Private/Get-SshImportIdPermissionGrantee.ps1
|
function Get-SshImportIdPermissionGrantee { <# .SYNOPSIS Decides which identities should be granted NTFS access to an authorized_keys path (or its parent directory). .DESCRIPTION For the ordinary per-user authorized_keys file/directory, the owning account, SYSTEM and Administrators are granted access. For Windows OpenSSH's shared 'administrators_authorized_keys' file, only SYSTEM and Administrators may be granted - the Windows OpenSSH permission check rejects the file if any other account (even the owning admin's own personal account) holds an explicit ACE on it. #> [CmdletBinding()] [OutputType([string[]])] param( [Parameter(Mandatory)] [string] $Path ) $isAdministratorsKeyFile = -not (Test-Path -Path $Path -PathType Container) ` -and (Test-SshImportIdAdministratorsAuthorizedKeysPath -Path $Path) if ($isAdministratorsKeyFile) { return @('SYSTEM', '*S-1-5-32-544') } @("$env:USERDOMAIN\$env:USERNAME", 'SYSTEM', '*S-1-5-32-544') } |