update the script so it compile on psh 2.0 on win7
bingbing8 committed Jun 7, 2017
1 parent aa992ff commit d3a5916
Showing 3 changed files with 60 additions and 22 deletions.
12 changes: 9 additions & 3 deletions contrib/win32/openssh/FixHostFilePermissions.ps1
@@ -1,4 +1,5 @@
param ([switch]$Quiet)
If (!(Test-Path variable:PSScriptRoot)) {$PSScriptRoot = Split-Path -Parent $MyInvocation.MyCommand.Definition}
Import-Module $PSScriptRoot\OpenSSHUtils.psm1 -Force -DisableNameChecking

#check sshd config file
Expand Down Expand Up @@ -33,14 +34,19 @@ If you choose not to register the keys with ssh-agent, please grant sshd read ac
Write-Host " "
}#>

Get-ChildItem $PSScriptRoot\ssh_host_*_key -ErrorAction Ignore | % {
Get-ChildItem $PSScriptRoot\ssh_host_*_key -ErrorAction SilentlyContinue | % {
Fix-HostKeyPermissions -FilePath $_.FullName @psBoundParameters
}


#check authorized_keys
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" -ErrorAction Ignore | % {
$userProfilePath = Get-ItemPropertyValue $_.pspath -Name ProfileImagePath -ErrorAction Ignore
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" -ErrorAction SilentlyContinue | % {
$properties = Get-ItemProperty $_.pspath -ErrorAction SilentlyContinue
$userProfilePath = ""
if($properties)
{
$userProfilePath = $properties.ProfileImagePath
}
$filePath = Join-Path $userProfilePath .ssh\authorized_keys
if(Test-Path $filePath -PathType Leaf)
{
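Review bot: In the new ProfileList loop, `$userProfilePath` is left as `""` when `Get-ItemProperty` fails or the key carries no ProfileImagePath value, yet the next line still hands it to `Join-Path`; as far as I recall Join-Path rejects an empty -Path, and if it did not the result would be a path relative to the current directory rather than to a profile. Skip such entries before the join, e.g. `if ([string]::IsNullOrEmpty($userProfilePath)) { return }` (inside a ForEach-Object block, `return` moves on to the next item). The ForEach-Object body continues past the end of the hunk.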
4 changes: 3 additions & 1 deletion contrib/win32/openssh/FixUserFilePermissions.ps1
@@ -1,12 +1,14 @@
param ([switch]$Quiet)
If (!(Test-Path variable:PSScriptRoot)) {$PSScriptRoot = Split-Path -Parent $MyInvocation.MyCommand.Definition}

Import-Module $PSScriptRoot\OpenSSHUtils.psm1 -Force -DisableNameChecking

if(Test-Path ~\.ssh\config -PathType Leaf)
{
Fix-UserSSHConfigPermissions -FilePath ~\.ssh\config @psBoundParameters
}

Get-ChildItem ~\.ssh\* -Include "id_rsa","id_dsa" -ErrorAction Ignore | % {
Get-ChildItem ~\.ssh\* -Include "id_rsa","id_dsa" -ErrorAction SilentlyContinue | % {
Fix-UserKeyPermissions -FilePath $_.FullName @psBoundParameters
}

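Review bot: The rewritten Get-ChildItem line still restricts `-Include` to `id_rsa` and `id_dsa`, so any `id_ecdsa` or `id_ed25519` private key in `~\.ssh` is never passed to Fix-UserKeyPermissions and keeps whatever ACL it has; if the rest of this tree accepts those key types, the list should cover them, e.g. `-Include "id_rsa","id_dsa","id_ecdsa","id_ed25519"`. The swap from `Ignore` to `SilentlyContinue` (presumably because `Ignore` is not accepted on PowerShell 2.0) still records the suppressed error in `$Error`, which is harmless here but worth a short comment such as `# SilentlyContinue: 'Ignore' is not available on PowerShell 2.0` so nobody reverts it.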
66 changes: 48 additions & 18 deletions contrib/win32/openssh/OpenSSHUtils.psm1
Expand Up @@ -17,7 +17,14 @@ function Fix-HostSSHDConfigPermissions
[string]$FilePath,
[switch] $Quiet)

Fix-FilePermissions -Owners $systemAccount,$adminsAccount -ReadAccessNeeded $sshdAccount @psBoundParameters
if ($PSVersionTable.CLRVersion.Major -gt 2)
{
Fix-FilePermissions -Owners $systemAccount,$adminsAccount -ReadAccessNeeded $sshdAccount @psBoundParameters
}
else
{
Fix-FilePermissions -Owners $adminsAccount, $systemAccount -ReadAccessNeeded $sshdAccount @psBoundParameters
}
}

<#
Expand All @@ -38,10 +45,25 @@ function Fix-HostKeyPermissions
{
$parameters["FilePath"] = $parameters["FilePath"].Replace(".pub", "")
}
Fix-FilePermissions -Owners $systemAccount,$adminsAccount -ReadAccessNeeded $sshdAccount @psBoundParameters
if ($PSVersionTable.CLRVersion.Major -gt 2)
{
Fix-FilePermissions -Owners $systemAccount,$adminsAccount -ReadAccessNeeded $sshdAccount @psBoundParameters
}
else
{
# issue in ps 2.0: system account is not allowed to set to a owner of the file
Fix-FilePermissions -Owners $adminsAccount, $systemAccount -ReadAccessNeeded $sshdAccount @psBoundParameters
}

$parameters["FilePath"] += ".pub"
Fix-FilePermissions -Owners $systemAccount,$adminsAccount -ReadAccessOK $everyone -ReadAccessNeeded $sshdAccount @parameters
if ($PSVersionTable.CLRVersion.Major -gt 2)
{
Fix-FilePermissions -Owners $systemAccount,$adminsAccount -ReadAccessOK $everyone -ReadAccessNeeded $sshdAccount @parameters
}
else
{
Fix-FilePermissions -Owners $adminsAccount,$systemAccount -ReadAccessOK $everyone -ReadAccessNeeded $sshdAccount @parameters
}
}

<#
Expand All @@ -64,8 +86,14 @@ function Fix-AuthorizedKeyPermissions
}
$fullPath = (Resolve-Path $FilePath).Path
$profileListPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
$profileItem = Get-ChildItem $profileListPath -ErrorAction Ignore | ? {
$fullPath.ToLower().Contains((Get-ItemPropertyValue $_.PSPath -Name ProfileImagePath -ErrorAction Ignore).Tolower())
$profileItem = Get-ChildItem $profileListPath -ErrorAction SilentlyContinue | ? {
$properties = Get-ItemProperty $_.pspath -ErrorAction SilentlyContinue
$userProfilePath = $null
if($properties)
{
$userProfilePath = $properties.ProfileImagePath
}
$fullPath -ieq "$userProfilePath\.ssh\authorized_keys"
}
if($profileItem)
{
Expand All @@ -77,7 +105,7 @@ function Fix-AuthorizedKeyPermissions
}
else
{
Write-Warning "Can't translate $userSid to an account. skip $fullPath..." -ForegroundColor Yellow
Write-host "Can't translate $userSid to an account. skip checking $fullPath..." -ForegroundColor Yellow
}
}
else
Expand Down Expand Up @@ -186,7 +214,9 @@ function Fix-FilePermissionInternal {
$result = 'Y'
}

if(-not $Owners.Contains([System.Security.Principal.NTAccount]$($acl.Owner)))
$validOwner = $owners | ? { $_.equals([System.Security.Principal.NTAccount]$acl.owner)}

if($validOwner -eq $null)
{
if (-not $Quiet) {
$warning = "Current owner: '$($acl.Owner)'. '$($Owners[0])' should own $FilePath."
Expand Down Expand Up @@ -231,23 +261,23 @@ function Fix-FilePermissionInternal {
$specialIdRefs = "ALL APPLICATION PACKAGES","ALL RESTRICTED APPLICATION PACKAGES"

foreach($a in $acl.Access)
{
if(($realAnyAccessOKList -ne $null) -and $realAnyAccessOKList.Contains($a.IdentityReference))
{
if($realAnyAccessOKList -and (($realAnyAccessOKList | ? { $_.equals($a.IdentityReference)}) -ne $null))
{
#ignore those accounts listed in the AnyAccessOK list.
}
#If everyone is in the ReadAccessOK list, any user can have read access;
# below block make sure they are granted Read access only
elseif($realReadAcessOKList -and (($realReadAcessOKList.Contains($everyone)) -or `
($realReadAcessOKList.Contains($a.IdentityReference))))
elseif($realReadAcessOKList -and (($realReadAcessOKList | ? { $_.Equals($everyone)}) -ne $null) -or `
(($realReadAcessOKList | ? { $_.equals($a.IdentityReference)}) -ne $null))
{
if($realReadAccessNeeded -and ($a.IdentityReference.Equals($everyone)))
{
$realReadAccessNeeded.Clear()
$realReadAccessNeeded=@()
}
elseif($realReadAccessNeeded -and $realReadAccessNeeded.Contains($a.IdentityReference))
elseif($realReadAccessNeeded)
{
$realReadAccessNeeded = $realReadAccessNeeded | ? { -not $_.Equals($a.IdentityReference) }
$realReadAccessNeeded = $realReadAccessNeeded | ? { -not $_.Equals($a.IdentityReference) }
}

if (-not ($a.AccessControlType.Equals([System.Security.AccessControl.AccessControlType]::Allow)) -or `
Expand All @@ -261,7 +291,7 @@ function Fix-FilePermissionInternal {
{
if($needChange)
{
Set-Acl -Path $FilePath -AclObject $acl
Set-Acl -Path $FilePath -AclObject $acl
}

$message = @"
Expand Down Expand Up @@ -289,7 +319,7 @@ Need to remove inheritance to fix it.
{
$needChange = $true
$idRefShortValue = ($a.IdentityReference.Value).split('\')[-1]
if ($idRefShortValue -in $specialIdRefs )
if ($specialIdRefs -icontains $idRefShortValue )
{
$ruleIdentity = Get-UserSID -User (New-Object Security.Principal.NTAccount $idRefShortValue)
if($ruleIdentity)
Expand Down Expand Up @@ -351,7 +381,7 @@ Need to remove inheritance to fix it.
$needChange = $true
$ace = $a
$idRefShortValue = ($a.IdentityReference.Value).split('\')[-1]
if ($idRefShortValue -in $specialIdRefs )
if ($specialIdRefs -icontains $idRefShortValue)
{
$ruleIdentity = Get-UserSID -User (New-Object Security.Principal.NTAccount $idRefShortValue)
if($ruleIdentity)
Expand Down Expand Up @@ -509,7 +539,7 @@ function Get-UserSID
param ([System.Security.Principal.NTAccount]$User)
try
{
$User.Translate([System.Security.Principal.SecurityIdentifier])
$User.Translate([System.Security.Principal.SecurityIdentifier])
}
catch {
}
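Review bot: The rewritten `elseif($realReadAcessOKList -and ...` condition in Fix-FilePermissionInternal no longer groups both Where-Object tests under the `-and` guard: PowerShell gives `-and` and `-or` equal precedence evaluated left to right, so it now reads `($realReadAcessOKList -and X) -or Y`, and `Y` is evaluated even when the list is null or empty, whereas the original kept the guard over both tests. Wrapping the two tests together restores that meaning: `elseif($realReadAcessOKList -and ((($realReadAcessOKList | ? { $_.Equals($everyone)}) -ne $null) -or (($realReadAcessOKList | ? { $_.equals($a.IdentityReference)}) -ne $null)))`. The three `CLRVersion.Major -gt 2` branches in Fix-HostSSHDConfigPermissions and Fix-HostKeyPermissions make `$adminsAccount` the first owner on PowerShell 2.0, and since the warning text in Fix-FilePermissionInternal names `$Owners[0]` as the account that "should own" the file, sshd_config and the host keys presumably end up owned by Administrators rather than SYSTEM on those hosts; that deserves the explanatory comment present only on the second branch (`# issue in ps 2.0: system account is not allowed to set to a owner of the file`) on the first and third as well, and `$PSVersionTable.PSVersion.Major -lt 3` would test the condition the comment actually describes rather than the CLR version. In Fix-AuthorizedKeyPermissions, replacing `Write-Warning` with `Write-Host -ForegroundColor Yellow` takes the untranslatable-SID message off the warning stream where a caller could capture or suppress it; dropping the unsupported `-ForegroundColor` and keeping `Write-Warning "Can't translate $userSid to an account. skip checking $fullPath..."` fixes the original error without that side effect. Every function touched in this file begins and ends outside the hunks shown.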
