Mail Archives: cygwin/2002/11/07/12:31:30
On Thu, Nov 07, 2002 at 11:51:16AM -0500, Harig, Mark A. wrote:
> Thank you for the clarification!
>
> This presents an interesting situation.
> Users who run 'ssh-keygen' (either directly,
> or indirectly using 'ssh-host-config'),
> find that they are not able to run ssh
> because of the permissions of ~/.ssh/
> (and, later, ~/.ssh/authorized_keys*), even
> though their permissions are set to the
> "correct" values.
>
> Shouldn't this should all be included in
> /usr/doc/Cygwin/openssh*README? Namely,
>
> 1) If you want the most secure ssh connection,
> then you will need to follow Corrina Vinschen's
> instructions below to set ACLs for both ~/.ssh/
> and ~/.ssh/authorized_keys*.
>
> 2) If you don't want to attempt to manipulate
> ACLs, then simply chmod 755 ~/.ssh/ and
> chmod 644 ~/.ssh/authorized_keys.
>
> What about a third alternative?
>
> $ chgrp system ~/.ssh/ ~/.ssh/authorized_keys*
> $ chmod 750 ~/.ssh/
> $ chmod 640 ~/.ssh/authorized_keys*
>
> This works, but does it merely give the illusion of
> more security without actually making the files secure?
First, the directory permission doesn't restrict the access for SYSTEM
due to the standard "Bypass traverse checking" setting on NT. So setting
the .ssh permissions to 0700 is perfectly fine.
Second, I don't see the point in setting the permissions of
.ssh/authorized_keys to 0600 at all. The content of that file is a list
of the *public* part of the keys so it's their intent to be readable by
anybody.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Bug reporting: http://cygwin.com/bugs.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
- Raw text -