Mail Archives: cygwin/2002/11/07/11:51:29
Thank you for the clarification!
This presents an interesting situation.
Users who run 'ssh-keygen' (either directly,
or indirectly using 'ssh-host-config'),
find that they are not able to run ssh
because of the permissions of ~/.ssh/
(and, later, ~/.ssh/authorized_keys*), even
though their permissions are set to the
"correct" values.
Shouldn't this all be included in
/usr/doc/Cygwin/openssh*README? Namely,
1) If you want the most secure ssh connection,
then you will need to follow Corinna Vinschen's
instructions below to set ACLs for both ~/.ssh/
and ~/.ssh/authorized_keys*.
2) If you don't want to attempt to manipulate
ACLs, then simply chmod 755 ~/.ssh/ and
chmod 644 ~/.ssh/authorized_keys.
What about a third alternative?
$ chgrp system ~/.ssh/ ~/.ssh/authorized_keys*
$ chmod 750 ~/.ssh/
$ chmod 640 ~/.ssh/authorized_keys*
This works, but does it merely give the illusion of
more security without actually making the files secure?
> >
> > Could this be a bug in Cygwin's implementation of openssh?
>
> It isn't. It's a problem with the permission model of NTFS. Even
> though SYSTEM is *the* major player on the machine, it gets an
> "access denied" if it has no permissions on a file. Don't ask for
> my opinion on this behaviour.
>
> However, since NTFS uses ACLs, you can give SYSTEM explicitly access
> to the file:
>
> [~/.ssh]$ chmod 600 authorized_keys
> [~/.ssh]$ getfacl authorized_keys
> # file: authorized_keys
> # owner: corinna
> # group: root
> user::rw-
> group::---
> mask::---
> other::---
> [~/.ssh]$ setfacl -m g:SYSTEM:r-- authorized_keys
> [~/.ssh]$ getfacl authorized_keys
> # file: authorized_keys
> # owner: corinna
> # group: root
> user::rw-
> group::---
> group:SYSTEM:r--
> mask::---
> other::---
>
> HTH,
> Corinna
>
> --
> Corinna Vinschen
> Cygwin Developer
> Red Hat, Inc.
> Please, send mails regarding Cygwin to mailto:cygwin AT cygwin DOT com
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Bug reporting: http://cygwin.com/bugs.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
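Added example (not part of the thread, and not Cygwin or OpenSSH code): a small Python script, standard library only, that builds a throw-away ~/.ssh tree and applies the three permission layouts discussed above (755/644, the chgrp-plus-750/640 alternative, and owner-only 700/600), plus a deliberately group-writable one. For each it reports whether sshd's StrictModes rule (owner or root owns the path, nothing writable by group or others) would accept it, and who the mode bits let read authorized_keys. It models POSIX mode bits only; the NTFS ACL entry for SYSTEM that Corinna adds with setfacl is outside what this script can show, and the "system" group in the chgrp alternative appears here simply as the owning group. The layout names, the placeholder key line and the checker functions are this example's own.

```python
"""Added example: evaluate the ~/.ssh permission layouts from the thread
against the checks sshd applies under StrictModes.

Assumption (not from the thread): only POSIX mode bits are modelled. NTFS
ACLs, such as the SYSTEM read entry added with setfacl, are not represented.
"""
import os
import stat
import tempfile


def strict_modes_ok(path, owner_uid):
    """Mirror sshd's StrictModes test for one path: it must be owned by the
    user (or root) and must not be writable by group or others. sshd also
    walks the parent directories; this example checks only the two paths
    under discussion."""
    st = os.stat(path)
    if st.st_uid not in (owner_uid, 0):
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def readable_by(path):
    """Describe who the mode bits let read the file: the owner only,
    the owner plus the owning group, or everyone."""
    mode = os.stat(path).st_mode
    if mode & stat.S_IROTH:
        return "everyone"
    if mode & stat.S_IRGRP:
        return "owner+group"
    return "owner"


# Layout name -> (mode of ~/.ssh, mode of ~/.ssh/authorized_keys).
# The first three are the alternatives discussed in the thread; the last
# is a deliberately broken layout to show StrictModes rejecting it.
LAYOUTS = {
    "open (chmod 755 / 644)": (0o755, 0o644),
    "group-only (chgrp system; chmod 750 / 640)": (0o750, 0o640),
    "owner-only (chmod 700 / 600)": (0o700, 0o600),
    "group-writable (broken)": (0o770, 0o660),
}


def evaluate_layouts():
    """Create a temporary ~/.ssh tree, apply each layout in turn, and return
    {layout name: {"sshd_accepts": bool, "keys_readable_by": str}}."""
    results = {}
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        keys = os.path.join(ssh_dir, "authorized_keys")
        os.mkdir(ssh_dir)
        with open(keys, "w") as fh:
            # constructed placeholder; not a real public key
            fh.write("# constructed placeholder authorized_keys line\n")
        for name, (dir_mode, file_mode) in LAYOUTS.items():
            os.chmod(ssh_dir, dir_mode)
            os.chmod(keys, file_mode)
            results[name] = {
                "sshd_accepts": strict_modes_ok(ssh_dir, uid)
                and strict_modes_ok(keys, uid),
                "keys_readable_by": readable_by(keys),
            }
    return results


if __name__ == "__main__":
    for name, r in evaluate_layouts().items():
        print(f"{name:45s} sshd accepts: {str(r['sshd_accepts']):5s} "
              f"authorized_keys readable by: {r['keys_readable_by']}")
```

Running it shows the trade-off the question above is about in terms of mode bits alone: all three layouts from the thread pass the StrictModes check, and what changes between them is the set of principals the bits grant read access to (everyone, the owning group, or the owner only). Whether a given group or ACL entry actually lets the sshd process read the file is a property of the platform's access model, which on Cygwin/NTFS is what the quoted reply addresses with setfacl.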