From 672c7eb2708cbb348e90c63e23e6f705ca82bfbf Mon Sep 17 00:00:00 2001
From: Tess Gauthier
Date: Mon, 21 Mar 2022 18:02:15 -0400
Subject: [PATCH] Update install sshd (#585)

---
 contrib/win32/openssh/OpenSSHUtils.psm1 | 51 +++++++++++++++++--------
 contrib/win32/openssh/install-sshd.ps1 | 17 ++++++++-
 2 files changed, 52 insertions(+), 16 deletions(-)

diff --git a/contrib/win32/openssh/OpenSSHUtils.psm1 b/contrib/win32/openssh/OpenSSHUtils.psm1
index a4fbc77bd..cace31ecb 100644
--- a/contrib/win32/openssh/OpenSSHUtils.psm1
+++ b/contrib/win32/openssh/OpenSSHUtils.psm1
@@ -273,7 +273,7 @@ function Repair-UserSshConfigPermission
 <#
 .Synopsis
 Repair-SSHFolderPermission
- Repair the file owner and permission of ssh folder & any files inside it
+ Repair the folder owner and permission of ProgramData\ssh folder
 #>
 function Repair-SSHFolderPermission
 {
@@ -281,20 +281,41 @@ function Repair-SSHFolderPermission
 param (
 [parameter(Mandatory=$true)]
 [ValidateNotNullOrEmpty()]
- [string]$sshProgDataPath)
+ [string]$FilePath)
 
- # SSH Folder - owner: System or Admins; full access: System, Admins; read or readandexecute/synchronize permissible: Authenticated Users
- Repair-FilePermission -FilePath $sshProgDataPath -Owners $adminsSid, $systemSid -FullAccessNeeded $adminsSid,$systemSid -ReadAndExecuteAccessOK $authenticatedUserSid
- # Files in SSH Folder (excluding private key files)
- # owner: System or Admins; full access: System, Admins; read/readandexecute/synchronize permissable: Authenticated Users
- $privateKeyFiles = @("ssh_host_dsa_key", "ssh_host_ecdsa_key", "ssh_host_ed25519_key", "ssh_host_rsa_key")
- Get-ChildItem -Path (Join-Path $sshProgDataPath '*') -Recurse -Exclude ($privateKeyFiles) -Force | ForEach-Object {
- Repair-FilePermission -FilePath $_.FullName -Owners $adminsSid, $systemSid -FullAccessNeeded $adminsSid, $systemSid -ReadAndExecuteAccessOK $authenticatedUserSid
- }
- # Private key files - owner: System or Admins; full access: System, Admins
- Get-ChildItem -Path (Join-Path $sshProgDataPath '*') -Recurse -Include $privateKeyFiles -Force | ForEach-Object {
- Repair-FilePermission -FilePath $_.FullName -Owners $adminsSid, $systemSid -FullAccessNeeded $systemSid, $adminsSid
- }
+ Repair-FilePermission -Owners $adminsSid, $systemSid -FullAccessNeeded $adminsSid,$systemSid -ReadAndExecuteAccessOK $authenticatedUserSid @psBoundParameters
+}
+
+<#
+ .Synopsis
+ Repair-SSHFolderFilePermission
+ Repair the file owner and permission of general files inside ProgramData\ssh folder
+#>
+function Repair-SSHFolderFilePermission
+{
+ [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact="High")]
+ param (
+ [parameter(Mandatory=$true)]
+ [ValidateNotNullOrEmpty()]
+ [string]$FilePath)
+
+ Repair-FilePermission -Owners $adminsSid, $systemSid -FullAccessNeeded $adminsSid, $systemSid -ReadAndExecuteAccessOK $authenticatedUserSid @psBoundParameters
+}
+
+<#
+ .Synopsis
+ Repair-SSHFolderPrivateKeyPermission
+ Repair the file owner and permission of private key files inside ProgramData\ssh folder
+#>
+function Repair-SSHFolderPrivateKeyPermission
+{
+ [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact="High")]
+ param (
+ [parameter(Mandatory=$true)]
+ [ValidateNotNullOrEmpty()]
+ [string]$FilePath)
+
+ Repair-FilePermission -Owners $adminsSid, $systemSid -FullAccessNeeded $systemSid, $adminsSid @psBoundParameters
 }
 
 <#
@@ -808,4 +829,4 @@ function Enable-Privilege {
 $type[0]::EnablePrivilege($Privilege, $Disable)
 }
 
-Export-ModuleMember -Function Repair-FilePermission, Repair-SshdConfigPermission, Repair-SshdHostKeyPermission, Repair-AuthorizedKeyPermission, Repair-UserKeyPermission, Repair-UserSshConfigPermission, Enable-Privilege, Get-UserAccount, Get-UserSID, Repair-AdministratorsAuthorizedKeysPermission, Repair-ModuliFilePermission, Repair-SSHFolderPermission
+Export-ModuleMember -Function Repair-FilePermission, Repair-SshdConfigPermission, Repair-SshdHostKeyPermission, Repair-AuthorizedKeyPermission, Repair-UserKeyPermission, Repair-UserSshConfigPermission, Enable-Privilege, Get-UserAccount, Get-UserSID, Repair-AdministratorsAuthorizedKeysPermission, Repair-ModuliFilePermission, Repair-SSHFolderPermission, Repair-SSHFolderFilePermission, Repair-SSHFolderPrivateKeyPermission
diff --git a/contrib/win32/openssh/install-sshd.ps1 b/contrib/win32/openssh/install-sshd.ps1
index 94a3ba1f8..1e7a041d7 100644
--- a/contrib/win32/openssh/install-sshd.ps1
+++ b/contrib/win32/openssh/install-sshd.ps1
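Review bot: Renaming the single parameter of the exported `Repair-SSHFolderPermission` from `-sshProgDataPath` to `-FilePath` breaks any caller outside install-sshd.ps1 that still uses the old name, and because the function also stops walking the tree, such a caller that passes the folder now has every file under it left untouched; `[Alias('sshProgDataPath')]` on the parameter keeps the old spelling accepted (PSBoundParameters should still carry the canonical name, so the `@psBoundParameters` splat is unaffected), and the synopsis should say plainly that only the folder entry itself is repaired. The three synopses also drop the ACL contract that the removed inline comments spelled out; each function's help should state which principals may own the object and hold full control, and the private-key variant should say that no read access is tolerated for Authenticated Users, since omitting `-ReadAndExecuteAccessOK` is the only thing that distinguishes it from `Repair-SSHFolderFilePermission`. `$adminsSid`, `$systemSid` and `$authenticatedUserSid` are read here but defined outside the hunk, as is `Repair-FilePermission`.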
@@ -4,6 +4,10 @@
 # @bingbing8 - removed secedit.exe dependency
 # @tessgauthier - added permissions check for %programData%/ssh
 
+[CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact="High")]
+param ()
+Set-StrictMode -Version 2.0
+
 $ErrorActionPreference = 'Stop'
 
 if (!([bool]([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")))
@@ -89,7 +93,18 @@ if (Test-Path $moduliPath -PathType Leaf)
 $sshProgDataPath = Join-Path $env:ProgramData "ssh"
 if (Test-Path $sshProgDataPath)
 {
- Repair-SSHFolderPermission -sshProgDataPath $sshProgDataPath
+ # SSH Folder - owner: System or Admins; full access: System, Admins; read or readandexecute/synchronize permissible: Authenticated Users
+ Repair-SSHFolderPermission -FilePath $sshProgDataPath @psBoundParameters
+ # Files in SSH Folder (excluding private key files)
+ # owner: System or Admins; full access: System, Admins; read/readandexecute/synchronize permissable: Authenticated Users
+ $privateKeyFiles = @("ssh_host_dsa_key", "ssh_host_ecdsa_key", "ssh_host_ed25519_key", "ssh_host_rsa_key")
+ Get-ChildItem -Path (Join-Path $sshProgDataPath '*') -Recurse -Exclude ($privateKeyFiles) -Force | ForEach-Object {
+ Repair-SSHFolderFilePermission -FilePath $_.FullName @psBoundParameters
+ }
+ # Private key files - owner: System or Admins; full access: System, Admins
+ Get-ChildItem -Path (Join-Path $sshProgDataPath '*') -Recurse -Include $privateKeyFiles -Force | ForEach-Object {
+ Repair-SSHFolderPrivateKeyPermission -FilePath $_.FullName @psBoundParameters
+ }
 }
 
 #register etw provider
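Review bot: The new `[CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact="High")]` and `param ()` make `-WhatIf` and `-Confirm` part of install-sshd.ps1's interface, but the authorship comments directly above are the script's only documentation, so nothing tells an operator that only the steps which forward `@psBoundParameters` honour `-WhatIf`, or that the High impact setting may prompt at each permission repair unless `-Confirm:$false` is supplied. A comment-based help block (`.SYNOPSIS`, `.DESCRIPTION`, and `.NOTES` covering those two points) between the authorship lines and the attribute would close that gap. Whether the remaining steps of the script check `$PSCmdlet.ShouldProcess` is outside this hunk; if they do not, they still run under `-WhatIf`. `Set-StrictMode -Version 2.0` now governs the whole script, so any later read of an unassigned variable becomes a terminating error and every branch should be exercised once with it in place.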
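Review bot: The two `ForEach-Object` script blocks splat `@psBoundParameters`, but inside a script block that automatic variable presumably describes the block's own (empty) parameter set rather than the script's, in which case `-WhatIf`/`-Confirm` given to install-sshd.ps1 would reach `Repair-SSHFolderPermission` but not the per-file `Repair-SSHFolderFilePermission` and `Repair-SSHFolderPrivateKeyPermission` calls, and a dry run would still rewrite file ACLs — worth verifying with `-WhatIf` on a populated folder. Capturing the set once before the loops, `$repairArgs = $PSBoundParameters`, and splatting `@repairArgs` at all three call sites removes the scope question either way. Separately, private keys are recognised only by the four literal names in `$privateKeyFiles`, so a host key under any other name (one configured via `HostKey` in sshd_config, or a leftover copy) falls into the general-file pass, which per its comment permits Authenticated Users read access; `$privateKeyFiles = @("ssh_host_*_key")` covers the standard names and future algorithms, and the custom-name case deserves a comment next to the list. The enclosing `if (Test-Path $sshProgDataPath)` block is complete within the hunk.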