PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

support registering host-keys without using psexec.exe #444

Closed manojampalam closed 4 years ago

manojampalam commented 7 years ago

Currently, to register host keys, psexec.exe is needed to run ssh-add.exe in the context of local system (since host keys need to be registered as System).

You may use these steps from @DarwinJS if psexec.exe is not an option:

    $fullpathkeylist = "'$TargetFolder\ssh_host_dsa_key'", "'$TargetFolder\ssh_host_rsa_key'", "'$TargetFolder\ssh_host_ecdsa_key'", "'$TargetFolder\ssh_host_ed25519_key'"
    schtasks.exe /create /RU "NT AUTHORITY\SYSTEM" /RL HIGHEST /SC ONSTART /TN "ssh-add" /TR "'$TargetFolder\ssh-add.exe'  $fullpathkeylist" /F
    schtasks.exe /Run /I /TN "ssh-add"
    schtasks.exe /Delete /TN "ssh-add" /F

rmenessec commented 7 years ago

I'm unable to run PSEXEC due to security constraints that require LanManServer to be disabled. Is it possible to store the sshd host keys in Credential Manager / Windows Vault somehow, possibly via PowerShell?

Thanks!

DarwinJS commented 7 years ago

FYI - the recently checked-in ssh-add-key.ps1 has syntax errors - but more concerningly it uses the scheduled task cmdlets, which were added in PSH 4 and are therefore not available on PSH 2 (Win7/Server 2008 R2).


These lines show a very simple implementation which seems to work on Win7 through Nano:

    $fullpathkeylist = "'$TargetFolder\ssh_host_dsa_key'", "'$TargetFolder\ssh_host_rsa_key'", "'$TargetFolder\ssh_host_ecdsa_key'", "'$TargetFolder\ssh_host_ed25519_key'"
    schtasks.exe /create /RU "NT AUTHORITY\SYSTEM" /RL HIGHEST /SC ONSTART /TN "ssh-add" /TR "'$TargetFolder\ssh-add.exe'  $fullpathkeylist" /F
    schtasks.exe /Run /I /TN "ssh-add"
    schtasks.exe /Delete /TN "ssh-add" /F

From: https://github.com/DarwinJS/ChocoPackages/blob/master/openssh/tools/chocolateyinstall.ps1#L708-L712

manojampalam commented 7 years ago

Thanks @DarwinJS. I'll update the script.

grv87 commented 6 years ago

schtasks under Windows 2008 SP2 doesn't have the /Run /I argument, so I get `ERROR: Invalid argument/option - '/I'` during install.

manojampalam commented 6 years ago

Note that since v1.0.0.0, to keep host keys secure, it is no longer required to register host keys with the agent (which requires psexec).

With the privilege separation in place, the host keys can simply be ACLed SYSTEM and Administrators only.
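One way to apply the ACL described in this comment, as an added example (not Win32-OpenSSH project code): it assumes `$TargetFolder` holds the private host keys, as in the schtasks snippets above, leaves the `.pub` files untouched, and reports any key on which some other principal still has an entry afterwards.

```powershell
# Added example, not Win32-OpenSSH project code. Restricts each private host key
# so that only SYSTEM and the local Administrators group keep access, then reports
# any key where another principal still holds an ACE.
param([string]$TargetFolder = "$Env:ProgramData\ssh")   # assumed key location

$AllowedPrincipals = @("NT AUTHORITY\SYSTEM", "BUILTIN\Administrators")

function Set-HostKeyAcl([string]$KeyPath) {
    $acl = Get-Acl -Path $KeyPath
    # Stop inheriting the folder ACL and do not copy the inherited ACEs
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every explicit ACE already on the file (inherited ones go away on Set-Acl)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    foreach ($principal in $AllowedPrincipals) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, "FullControl", "Allow")
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Test-HostKeyAcl([string]$KeyPath) {
    # Returns the identities, other than the allowed ones, that still have access
    $acl = Get-Acl -Path $KeyPath
    $acl.Access |
        Where-Object { $AllowedPrincipals -notcontains $_.IdentityReference.Value } |
        ForEach-Object { $_.IdentityReference.Value }
}

# Private keys only; the matching .pub files are meant to stay readable
$keys = Get-ChildItem -Path $TargetFolder | Where-Object { $_.Name -like "ssh_host_*_key" }
foreach ($key in $keys) {
    Set-HostKeyAcl $key.FullName
    $extra = @(Test-HostKeyAcl $key.FullName)
    if ($extra.Count -gt 0) {
        Write-Warning ("{0}: unexpected access for {1}" -f $key.Name, ($extra -join ", "))
    } else {
        Write-Output ("{0}: ACL restricted to SYSTEM and Administrators" -f $key.Name)
    }
}
```

Run it from an elevated prompt, since changing the ACL on a file whose inherited entries are being removed requires administrative rights.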

grv87 commented 6 years ago

Maybe. But the call is still there in Chocolatey installation script. I run it with:

    choco install openssh --version=7.6.0.1 --params='"/SSHServerFeature /PathSpecsToProbeForShellEXEString:$Env:ProgramFiles\PowerShell*\Powershell.exe;$Env:SystemRoot\system32\windowspowershell\v1.0\powershell.exe /SSHDefaultShellCommandOption:/c"' --yes --stop-on-first-failure

DarwinJS commented 6 years ago

I am updating the Chocolatey package for the latest release and have just removed this code. Thanks for mentioning it.