jborean93 / ansible-role-win_openssh

Ansible Role to install Win32-OpenSSH on Windows - https://github.com/PowerShell/Win32-OpenSSH
MIT License

Authorized keys file for administrators has moved #3

Closed crowding closed 4 years ago

crowding commented 5 years ago

I had trouble getting public key authentication to work with this role and a clean install of Win10. I found that a recent change to Win32OpenSSH has changed the location of the authorized_keys file for users in group Administrators. Users in Administrators group now look for keys in __PROGRAMDATA__\ssh\administrators_authorized_keys instead of in their home directory.

Refs: https://github.com/PowerShell/Win32-OpenSSH/issues/1324 https://github.com/PowerShell/Win32-OpenSSH/wiki/sshd_config#authorizedkeysfile

For now, I've worked around the issue in my playbook by doing the following, so maybe these steps could be folded back into the role:

- hosts: windows
  tasks:
    # Look up the connecting account so we can tell whether sshd will read
    # its keys from the shared administrators_authorized_keys file.
    - name: Is this an admin account?
      win_user:
        name: "{{ ansible_user_id }}"
        state: query
      register: userData

    - name: Authorize admin targets to SSH to Windows admin-account targets
      win_lineinfile:
        path: "{{ ansible_env.ProgramData }}\\ssh\\administrators_authorized_keys"
        line: "{{ hostvars[item]['ssh_results']['ssh_public_key'] }}"
        create: yes
      with_items: "{{ groups['admin'] }}"
      when: "'Administrators' in (userData.groups | map(attribute='name') | list)"

    # sshd rejects the shared file if it inherits ACEs from ProgramData,
    # so drop inheritance first, then grant only SYSTEM and Administrators.
    - name: Disable ACL inheritance on the shared admin authorized_keys file
      win_acl_inheritance:
        path: "{{ ansible_env.ProgramData }}\\ssh\\administrators_authorized_keys"
        reorganize: False
        state: absent
      when: "'Administrators' in (userData.groups | map(attribute='name') | list)"

    - name: Set correct permissions on the shared admin authorized_keys file
      win_acl:
        path: "{{ ansible_env.ProgramData }}\\ssh\\administrators_authorized_keys"
        user: "{{ item }}"
        rights: FullControl
        type: allow
        state: present
        inherit: ContainerInherit, ObjectInherit
        propagation: None
      with_items:
        - System
        - Administrators
      when: "'Administrators' in (userData.groups | map(attribute='name') | list)"
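The permission requirement behind the two ACL tasks above is what sshd enforces on administrators_authorized_keys: owned by SYSTEM or Administrators, no inherited ACEs, and no Allow entries for anyone else. The following PowerShell audit is an added example, not code from the issue or from the role; it only assumes the default file location under ProgramData that the workaround uses.

```powershell
# Added example: audit the ACL that sshd expects on the shared admin keys file.
# Path assumption: the default Win32-OpenSSH location under ProgramData.
$path = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'

function Test-AdminAuthorizedKeysAcl {
    param([Parameter(Mandatory)][string]$Path)

    # The only principals sshd tolerates on this file.
    $allowed  = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $problems = @()

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Problems = @('file does not exist') }
    }

    $acl = Get-Acl -LiteralPath $Path

    # sshd refuses the file when the owner is neither SYSTEM nor Administrators.
    if ($acl.Owner -notin $allowed) {
        $problems += "unexpected owner: $($acl.Owner)"
    }

    # Inherited ACEs from ProgramData (e.g. BUILTIN\Users) would leak in,
    # which is why the playbook turns inheritance off before granting access.
    if (-not $acl.AreAccessRulesProtected) {
        $problems += 'ACL still inherits from the parent directory'
    }

    # Any Allow ACE for another identity makes sshd ignore the file.
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $id -notin $allowed) {
            $problems += "extra ACE: $id ($($ace.FileSystemRights))"
        }
    }

    [pscustomobject]@{ Path = $Path; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Report the findings; remediation is the same as the playbook's ACL tasks
# (strip inheritance, grant FullControl to SYSTEM and Administrators only).
Test-AdminAuthorizedKeysAcl -Path $path | Format-List
```

Run it in an elevated PowerShell after the playbook to confirm the ACL tasks actually produced a file sshd will accept; an `Ok` of `$false` lists each offending owner or ACE.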
jborean93 commented 4 years ago

Sorry it took so long for me to get to it, I've added the ability to control this option with https://github.com/jborean93/ansible-role-win_openssh/pull/7. It also keeps this working with non-English locales if you are running that and want a shared location.

teridon commented 3 years ago

I think when setting "opt_openssh_shared_admin_key: True", the "opt_openssh_pubkeys" should be installed in the shared location.