Automate SSH identity and hardening for SYSTEM account #136

Open
innovara wants to merge 2 commits into kmwoley:main from innovara:ssh-init-hardening
@innovara

Contributor

Summary: Adds a workflow to manage SSH identities for the NT AUTHORITY\SYSTEM account to simplify the set-up of SFTP-based backups.

Changes:

  • InitializeSSH.ps1: generates Ed25519 keys and applies ACLs restricted to SYSTEM and Administrators. Uses a temporary scheduled task to handle file creation within the SYSTEM profile.
  • Installer integration: updates install.ps1 to detect SFTP repositories, run ssh-keyscan for host fingerprints, and display the public key for user authorization.
  • Permissions: implements logic to enforce directory permissions on the .ssh folder after known_hosts updates.

This script ensures that the NT AUTHORITY\SYSTEM account has a valid
Ed25519 key pair located in the systemprofile directory. It is designed
to be run either standalone or as part of an orchestration script.

Key features:
- Administrative requirement: must be run from an elevated session to
  manage the scheduled tasks and system directories.
- Use of temporary scheduled tasks to execute logic as SYSTEM, ensuring
  correct file ownership and permission application.
- Strict ACL application: removes all inherited permissions, granting
  full control only to SYSTEM and Administrators.
- Standalone capability: can be run directly to output the public key.
- Resilience: automatically reconstructs the public key from the private
  key if it is missing.

Signed-off-by: Manuel Fombuena <mfombuena@innovara.tech>

Updates the installation script to automatically configure the SSH
environment when an SFTP repository is detected.

Key features:
- Automated configuration: leverages InitializeSSH.ps1 to prepare the
  SYSTEM account's identity and permissions.
- Host trust: uses ssh-keyscan to automatically populate known_hosts
  for the target repository, ensuring non-interactive backups can proceed.
- Permission persistence: triggers re-hardening of the .ssh directory
  after modifying known_hosts.
- Interactive setup: pauses installation to display the SYSTEM public
  key, allowing the user to authorize it on the remote server.

Signed-off-by: Manuel Fombuena <mfombuena@innovara.tech>
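
As an added example (not part of this pull request or the project's code), the PowerShell below audits the ACL state the description claims for the SYSTEM account's .ssh folder: inheritance disabled on the folder, and Allow entries only for SYSTEM and Administrators on the folder and its files. The default path assumes the standard SYSTEM profile location under System32\config\systemprofile, and `Test-SshAcl` is a hypothetical helper name.

```powershell
# Added example: audit the ACLs described in the PR for the SYSTEM .ssh folder.
# Assumption: standard SYSTEM profile location; pass -Path if yours differs.
param(
    [string]$Path = (Join-Path $env:SystemRoot 'System32\config\systemprofile\.ssh')
)

# Well-known SIDs, so the check does not depend on localized account names.
$allowedSids = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM, BUILTIN\Administrators

function Test-SshAcl {
    param([string]$Item, [switch]$RequireProtected)
    $acl = Get-Acl -LiteralPath $Item
    $problems = @()
    # The folder itself must not inherit ACEs from the profile directory.
    if ($RequireProtected -and -not $acl.AreAccessRulesProtected) {
        $problems += 'inheritance is still enabled'
    }
    foreach ($rule in $acl.Access) {
        try {
            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $rule.IdentityReference.Value   # account could not be resolved
        }
        # Any Allow entry for a principal other than the two above is a finding.
        if ($rule.AccessControlType -eq 'Allow' -and $allowedSids -notcontains $sid) {
            $problems += "unexpected Allow ACE: $($rule.IdentityReference) ($($rule.FileSystemRights))"
        }
    }
    [pscustomobject]@{
        Path     = $Item
        Owner    = $acl.Owner
        Hardened = ($problems.Count -eq 0)
        Problems = $problems -join '; '
    }
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Error "Not found: $Path (run from an elevated session)"
    return
}

# Folder must be protected; files inside may inherit from the hardened folder.
$results = @(Test-SshAcl -Item $Path -RequireProtected)
$results += @(Get-ChildItem -LiteralPath $Path -Force | ForEach-Object { Test-SshAcl -Item $_.FullName })
$results | Format-Table -AutoSize -Wrap
```

Run it from an elevated session after known_hosts has been updated, since that is the step the description says triggers re-hardening.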