
Security protection of various files in Win32 OpenSSH

Joey Aiello edited this page May 12, 2017 · 28 revisions
General Introduction

Starting with build v0.0.13.0, Win32 OpenSSH makes sure files are secured before it loads them, and ssh-keygen.exe generates key files with protected permissions. 'Secured' means:

  1. The file owner must be one of these account types: the local Administrators group, the local SYSTEM account, a member of the local Administrators group, or the current process user.
  2. For authorized_keys and host keys, "NT Service\sshd" must have Read access to the file and nothing more.
  3. No account other than those listed in (1) (and sshd, where (2) applies) may have access to the file.

Utility scripts to adjust file permissions:

  1. Remove inheritance from the file, set its owner, and grant the owner full control; every other ACE is removed. Setting the owner to an account other than the one running the script requires an elevated (administrator) PowerShell session.

```powershell
function Set-SecureFileACL
{
    param(
        [string]$FilePath,
        [System.Security.Principal.NTAccount]$Owner = $null
        )

    # Stop inheriting from the parent folder; the inherited ACEs are copied as explicit ones for now
    $myACL = Get-ACL -Path $FilePath
    $myACL.SetAccessRuleProtection($True, $True)
    Set-Acl -Path $FilePath -AclObject $myACL

    $myACL = Get-ACL $FilePath
    $actualOwner = $null
    if($Owner -eq $null)
    {
        # Default to the user running the script
        $actualOwner = New-Object System.Security.Principal.NTAccount($($env:USERDOMAIN), $($env:USERNAME))
    }
    else
    {
        $actualOwner = $Owner
    }

    $myACL.SetOwner($actualOwner)

    # Drop every existing ACE, including the ones copied from the parent above
    if($myACL.Access)
    {
        $myACL.Access | % {
            if(-not ($myACL.RemoveAccessRule($_)))
            {
                throw "failed to remove access of $($_.IdentityReference.Value) rule in setup "
            }
        }
    }

    # The owner becomes the only principal with access to the file
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
        ($actualOwner, "FullControl", "None", "None", "Allow")
    $myACL.AddAccessRule($objACE)
    Set-Acl -Path $FilePath -AclObject $myACL
}

# Usage (the function must be defined before it is called)
$user = "<myusername>"
$objUser = New-Object System.Security.Principal.NTAccount($user)
Set-SecureFileACL -FilePath "$env:systemdrive\Users\$user\.ssh\authorized_keys" -Owner $objUser
```
  2. Grant "NT Service\sshd" Read permission on a file. The ACE is added to the existing ACL; nothing else is changed.

```powershell
function Add-PermissionToFileACL
{
    param(
        [string]$FilePath,
        [System.Security.Principal.NTAccount] $User,
        [System.Security.AccessControl.FileSystemRights]$Perm)

    # Append an explicit Allow ACE for $User with the requested rights
    $myACL = Get-ACL $FilePath
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
        ($User, $Perm, "None", "None", "Allow")
    $myACL.AddAccessRule($objACE)
    Set-Acl -Path $FilePath -AclObject $myACL
}

# Usage: $hostPrivateKeyFilePath holds the path of the host private key; the public key sits beside it
Add-PermissionToFileACL -FilePath "$hostPrivateKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read"
```

Settings for Win32 OpenSSH to work end to end

For users who want to use host and user keys generated by ssh-keygen.exe after build v0.0.13.0

Newly generated keys have the current login user as owner and grant only that owner full control, so sshd has no access to them until it is granted explicitly.

  1. On the server machine, grant "NT Service\sshd" Read access to both the private and the public host key file; without it sshd cannot load the host key.
```powershell
Add-PermissionToFileACL -FilePath $hostPrivateKeyFilePath -User "NT Service\sshd" -Perm "Read"
Add-PermissionToFileACL -FilePath "$hostPrivateKeyFilePath.pub" -User "NT Service\sshd" -Perm "Read"
```
  2. On the server machine, grant "NT Service\sshd" Read access to authorized_keys in the user's home directory.
```powershell
$user = '<myusername>'
$userProfilePath = "$env:systemdrive\Users\$user"
Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read"
```
  3. On the client machine, if a user ssh_config exists at $home\.ssh\config, make sure it is secured.
```powershell
Set-SecureFileACL "$home\.ssh\config"
```

For users with existing host and user keys generated before build v0.0.13.0

Keys generated by ssh-keygen.exe before v0.0.13.0 inherit permissions from the parent folder, so accounts outside the allowed account types may also have access to the files.

  1. On the server machine, adjust the permissions of the private host key: set the current user as owner with full control, and grant "NT Service\sshd" Read access.
```powershell
Set-SecureFileACL -FilePath $hostPrivateKeyFilePath
Add-PermissionToFileACL -FilePath $hostPrivateKeyFilePath -User "NT Service\sshd" -Perm "Read"
```
  2. On the server machine, adjust the permissions of the public host key: grant "NT Service\sshd" Read access.
```powershell
Add-PermissionToFileACL -FilePath $hostPublicKeyFilePath -User "NT Service\sshd" -Perm "Read"
```
  3. Adjust the permissions of a user key file before supplying it to ssh-add, scp, ssh or sftp: set the current user as owner with full control.
```powershell
Set-SecureFileACL -FilePath $userPrivateKeyFilePath
```
  4. On the server machine, adjust the permissions of authorized_keys in the user's home directory: set the server login user as owner with full control, and grant "NT Service\sshd" Read access.
```powershell
$user = '<myusername>'
$userProfilePath = "$env:systemdrive\Users\$user"
$objUser = New-Object System.Security.Principal.NTAccount($user)
Set-SecureFileACL "$userProfilePath\.ssh\authorized_keys" -Owner $objUser
Add-PermissionToFileACL -FilePath "$userProfilePath\.ssh\authorized_keys" -User "NT Service\sshd" -Perm "Read"
```
  5. On the client machine, if a user ssh_config exists at $home\.ssh\config, make sure it is secured.
```powershell
Set-SecureFileACL "$home\.ssh\config"
```
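As an added example (not part of this wiki or of the Win32-OpenSSH project), the script below checks the files touched by the steps above against the three 'secured' conditions from the General Introduction without changing anything, so it can be run before and after the adjustment scripts. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember), that $hostPrivateKeyFilePath and $user are set as in the steps above, and that the service SID of "NT Service\sshd" resolves only where sshd is installed, so on a client the sshd-specific checks are skipped. Test-SecureFileACL is a name chosen here, not a function shipped with Win32 OpenSSH.

```powershell
# Added example, not Win32-OpenSSH project code: audit a file against the three "secured"
# conditions (allowed owner, sshd Read-only where required, no other principals).
# Assumption: Windows PowerShell 5.1+ so that Get-LocalGroupMember is available.
function Test-SecureFileACL
{
    param(
        [Parameter(Mandatory = $true)][string]$FilePath,
        # Set this for host keys and authorized_keys, which "NT Service\sshd" must be able to read
        [switch]$RequireSshdRead
    )

    $adminsSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')  # local Administrators
    $systemSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')      # local SYSTEM
    $current   = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Allowed identities: Administrators, SYSTEM, the current process user and the direct
    # members of Administrators (nested domain groups are not expanded here).
    $allowed = @($adminsSid, $systemSid, $current.User)
    try { $allowed += @(Get-LocalGroupMember -SID $adminsSid -ErrorAction Stop | ForEach-Object { $_.SID }) } catch { }

    # The service SID only resolves on a machine where the sshd service is installed
    $sshdSid = $null
    try {
        $sshdSid = (New-Object System.Security.Principal.NTAccount('NT Service\sshd')).Translate(
            [System.Security.Principal.SecurityIdentifier])
    } catch { }

    function Get-AccountName($sid) {
        try { return $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { return $sid.Value }
    }

    $problems = New-Object System.Collections.Generic.List[string]
    $acl = Get-Acl -Path $FilePath

    # Condition 1: the owner must be one of the allowed account types
    $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    if ($allowed -notcontains $owner) {
        $problems.Add("owner $(Get-AccountName $owner) is not an allowed account")
    }

    # Conditions 2 and 3: walk every ACE, explicit and inherited, resolved to SIDs.
    # A "Read" grant is stored as Read plus Synchronize, so both bits are tolerated for sshd.
    $readMask = [int]([System.Security.AccessControl.FileSystemRights]::Read -bor
                      [System.Security.AccessControl.FileSystemRights]::Synchronize)
    $sshdHasRead = $false
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid  = $rule.IdentityReference
        $name = Get-AccountName $sid
        if ($sshdSid -ne $null -and $sid -eq $sshdSid) {
            if ($rule.AccessControlType -ne 'Allow') { continue }   # a Deny ACE grants nothing
            if ((([int]$rule.FileSystemRights) -band (-bnot $readMask)) -ne 0) {
                $problems.Add("$name has more than Read access ($($rule.FileSystemRights))")
            } else {
                $sshdHasRead = $true
            }
        }
        elseif ($allowed -notcontains $sid) {
            $problems.Add("$name has $($rule.AccessControlType) access ($($rule.FileSystemRights)), which is not permitted")
        }
    }
    if ($RequireSshdRead -and -not $sshdHasRead) {
        $problems.Add('NT Service\sshd has no Read access')
    }
    # Inherited ACEs may pass today but change whenever the parent folder's ACL changes
    if (-not $acl.AreAccessRulesProtected) {
        $problems.Add('ACL still inherits from the parent folder')
    }

    [pscustomobject]@{ FilePath = $FilePath; Secure = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Files from the steps above; $hostPrivateKeyFilePath and $user are assumed to be set as there.
$targets = @(
    @{ Path = $hostPrivateKeyFilePath;                              Sshd = $true  },
    @{ Path = "$hostPrivateKeyFilePath.pub";                        Sshd = $true  },
    @{ Path = "$env:systemdrive\Users\$user\.ssh\authorized_keys";  Sshd = $true  },
    @{ Path = "$home\.ssh\config";                                  Sshd = $false }
)
foreach ($t in $targets) {
    if ([string]::IsNullOrEmpty($t.Path) -or -not (Test-Path -LiteralPath $t.Path -PathType Leaf)) { continue }
    $r = Test-SecureFileACL -FilePath $t.Path -RequireSshdRead:($t.Sshd)
    if ($r.Secure) { Write-Output "OK       $($r.FilePath)" }
    else { Write-Output ("INSECURE $($r.FilePath)`n  " + ($r.Problems -join "`n  ")) }
}
```

Run it in the same session in which the path variables were set. A file that was never touched by Set-SecureFileACL typically fails on inheritance and on ACEs for BUILTIN\Users or Authenticated Users copied from the parent folder; a file that was secured but not granted to sshd fails only the last check when -RequireSshdRead is set.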