Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

administrators_authorized_keys missing from FixHostFilePermissions #1582

Closed
fatso83 opened this issue Apr 7, 2020 · 6 comments
Closed

administrators_authorized_keys missing from FixHostFilePermissions #1582

fatso83 opened this issue Apr 7, 2020 · 6 comments
Milestone
V8.6.0.0

Comments

@fatso83
Copy link

fatso83 commented Apr 7, 2020
edited
Loading

On Google Compute Engine the user accounts are in the Administrators group by default, not the Users group. That means the normal way of adding your key to .ssh/authorized_keys does not work and you need to add it to the (undocumented, see #1581) administrator_authorized_keys file. I did this and thought things were peachy. Adding -d and -dd did not show any issues, but finally -ddd showed the issue: a permissions problem where a user (probably myself) had right to view the file. Since I had already run the FixHostFilePermissions script, this was a bit surprising, and it seems this is basically an omission.

I tried adding Repair-AuthorizedKeyPermission -FilePath 'C:\ProgramData\ssh\administrators_authorized_keys' to the script, but it seems the repair script assumes these files must live under the profile directory, so I stopped digging there.

"OpenSSH for Windows" version
8.1.0.0

Server OperatingSystem
Windows Server 2016 Datacenter

What is failing
The file C:\ProgramData\ssh\administrators_authorized_keys is not checked for file permissions and/or fixed when running the FixHostFilePermissions script.

Expected output
That the file would be looked at/reported if something was wrong.

Actual output
No errors are fixed or reported.
@mwanzenried
Copy link

Hi!

I'm using the /.ssh/authorized_keys file to validate the publickey access.

In order to do that I've commented the sshd_config line that references to the administrators_authorized_keys file.

After that, I repaired the permissions with the instructions from here: https://github.com/PowerShell/Win32-OpenSSH/wiki/OpenSSH-utility-scripts-to-fix-file-permissions

Then I restarted the sshd service.

It works for me in several implementations.

Hope it helps.

@fatso83
Copy link
Author

fatso83 commented Apr 26, 2020

@mwanzenried That is a hack, not an actual fix: you just disabled the feature 😄 This is a feature request for a missing part of the docs. I don't actually have a problem, as should be apparent from the issue. Thanks anyway.

@fbehrens
Copy link

fbehrens commented Jun 8, 2020

@fatso83 Thanks for reporting this issue. It helped me to resolve it. After hours.

This was hard to debug and it would be helpful to improve the docs to help with this.

@maertendMSFT
Copy link
Collaborator

We are removing the FixHostFilePermissions
There is a bug in the code where it does not allow all the users to have read permissions on ADMINISTRATORS_AUTHORIZED_KEYS file, it will be fixed in the next release.

@maertendMSFT maertendMSFT added this to the vNext milestone Aug 20, 2020
@bagajjal bagajjal modified the milestones: vNext, V8.5.0.0 Mar 25, 2021
@bagajjal
Copy link
Collaborator

#1747

@bagajjal
Copy link
Collaborator

PR - PowerShell/openssh-portable#481

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
V8.6.0.0
Development

No branches or pull requests
5 participants
@fbehrens @fatso83 @bagajjal @maertendMSFT @mwanzenried