-
Notifications
You must be signed in to change notification settings - Fork 772
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Questions and Thoughts About New ACLs for Private Keys #721
Comments
@DarwinJS, @bingbing8 is working updating the permissions related wiki. Here's the current design behind the permissions for "Win32 OpenSSH" ssh keys general (applicable to both user and host).
"NT Service/SSHD" would never need, and should never have ownership or (W) privileges on host keys. |
I will work these changes and the new wiki page into the re-acling utility script I am building (Reset-SSHKeyPermissions.ps1). Let me know if you would like me to maintain the re-acling script as part of the project. Note that it has many uses beyond the first migration from an old version. For instance, when you install server on a machine that previously only had the client. |
@DarwinJS please give us a couple of days to think through the end user implications. I'll get back with what we conclude and take your feedback before proceeding with putting this feature (permission checks) in. |
@manojampalam - ok sounds good. Personally I feel the solution should NOT be designed with the idea that the primary method to set permissions will be to run something within each user context who needs to set permissions on keys. If it is designed to be able to work correctly when run from a central, admin type account - then it should work for regular users easily. However, then it will also allow migration as well as correction of user key permissions by maintenance scripts (via scheduler or a management agent) that would naturally run under an admin profile. |
@DarwinJS please check https://github.com/PowerShell/Win32-OpenSSH/wiki/Security-protection-of-various-files-in-Win32-OpenSSH (its not complete yet but wanted to take your feedback) |
@manojampalam - thanks for the feedback invite. Also thanks for putting effort into documents to help us get this right! The discussion on elevated versus non-elevated does not conclude with information on which scenario does NOT work. FYI - THE built-in Administrator user account does not have UAC enabled - not sure if you need to mention that as some management frameworks use THE "administrator" rather than system account (e.g. AWS cloud formation) - also packer can be configured to use it. Present One Best Practice Model First and Alternatives As FootnotesIt seems to me that if "SYSTEM" owns the file and rules the service things stay simple and it seems the default your team has been working against so far. I would present that as the primary approach throughout and then at the END have a section on alternative configurations where SystemAdministrator can own the files and then they must be registered with ssh-agent. In any case I would establish the desired default behavior and outline it first. Although this keeps the documentation simpler, frankly most development teams test ONLY ONE integration / installation model when doing their main tests. Most of the users of openssh will want to stick closely to that model as others just don't get as much testing as the code moves forward. (even if the design of the software theoretically supports alternative configurations) If the team feels that there really, really isn't a preferred installation model - then they should do automated QA testing against ALL supported installation models as that would really prove out the desire to not have a preferred one. I believe this All Configuration Helpers in PowerShellI know that PowerShell is much more verbose in terms of setting permissions, but I would certainly like to see it used as the only code in this guide. This will help by:
I am working on a "Reset-SSHKeyPermissions" which drives across the ProfileList registry key to find ssh keys (then you know those have had a valid windows logon) - but it is all PowerShell. If it seems like there would be too much code - that is probably an indicator that you need to be distributing a "Open-SSH Configuration Helpers" admin module with OpenSSH - providing this has been a huge strength of many of Microsoft's traditional products over the last decade. Complete, Working Code for Making a System CompliantAs per my most recent blog post (https://cloudywindows.com/post/back-to-basics-testable-reference-pattern-manifesto-with-testable-sample-code/) I am a big advocate of working reference patterns - not a bunch of "off the top of the head" pseudo-coded samples. Installation Code TestingIMO the working code examples for installing/configuring should be tested on Windows 7 (PSH 2 syntax, .NET 2) and Nano (.NET Core) as - in my experience with the Chocolatey package - those represent the edge cases that cause the most code adaptation to be necessary. For These Very limited permissioned keys Create a "How To Delete / Replace / Recover From Misconfiguration" sectionWe will all need to know how we can remove, updated or re-ACL these keys if only one user owns them. If that info is already in this document, it should have a dedicated section. This should have accompanying working code. |
@DarwinJS thanks for the quick and detailed review.
|
@manojampalam - glad it is helpful. My feedback was meant to indicate that if there is flexibility in the way permissions are set, that you would put the one that will be tested front and center. In fact, I would not even mention other models unless there is known utility value to a given end user. For instance, the fact that key files could be owned by Administrator should either not be included or be a foot note if in fact your team does not configure it that way on their machines. This would be a consistent "permissions specification" regardless of what or how many packaging and distribution models you end up supporting. The name of "OpenSSH-Health-Check" implies it has a disposition to not changing anything. Maybe something more general like "OpenSSH-Utilities" Also, I would advise you just drop the psm1 in the Openssh folder and not to put it in PSModulesPath - the reason is that the version of the module will then ALWAYS match the installed version of OpenSSH. Personally, I feel single-point-of-registration code (like PS Modules) takes us backward 20 years to shared DLL hell (COM Registrations) - while every other piece of code on Windows is / has moved to using explicitly private copies of such code. If I am going to muck with checking Open SSH health or permissions I don't mind explicitly loading the PSM1 at it's full path. |
@DarwinJS yes, the plan is to put the psm1 in OpenSSH folder. Thanks for enlightening me about the module registration conflicts. I think we can keep things simple by just providing individual ps1 utility scripts. I personally am not a huge fan of hiding configuration complexity behind user friendly automation scripts/utilities. Rather, I believe in making the configuration natively simple and easy to understand in the first place. |
@manojampalam - I totally agree that simplicity in design should be priority #1. After that has been pushed as far as possible, then my "Adoption Catalyst" headset kicks in - whatever lights adoption on fire - do it! 99% of individuals and computers that eventually leverage openssh couldn't care less about any of the details - so at that point it should be one-button, mobile app type simplicity if it is at all possible. I worked at one point creating software deployment automation that ran on 14,000 machines - 1% failures on an "upgrade over a previous version" was 140 machines spread across the planet - that would take over two weeks to look into. So the more something "just worked" out of the box - all the better! P.S. I also think the "Adoption Catalyst" headset is a sliver of entrepreneurial thinking that is truly relevant to almost any context. |
@DarwinJS Please see this wiki Run OpenSSH Test. Currently we run tests on win2k12 R2 and win10. The scripts currently don't not compatible with PSH 2.0 yet. We plan to update it to run on win7. |
@DarwinJS with the commit PowerShell/openssh-portable@eb0ab1b, test should be run on win7. I will close this issue. please reopen if there is any other concerns. thanks! |
@bingbing8 - sounds good - thanks for all your work on making it support all the platforms that openssh supports. |
The universal installer has been giving the SeAssignPrimaryTokenPrivilege to "NT Service\SSHD" for a long time now. Possible since September of last year? |
yes, but the script does not do the right on win7 |
Not sure what you mean - I have my own code. Are you saying the chocolatey package is not doing the grant of the token privilege correctly? |
I some questions and thoughts about the permissions outlined in: https://github.com/PowerShell/Win32-OpenSSH/wiki/Security-protection-of-various-files-in-win32-openssh (can't find the doc right now).
I could be misperceiving the net effect of the permissions changes - let me know if I am.
The security outlined for the Host Private Keys seems likely to create problems for the ongoing maintenance of OpenSSH installs. These possible challenges all relate to the fact that only "NT Service\sshd" could manipulate private key files and their permissions once all or part of the required permissions are applied during first time setup.
Possible Problems:
From a setup / maintenance perspective getting the key permissions correct becomes a "one try to get it right" and then from then on all maintenance activities are locked out.
Thoughts On Solutions
Given the above, would it make sense that sshd.exe ITSELF be responsible for both initial permission configuration as well as resetting permissions for operations such as uninstall and/or key replacement?
Maybe the service could receive signals about the file permissions - but only if they come from an elevated admin? (example signals "Secure Keys", "Validate Key Permissions", "Delete Keys", "Reset Keys")
Maybe sshd could receive these signals, but only from ssh-keygen running elevated?
Maybe the owner should not be sshd, but a well known local account that can still be accessed by setup routines? (FYI - I don't think TrustedInstaller would work as I don't believe anyone outside of Microsoft can access it?).
Publish An Advised Approach As Soon As Possible?
If these problems can be gotten around by taking ownership of the files by another profile - it would be very helpful if the development team would test such procedures and publish working demonstration scripts for all supported OSes for version 0.0.13.0.
This would extremely helpful now because:
The text was updated successfully, but these errors were encountered: