
Commit 7ee95b4

committed
feat: windows desktop allow ssh to issue full admin token
Signed-off-by: Adrian Riobo <ariobolo@redhat.com>
1 parent 703a5b0 commit 7ee95b4

1 file changed

Lines changed: 19 additions & 0 deletions


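--- a/pkg/provider/azure/action/windows/rhqp-ci-setup.ps1
+++ b/pkg/provider/azure/action/windows/rhqp-ci-setup.ps1
@@ -91,6 +91,18 @@ $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule([Sys
 $acl.SetAccessRule($AccessRule)
 Set-Acl C:\Users\$user\.ssh\authorized_keys $acl
 Set-Acl -Path "C:\ProgramData\ssh\*key" $acl
+# Adminuser
+$adminKeysPath = "$env:ProgramData\ssh\administrators_authorized_keys"
+New-Item -ItemType Directory -Path (Split-Path $adminKeysPath) -Force | Out-Null
+if (-not (Test-Path $adminKeysPath)) {
+New-Item -ItemType File -Path $adminKeysPath -Force | Out-Null
+}
+Add-Content -Path $adminKeysPath -Value $authorizedKey
+$acl = Get-Acl $adminKeysPath
+$acl.SetOwner([System.Security.Principal.NTAccount] "$user")
+$acl.SetAccessRuleProtection($True, $False)
+Set-Acl -Path $adminKeysPath -AclObject $acl
+
 # Create bat script to start sshd as a user process on startup
 # New-Item -Path "C:\Users\$Env:USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" -Name start-openssh.bat -ItemType "file" -Value 'powershell -command "sshd -f C:\ProgramData\ssh\sshd_config"'
 New-Item -Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" -Name start-openssh.bat -ItemType "file" -Value 'powershell -command "sshd -f C:\ProgramData\ssh\sshd_config"'
@@ -112,6 +124,13 @@ curl.exe -LO https://github.com/PowerShell/PowerShell/releases/download/v7.4.2/P
 Start-Process C:\Windows\System32\msiexec.exe -ArgumentList '/qb /i PowerShell-7.4.2-win-x64.msi ADD_EXPLORER_CONTEXT_MENU_OPENPOWERSHELL=1 ENABLE_PSREMOTING=1 REGISTER_MANIFEST=1 USE_MU=1 ENABLE_MU=1 ADD_PATH=1' -wait
 # Set powershell as default shell on openssh
 New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Program Files\PowerShell\7\pwsh.exe" -PropertyType String -Force
+# Allow SSH to issue a full admin token
+New-ItemProperty `
+-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
+-Name "LocalAccountTokenFilterPolicy" `
+-Value 1 `
+-PropertyType DWord `
+-Force
 
 # Remove curl alias
 $profilePath="C:\Users\$user\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1"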
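Review bot: `LocalAccountTokenFilterPolicy = 1` in the second hunk is a machine-wide setting, so the comment `# Allow SSH to issue a full admin token` understates its scope: it turns off UAC remote token filtering for every network logon by a local administrator account (SMB, WinRM, WMI as well as sshd). I would make the comment say so, e.g. `# NOTE: machine-wide; disables UAC remote token filtering for all network logons by local admins, not only sshd`, and confirm the host's inbound rules (not visible in this diff) limit exposure to the SSH port. In the first hunk, `SetAccessRuleProtection($True, $False)` discards the inherited ACEs and no explicit rule is added before `Set-Acl`, so `administrators_authorized_keys` appears to end up owned by `$user` with an empty DACL. The OpenSSH for Windows documentation expects that file to grant access to Administrators and SYSTEM only, so explicit rules for those two principals look to be missing. `Add-Content` also appends `$authorizedKey` on every run, so a re-run of the script would duplicate the entry.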
