Mail Archives: cygwin/2002/01/17/13:42:23
On Thu, 17 Jan 2002 09:59:44 -0500, Peter Buckley
<peter DOT buckley AT cportcorp DOT com> wrote:
>IIRC, SYSTEM should be the owner of the keys. And it is highly
>recommended that the service be run as SYSTEM. Check out
>http://tech.erdelynet.com for more info on the permissions for the key
>files etc.
Info is much appreciated. The service is running as SYSTEM though, and I
had also run the script from tech.erdelynet.com. For verification is
this correct for /etc... ?
-rw-r--r-- 1 Administ Administ 955 Jan 13 06:43 ssh_config
-rw------- 1 SYSTEM SYSTEM 668 Oct 29 21:37 ssh_host_dsa_key
-rw-r--r-- 1 Administ Administ 606 Oct 29 21:37 ssh_host_dsa_key.pub
-rw------- 1 SYSTEM SYSTEM 531 Oct 29 21:36 ssh_host_key
-rw-r--r-- 1 Administ Administ 335 Oct 29 21:36 ssh_host_key.pub
-rw------- 1 SYSTEM SYSTEM 887 Oct 29 21:36 ssh_host_rsa_key
-rw-r--r-- 1 Administ Administ 226 Oct 29 21:36 ssh_host_rsa_key.pub
-rw-r--r-- 1 Administ None 1.5k Jan 17 14:43 sshd_config
As for the files in the individual /home/.ssh directories, assuming the
script worked ok, they should be owned by the relevent /home owner?
Incidentally I did try changing their ownership to SYSTEM but to no
avail.
>Guy Harrison wrote:
>
>> Hi,
>>
>> Not knowing anything about SSH I didn't realise openssh-3.0.2p1-4 (and
>> former) versions shouldn't have been asking for a password with the
>> correct keys at either end. I assumed I'd got something in a mess. It
>> appears not.
>>
>> In the end I compiled openssh so I could get a bit more information on
>> the failure.
>>
>> <snippet auth.c>
>> int
>> secure_filename(FILE *f, const char *file, struct passwd *pw,
>> char *err, size_t errlen)
>> {
>> uid_t uid = pw->pw_uid;
>> char buf[MAXPATHLEN], homedir[MAXPATHLEN];
>> char *cp;
>> struct stat st;
>> int zzz;
>> if (realpath(file, buf) == NULL) {
>> snprintf(err, errlen, "realpath %s failed: %s", file,
>> strerror(errno));
>> return -1;
>> }
>> if (realpath(pw->pw_dir, homedir) == NULL) {
>> snprintf(err, errlen, "realpath %s failed: %s",
>> pw->pw_dir,
>> strerror(errno));
>> return -1;
>> }
>> log("realpath=[%s][%s]",buf,homedir);
>> /* check the open file to avoid races */
>> zzz = fstat(fileno(f), &st);
>> log("st_uid=[%d] pw_uid=[%d]",st.st_uid,uid);
>> if ((zzz < 0) ||
>> (st.st_uid != 0 && st.st_uid != uid) ||
>> (st.st_mode & 022) != 0) {
>> snprintf(err, errlen, "bad ownership or modes for file
>> %s",
>> buf);
>> return -1;
>> }
>> <snippet /auth.c>
>>
>> When run as a service sshd is emitting...
>>
>> The description for Event ID ( 0 ) in Source ( /usr/sbin/sshd.exe )
>> could not be found. It contains the following insertion string(s):
>> /usr/sbin/sshd.exe : Win32 Process Id = 0x1B0 : Cygwin Process Id =
>> 0x1B0 : debug1: temporarily_use_uid: 500/513 (e=18).
>>
>> The description for Event ID ( 0 ) in Source ( /usr/sbin/sshd.exe )
>> could not be found. It contains the following insertion string(s):
>> /usr/sbin/sshd.exe : Win32 Process Id = 0x1B0 : Cygwin Process Id =
>> 0x1B0 :
>> realpath=[/home/Administrator/.ssh/authorized_keys][/home/Administrator].
>>
>> The description for Event ID ( 0 ) in Source ( /usr/sbin/sshd.exe )
>> could not be found. It contains the following insertion string(s):
>> /usr/sbin/sshd.exe : Win32 Process Id = 0x1B0 : Cygwin Process Id =
>> 0x1B0 : st_uid=[18] pw_uid=[500].
>>
>> The description for Event ID ( 0 ) in Source ( /usr/sbin/sshd.exe )
>> could not be found. It contains the following insertion string(s):
>> /usr/sbin/sshd.exe : Win32 Process Id = 0x1B0 : Cygwin Process Id =
>> 0x1B0 : Authentication refused: bad ownership or modes for file
>> /home/Administrator/.ssh/authorized_keys.
>>
>> Seems to think authorized_keys is owned by SYSTEM:18 but it isn't.
>> Stopping sshd as a service and running from within bash "sshd -d" works
>> fine and emits...
>>
>> debug1: temporarily_use_uid: 500/513 (e=500)
>> debug1: trying public RSA key file
>> /home/Administrator/.ssh/authorized_keys
>> realpath=[/home/Administrator/.ssh/authorized_keys][/home/Administrator]
>> st_uid=[500] pw_uid=[500]
>> debug1: restore_uid
>> Accepted rsa for Administrator from 192.168.0.1 port 2446
>>
>> ...which isn't the end of it. I fired up a bash shell, launched from a
>> service with SYSTEM authority expecting a failure...
>>
>> debug1: temporarily_use_uid: 500/513 (e=18)
>> debug1: trying public key file /home/Administrator/.ssh/authorized_keys
>> realpath=[/home/Administrator/.ssh/authorized_keys][/home/Administrator]
>> st_uid=[500] pw_uid=[500]
>>
>> ...but it worked, both as "sshd -d" and as a straight "sshd" (so it
>> forked in case that was it).
>>
>> fstat will only fail when sshd is running as a service as SYSTEM. The
>> only viable approach I can think of at this point is to attach gdb to
>> the process forked by sshd and I can't for the life of me figure out how
>> to do that. I hope this info is useful to you folks with more intimate
>> knowledge 'cos I'm stuck! :-|
>>
>>
>>
>
>
>--
>Your mouse has moved.
>Windows NT must be restarted for the change to take effect.
>Reboot now? [OK]
>
>--
--
swamp-dog AT ntlworld DOT com
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Bug reporting: http://cygwin.com/bugs.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
- Raw text -