Mail Archives: cygwin/2001/07/27/17:48:18
BTW, the /etc/sshd_config setting
StrictModes no
might help as well...
Corinna
On Fri, Jul 27, 2001 at 05:34:00PM -0400, Prentis Brooks wrote:
> Hey Chris,
> I do apologize, I will have to word my emails better in the future.
> I asked that of Corinna since I recall that she was the one who provided the
> answer to me before.
>
> After a search, I found this entry from Chuck Wilson:
>
> For months, I've been getting the "WARNING" banner from ssh, complaining
> that my private keys were not properly protected. I finally tracked it
> down, and will demonstrate here:
>
> ~ > ls -ln foo
> -rw------- 1 500 544 532 May 20 13:30 foo
>
> Okay, so this file is mode 600, owned by Administrator and group
> Administrators. That's good, because I'm running sshd from the
> Administrator account (appropriate privileges granted).
>
> ~ > getfacl foo
> # file: foo
> # owner: 500
> # group: 544
> user::rw-
> group::---
> mask::---
> other::---
>
> Yes, everything's fine here. But that's not what my ssh_host_key file
> had. It had an additional ACL for the user 'cwilson', as demonstrated
> below:
>
> ~ > ls -ln foo
> -rw------- 1 500 544 532 May 20 13:30 foo
>
> It *looks* okay, but getfacl shows:
>
> ~ > getfacl foo
> # file: foo
> # owner: 500
> # group: 544
> user::rw-
> user:1002:r-x
> group::---
> mask::---
> other::---
>
> Oh, NO! readable by user 1002!!! You can't use chmod to fix this.
>
> I fixed this by removing the extra ACL using windows tools
> (Properties->Security->Permissions). This problem is especially
> pernicious on W2K systems, with the "inherit ACLs from parent
> directories" behavior.
>
> So here's the question: I can't find any documentation on how to use
> 'setfacl' -- which seems to be the appropriate tool here. Rather than
> 'chmod', we want to instruct new sshd users to 'setfacl ssh_host*_key'
> to allow only user::rw- group::--- other::--- mask::---, with owner:
> SYSTEM, group: SYSTEM. (Not admin, admin like I'm doing).
>
> How do you use setfacl to set the correct permission properties on the
> hostkey files (regardless of whatever ACLs were previously applied)?
>
> --Chuck
>
> Again, I apologize for not following list protocol :). Let me know if
> that helps answer the question.
>
>
> Prentis Brooks | prentis AT aol DOT net | 703-265-0914 | AIM: PrentisB
> System Administrator - Web Infrastructure & Security
>
> A knight is sworn to valor. His heart knows only virtue. His blade
> defends the helpless. His word speaks only truth. His wrath undoes the
> wicked. - the old code of Bowen, last of the dragonslayers
>
>
> --
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
> Bug reporting: http://cygwin.com/bugs.html
> Documentation: http://cygwin.com/docs.html
> FAQ: http://cygwin.com/faq/
--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
Please, send mails regarding Cygwin to mailto:cygwin AT cygwin DOT com
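Added example (not part of the thread, not Cygwin's or OpenSSH's own code): a small bash script for the question Chuck asks above, how to put host key files into the user::rw-, group::---, mask::---, other::--- state regardless of what ACL entries were inherited. It reads getfacl output and flags anything that 'ls -l' cannot show (named user:/group: entries, default: entries, or wider bits), then rewrites the whole ACL with Cygwin's 'setfacl -s' (substitute), which, unlike chmod, also drops the inherited entries. Assumed: Cygwin's getfacl/setfacl, host keys at /etc/ssh_host*_key or /etc/ssh/ssh_host*_key, and a hypothetical FIX=1 switch to repair instead of only report. The two getfacl listings are constructed to match the ones quoted in the thread. Note that "StrictModes no" only tells sshd to skip its ownership/mode checks; it does not remove the extra entry, so a check like this is worth running either way.

```bash
#!/bin/bash
# Added example: audit and reset the ACL of Cygwin ssh host key files.
# Assumes Cygwin getfacl/setfacl; FIX=1 is a hypothetical switch for repair.

# acl_is_clean: read 'getfacl' output on stdin; succeed (0) only if the ACL
# is exactly user::rw-, group::---, mask::---, other::---. Anything else is
# printed as a finding and the function fails (1).
acl_is_clean() {
    local findings
    findings=$(grep -v '^#' | awk -F: '
        NF < 3 { next }                                      # blank/odd lines
        $1 == "default" { print "default entry: " $0; next } # inherited defaults
        ($1 == "user" || $1 == "group") && $2 != "" { print "named entry: " $0; next }
        $1 == "user"  && $3 != "rw-" { print "owner not rw-: " $0; next }
        $1 == "group" && $3 != "---" { print "group not ---: " $0; next }
        $1 == "mask"  && $3 != "---" { print "mask not ---: " $0; next }
        $1 == "other" && $3 != "---" { print "other not ---: " $0; next }
    ')
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# reset_hostkey_acl: replace the whole ACL of FILE with the owner-only set.
# 'setfacl -s' substitutes the full ACL, so entries inherited from the parent
# directory (which chmod leaves in place) are removed as well.
reset_hostkey_acl() {
    setfacl -s user::rw-,group::---,mask::---,other::--- "$1"
}

# check_hostkeys: audit every host key (paths assumed); repair when FIX=1.
check_hostkeys() {
    local key status=0
    for key in /etc/ssh_host*_key /etc/ssh/ssh_host*_key; do
        [ -f "$key" ] || continue
        if getfacl "$key" | acl_is_clean; then
            echo "ok:   $key"
        else
            echo "FAIL: $key"
            status=1
            if [ "${FIX:-0}" = 1 ]; then
                reset_hostkey_acl "$key" && getfacl "$key"
            fi
        fi
    done
    return $status
}

# Constructed getfacl listings modelled on the two shown in the thread.
CLEAN_ACL='# file: foo
# owner: 500
# group: 544
user::rw-
group::---
mask::---
other::---'

DIRTY_ACL='# file: foo
# owner: 500
# group: 544
user::rw-
user:1002:r-x
group::---
mask::---
other::---'

# With --hostkeys, audit the real files; otherwise run against the samples.
if [ "${1:-}" = "--hostkeys" ]; then
    check_hostkeys
else
    printf '%s\n' "$CLEAN_ACL" | acl_is_clean && echo "clean listing accepted"
    printf '%s\n' "$DIRTY_ACL" | acl_is_clean || echo "dirty listing rejected"
fi
```

Run it as Administrator (or the account sshd runs under) with 'FIX=1 ./acl-check.sh --hostkeys' to rewrite the ACLs, or without FIX to only report; any getfacl output can also be piped straight into acl_is_clean.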