Closed manojampalam closed 4 years ago
I'm unable to run PSEXEC due to security constraints that require LanManServer to be disabled. Is it possible to store the sshd host keys in Credential Manager / Windows Vault somehow, possibly via PowerShell?
Thanks!
FYI - the recently checked in code ssh-add-key.ps1 has syntax errors - but more concerningly it uses the scheduled task cmdlets which were added in PSH 4 and are therefore not available on PSH 2 (win7/server2008R2).
These lines show a very simple implementation which seems to work on Win7 through Nano:
$fullpathkeylist = "'$TargetFolder\ssh_host_dsa_key'", "'$TargetFolder\ssh_host_rsa_key'", "'$TargetFolder\ssh_host_ecdsa_key'", "'$TargetFolder\ssh_host_ed25519_key'"
schtasks.exe /create /RU "NT AUTHORITY\SYSTEM" /RL HIGHEST /SC ONSTART /TN "ssh-add" /TR "'$TargetFolder\ssh-add.exe' $fullpathkeylist" /F
schtasks.exe /Run /I /TN "ssh-add"
schtasks.exe /Delete /TN "ssh-add" /F
From: https://github.com/DarwinJS/ChocoPackages/blob/master/openssh/tools/chocolateyinstall.ps1#L708-L712
Thanks @DarwinJS. I'll update the script.
schtasks under Windows 2008 SP2 doesn't have the /Run /I argument, so I get ERROR: Invalid argument/option - '/I' during install.
Note that since v1.0.0.0, to keep host keys secure, it is no longer required to register host keys with the agent (which requires psexec).
With the privilege separation in place, the host keys can simply be ACLed SYSTEM and Administrators only.
Maybe. But the call is still there in Chocolatey installation script. I run it with:
choco install openssh --version=7.6.0.1 --params='"/SSHServerFeature /PathSpecsToProbeForShellEXEString:$Env:ProgramFiles\PowerShell*\Powershell.exe;$Env:SystemRoot\system32\windowspowershell\v1.0\powershell.exe /SSHDefaultShellCommandOption:/c"' --yes --stop-on-first-failure
I am updating the Chocolatey package for the latest release and have just removed this code. Thanks for mentioning it.
Currently, to register host keys, psexec.exe is needed to run ssh-add.exe in the context of local system (since host keys need to be registered as System).
You may use these steps from @DarwinJS if psexec.exe is not an option.
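For the alternative mentioned above (ACLing the host keys to SYSTEM and Administrators only instead of registering them with the agent), here is an added example script; it is not code from the Win32-OpenSSH project or from anyone in this thread. It assumes the host keys live in $env:ProgramData\ssh (a placeholder path) and avoids PowerShell 3+ only switches so it also runs on PSH 2.

```powershell
# Added example: restrict sshd host private keys to SYSTEM and Administrators,
# then verify no other principal retains access.
# Assumption: host keys are in $env:ProgramData\ssh (placeholder; adjust as needed).
$HostKeyDir = Join-Path $env:ProgramData 'ssh'

# Well-known SIDs, so the script does not depend on localized account names.
$SystemSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'
$AdminsSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$Allowed   = @($SystemSid.Value, $AdminsSid.Value)

# No -File switch here: it does not exist on PowerShell 2.
$HostKeys = Get-ChildItem -Path $HostKeyDir -Filter 'ssh_host_*_key' |
    Where-Object { -not $_.PSIsContainer }

foreach ($Key in $HostKeys) {
    $Acl = Get-Acl -Path $Key.FullName

    # Stop inheriting from the parent folder and drop the inherited entries,
    # so that e.g. Users:Read on ProgramData never reaches the private key.
    $Acl.SetAccessRuleProtection($true, $false)

    # Remove any explicit entries that are still present.
    foreach ($Rule in @($Acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$Acl.RemoveAccessRule($Rule)
    }

    foreach ($Sid in @($SystemSid, $AdminsSid)) {
        $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Sid, 'FullControl', 'None', 'None', 'Allow')
        $Acl.AddAccessRule($Rule)
    }
    Set-Acl -Path $Key.FullName -AclObject $Acl
}

# Verification: report any host key that still grants access to someone else.
foreach ($Key in $HostKeys) {
    $Acl   = Get-Acl -Path $Key.FullName
    $Extra = $Acl.Access | Where-Object {
        $Allowed -notcontains $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    }
    if ($Extra) {
        $Who = ($Extra | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        Write-Warning ("{0}: unexpected ACEs for {1}" -f $Key.Name, $Who)
    } else {
        Write-Host ("{0}: SYSTEM and Administrators only" -f $Key.Name)
    }
}
```

Run it from an elevated PowerShell session; sshd itself runs as SYSTEM, so it keeps reading the keys after the inherited entries are gone.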