Date: Fri, 27 Jul 2001 23:46:31 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: Re: Anybody really runs sshd in win2K? (fwd)
Message-ID: <20010727234631.A490@cygbert.vinschen.de>
References: <20010727170214 DOT A19762 AT redhat DOT com>
In-Reply-To: ; from prentis@aol.net on Fri, Jul 27, 2001 at 05:34:00PM -0400

BTW, the /etc/sshd_config setting

  StrictModes no

might help as well...

Corinna

On Fri, Jul 27, 2001 at 05:34:00PM -0400, Prentis Brooks wrote:
> Hey Chris,
> I do apologize, I will have to word my emails better in the future.
> I asked that of Corinna since I recall that she was the one who provided the
> answer to me before.
>
> After a search, I found this entry from Chuck Wilson:
>
> For months, I've been getting the "WARNING" banner from ssh, complaining
> that my private keys were not properly protected. I finally tracked it
> down, and will demonstrate here:
>
> ~ > ls -ln foo
> -rw------- 1 500 544 532 May 20 13:30 foo
>
> Okay, so this file is mode 600, owned by Administrator and group
> Administrators. That's good, because I'm running sshd from the
> Administrator account (appropriate privileges granted).
>
> ~ > getfacl foo
> # file: foo
> # owner: 500
> # group: 544
> user::rw-
> group::---
> mask::---
> other::---
>
> Yes, everything's fine here. But that's not what my ssh_host_key file
> had. It had an additional ACL for the user 'cwilson', as demonstrated
> below:
>
> ~ > ls -ln foo
> -rw------- 1 500 544 532 May 20 13:30 foo
>
> It *looks* okay, but getfacl shows:
>
> ~ > getfacl foo
> # file: foo
> # owner: 500
> # group: 544
> user::rw-
> user:1002:r-x
> group::---
> mask::---
> other::---
>
> Oh, NO! readable by user 1002!!! You can't use chmod to fix this.
>
> I fixed this by removing the extra ACL using windows tools
> (Properties->Security->Permissions). This problem is especially
> pernicious on W2K systems, with the "inherit ACL's from parent
> directories" behavior.
>
> So here's the question: I can't find any documentation on how to use
> 'setfacl' -- which seems to be the appropriate tool here. Rather than
> 'chmod', we want to instruct new sshd users to 'setfacl ssh_host*_key'
> to allow only user::rw- group::--- other::--- mask::---, with owner:
> SYSTEM, group: SYSTEM. (Not admin, admin like I'm doing).
>
> How do you use setfacl to set the correct permission properties on the
> hostkey files (regardless of whatever ACL's were previously applied)?
>
> --Chuck
>
> Again, I apologize for not following list protocol :). Let me know if
> that helps answer the question.
>
>
> Prentis Brooks | prentis AT aol DOT net | 703-265-0914 | AIM: PrentisB
> System Administrator - Web Infrastructure & Security
>
> A knight is sworn to valor. His heart knows only virtue. His blade
> defends the helpless. His word speaks only truth. His wrath undoes the
> wicked. - the old code of Bowen, last of the dragonslayers
>
>
> --
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
> Bug reporting: http://cygwin.com/bugs.html
> Documentation: http://cygwin.com/docs.html
> FAQ: http://cygwin.com/faq/

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
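Added example, not from the thread or from Cygwin: a POSIX shell check that parses getfacl output and lists every entry that lets anyone but the owning user at the key file, which is exactly what `ls -l` hides in Chuck's case. The two getfacl outputs are constructed to mirror the ones he posted, and the file name ssh_host_key and the path /etc/ssh_host_key are assumptions.

```shell
#!/bin/sh
# Constructed getfacl outputs modelled on the thread (file name assumed).
CLEAN_ACL='# file: ssh_host_key
# owner: 500
# group: 544
user::rw-
group::---
mask::---
other::---'

LEAKY_ACL='# file: ssh_host_key
# owner: 500
# group: 544
user::rw-
user:1002:r-x
group::---
mask::---
other::---'

# check_acl GETFACL_OUTPUT
# Prints each entry that grants access to someone other than the owner:
# a named user/group entry (non-empty qualifier field), or an owning
# group / other entry with any permission bit set. Named entries are
# reported even when mask is ---, matching the thread's reading of the
# output. Returns 0 when the ACL is clean, 1 otherwise.
check_acl() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ || /^$/ { next }
        ($1 == "user" || $1 == "group") && $2 != "" { print; bad = 1; next }
        ($1 == "group" || $1 == "other") && $3 != "---" { print; bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}

# Usage on the constructed samples. On a live Cygwin box you would feed
# `getfacl /etc/ssh_host_key` (path assumed) to check_acl instead, then
# remove any listed entry with setfacl or the Windows security dialog.
for name in CLEAN_ACL LEAKY_ACL; do
    eval "acl=\$$name"
    if check_acl "$acl"; then
        echo "$name: only the owner can read the key"
    else
        echo "$name: remove the entries listed above, then re-check"
    fi
done
```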