Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
Sender: cygwin-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Date: Fri, 27 Jul 2001 17:34:00 -0400 (EDT)
From: Prentis Brooks
Subject: Re: Re: Anybody really runs sshd in win2K? (fwd)
In-Reply-To: <20010727170214.A19762@redhat.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hey Chris,

I do apologize, I will have to word my emails better in the future. I asked that of Corinna since I recall that she was the one who provided the answer to me before. After a search, I found this entry from Chuck Wilson:

> For months, I've been getting the "WARNING" banner from ssh, complaining that my private keys were not properly protected. I finally tracked it down, and will demonstrate here:
>
> ~ > ls -ln foo
> -rw------- 1 500 544 532 May 20 13:30 foo
>
> Okay, so this file is mode 600, owned by Administrator and group Administrators. That's good, because I'm running sshd from the Administrator account (appropriate privileges granted).
>
> ~ > getfacl foo
> # file: foo
> # owner: 500
> # group: 544
> user::rw-
> group::---
> mask::---
> other::---
>
> Yes, everything's fine here. But that's not what my ssh_host_key file had. It had an additional ACL for the user 'cwilson', as demonstrated below:
>
> ~ > ls -ln foo
> -rw------- 1 500 544 532 May 20 13:30 foo
>
> It *looks* okay, but getfacl shows:
>
> ~ > getfacl foo
> # file: foo
> # owner: 500
> # group: 544
> user::rw-
> user:1002:r-x
> group::---
> mask::---
> other::---
>
> Oh, NO! Readable by user 1002!!!
>
> You can't use chmod to fix this. I fixed this by removing the extra ACL using Windows tools (Properties->Security->Permissions). This problem is especially pernicious on W2K systems, with the "inherit ACLs from parent directories" behavior.
>
> So here's the question: I can't find any documentation on how to use 'setfacl' -- which seems to be the appropriate tool here. Rather than 'chmod', we want to instruct new sshd users to 'setfacl ssh_host*_key' to allow only user::rw- group::--- other::--- mask::---, with owner: SYSTEM, group: SYSTEM. (Not admin, admin like I'm doing.) How do you use setfacl to set the correct permission properties on the hostkey files (regardless of whatever ACLs were previously applied)?
>
> --Chuck

Again, I apologize for not following list protocol :). Let me know if that helps answer the question.

Prentis Brooks | prentis AT aol DOT net | 703-265-0914 | AIM: PrentisB
System Administrator - Web Infrastructure & Security

A knight is sworn to valor. His heart knows only virtue. His blade defends the helpless. His word speaks only truth. His wrath undoes the wicked.
- the old code of Bowen, last of the dragonslayers

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
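An added example, not from the mail above nor from the Cygwin project: a small POSIX sh audit that reads getfacl output (here a constructed copy of Chuck's second listing), flags the named-user or named-group entries that ls -l and chmod never show, and prints the setfacl invocation that replaces the whole ACL with the owner-only one the mail asks for. It assumes Cygwin's setfacl, where -s substitutes the entire ACL; GNU setfacl spells the same option --set.

```shell
#!/bin/sh
# Constructed getfacl output mirroring the ssh_host_key case in the mail.
# On a real host, feed in "$(getfacl ssh_host_key)" instead.
SAMPLE_ACL='# file: ssh_host_key
# owner: 500
# group: 544
user::rw-
user:1002:r-x
group::---
mask::---
other::---'

# Print every ACL entry that is not a base user::/group::/mask::/other:: line,
# i.e. the named entries that a mode of 600 hides and chmod cannot remove.
extra_acl_entries() {
    printf '%s\n' "$1" | grep -v '^#' | grep -v -E '^(user|group|mask|other)::'
}

# Succeed (exit 0) only when the ACL carries no named entries at all.
acl_is_owner_only() {
    [ -z "$(extra_acl_entries "$1")" ]
}

# The command that rewrites the ACL from scratch, whatever was inherited.
# -s is Cygwin setfacl's "substitute" option (assumption: Cygwin tool).
fix_command() {
    printf 'setfacl -s user::rw-,group::---,mask::---,other::--- %s\n' "$1"
}

if acl_is_owner_only "$SAMPLE_ACL"; then
    echo "ssh_host_key: ACL is owner-only"
else
    echo "ssh_host_key: named ACL entries survive chmod 600:"
    extra_acl_entries "$SAMPLE_ACL" | sed 's/^/    /'
    echo "fix with: $(fix_command ssh_host_key)"
fi
```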