatedUserSid
                     IsInherited = $false
-                    RegistryRights = $RegReadKeyPerm -bor ([System.UInt32] [System.Security.AccessControl.RegistryRights]::SetValue.value__)
+                    RegistryRights = $RegReadKeyPerm
+                    PropagationFlags = "None"
+                }
+            )
+
+            $opensshAgentACLs = @(
+                @{
+                    Identity=$systemSid
+                    IsInherited = $false
+                    RegistryRights = $RegFullControlPerm
+                    PropagationFlags = "None"
+                },
+                @{
+                    Identity=$adminsSid
+                    IsInherited = $false
+                    RegistryRights = $RegFullControlPerm
                     PropagationFlags = "None"
                 }
             )
@@ -362,12 +377,12 @@ Describe "Setup Tests" -Tags "Setup" {
             $agentPath = Join-Path $opensshRegPath "Agent"
             if(Test-Path $agentPath -PathType Container)
             {
-                ValidateRegistryACL -RegPath $agentPath -IdAcls $opensshACLs
+                ValidateRegistryACL -RegPath $agentPath -IdAcls $opensshAgentACLs
             }
             elseif((-not $windowsInBox) -or ((Get-Service ssh-agent).StartType -ne ([System.ServiceProcess.ServiceStartMode]::Disabled)))
             {
                 Start-Service ssh-agent
-                ValidateRegistryACL -RegPath $agentPath -IdAcls $opensshACLs
+                ValidateRegistryACL -RegPath $agentPath -IdAcls $opensshAgentACLs
             }                            
         }
     }

regress/pesterTests/Uninstall.Tests.ps1

@@ -142,7 +142,7 @@ Describe "Uninstall Tests" -Tags "Uninstall" {
                 @{
                     Identity=$authenticatedUserSid
                     IsInherited = $false
-                    RegistryRights = $RegReadKeyPerm -bor ([System.UInt32] [System.Security.AccessControl.RegistryRights]::SetValue.value__)
+                    RegistryRights = $RegReadKeyPerm
                     PropagationFlags = "None"
                 }
             )