Public/Generate-AuthorizedPrincipalsFile.ps1
|
<#
.SYNOPSIS This function adds the specified User Accounts (both Local and Domain) to the file 'C:\ProgramData\ssh\authorized_principals' on the Local Host. Adding these User Accounts to the 'authorized_principals' file allows these users to ssh into the Local Host. IMPORTANT NOTE: The Generate-AuthorizedPrincipalsFile will only ADD users to the authorized_principals file (if they're not already in there). It WILL NOT delete or otherwise overwrite existing users in the file .DESCRIPTION See .SYNOPSIS .NOTES .PARAMETER AuthorizedPrincipalsFileLocation This parameter is OPTIONAL. This parameter takes a string that represents the full path to desired location of the newly generated 'authorized_principals' file. If this parameter is NOT used, the function will default to writing the 'authorized_principals' file to the 'C:\ProgramData\ssh' directory. If that directory does not exist, then it will be written to the 'C:\Program Files\OpenSSH-Win64' directory. If that directory does not exist, the function will halt. .PARAMETER UserGroupToAdd This parameter is OPTIONAL, however, either this parameter or the -UsersToAdd parameter is REQUIRED. This parameter takes an array of strings. Possible string values are: - AllUsers - LocalAdmins - LocalUsers - DomainAdmins - DomainUsers Using "LocalAdmins" will add all User Accounts that are members of the Built-In 'Administrators' Security Group on the Local Host to the authorized_principals file. Using "LocalUsers" will add all user Accounts that are members of the Built-In 'Users' Security Group on the Local Host to the authorized_principals file. Using "DomainAdmins" will add all User Accounts that are members of the "Domain Admins" Security Group in Active Directory to the authorized_principals file. Using "Domain Users" will add all User Accounts that are members of the "Domain Users" Security Group in Active Directory to the authorized_principals file. Using "AllUsers" will add User Accounts that are members of all of the above Security Groups to the authorized_principals file. You CAN use this parameter in conjunction with the -UsersToAdd parameter, and this function DOES check for repeats, so don't worry about overlap. .PARAMETER UsersToAdd This parameter is OPTIONAL, however, either this parameter or the -UserGroupToAdd parameter is REQUIRED. This parameter takes an array of strings, each of which represents either a Local User Account or a Domain User Account. Local User Accounts MUST be in the format <UserName>@<LocalHostComputerName> and Domain User Accounts MUST be in the format <UserName>@<DomainPrefix>. (To clarify DomainPrefix: if your domain is, for example, 'zero.lab', your DomainPrefix would be 'zero'). These strings will be added to the authorized_principals file, and these User Accounts will be permitted to SSH into the Local Host. You CAN use this parameter in conjunction with the -UserGroupToAdd parameter, and this function DOES check for repeats, so don't worry about overlap. .EXAMPLE # Open an elevated PowerShell Session, import the module, and - PS C:\Users\zeroadmin> $AuthorizedPrincipalsFile = Generate-AuthorizedPrincipalsFile -UserGroupToAdd @("LocalAdmins","DomainAdmins") #> function Generate-AuthorizedPrincipalsFile { [CmdletBinding()] Param( [Parameter(Mandatory=$False)] [string]$AuthorizedPrincipalsFileLocation, [Parameter(Mandatory=$False)] [ValidateSet("AllUsers","LocalAdmins","LocalUsers","DomainAdmins","DomainUsers")] [string[]]$UserGroupToAdd, [Parameter(Mandatory=$False)] [ValidatePattern("[\w]+@[\w]+")] [string[]]$UsersToAdd ) if (!$AuthorizedPrincipalsFileLocation) { if (Test-Path "$env:ProgramData\ssh") { $sshdir = "$env:ProgramData\ssh" } elseif (Test-Path "$env:ProgramFiles\OpenSSH-Win64") { $sshdir = "$env:ProgramFiles\OpenSSH-Win64" } if (!$sshdir) { Write-Error "Unable to find ssh directory at '$env:ProgramData\ssh' or '$env:ProgramFiles\OpenSSH-Win64'! Halting!" $global:FunctionResult = "1" return } $AuthorizedPrincipalsFileLocation = "$sshdir\authorized_principals" } $AuthorizedPrincipalsFileLocation = $AuthorizedPrincipalsFileLocation -replace '\\','/' # Get the content of $AuthorizedPrincipalsFileLocation to make sure we don't add anything that is already in there if (Test-Path $AuthorizedPrincipalsFileLocation) { $OriginalAuthPrincContent = Get-Content $AuthorizedPrincipalsFileLocation } if ($(!$UserGroupToAdd -and !$UsersToAdd) -or $UserGroupToAdd -contains "AllUsers") { $AllUsers = $True } if ($AllUsers) { $LocalAdmins = $True $LocalUsers = $True $DomainAdmins = $True $DomainUsers = $True } else { # Switch automatically loops through an array if the object passed is an array if ($UserGroupToAdd) { switch ($UserGroupToAdd) { 'LocalAdmins' {$LocalAdmins = $True} 'LocalUsers' {$LocalUsers = $True} 'DomainAdmins' {$DomainAdmins = $True} 'DomainUsers' {$DomainUsers = $True} } } } $ComputerSystemCim = Get-CimInstance Win32_ComputerSystem $PartOfDomain = $ComputerSystemCim.PartOfDomain if (!$PartOfDomain) { if ($DomainAdmins) { $DomainAdmins = $False } if ($DomainUsers) { $DomainUsers = $False } } else { $ThisDomainAsArrayOfStrings = $(Get-CimInstance Win32_NTDomain).DomainName | Where-Object {$_ -match "[\w]"} $ThisDomainName = $ThisDomainAsArrayOfStrings -join "." } # Get ready to start writing to $sshdir\authorized_principals... $StreamWriter = [System.IO.StreamWriter]::new($AuthorizedPrincipalsFileLocation, $True) [System.Collections.ArrayList]$AccountsAdded = @() try { if ($LocalAdmins) { $LocalAdminAccounts = Get-LocalGroupMember -Group "Administrators" | Where-Object {$_.PrincipalSource -eq "Local"} $AccountsReformatted = foreach ($AcctItem in $LocalAdminAccounts) { $AcctNameSplit = $AcctItem.Name -split "\\" $ReformattedName = "$($AcctNameSplit[1])@$($AcctNameSplit[0].ToLowerInvariant())" $ReformattedName } foreach ($Acct in $AccountsReformatted) { if ($AccountsAdded -notcontains $Acct -and $OriginalAuthPrincContent -notcontains $Acct) { # NOTE: $True below means that the content will *appended* to $AuthorizedPrincipalsFileLocation $StreamWriter.WriteLine($Acct) # Keep track of the accounts we're adding... $null = $AccountsAdded.Add($Acct) } } } if ($LocalUsers) { $LocalUserAccounts = Get-LocalGroupMember -Group "Users" | Where-Object {$_.PrincipalSource -eq "Local"} $AccountsReformatted = foreach ($AcctItem in $LocalUserAccounts) { $AcctNameSplit = $AcctItem.Name -split "\\" $ReformattedName = "$($AcctNameSplit[1])@$($AcctNameSplit[0].ToLowerInvariant())" $ReformattedName } foreach ($Acct in $AccountsReformatted) { if ($AccountsAdded -notcontains $Acct -and $OriginalAuthPrincContent -notcontains $Acct) { # NOTE: $True below means that the content will *appended* to $AuthorizedPrincipalsFileLocation $StreamWriter.WriteLine($Acct) # Keep track of the accounts we're adding... $null = $AccountsAdded.Add($Acct) } } } if ($DomainAdmins) { if (!$UserObjectsInLDAP) { try { $UserObjectsInLDAP = GetUserObjectsInLDAP -ErrorAction Stop if (!$UserObjectsInLDAP) {throw "Problem with GetUserObjectsInLDAP function! Halting!"} } catch { Write-Error $_ $global:FunctionResult = "1" throw } } foreach ($DirectoryEntry in $UserObjectsInLDAP) { if (![bool]$($DirectoryEntry | Get-Member -MemberType NoteProperty -Name Groups)) { $searcher = [System.DirectoryServices.DirectorySearcher]::new($DirectoryEntry) $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base $searcher.ExtendedDN = [System.DirectoryServices.ExtendedDN]::Standard $searcher.PropertiesToLoad.Clear() $null = $searcher.PropertiesToLoad.Add("memberof") $Groups = $searcher.FindOne().Properties.memberof | foreach {$($_ -split ';')[-1]} $DirectoryEntry | Add-Member -Type NoteProperty -Name Groups -Value $Groups -Force } } $DomainAdminsPrep = $UserObjectsInLDAP | Where-Object {$_.Groups -match "Domain Admins"} $DomainAdminAccounts = $DomainAdminsPrep.Name | foreach { if ($_ -match '=') { $($_ -split "=")[-1] } else { $_ } } $AccountsReformatted = $DomainAdminAccounts | foreach { if (![System.String]::IsNullOrWhiteSpace($_)) { $_ + "@" + $ThisDomainName.ToLowerInvariant() } } foreach ($Acct in $AccountsReformatted) { if ($AccountsAdded -notcontains $Acct -and $OriginalAuthPrincContent -notcontains $Acct) { # NOTE: $True below means that the content will *appended* to $AuthorizedPrincipalsFileLocation $StreamWriter.WriteLine($Acct) # Keep track of the accounts we're adding... $null = $AccountsAdded.Add($Acct) } } } if ($DomainUsers) { if (!$UserObjectsInLDAP) { try { $UserObjectsInLDAP = GetUserObjectsInLDAP -ErrorAction Stop if (!$UserObjectsInLDAP) {throw "Problem with GetUserObjectsInLDAP function! Halting!"} } catch { Write-Error $_ $global:FunctionResult = "1" throw } } foreach ($DirectoryEntry in $UserObjectsInLDAP) { if (![bool]$($DirectoryEntry | Get-Member -MemberType NoteProperty -Name Groups)) { $searcher = [System.DirectoryServices.DirectorySearcher]::new($DirectoryEntry) $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base $searcher.ExtendedDN = [System.DirectoryServices.ExtendedDN]::Standard $searcher.PropertiesToLoad.Clear() $null = $searcher.PropertiesToLoad.Add("memberof") $null = $searcher.PropertiesToLoad.Add("distinguishedname") $Groups = $searcher.FindOne().Properties.memberof | foreach {$($_ -split ';')[-1]} $DirectoryEntry | Add-Member -Type NoteProperty -Name Groups -Value $Groups -Force } } $DomainUsersPrep = $UserObjectsInLDAP | Where-Object {$_.Groups -match "Domain Users"} $DomainUserAccounts = $DomainUsersPrep.Name | foreach { if ($_ -match '=') { $($_ -split "=")[-1] } else { $_ } } $AccountsReformatted = $DomainUserAccounts | foreach { if (![System.String]::IsNullOrWhiteSpace($_)) { $_ + "@" + $ThisDomainName.ToLowerInvariant() } } foreach ($Acct in $AccountsReformatted) { if ($AccountsAdded -notcontains $Acct -and $OriginalAuthPrincContent -notcontains $Acct) { # NOTE: $True below means that the content will *appended* to $AuthorizedPrincipalsFileLocation $StreamWriter.WriteLine($Acct) # Keep track of the accounts we're adding... $null = $AccountsAdded.Add($Acct) } } } if ($UsersToAdd) { foreach ($Acct in $UsersToAdd) { if ($AccountsAdded -notcontains $Acct -and $OriginalAuthPrincContent -notcontains $Acct) { # NOTE: $True below means that the content will *appended* to $AuthorizedPrincipalsFileLocation $StreamWriter.WriteLine($Acct) # Keep track of the accounts we're adding... $null = $AccountsAdded.Add($Acct) } } } $StreamWriter.Close() Get-Item $AuthorizedPrincipalsFileLocation } catch { $StreamWriter.Close() } } |