Mail Archives: cygwin/2002/11/08/03:48:16

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Fri, 8 Nov 2002 09:47:42 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Is RSA authentication on SSH still broken?
Message-ID: <20021108094742.L24497@cygbert.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
References: <BADF3C947A1BD54FBA75C70C241B0B9E90B9CC AT ex02 DOT idirect DOT net>
Mime-Version: 1.0
In-Reply-To: <BADF3C947A1BD54FBA75C70C241B0B9E90B9CC@ex02.idirect.net>
User-Agent: Mutt/1.3.22.1i

On Thu, Nov 07, 2002 at 06:54:48PM -0500, Harig, Mark A. wrote:
> I must be missing a piece of information.  Setting the
> permissions of ~/.ssh to 700 causes ssh to require me
> to enter a password, that is, the encryption-key processing
> is failing.  Setting the permissions of ~/.ssh to 750 (if
> the group setting is SYSTEM) or to 755 (if the group setting
> is not SYSTEM) allows ssh to access the encryption-key files.

Are you actually sure?  The permissions of directories don't influence
the permissions to the underlying files and directories unless an
administrator changes the setting of the above "Bypass traverse checking"
user right.  Just to be sure I did check that yesterday on my system so
I'm pretty confident.

"Bypass traverse checking" is on by default for Everyone.  This is
annoyingly different from UNIX file systems from my point of view
but AFAIK professional Windows admins like it.  And since it's the
default and most users don't know what it's doing anyway, I don't
change it on my test system, either.

> > Second, I don't see the point in setting the permissions of
> > .ssh/authorized_keys to 0600 at all.  The content of that file is a
> > list of the *public* part of the keys so it's their intent to be
> > readable by anybody.
> 
> That was my understanding also.  I assumed that my understanding
> was incorrect because ssh would report that my permissions for
> ~/.ssh/authorized_keys were too open.  I'm unable to reproduce that
> at this time.  This issue is closed as far as I am concerned, until
> I can reproduce the problem.

OpenSSH is a UNIX-centric application, as most are in the Cygwin distro.
As such, OpenSSH checks permissions in a UNIX sense.  Actually, OpenSSH
also checks the permissions of the parent directory chain up to the
user's home directory.  It requires as a minimum

755 on ~
755 on ~/.ssh
644 on ~/.ssh/authorized_keys

as long as StrictModes is on.  If one of them doesn't meet these
requirements, sshd complains.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
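
The StrictModes check described in the message above, as an added example that is not part of the original mail and not OpenSSH's own code: it walks from authorized_keys up to the home directory and reports any path that is writable by group or others, or owned by someone other than the user or root. The function names and the temporary home directory are constructed for illustration, and a POSIX Python is assumed.

```python
import os
import stat
import tempfile

def strictmodes_problems(home, key_file, uid=None):
    """Return findings that would make a StrictModes-style check fail.

    Walks from key_file up to home (inclusive). Each path must be owned by
    uid (or root) and must not be writable by group or others (mode & 022).
    """
    uid = os.getuid() if uid is None else uid
    home = os.path.realpath(home)
    path = os.path.realpath(key_file)
    if os.path.commonpath([home, path]) != home:
        return [f"{path}: not inside {home}"]
    problems = []
    while True:
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in (uid, 0):
            problems.append(f"{path}: owned by uid {st.st_uid}")
        if mode & 0o022:
            problems.append(f"{path}: mode {mode:03o} is group/world writable")
        if path == home:
            return problems
        path = os.path.dirname(path)

def demo():
    """Build a constructed home directory; check it before and after a fix."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        keys = os.path.join(ssh_dir, "authorized_keys")
        os.mkdir(ssh_dir)
        with open(keys, "w") as fh:
            # Constructed placeholder entry, not a real key.
            fh.write("ssh-rsa AAAA...constructed user@example\n")
        os.chmod(home, 0o755)
        os.chmod(ssh_dir, 0o775)   # too open: group-writable
        os.chmod(keys, 0o644)
        before = strictmodes_problems(home, keys)
        os.chmod(ssh_dir, 0o755)   # the mode listed in the message
        after = strictmodes_problems(home, keys)
        return before, after

if __name__ == "__main__":
    for label, found in zip(("before", "after"), demo()):
        print(label, found or "ok")
```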
