Skip to content

OWNER RIGHTS not allowed on identity file ACL, even if owner is in Administrators #2317

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
3 tasks done
hssyoo opened this issue Dec 17, 2024 · 4 comments
Open
3 tasks done

OWNER RIGHTS not allowed on identity file ACL, even if owner is in Administrators #2317

hssyoo opened this issue Dec 17, 2024 · 4 comments
Assignees
@tgauth
Labels
Investigate

Comments

@hssyoo
Copy link

hssyoo commented Dec 17, 2024
edited
Loading

Prerequisites

  • Write a descriptive title.
  • Make sure you are able to repro it on the latest version
  • Search the existing issues.

Steps to reproduce

When a private key identity file has the OWNER RIGHTS group permission attached and the file is owned by an administrator, the OpenSSH client fails with a warning that the file's permissions are too open:

> ssh -p port -i C:\Path\To\TempDir\Keyfile destination

Bad permissions. Try removing permissions for user: \\OWNER RIGHTS (S-1-3-4) on file C:\Path\To\TempDir\Keyfile.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'C:\Path\To\TempDir\Keyfile' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "C:\Path\To\TempDir\Keyfile": bad permissions
destination: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

My understanding is that only administrators and System can have access to the key file. It looks like the client explicitly checks for the admin and system SIDs, but does not follow an owner rights SID and checks that the file is owned by an admin. I was curious if maintainers would be open to allowing OWNER RIGHTS provided that the owner is an admin.

Related:

Expected behavior

# Identity file with `OWNER RIGHTS` permissions attached
> ssh -p port -i C:\Path\To\TempDir\Keyfile destination

# SSH succeeds
Last login: Tue Dec 17 20:44:37 2024 from foo

Actual behavior

# Identity file with `OWNER RIGHTS` permissions attached
> ssh -p port -i C:\Path\To\TempDir\Keyfile destination

# SSH fails
Bad permissions. Try removing permissions for user: \\OWNER RIGHTS (S-1-3-4) on file C:\Path\To\TempDir\Keyfile.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'C:\Path\To\TempDir\Keyfile' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "C:\Path\To\TempDir\Keyfile": bad permissions
destination: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Error details

No response

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.20348.2760
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.2760
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version

9.5

Visuals

image
@hssyoo hssyoo mentioned this issue Dec 17, 2024
Open
@zooba
Copy link

zooba commented Dec 17, 2024

To add the nuance that has led us to this point, it turns out that if you create an ACL as CURRENT USER with an elevated token, the owner is the Administrators group but the non-elevated user has been granted access. When you create the ACL as OWNER RIGHTS with an elevated token, the Administrators group gets the access, and so the current user has to be running with their elevated token.

@CharlesReinhardt CharlesReinhardt mentioned this issue Jan 9, 2025
Open
1 task
@hssyoo
Copy link
Author

hssyoo commented Feb 3, 2025

Hey @tgauth, are there any updates you can share regarding this ask?

I was curious if maintainers would be open to allowing OWNER RIGHTS provided that the owner is an admin.

@CharlesReinhardt
Copy link

Hey @tgauth , any updates on the Win32-OpenSSH side regarding the same ask from above?

I was curious if maintainers would be open to allowing OWNER RIGHTS provided that the owner is an admin.

@StevenBucher98
Copy link
Collaborator

StevenBucher98 commented Mar 17, 2025
edited
Loading

Here is a script that can be used as a potential work around https://github.com/PowerShell/openssh-portable/blob/latestw_all/contrib/win32/openssh/FixUserFilePermissions.ps1

It is also included in the release zip payload which includes the modules necessary to run it if you don't want to clone the whole repo. https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.8.1.0p1-Preview/OpenSSH-Win64.zip

We are going to have to evalutate the security implications with this kind of change before we can formally commit to adding this. It would be helpful if you can provide additional scenarios where this addition would be helpful. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tgauth tgauth

Labels
Investigate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@zooba @tgauth @StevenBucher98 @CharlesReinhardt @hssyoo