PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

`New-SelfSignedCertificate` fails when logged in with publickey, works with password auth #1935

Open phil-blain opened 2 years ago

phil-blain commented 2 years ago

Please answer the following

"OpenSSH for Windows" version ((Get-Item (Get-Command sshd).Source).VersionInfo.FileVersion)

7.7.2.2

```
PS C:\Users\IEUser> sshd --version
unknown option -- -
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
```

Server OperatingSystem ((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows nt\CurrentVersion\" -Name ProductName).ProductName)

Windows 10 Enterprise Evaluation

```
PS C:\Users\IEUser> cmd /c ver

Microsoft Windows [Version 10.0.17763.1935]
```

Client OperatingSystem Ubuntu 20.04.1 LTS

What is failing

I'm trying to self-sign an Appx package. I'm following these steps. `New-SelfSignedCertificate` does not work when logging in with an SSH key:

```
me@ubuntu $ ssh -o PubkeyAuthentication=yes  msedge
ieuser@MSEDGEWIN10 C:\Users\IEUser>powershell
PS C:\Users\IEUser> New-SelfSignedCertificate -Type Custom -Subject "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" -KeyUsage DigitalSignature -FriendlyName "Your friendly name goes here" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")
New-SelfSignedCertificate : CertEnroll::CX509Enrollment::_CreateRequest: Access denied. 0x80090010 (-2146893808 NTE_PERM)
At line:1 char:1
+ New-SelfSignedCertificate -Type Custom -Subject "CN=Microsoft Corpora ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-SelfSignedCertificate], Exception
    + FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.NewSelfSignedCertificateCommand
```

It works if I log in with a password (same steps as above, except `ssh -o PubkeyAuthentication=no msedge`).

Expected output None, and certificate created successfully.

Actual output `New-SelfSignedCertificate : CertEnroll::CX509Enrollment::_CreateRequest: Access denied. 0x80090010 (-2146893808 NTE_PERM)`, as shown above.


I'm not sure if this is normal / expected behaviour. I did see https://github.com/PowerShell/Win32-OpenSSH/wiki/SSH-remote-sessions-on-Windows where it says

> A remote session opened via key based authentication does not have associated user credentials

but I'm not 100% sure this is the issue. I found a post on Server Fault that might be relevant. I looked at the four pages under "OpenSSH in Windows" in the official docs but could not find any mention of such a limitation.

phil-blain commented 2 years ago

Similarly, trying to actually sign the package with the certificate previously created does not work under key-based auth:

```
S C:\Users\IEUser> signtool sign /fd sha256 /sha1 BBF121A014A73C5B404C40684641E1287810AE88 .\CascadiaPackage_0.0.1.0_x64_Debug.msix
SignTool Error: No certificates were found that met all the given criteria.
```

even if the certificate is there:

```
S C:\Users\IEUser> ls cert:currentuser\my

   PSParentPath: Microsoft.PowerShell.Security\Certificate::currentuser\my

Thumbprint                                Subject
----------                                -------
BBF121A014A73C5B404C40684641E1287810AE88  CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
```

When connecting with a password, I can sign successfully:

```
S C:\Users\IEUser> signtool sign /fd sha256 /sha1 BBF121A014A73C5B404C40684641E1287810AE88 .\CascadiaPackage_0.0.1.0_x64_Debug.msix
Done Adding Additional Store
Successfully signed: .\CascadiaPackage_0.0.1.0_x64_Debug.msix
```

jborean93 commented 2 years ago

Accessing the private key store requires interaction with DPAPI, which is not possible under an ssh key auth logon. This is due to what you've read online, where the logon session does not know the user's password to unlock and store and decrypt its contents. Unfortunately there's not much you can do about that natively; you essentially need to create your process with your explicit credentials and run signtool under that. The simplest way to do this is to use something like psexec, or a scheduled task with saved credentials.
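The following PowerShell is an added example, not code from the thread or from the Win32-OpenSSH project. It puts the two halves of this exchange into a script: a probe that checks whether the current logon session can use DPAPI at all (under a key-based SSH logon it is expected to fail, for the reason jborean93 gives), and, if it cannot, the "scheduled task with saved credentials" workaround, which registers a one-shot task running `signtool` under explicitly supplied credentials and then removes it. The task name, package path and thumbprint are placeholders I chose; the example assumes `signtool.exe` is on `PATH` and that the `ScheduledTasks` module (Windows 8 / Server 2012 and later) is available.

```powershell
# Added example (not from the issue thread). Placeholder values are marked as such.

function Test-DpapiUsable {
    # Round-trips a small constructed blob through DPAPI in CurrentUser scope.
    # In a session without the user's credential material (e.g. an SSH
    # public-key logon) the Protect/Unprotect call is expected to throw.
    Add-Type -AssemblyName System.Security
    try {
        $scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
        $plain = [System.Text.Encoding]::UTF8.GetBytes('dpapi-probe')   # constructed input
        $blob  = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $scope)
        $back  = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
        return ([System.Text.Encoding]::UTF8.GetString($back) -eq 'dpapi-probe')
    } catch {
        Write-Verbose "DPAPI probe failed: $($_.Exception.Message)"
        return $false
    }
}

function Invoke-SignWithCredential {
    param(
        [Parameter(Mandatory)] [string]       $PackagePath,
        [Parameter(Mandatory)] [string]       $Thumbprint,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $TaskName = 'SignPackage-Once'   # assumed task name
    )
    $fullPath = (Resolve-Path -LiteralPath $PackagePath).Path
    $action = New-ScheduledTaskAction -Execute 'signtool.exe' `
        -Argument "sign /fd sha256 /sha1 $Thumbprint `"$fullPath`"" `
        -WorkingDirectory (Split-Path -Parent $fullPath)

    # Registering with -User/-Password makes the Task Scheduler start the
    # process in a logon session that holds the user's password, so DPAPI can
    # unwrap the CurrentUser\My private key that signtool needs.
    Register-ScheduledTask -TaskName $TaskName -Action $action `
        -User $Credential.UserName `
        -Password $Credential.GetNetworkCredential().Password `
        -RunLevel Limited -Force | Out-Null
    try {
        Start-ScheduledTask -TaskName $TaskName
        # Wait until the task has left the Running state, then read its result.
        do { Start-Sleep -Seconds 1 }
        while ((Get-ScheduledTask -TaskName $TaskName).State -eq 'Running')
        return (Get-ScheduledTaskInfo -TaskName $TaskName).LastTaskResult   # 0 = signtool succeeded
    } finally {
        # Remove the task so the saved credentials do not outlive this run.
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
    }
}

# Usage (placeholder values)
$pkg   = '.\CascadiaPackage_0.0.1.0_x64_Debug.msix'        # placeholder package path
$thumb = '0000000000000000000000000000000000000000'        # placeholder thumbprint

if (Test-DpapiUsable) {
    # Password logon (or interactive session): sign directly.
    signtool sign /fd sha256 /sha1 $thumb $pkg
} else {
    Write-Warning 'DPAPI is not usable in this session (key-based SSH logon?); signing via a credentialed scheduled task.'
    $cred = Get-Credential -Message 'Account that owns the signing certificate'
    $rc   = Invoke-SignWithCredential -PackagePath $pkg -Thumbprint $thumb -Credential $cred
    if ($rc -ne 0) { throw "signtool exited with code $rc" }
}
```

The probe is the check to run first when diagnosing this class of failure: if `Test-DpapiUsable` returns `$false`, anything that needs the user's DPAPI master key (`Cert:\CurrentUser\My` private keys, the Credential Manager vault) will fail in the same way, and the fix is a differently-authenticated logon rather than certificate ACLs. The task is unregistered in `finally` so the stored password does not remain on the host after the one-off signing run.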

phil-blain commented 2 years ago

I think this could be made clearer in the docs then... (and it's not even mentioned in the official docs at docs.microsoft.com...)