Saturday, 20 August 2022

Installing and configuring OpenSSH on Windows

=========================================================================


=====Installation - method 1=====

# Set the local GPO

Computer Configuration\Administrative Templates\System

Specify settings for optional component installation and component repair: Enabled

and enable the option

Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)

# Update the policy

gpupdate /force

# Check the installation state

Get-WindowsCapability -Online | ? name -like "openssh*"

# Install the OpenSSH server

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0


=====Installation - method 2=====

# Download OpenSSH server 

## Set network connection protocol to TLS 1.2

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

## Define the OpenSSH latest release url

$url = 'https://github.com/PowerShell/Win32-OpenSSH/releases/latest/'

## Create a web request to retrieve the latest release download link

$request = [System.Net.WebRequest]::Create($url)

$request.AllowAutoRedirect=$false

$response=$request.GetResponse()

$source = $([String]$response.GetResponseHeader("Location")).Replace('tag','download') + '/OpenSSH-Win64.zip'

## Download the latest OpenSSH for Windows package to the current working directory

$webClient = [System.Net.WebClient]::new()

$webClient.DownloadFile($source, (Get-Location).Path + '\OpenSSH-Win64.zip')

# Check that the ZIP file is present

Get-ChildItem *.zip

Extract the archive

# Extract the ZIP to a temporary location

Expand-Archive -Path .\OpenSSH-Win64.zip -DestinationPath ($env:temp) -Force

# Move the extracted ZIP contents from the temporary location to C:\Program Files\OpenSSH\

Move-Item "$($env:temp)\OpenSSH-Win64" -Destination "C:\Program Files\OpenSSH\" -Force

# Unblock the files in C:\Program Files\OpenSSH\

Get-ChildItem -Path "C:\Program Files\OpenSSH\" | Unblock-File

Install OpenSSH

& 'C:\Program Files\OpenSSH\install-sshd.ps1'

=========================================================================


Set up the service

## changes the sshd service's startup type from manual to automatic.

Set-Service sshd -StartupType Automatic

## starts the sshd service.

Start-Service sshd


# Add the firewall rule

New-NetFirewallRule -Name sshd -DisplayName 'Allow SSH' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

or

# Confirm the Firewall rule is configured. It should be created automatically by setup. Run the following to verify

if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {

    Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."

    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

} else {

    Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists."

}


# Set PowerShell as the default shell for SSH sessions

New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force


# Test the connection with a password (client)

ssh administrator@1.2.3.4

ssh scpuser@1.2.3.4


# Create the key pair for authentication (on the client)

ssh-keygen -t ed25519


# Create the folder into which the *.pub public key will be copied (on the server)

New-Item -Type Directory -Path "C:\key_to_add\"


# Log on to the SSH server as a user who is NOT a local administrator


# Create the directory and file that hold the public keys for password-less login - standard user

New-Item -Type Directory -Path $env:USERPROFILE\.ssh\

New-Item -Type File -Path $env:USERPROFILE\.ssh\authorized_keys


# Create the file that holds the public keys for password-less login - administrators

New-Item -Type File -Path C:\ProgramData\ssh\administrators_authorized_keys


# Copy the .pub file to the server and import it into the key file (PowerShell as admin)

$authorizedKey = Get-Content -Path "C:\key_to_add\id_ed25519.pub"

Add-Content -Force -Path $env:USERPROFILE\.ssh\authorized_keys -Value "$authorizedKey"

Add-Content -Force -Path C:\ProgramData\ssh\administrators_authorized_keys -Value "$authorizedKey"


# Set the file permissions by copying them from another file

Get-Acl C:\ProgramData\ssh\ssh_host_dsa_key | Set-Acl C:\ProgramData\ssh\administrators_authorized_keys


or


icacls.exe "C:\ProgramData\ssh\administrators_authorized_keys" /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"
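The steps above (pick the right file for the account, append the key, fix the ACL) collected into one function, as an added example that is not part of the original post. Assumptions: local accounts with profiles under C:\Users, and the built-in Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember) is available; the function name and parameters are hypothetical.

```powershell
# Added example (not from the original post). Installs one public key into the file
# sshd will actually read for the given account, then locks down the admin file.
# Assumptions: local accounts, profiles under C:\Users, Get-LocalGroupMember available.
function Install-SshAuthorizedKey {
    param(
        [Parameter(Mandatory)][string]$PublicKeyPath,
        [Parameter(Mandatory)][string]$UserName,
        [string]$ProfileRoot = 'C:\Users'
    )
    $key = (Get-Content -Path $PublicKeyPath -Raw).Trim()
    # Refuse anything that is not exactly one OpenSSH public-key line (e.g. a private key by mistake).
    if ($key -match "`n" -or $key -notmatch '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+') {
        throw "$PublicKeyPath does not look like a single OpenSSH public key"
    }
    # Members of Administrators are served from administrators_authorized_keys, not from their profile.
    $isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*\$UserName" })
    if ($isAdmin) {
        $target = 'C:\ProgramData\ssh\administrators_authorized_keys'
    } else {
        # Resolve the profile explicitly: $env:USERPROFILE is the *current* user's, not $UserName's.
        $target = Join-Path $ProfileRoot "$UserName\.ssh\authorized_keys"
        New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
    }
    if (-not (Test-Path $target)) { New-Item -ItemType File -Path $target -Force | Out-Null }

    # Append only if the same key line is not already there.
    $added = $false
    if (-not (Select-String -Path $target -SimpleMatch -Pattern $key -Quiet)) {
        Add-Content -Path $target -Value $key
        $added = $true
    }
    if ($isAdmin) {
        # sshd refuses administrators_authorized_keys unless only Administrators and SYSTEM can access it.
        icacls.exe $target /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null
        $extra = (Get-Acl -Path $target).Access |
            Where-Object { $_.IdentityReference.Value -notin @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') }
        if ($extra) { throw "Unexpected ACEs remain on $target`: $($extra.IdentityReference.Value -join ', ')" }
    }
    return [pscustomobject]@{ Target = $target; KeyAdded = $added; AdminFile = $isAdmin }
}

Install-SshAuthorizedKey -PublicKeyPath 'C:\key_to_add\id_ed25519.pub' -UserName 'scpuser'
```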


# Test the connection without a password (client)

ssh administrator@1.2.3.4

ssh scpuser@1.2.3.4


# Test copying files from the remote host

scp administrator@1.2.3.4:'c:\sshtest\*.txt' .

scp administrator@1.2.3.4:'c:\sshtest\*.txt' C:\testw10\


N.B.: if you are running PowerShell as admin, this may not work.


# Edit sshd_config, adding the following.

These directives restrict the hosts from which it is possible to log in and allow only key-based authentication.

=========================================================================

#PasswordAuthentication yes

PasswordAuthentication no

ChrootDirectory C:\SSHTest

PermitTunnel no

#AllowAgentForwarding yes

AllowAgentForwarding no

#AllowTcpForwarding yes

AllowTcpForwarding no

GatewayPorts no


#AllowUsers scpuser@1.2.3.6 administrator@1.2.3.6

AllowUsers scpuser@1.2.3.6

#AllowUsers scpuser@1.2.3.6 administrator@1.2.3.6 scpuser@1.2.3.6 administrator@1.2.3.6

#AllowUsers scpuser gippi\scpuser@1.2.3.6 dmz\scpuser@1.2.3.6 scpuser@dmz.local@1.2.3.6 scpuser@dom.local@1.2.*

#AllowUsers dmz\scpuser@1.2.3.6 scpuser@dmz.local@1.2.3.6

AllowUsers dmz\scpuser@1.2.3.6

DenyGroups Administrators


Match user scpuser

ChrootDirectory C:\SSHTest

# ForceCommand internal-sftp

PermitTunnel no

AllowAgentForwarding no

AllowTcpForwarding no

GatewayPorts no


#Match Group administrators

# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

# ChrootDirectory C:\SSHTest

# PermitTunnel no

# AllowAgentForwarding no

# AllowTcpForwarding no

# GatewayPorts no


# Match Group SSHUsers

# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

# ChrootDirectory C:\SSHTest

# # ForceCommand internal-sftp

# PermitTunnel no

# AllowAgentForwarding no

# AllowTcpForwarding no

# GatewayPorts no

=========================================================================


N.B.

The allow/deny rules are processed in the following order:

DenyUsers

AllowUsers

DenyGroups

AllowGroups
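The evaluation order above, applied to the AllowUsers/DenyGroups lines in the configuration, as an added example that is not part of the original post: a PowerShell function that reads the four global pattern lists from sshd_config and says whether a given user from a given client address gets past them. Assumptions: host patterns are matched against the client IP only (sshd also tries the reverse-DNS name), Match blocks are not evaluated, matching is case-insensitive, and the function name is hypothetical.

```powershell
# Added example (not from the original post). Simplified model of sshd's
# DenyUsers -> AllowUsers -> DenyGroups -> AllowGroups evaluation for the global section.
function Test-SshdUserAllowed {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$ClientIp,
        [string[]]$Groups = @()
    )
    # Collect the four pattern lists from the global section (the first Match block ends it).
    $lists = @{ DenyUsers = @(); AllowUsers = @(); DenyGroups = @(); AllowGroups = @() }
    foreach ($raw in Get-Content -Path $ConfigPath) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }   # skip blanks and comments
        $parts = $line -split '\s+', 2
        if ($parts[0] -eq 'Match') { break }
        if ($parts.Count -eq 2 -and $lists.ContainsKey($parts[0])) {
            $lists[$parts[0]] += $parts[1] -split '\s+'           # repeated directives accumulate
        }
    }
    # sshd patterns use * and ?; turn one into an anchored regex (case-insensitive here, assumption).
    function Test-Glob([string]$Pattern, [string]$Value) {
        $re = '^' + [regex]::Escape($Pattern).Replace('\*', '.*').Replace('\?', '.') + '$'
        return [bool]($Value -match $re)
    }
    # "user" or "user@host": sshd splits at the first '@' and both halves must match.
    function Test-UserPattern([string]$Pattern) {
        $u, $h = $Pattern -split '@', 2
        if (-not (Test-Glob $u $User)) { return $false }
        return ($null -eq $h) -or (Test-Glob $h $ClientIp)
    }
    function Test-GroupPattern([string]$Pattern) {
        return [bool]($Groups | Where-Object { Test-Glob $Pattern $_ })
    }
    # Evaluation order from sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups.
    $verdict = 'allowed'
    if ($lists.DenyUsers | Where-Object { Test-UserPattern $_ }) {
        $verdict = 'denied by DenyUsers'
    } elseif ($lists.AllowUsers -and -not ($lists.AllowUsers | Where-Object { Test-UserPattern $_ })) {
        $verdict = 'denied: no AllowUsers entry matches'
    } elseif ($lists.DenyGroups | Where-Object { Test-GroupPattern $_ }) {
        $verdict = 'denied by DenyGroups'
    } elseif ($lists.AllowGroups -and -not ($lists.AllowGroups | Where-Object { Test-GroupPattern $_ })) {
        $verdict = 'denied: no AllowGroups entry matches'
    }
    return [pscustomobject]@{ User = $User; ClientIp = $ClientIp; Verdict = $verdict }
}

# With the directives above: scpuser from 1.2.3.6 is allowed; administrator has no AllowUsers match.
Test-SshdUserAllowed -ConfigPath 'C:\ProgramData\ssh\sshd_config' -User 'scpuser' -ClientIp '1.2.3.6'
Test-SshdUserAllowed -ConfigPath 'C:\ProgramData\ssh\sshd_config' -User 'administrator' -ClientIp '1.2.3.6' -Groups 'Administrators'
```

Run it against the config before restarting sshd to confirm that the intended account from the intended address is still allowed, and that the administrator account is not.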


# Restart the service

Get-Service -Name sshd | Restart-Service


# Check access and file copy (on the client)

scp scpuser@1.2.3.4:'*.txt' C:\sshtest\


# Set up the ssh-agent service (on the client)

Set-Service ssh-agent -StartupType 'Automatic'

Start-Service ssh-agent

ssh-add "C:\Users\user\.ssh\id_ed25519"

(run as the user who will perform the copy)


# Create a password-protected archive of the folder C:\Users\user\.ssh\

Before deleting anything, create a protected archive containing the private key, the public key and known_hosts. Store the file in a safe place.


# Delete the private key (only after the agent has been set up)

remove-item "C:\Users\user\.ssh\id_ed25519"
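A guarded version of the deletion above, as an added example that is not part of the original post: it refuses to remove the on-disk private key unless ssh-agent is running and already holds a key with the same fingerprint, so a missed ssh-add cannot lock the user out. Assumptions: the matching .pub file sits next to the private key as ssh-keygen leaves it, and the function name is hypothetical.

```powershell
# Added example (not from the original post). Deletes the on-disk private key only
# after confirming its fingerprint is loaded in the running ssh-agent.
# Assumption: the matching .pub file sits next to the private key.
function Remove-SshPrivateKeySafely {
    param([Parameter(Mandatory)][string]$KeyPath)

    if ((Get-Service -Name ssh-agent).Status -ne 'Running') {
        throw 'ssh-agent is not running; start it and ssh-add the key first'
    }
    # Fingerprint of the key we intend to delete, taken from its public half.
    $pub = "$KeyPath.pub"
    if (-not (Test-Path $pub)) { throw "Public key $pub not found" }
    $fp = (ssh-keygen -lf $pub) -split ' ' | Where-Object { $_ -like 'SHA256:*' } | Select-Object -First 1
    if (-not $fp) { throw "Could not compute the fingerprint of $pub" }

    # ssh-add -l prints one "<bits> SHA256:<fp> <comment> (<type>)" line per loaded key.
    $loaded = ssh-add -l 2>&1 | Where-Object { "$_" -like "*$fp*" }
    if (-not $loaded) { throw "Key $fp is not loaded in ssh-agent; refusing to delete $KeyPath" }

    Remove-Item -Path $KeyPath -Force
    return "$KeyPath removed; agent still holds $fp"
}

Remove-SshPrivateKeySafely -KeyPath "C:\Users\user\.ssh\id_ed25519"
```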



