Mail Archives: cygwin/2003/09/20/22:33:02

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
X-Authentication-Warning: slinky.cs.nyu.edu: pechtcha owned process doing -bs
Date: Sat, 20 Sep 2003 22:32:41 -0400 (EDT)
From: Igor Pechtchanski <pechtcha AT cs DOT nyu DOT edu>
Reply-To: cygwin AT cygwin DOT com
To: Fermin Sanchez <fermin AT fermin DOT ch>
cc: cygwin AT cygwin DOT com
Subject: Re: ssh login with [rd]sa key, permissions on keyfile problems
In-Reply-To: <99AE13FA0F1F824AA6D299741FE6C82F8F32@dcp1.home.fermin.ch>
Message-ID: <Pine.GSO.4.56.0309202231000.12411@slinky.cs.nyu.edu>
References: <99AE13FA0F1F824AA6D299741FE6C82F8F32 AT dcp1 DOT home DOT fermin DOT ch>
Importance: Normal
MIME-Version: 1.0

On Sat, 20 Sep 2003, Fermin Sanchez wrote:

> Hello list
>
> I thought it might be nice to log on using an rsa or dsa key. So I
> created both an rsa and a dsa key using ssh-user-config. The keys were
> created in ~/.ssh, and the required changes made to authorized_keys.
>
> Logging in to the server using
>
> ssh -i ~/.ssh/id_rsa -l fermin -v localhost
>
> gives me all kind of output, the essential being:
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Permissions 0644 for '//dcp1/users/fermin/.ssh/id_rsa' are too open.
> It is recommended that your private key files are NOT accessible by
> others.
> This private key will be ignored.
> bad permissions: ignore key: //dcp1/users/fermin/.ssh/id_rsa
> Enter passphrase for key '//dcp1/users/fermin/.ssh/id_rsa':
>
>
> After entering the passphrase for my key, there is more:
>
> debug1: Next authentication method: keyboard-interactive
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug1: Next authentication method: password
> fermin AT localhost's password:
>
> It falls back to 'normal' password authentication, which also works, of
> course. But it's not what I had in mind. So I went into ~/.ssh, listed
> the contents:
>
> $ ls -l
> total 6
> -rw-r--r--    1 fermin   Domain U      822 Sep 20 15:23 authorized_keys
> -rw-r--r--    1 fermin   Domain U      668 Sep 20 15:48 id_dsa
> -rw-r--r--    1 fermin   Domain U      601 Sep 20 15:23 id_dsa.pub
> -rw-r--r--    1 fermin   Domain U      883 Sep 20 15:48 id_rsa
> -rw-r--r--    1 fermin   Domain U      221 Sep 20 15:23 id_rsa.pub
> -rw-r--r--    1 fermin   Domain U      220 Sep 20 15:23 known_hosts
>
>
> $ chmod -v 600 id_*sa
> mode of `id_dsa' changed to 0600 (rw-------)
> mode of `id_rsa' changed to 0600 (rw-------)
>
>
> Unfortunately, the files are not impressed by my actions, and the '-v'
> parameter does only show what would have happened in a normal world.
> Which my system doesn't seem to be. "chmod -c 600 id_*sa" works
> correctly, though, not showing any changes having happened.
>
> At this point I figured it must have something to do with NTFS
> permissions (being MCSE and all that) and tried to change the
> permissions of the id files in Windows (and ownership, while I was at
> it). I also made sure that "StrictModes no" is active in sshd_config,
> which it is.
>
> From the Windows point of view, everything should be fine, but I think
> there's a difference in file rights between *unix systems and Windows:
> In Windows, the actual file permission overrides the directory
> permission, meaning that you could have access (read/write/whatever) to
> a file while not being able to access the directory where the file is.
> Don't ask me why or say "that's insane" - it's just the way it is, I
> didn't come up with NTFS in the first place. AFAIR from my recent
> Solaris course, *nix does it the other way round, directory permissions
> always override file permissions?
>
> Not wanting to screw around any more than I already have, could somebody
> please confirm that I probably need to adjust the directory permissions
> for ~/.ssh (to what, who should be the owner, what about 'other'?), and
> then it should work? And of course I will have to turn off inherited
> rights on that directory, as well...
>
> Because work it did:
>
> mkdir /tmp/fermin
> cp ~/.ssh/id_rsa /tmp/fermin
> chmod 600 /tmp/fermin/id_rsa
> ssh -l fermin -i /tmp/fermin/id_rsa localhost
>
> ... worked like a charm.
>
> Hopefully, somebody ran into this problem before and can give me a hint
> or two? Thank you!
>
> Regards
> Fermin

Is your home directory on an SMB share?  If so, you may need to add
"smbntsec" to your CYGWIN environment variable.

Also, can you please post the output of "getfacl ~/.ssh" and "getfacl
~/.ssh/id_rsa"?
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha AT cs DOT nyu DOT edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor AT watson DOT ibm DOT com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
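The warning Fermin quotes comes from the check OpenSSH runs before it will use a private key: if the file's mode grants any permission to group or other, the key is ignored, because a world- or group-readable private key lets every other account on the machine authenticate as its owner. The POSIX shell script below is an added example, not code from the thread or from OpenSSH; it re-implements that test, then repeats the copy-and-chmod workaround from the quoted message in a scratch directory where chmod is honoured. The function names (`key_mode`, `key_perms_ok`, `protected_copy`, `demo`) and the dummy key file are assumptions made for the example. It also shows the point of Igor's `getfacl` request: what matters is the mode ssh reads back, not what `chmod -v` reported it set, which is exactly where an SMB-backed home directory without `smbntsec` diverges from a local one.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): mirror the private-key
# permission test ssh applies, and the copy-to-a-local-dir workaround.

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
key_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# key_perms_ok FILE: return 0 when group and other have no bits at all
# (what ssh requires), 1 when the mode is "too open", 2 when the file is missing.
# Like ssh, this judges the mode as read back from the filesystem, so a chmod
# that only claimed to succeed (the SMB case in the thread) is still caught.
key_perms_ok() {
  mode=$(key_mode "$1") || { echo "missing: $1"; return 2; }
  go=${mode#"${mode%??}"}          # last two octal digits: group, other
  if [ "$go" = "00" ]; then
    echo "ok: $1 ($mode)"
    return 0
  fi
  echo "too open: $1 ($mode) - ssh would ignore this key"
  return 1
}

# protected_copy KEY DIR: the workaround from the quoted message, made a bit
# stricter (the directory itself is 0700 too). Prints the path of the copy.
protected_copy() {
  src=$1
  dest_dir=$2
  mkdir -p "$dest_dir"
  chmod 700 "$dest_dir"
  cp "$src" "$dest_dir/"
  dest="$dest_dir/$(basename "$src")"
  chmod 600 "$dest"
  printf '%s\n' "$dest"
}

# Walk through the thread's situation on a constructed dummy key (not a real key).
demo() {
  work=$(mktemp -d)
  printf 'DUMMY KEY MATERIAL, constructed for this example\n' > "$work/id_rsa"
  chmod 644 "$work/id_rsa"                  # the 0644 from Fermin's ls -l
  key_perms_ok "$work/id_rsa" || :          # rejected, as ssh rejected it
  copy=$(protected_copy "$work/id_rsa" "$work/tmp_keys")
  key_perms_ok "$copy"                      # accepted, as /tmp/fermin/id_rsa was
  rm -rf "$work"
}

demo
```

Run it as a plain script; it needs only `stat`, `chmod`, `cp` and `mktemp`. The verdict lines are informational, the exit status of `key_perms_ok` is the result a caller should test, so the same function can be dropped into a login script to warn before ssh silently falls back to password authentication.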
