# Read-only audit of a Bitvise SSH Server installation: reports every DSA key found among the
# server host keypairs and among the public keys imported into Windows/virtual account and group
# settings entries. Findings are printed with Write-Host only; nothing is changed, returned or
# written to a file.
#
# Why it matters: 1024-bit DSA is generally considered too weak for continued use, so each key
# reported here is a candidate for replacement with a stronger key type.
#
# Prerequisites (also echoed in the banner below):
#   - The PowerShell instance must run elevated, as administrator, to access SSH Server settings.
#   - The COM object name is specific to the installed version. Check BssCfgManip.htm in your
#     SSH Server installation directory for the correct name for your installation.
#   - Only one SSH Server instance is inspected; use SetSite if there are several.

# Abort on the first error. If a call such as $cfg.LockServerSettings() fails, continuing while
# another application may also be modifying settings could corrupt them. A Try/Catch block
# around the calls is the alternative to a global "Stop".
$ErrorActionPreference = "Stop"

$bannerLines = @(
    "",
    "Run this in an elevated, administrative PowerShell or Command Prompt window.",
    "Checks for DSA keys in Bitvise SSH Server versions 7.xx starting with 7.26.",
    "Must be modified to use SetSite if there are multiple SSH Server instances.",
    ""
)
foreach ($bannerLine in $bannerLines) {
    Write-Host $bannerLine
}

Write-Host "Instantiating BssCfg object..."
$cfg = New-Object -ComObject "BssCfg726.BssCfg726"
Write-Host "BssCfg object instantiated."
Write-Host ""

# Locking note: this script only reads keypairs and settings, so it takes no lock. A script that
# alters settings or keypairs must lock the relevant portion BEFORE loading or changing it.
# A lock that is never released blocks every other process from editing until the object is
# released.

# --- Host keys -----------------------------------------------------------------------------
# Report DSA keys (standard 1024-bit, or non-standard sizes) among the server host keypairs.
$cfg.LoadServerKeypairs()
$hostKeyCount = $cfg.GetKeypairsCount()
$hostDsaCount = 0
for ($keyIdx = 0; $keyIdx -ne $hostKeyCount; ++$keyIdx) {
    # GetKeyInfo returns the key type and fills the key size through the [ref] argument.
    $keyBits = [UInt32]0
    $keyType = $cfg.GetKeyInfo($keyIdx, [ref]$keyBits)
    if ($keyType -ne "DSA") {
        continue
    }

    $strength = if ($keyBits -eq 1024) { "standard" } else { "non-standard" }
    Write-Host "Found a $strength DSA host key at index $keyIdx"
    ++$hostDsaCount
}
if ($hostDsaCount -eq 0) {
    Write-Host "No DSA keys found in host keypairs"
}

# --- Imported public keys ------------------------------------------------------------------

# Reports each DSA public key imported into one account or group settings entry.
#   $entry     - the settings entry whose auth.keys collection is inspected
#   $isVirtual - $true for a virtual entry, $false for a Windows entry
#   $isGroup   - $true for a group entry, $false for an account entry
# Returns the number of DSA keys found in the entry.
# Detection is a text match on the first line of InfoByIndex(), so it depends on that line
# containing ", Algorithm: DSA," and, for the standard size, ending with ", Size: 1024".
function CheckPubKeys
{
    param($entry, [bool]$isVirtual, [bool]$isGroup)

    $keyCount = $entry.auth.keys.count
    $dsaHits = 0
    for ($keyIdx = 0; $keyIdx -ne $keyCount; ++$keyIdx) {
        $keyInfo = $entry.auth.keys.InfoByIndex($keyIdx)
        $firstLine = ($keyInfo -split '\n')[0].Trim()
        if (-not $firstLine.Contains(", Algorithm: DSA,")) {
            continue
        }

        $strength = if ($firstLine.EndsWith(", Size: 1024")) { "standard" } else { "non-standard" }

        # Pick the noun and the name property that match the entry type.
        if ($isGroup) {
            $kind = "group"
            $name = $entry.group
        }
        elseif ($isVirtual) {
            $kind = "account"
            $name = $entry.virtAccount
        }
        else {
            $kind = "account"
            $name = $entry.winAccount
        }

        # winDomain is read for Windows entries only; an empty domain means a local entry.
        if ($isVirtual) {
            $desc = "virtual $kind " + $name
        }
        else {
            $domain = $entry.winDomain
            if ($domain -eq "") {
                $desc = "Windows local $kind " + $name
            }
            else {
                $desc = "Windows domain $kind " + $name + "@" + $domain
            }
        }

        Write-Host "Found a $strength DSA public key at index $keyIdx in $desc"
        ++$dsaHits
    }

    return $dsaHits
}

# Runs CheckPubKeys over every entry of one settings section and prints a "none found" line
# when the whole section contains no DSA public key.
#   $section   - collection of account or group entries
#   $isVirtual - $true for a virtual section, $false for a Windows section
#   $isGroup   - $true for a group section, $false for an account section
function CheckSection
{
    param($section, [bool]$isVirtual, [bool]$isGroup)

    $sectionHits = 0
    foreach ($entry in $section) {
        $emitted = CheckPubKeys -entry $entry -isVirtual $isVirtual -isGroup $isGroup
        # [-1] selects the last value the function emitted, i.e. the returned count, even if
        # something else reached the output stream before it.
        $sectionHits += $emitted[-1]
    }

    if ($sectionHits -eq 0) {
        $virtOrWindows = if ($isVirtual) { "virtual" } else { "Windows" }
        $groupsOrAccts = if ($isGroup) { "groups" } else { "accounts" }
        Write-Host "No DSA keys found in $virtOrWindows $groupsOrAccts"
    }
}

$cfg.LoadServerSettings()
CheckSection -section $cfg.settings.access.winGroups    -isVirtual $false -isGroup $true
CheckSection -section $cfg.settings.access.winAccounts  -isVirtual $false -isGroup $false
CheckSection -section $cfg.settings.access.virtGroups   -isVirtual $true  -isGroup $true
CheckSection -section $cfg.settings.access.virtAccounts -isVirtual $true  -isGroup $false
Write-Host ""