Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Message-ID: <3B311D93.20902@ece.gatech.edu>
Date: Wed, 20 Jun 2001 18:02:59 -0400
From: "Charles S. Wilson"
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.1) Gecko/20010607 Netscape6/6.1b1
X-Accept-Language: en-us
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: ssh private key permissions
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

For months, I've been getting the "WARNING" banner from ssh, complaining that my private keys were not properly protected. I finally tracked it down, and will demonstrate here:

    ~ > ls -ln foo
    -rw------- 1 500 544 532 May 20 13:30 foo

Okay, so this file is mode 600, owned by Administrator and group Administrators. That's good, because I'm running sshd from the Administrator account (appropriate privileges granted).

    ~ > getfacl foo
    # file: foo
    # owner: 500
    # group: 544
    user::rw-
    group::---
    mask::---
    other::---

Yes, everything's fine here. But that's not what my ssh_host_key file had. It had an additional ACL for the user 'cwilson', as demonstrated below:

    ~ > ls -ln foo
    -rw------- 1 500 544 532 May 20 13:30 foo

It *looks* okay, but getfacl shows:

    ~ > getfacl foo
    # file: foo
    # owner: 500
    # group: 544
    user::rw-
    user:1002:r-x
    group::---
    mask::---
    other::---

Oh, NO! readable by user 1002!!!

You can't use chmod to fix this. I fixed this by removing the extra ACL using windows tools (Properties->Security->Permissions). This problem is especially pernicious on W2K systems, with the "inherit ACLs from parent directories" behavior.

So here's the question: I can't find any documentation on how to use 'setfacl' -- which seems to be the appropriate tool here.
Rather than 'chmod', we want to instruct new sshd users to 'setfacl ssh_host*_key' to allow only user::rw- group::--- other::--- mask::---, with owner: SYSTEM, group: SYSTEM. (Not admin, admin like I'm doing.)

How do you use setfacl to set the correct permission properties on the hostkey files (regardless of whatever ACLs were previously applied)?

--Chuck
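A check for the condition Chuck describes, added here as an example; it is not code from his message, from Cygwin, or from OpenSSH. It reads a getfacl(1) listing and prints every entry that grants access to anyone other than the file owner, so an extra `user:1002:r-x` entry is caught even though `ls -l` shows 600. The two listings are constructed samples copied from the post; the file name `ssh_host_key` in the fix helper is a placeholder. The fix helper uses Cygwin's `setfacl -s`, which replaces the whole ACL with the listed base entries, so a named entry is removed rather than merely masked. The parser goes a little beyond the Cygwin output shown above: it also tolerates the `#effective:` annotations and `default:` entries that Linux getfacl prints.

```shell
#!/bin/sh
# Added example, not code from the original post or from Cygwin/OpenSSH.
# check_key_acl reads a getfacl(1) listing on stdin, prints every entry that
# grants access to anyone other than the owner, and returns 0 only when the
# key is private to its owner. Cygwin getfacl output as shown in the post is
# assumed; Linux getfacl "#effective:" annotations and "default:" entries are
# tolerated as well.

# Constructed sample: the owner-only listing from the post.
GOOD_ACL='# file: foo
# owner: 500
# group: 544
user::rw-
group::---
mask::---
other::---'

# Constructed sample: the listing with the extra entry for uid 1002.
BAD_ACL='# file: foo
# owner: 500
# group: 544
user::rw-
user:1002:r-x
group::---
mask::---
other::---'

check_key_acl() {
    awk -F: '
        BEGIN { bad = 0 }
        /^#/ || /^[ \t]*$/ { next }              # "# file:" headers and blank lines
        {
            sub(/[ \t]*#.*$/, "")                 # strip "#effective:" notes, re-split fields
            type = $1; who = $2; perms = $3
            if (type == "default") { type = $2; who = $3; perms = $4 }
            if (type == "user" && who == "") {   # owner entry: rw- or r-- is fine
                if (perms ~ /x/) { print; bad = 1 }
                next
            }
            if (type == "mask") next              # not a grant by itself; see note below
            # named users, named groups, group:: and other:: must carry no bits at all
            if (perms ~ /[rwx]/) { print; bad = 1 }
        }
        END { exit bad }'
}

# show_fix_command FILE: the setfacl invocation that resets FILE to owner-only.
# Cygwin setfacl -s replaces the entire ACL with the listed entries, so every
# named user/group entry is dropped. FILE is whatever the caller passes.
show_fix_command() {
    printf 'setfacl -s u::rw-,g::---,o::--- %s\n' "$1"
}

# fix_key_acl FILE: apply the reset (only meaningful on a host with setfacl).
fix_key_acl() {
    setfacl -s u::rw-,g::---,o::--- "$1"
}

# Demonstration on the two constructed samples; ssh_host_key is a placeholder name.
printf '%s\n' "$GOOD_ACL" | check_key_acl && echo "good sample: private to owner"
printf '%s\n' "$BAD_ACL" | check_key_acl || {
    echo "bad sample: the entries above grant access; reset with:"
    show_fix_command ssh_host_key
}
```

The mask entry is deliberately ignored: the post shows the named entry still counting as access while `mask::---` is displayed, so the check treats every extra entry as a finding instead of trusting the mask to neutralise it. Run the check against a live file with `getfacl ssh_host_key | check_key_acl`, and only then call `fix_key_acl` on files that fail.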