Releases: PowerShell/Win32-OpenSSH
v0.0.0.9
5_30_2016
5_15_2016
_This is a pre-release (non-production ready)_
The release adds the following security enhancements:
- sshd now runs in the context of a restricted service account. This account (visible in Task Manager as "sshd") holds only SeAssignPrimaryTokenPrivilege, which is required to spawn session processes under the client's context.
- ssh-agent is implemented for Windows as a service running as SYSTEM. It executes key-related privileged operations on sshd's behalf. It differs from the UNIX version of ssh-agent in that it provides persistent storage of ssh private keys (both user and host). The keys are locked with the user's password (via the Data Protection API), and the storage is ACLed to SYSTEM only. As long as the system itself is root-trusted, this keeps the private keys protected from malware running without SYSTEM privileges. This also provides a single-sign-on experience for Windows. Additional details:
  - The ssh-agent service can be started by any user but can only be stopped by an administrator.
  - Keys can be added to ssh-agent using ssh-add. The following flags are supported: -l, -L, -d, -D.
  - See the wiki for details on how to register and secure host keys.
  - ssh-agent also implements key-based authentication for Windows: this includes verifying the signature, authorizing the public key, and generating the client token. Support for domain accounts is now added.
  - ssh-lsa from previous versions needs to be uninstalled and replaced with the latest version. See the wiki for details on how to do this.
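A practitioner deploying this release will want to confirm that the service really does run under the restricted account and that the account holds nothing beyond SeAssignPrimaryTokenPrivilege. The script below is an added example written for these notes, not code from the Win32-OpenSSH project; it assumes the service is named "sshd" and must run from an elevated PowerShell, because `secedit /export` needs administrative rights.

```powershell
# Added example (not part of the Win32-OpenSSH project). Checks which account the
# sshd service logs on as and which user rights are directly assigned to that
# account in the local security policy. Assumes the service name is "sshd".

function Get-ServiceAccount {
    param([string]$ServiceName = 'sshd')
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    [pscustomobject]@{
        Name      = $svc.Name
        StartName = $svc.StartName   # account the service logs on as
        State     = $svc.State
    }
}

# secedit exports local policy as an INI-style file; the [Privilege Rights]
# section maps each privilege to a comma-separated list of SIDs prefixed with '*'.
function Get-PrivilegeAssignments {
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $inPrivs = $false
        $result  = @{}
        foreach ($line in Get-Content $cfg) {
            if ($line -match '^\[(.+)\]$') {
                $inPrivs = ($Matches[1] -eq 'Privilege Rights')
                continue
            }
            if ($inPrivs -and $line -match '^(\w+)\s*=\s*(.*)$') {
                $result[$Matches[1]] = @($Matches[2] -split ',' |
                    ForEach-Object { $_.Trim().TrimStart('*') })
            }
        }
        return $result
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

function Test-SshdPrivileges {
    param([string]$ServiceName = 'sshd')
    $svc   = Get-ServiceAccount -ServiceName $ServiceName
    $privs = Get-PrivilegeAssignments

    # secedit writes SIDs, so resolve the service account to its SID first.
    if ($svc.StartName -eq 'LocalSystem') {
        $sid = 'S-1-5-18'
    } else {
        $sid = (New-Object System.Security.Principal.NTAccount($svc.StartName)).
            Translate([System.Security.Principal.SecurityIdentifier]).Value
    }

    # Privileges whose assignment list names this SID (or the account name) directly.
    $held = @($privs.Keys | Where-Object {
        $privs[$_] -contains $sid -or $privs[$_] -contains $svc.StartName
    })

    [pscustomobject]@{
        Service          = $svc.Name
        Account          = $svc.StartName
        AccountSid       = $sid
        Privileges       = $held
        HasAssignPrimary = ($held -contains 'SeAssignPrimaryTokenPrivilege')
        OnlyThatOne      = ($held.Count -eq 1 -and
                            $held -contains 'SeAssignPrimaryTokenPrivilege')
    }
}

Test-SshdPrivileges | Format-List
```

The check covers rights assigned to the account directly. Rights inherited through group membership (for example, if the service account were added to Administrators) do not show up against its own SID, so also confirm the account is not a member of any privileged group before treating `OnlyThatOne` as proof of least privilege.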
Known REGRESSIONS in this release:
- Secure loading of the user profile is still being worked on. Logging in with ssh or sftp will land you in %Windir%. If you are blocked on this, the workaround is to run sshd as Local System instead. This is being tracked as a separate issue.
4_5_2016
_This is a pre-release (non-production ready)_
This release has the following in addition to 3_19_2016:
- SIGALRM support added. This enables the following:
  - SFTP progress bar
  - ConnectTimeout for the ssh client
  - Login grace timeout in sshd
- SIGCHLD support added. This helped converge the Unix and Windows code around child process management.
- Miscellaneous code refactoring to remove redundant code.
- Fixed the artifact around a misbehaving "ENTER" on most clients: a workaround was added in the server to minimize the impact.
Note: "sshd -install" is no longer supported. The service can be installed using the provided PS script. See the updated wiki for instructions.
3_19_2016
_This is a pre-release (non-production ready)_
_Note: Thanks to the folks testing this release, we have identified an issue on 2012 R2 (and possibly Win8) with the read() routine of the underlying transport. It manifests as a failure while starting sshd. Try using the 1.1 versions if you see this issue._
What's in this release:
- Completely rewritten underlying transport that adapts POSIX calls to Win32 overlapped APIs.
- The transport is now truly single-threaded with no synchronization overhead. Stream throughput over loopback has improved by ~15%.
- The transport has been stress tested with 10 tunnelled TCP (port-forwarded) full-duplex, full-throughput streams multiplexed over a single connection/session (ssh and sshd running with Application Verifier enabled). It held up well, compared to the previous transport, which froze after 5 streams. Hopefully, the connection reliability issues reported so far will be resolved with this update.
- Password auth now results in a network logon, so admins will end up with sessions capable of performing admin tasks.
- SCP is taken offline as it needs significant changes to get it on board the new transport, and I'm still working on it.
- ssh-add and ssh-agent are taken offline while we work on the right security model and user experience for Windows.
- There are no changes to ssh-lsa.dll (for key-based auth), so you may continue to use the previous version if it's already installed.
I haven't yet fixed the ssh-lsa installation script issue on Windows 7. Please continue to use the workaround for now:
```cmd
reg add HKLM\System\CurrentControlSet\Control\Lsa /v "Authentication Packages" /t REG_MULTI_SZ /d msv1_0\0ssh-lsa.dll -f
```
There will be some regressions in the terminal experience as I refactored related code that was coupled with protocol code. That said, it's understood that the current terminal experience is very primitive. Focus over the next couple of months will be on enriching this experience along with security enhancements.
2_25_2016
_This is a pre-release (non-production ready)_
64-bit and 32-bit payload from master on 2/25/2016. Slight modification in how ssh-lsa.dll is installed. See the deployment instructions in the wiki.
NOTE: It has been reported that the ssh-lsa installation script is not working on Windows 7. Please use this workaround for now:
```cmd
reg add HKLM\System\CurrentControlSet\Control\Lsa /v "Authentication Packages" /t REG_MULTI_SZ /d msv1_0\0ssh-lsa.dll -f
```
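The `reg add ... /f` workaround given here and in the 3_19_2016 notes replaces the whole "Authentication Packages" multi-string with exactly `msv1_0` and `ssh-lsa.dll`, discarding any other package a machine already had registered. The script below is an added example written for these notes, not the project's own installer; it appends ssh-lsa.dll only if it is not already present and refuses to write a list without msv1_0. It assumes ssh-lsa.dll has already been copied into System32 as the wiki instructions describe, and it must run from an elevated PowerShell.

```powershell
# Added example (not part of the Win32-OpenSSH project). Registers ssh-lsa.dll as an
# LSA authentication package without clobbering entries already in the value.
# Assumes ssh-lsa.dll is already in %SystemRoot%\System32 per the wiki.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'Authentication Packages'

function Get-AuthenticationPackages {
    param([string]$Key = $LsaKey, [string]$Name = $ValueName)
    # REG_MULTI_SZ is surfaced as string[]; wrap in @() in case it holds one entry.
    return @((Get-ItemProperty -Path $Key -Name $Name).$Name)
}

function Add-AuthenticationPackage {
    param(
        [Parameter(Mandatory)][string]$Package,
        [string]$Key = $LsaKey,
        [string]$Name = $ValueName
    )
    $current = Get-AuthenticationPackages -Key $Key -Name $Name
    if ($current -contains $Package) {
        return $current            # already registered; nothing to write
    }
    if ($current -notcontains 'msv1_0') {
        # msv1_0 handles local (NTLM) logons; dropping it would break the machine.
        throw "Refusing to modify '$Name': msv1_0 is missing from the current value"
    }
    $new = $current + $Package     # keep existing order, append the new package
    Set-ItemProperty -Path $Key -Name $Name -Value $new -Type MultiString
    return $new
}

function Remove-AuthenticationPackage {
    param(
        [Parameter(Mandatory)][string]$Package,
        [string]$Key = $LsaKey,
        [string]$Name = $ValueName
    )
    $current = Get-AuthenticationPackages -Key $Key -Name $Name
    $new = @($current | Where-Object { $_ -ne $Package })
    if ($new -notcontains 'msv1_0') {
        throw "Refusing to leave '$Name' without msv1_0"
    }
    Set-ItemProperty -Path $Key -Name $Name -Value $new -Type MultiString
    return $new
}

# Usage: register the package, then show the value that LSA will read at next boot.
Add-AuthenticationPackage -Package 'ssh-lsa.dll' | Out-Null
Get-AuthenticationPackages
```

LSA loads authentication packages at boot, so the change takes effect only after a reboot, and a package that fails to load can leave the machine unable to log anyone on. Apply it first on a VM with a snapshot, and keep `Remove-AuthenticationPackage -Package 'ssh-lsa.dll'` (run offline against the registry hive if needed) as the rollback path.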
12_22_2015
This release contains a 64-bit build of the OpenSSH binaries. See the deployment instructions in the wiki for more details. The build is from the 12_22_2015 sources.
11_09_2015
This release contains several fixes to improve the ssh.exe terminal experience. It also includes changes to support launching sshd as a service. See the deployment instructions in the wiki for more details.
10_13_2015
Zipped binary payload from master, 10-13-2015.