Mail Archives: cygwin/2001/06/21/01:33:55
For months, I've been getting the "WARNING" banner from ssh, complaining
that my private keys were not properly protected. I finally tracked it
down, and will demonstrate here:

~ > ls -ln foo
-rw------- 1 500 544 532 May 20 13:30 foo

Okay, so this file is mode 600, owned by Administrator and group
Administrators. That's good, because I'm running sshd from the
Administrator account (appropriate privileges granted).

~ > getfacl foo
# file: foo
# owner: 500
# group: 544
user::rw-
group::---
mask::---
other::---

Yes, everything's fine here. But that's not what my ssh_host_key file
had. It had an additional ACL for the user 'cwilson', as demonstrated
below:

~ > ls -ln foo
-rw------- 1 500 544 532 May 20 13:30 foo

It *looks* okay, but getfacl shows:

~ > getfacl foo
# file: foo
# owner: 500
# group: 544
user::rw-
user:1002:r-x
group::---
mask::---
other::---

Oh, NO! Readable by user 1002!!! You can't use chmod to fix this.
I fixed this by removing the extra ACL using Windows tools
(Properties->Security->Permissions). This problem is especially
pernicious on W2K systems, with the "inherit ACLs from parent
directories" behavior.

So here's the question: I can't find any documentation on how to use
'setfacl' -- which seems to be the appropriate tool here. Rather than
'chmod', we want to instruct new sshd users to 'setfacl ssh_host*_key'
to allow only user::rw- group::--- other::--- mask::---, with owner:
SYSTEM, group: SYSTEM. (Not admin, admin like I'm doing).

How do you use setfacl to set the correct permission properties on the
hostkey files (regardless of whatever ACLs were previously applied)?

--Chuck
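
Added example (not part of the original post, and not Cygwin's or OpenSSH's own code): a shell check that reads getfacl output and reports the entries that the mode bits in "ls -ln" do not show, run over the two listings from the post. The function names are hypothetical, and the mask entry is deliberately not applied, so any named entry that lists a permission is reported.

```shell
#!/bin/sh
# Added example: report ACL entries that would let anyone but the owner in.
# Reads getfacl text on stdin. The mask entry is NOT applied (assumption):
# any named entry that lists a permission is reported, as the post treats it.

acl_findings() {
    awk -F: '
        /^#/ || /^$/ { next }                 # header comments and blank lines
        {
            off = ($1 == "default") ? 1 : 0   # tolerate default: entries
            tag = $(1 + off); who = $(2 + off); perm = $(3 + off)
            named = (tag == "user" || tag == "group") && who != ""
            base  = (tag == "group" || tag == "other") && who == ""
            if ((named || base) && perm ~ /[rwx]/) print $0
        }'
}

# Exit status 0 only when nothing beyond the owner entry grants access.
acl_is_private() {
    [ -z "$(acl_findings)" ]
}

# The two listings from the post, embedded so this runs without Cygwin.
CLEAN_ACL='# file: foo
# owner: 500
# group: 544
user::rw-
group::---
mask::---
other::---'

LEAKY_ACL='# file: foo
# owner: 500
# group: 544
user::rw-
user:1002:r-x
group::---
mask::---
other::---'

check_sample() {
    if printf '%s\n' "$1" | acl_is_private; then echo private; else echo exposed; fi
}

check_sample "$CLEAN_ACL"    # mode bits and ACL agree
check_sample "$LEAKY_ACL"    # same mode bits, extra entry for uid 1002
```

On a live system the input would come from piping getfacl for the key file into acl_findings.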