From 9491729542bfb193d10fe7cfd5f04b028b543833 Mon Sep 17 00:00:00 2001
From: Manoj Ampalam
Date: Tue, 9 May 2017 21:46:46 -0700
Subject: [PATCH] Revert recent change and run sshd back in service account (#134)
https://github.com/PowerShell/Win32-OpenSSH/issues/681
---
 contrib/win32/openssh/install-sshd.ps1 | 70 +++++++++++++++++++++++++-
 1 file changed, 68 insertions(+), 2 deletions(-)
diff --git a/contrib/win32/openssh/install-sshd.ps1 b/contrib/win32/openssh/install-sshd.ps1
index 39078d1ab..fbdc56574 100644
--- a/contrib/win32/openssh/install-sshd.ps1
+++ b/contrib/win32/openssh/install-sshd.ps1
@@ -11,6 +11,70 @@ $logsdir = Join-Path $scriptdir "logs" $sshdAccount = "NT SERVICE\SSHD" +#Idea borrowed from http://sqldbamusings.blogspot.com/2012/03/powershell-adding-accounts-to-local.html +function Add-Privilege +{ + param( + [string] $Account, + + [ValidateSet("SeAssignPrimaryTokenPrivilege", "SeServiceLogonRight")] + [string] $Privilege + ) + + #Get $Account SID + $account_sid = $null + try + { + $ntprincipal = new-object System.Security.Principal.NTAccount "$Account" + $sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier]) + $account_sid = $sid.Value.ToString() + } + catch + { + Throw 'Unable to resolve '+ $Account + } + + #Prepare policy settings file to be applied + $settings_to_export = [System.IO.Path]::GetTempFileName() + "[Unicode]" | Set-Content $settings_to_export -Encoding Unicode + "Unicode=yes" | Add-Content $settings_to_export -Force -WhatIf:$false + "[Version]" | Add-Content $settings_to_export -Force -WhatIf:$false + "signature=`"`$CHICAGO`$`"" | Add-Content $settings_to_export -Force -WhatIf:$false + "Revision=1" | Add-Content $settings_to_export -Force -WhatIf:$false + "[Privilege Rights]" | Add-Content $settings_to_export -Force -WhatIf:$false + + #Get Current policy settings + $imported_settings = [System.IO.Path]::GetTempFileName() + secedit.exe /export /areas USER_RIGHTS /cfg "$($imported_settings)" > $null + + if (-not(Test-Path $imported_settings)) { + Throw "Unable to import current security policy settings" + } + + #find current assigned accounts to $Privilege and add it to $settings_to_export + $current_settings = Get-Content $imported_settings -Encoding Unicode + $existing_setting = $null + foreach ($setting in $current_settings) { + if ($setting -like "$Privilege`*") { + $existing_setting = $setting + } + } + + #Add $account_sid to list + if ($existing_setting -eq $null) { + $Privilege + " = *" + $account_sid | Add-Content $settings_to_export -Force -WhatIf:$false + } + else + { + $existing_setting + ",*" 
+ $account_sid | Add-Content $settings_to_export -Force -WhatIf:$false + } + + #export + secedit.exe /configure /db "secedit.sdb" /cfg "$($settings_to_export)" /areas USER_RIGHTS > $null + +} + + if (-not (Test-Path $sshdpath)) { throw "sshd.exe is not present in script path" } @@ -31,8 +95,10 @@ New-Service -Name ssh-agent -BinaryPathName $sshagentpath -Description "SSH Agen cmd.exe /c 'sc.exe sdset ssh-agent D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RP;;;AU)' New-Service -Name sshd -BinaryPathName $sshdpath -Description "SSH Daemon" -StartupType Manual -DependsOn ssh-agent | Out-Null -sc.exe config sshd obj= "NT AUTHORITY\NetworkService" -sc.exe sidtype sshd unrestricted +sc.exe config sshd obj= $sshdAccount + +Add-Privilege -Account $sshdAccount -Privilege SeAssignPrimaryTokenPrivilege +Add-Privilege -Account $sshdAccount -Privilege SeServiceLogonRight if(-not (test-path $logsdir -PathType Container)) {
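Review bot: The `if (-not(Test-Path $imported_settings))` guard in Add-Privilege can never fire, because `[System.IO.Path]::GetTempFileName()` has already created that file before `secedit.exe /export` runs, so a failed export (for instance when the installer is not elevated) goes unnoticed, `$existing_setting` stays `$null`, and the template is written with only the new SID — which `/configure` then appears to apply as the complete holder list for that right, dropping whoever held it before. Neither secedit.exe call inspects `$LASTEXITCODE` and both redirect their output to `$null`, so a failed `/configure` also leaves sshd without SeServiceLogonRight while the script reports success. Replace the guard with `if ($LASTEXITCODE -ne 0) { Throw "secedit.exe /export failed with exit code $LASTEXITCODE" }` and add the same check after the `/configure` call. The two temp files and the `/db "secedit.sdb"` database, which is a relative path and so lands in whatever directory the installer is run from, are never removed; a `Remove-Item $settings_to_export, $imported_settings -Force -ErrorAction SilentlyContinue` in a `finally` block, and a `/db` path under `$env:TEMP`, would stop the exported user-rights policy from lingering on disk.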