StrictAclTools is a small PowerShell module for inspecting filesystem ACLs and enforcing strict single-user ownership and access on files or directory trees.
This is especially handy when working with OpenSSH, where private keys and config fragments must not inherit permissions from a parent folder or be exposed to other accounts.
Windows' ACL inheritance frequently causes OpenSSH to reject private keys and configuration files, because inherited permissions tend to be overly permissive. This module provides a simple, deterministic way to normalize permissions so they meet OpenSSH's expectations.
- Get-CustomAclForFile
- Set-StrictFileAcl
- Set-StrictAclTree
To install directly from PSGallery:
Install-Module StrictAclTools -Repository PSGallery -Scope CurrentUser
- Copy the StrictAclTools folder into one of your PowerShell module paths, for example:
$HOME\Documents\PowerShell\Modules\StrictAclTools
- Then import it:
# Import as module automatically
Import-Module StrictAclTools
# OR
# Import directly from the extracted folder
Import-Module .\StrictAclTools\StrictAclTools.psd1
Inspect ACLs:
Get-ChildItem "$HOME\.ssh" -Force -Recurse | Get-CustomAclForFile
Dry run a strict ACL reset:
Set-StrictAclTree -RootPath "$HOME\.ssh" -Username "$env:USERDOMAIN\$env:USERNAME" -WhatIf
Apply it for real:
Set-StrictAclTree -RootPath "$HOME\.ssh" -Username "$env:USERDOMAIN\$env:USERNAME"
Apply strict ACLs to files via pipeline:
Get-ChildItem "$HOME\.ssh" -File | Set-StrictFileAcl -Username "$env:USERDOMAIN\$env:USERNAME"
These commands are intentionally aggressive. Set-StrictFileAcl and Set-StrictAclTree remove existing access rules and replace them with a single FullControl allow rule for the specified account.
The user is cautioned to fully understand the significance and potential consequences of such actions, and this project's author takes no responsibility for any adverse outcomes resulting from its usage.
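To confirm the state described above after a reset, the following added example (not part of StrictAclTools or written by its author) audits each item using only the built-in Get-Acl cmdlet and .NET ACL types. Test-StrictAcl is a hypothetical helper name, and treating "inheritance disabled" as part of the strict state is an assumption drawn from the module's stated purpose.

```powershell
# Added example: Test-StrictAcl is a hypothetical helper, not a StrictAclTools command.
function Test-StrictAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path,

        [string]$Username = "$env:USERDOMAIN\$env:USERNAME"
    )
    begin {
        $sidType = [System.Security.Principal.SecurityIdentifier]
        # Compare by SID so differences in how the account name is written do not matter.
        $expected = ([System.Security.Principal.NTAccount]$Username).Translate($sidType).Value
        $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    }
    process {
        $acl = Get-Acl -LiteralPath $Path
        $problems = [System.Collections.Generic.List[string]]::new()

        # Assumption: "strict" means the item no longer inherits rules from its parent.
        if (-not $acl.AreAccessRulesProtected) { $problems.Add('inheritance enabled') }

        if ($acl.GetOwner($sidType).Value -ne $expected) {
            $problems.Add("owner is $($acl.Owner)")
        }

        # Explicit and inherited rules, with identities returned as SIDs.
        $rules = @($acl.GetAccessRules($true, $true, $sidType))
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -ne $expected) {
                $problems.Add("ACE for other identity $($rule.IdentityReference.Value)")
            }
            elseif ($rule.AccessControlType -ne 'Allow' -or $rule.FileSystemRights -ne $fullControl) {
                $problems.Add("unexpected $($rule.AccessControlType) $($rule.FileSystemRights) ACE")
            }
        }
        if ($rules.Count -ne 1) { $problems.Add("$($rules.Count) access rules, expected 1") }

        [pscustomobject]@{
            Path      = $Path
            Compliant = ($problems.Count -eq 0)
            Problems  = $problems -join '; '
        }
    }
}

# Report only the items that do not meet the strict criteria.
Get-ChildItem "$HOME\.ssh" -Force -Recurse | Test-StrictAcl | Where-Object { -not $_.Compliant }
```

Running it before and after Set-StrictAclTree shows which items changed and whether any ACE for another identity survived.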
MIT License. See the LICENSE file for details.