Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
From: swamp-dog AT ntlworld DOT com (Guy Harrison)
Subject: Re: sshd and fstat
Date: Thu, 17 Jan 2002 18:41:59 GMT
Reply-To: swamp-dog AT ntlworld DOT com
Message-ID: <3c4716a0.875131242@smtp.ntlworld.com>
References: <3c46d28e DOT 857705044 AT post DOT ntlworld DOT com> <3C46E6E0 DOT 9030900 AT cportcorp DOT com>
In-Reply-To: <3C46E6E0.9030900@cportcorp.com>
X-Mailer: Forte Agent 1.5/32.451
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id g0HIgMR22621

On Thu, 17 Jan 2002 09:59:44 -0500, Peter Buckley wrote:

>IIRC, SYSTEM should be the owner of the keys. And it is highly
>recommended that the service be run as SYSTEM. Check out
>http://tech.erdelynet.com for more info on the permissions for the key
>files etc.

Info is much appreciated. The service is running as SYSTEM though, and I
had also run the script from tech.erdelynet.com. For verification, is this
correct for /etc... ?

-rw-r--r--    1 Administ Administ      955 Jan 13 06:43 ssh_config
-rw-------    1 SYSTEM   SYSTEM        668 Oct 29 21:37 ssh_host_dsa_key
-rw-r--r--    1 Administ Administ      606 Oct 29 21:37 ssh_host_dsa_key.pub
-rw-------    1 SYSTEM   SYSTEM        531 Oct 29 21:36 ssh_host_key
-rw-r--r--    1 Administ Administ      335 Oct 29 21:36 ssh_host_key.pub
-rw-------    1 SYSTEM   SYSTEM        887 Oct 29 21:36 ssh_host_rsa_key
-rw-r--r--    1 Administ Administ      226 Oct 29 21:36 ssh_host_rsa_key.pub
-rw-r--r--    1 Administ None         1.5k Jan 17 14:43 sshd_config

As for the files in the individual /home/.ssh directories, assuming the
script worked ok, they should be owned by the relevant /home owner?
Incidentally I did try changing their ownership to SYSTEM but to no avail.
>Guy Harrison wrote:
>
>> Hi,
>>
>> Not knowing anything about SSH I didn't realise openssh-3.0.2p1-4 (and
>> former) versions shouldn't have been asking for a password with the
>> correct keys at either end. I assumed I'd got something in a mess. It
>> appears not.
>>
>> In the end I compiled openssh so I could get a bit more information on
>> the failure.
>>
>>
>> int
>> secure_filename(FILE *f, const char *file, struct passwd *pw,
>>     char *err, size_t errlen)
>> {
>>     uid_t uid = pw->pw_uid;
>>     char buf[MAXPATHLEN], homedir[MAXPATHLEN];
>>     char *cp;
>>     struct stat st;
>>     int zzz;
>>
>>     if (realpath(file, buf) == NULL) {
>>         snprintf(err, errlen, "realpath %s failed: %s", file,
>>             strerror(errno));
>>         return -1;
>>     }
>>     if (realpath(pw->pw_dir, homedir) == NULL) {
>>         snprintf(err, errlen, "realpath %s failed: %s", pw->pw_dir,
>>             strerror(errno));
>>         return -1;
>>     }
>>     log("realpath=[%s][%s]", buf, homedir);
>>     /* check the open file to avoid races */
>>     zzz = fstat(fileno(f), &st);
>>     log("st_uid=[%d] pw_uid=[%d]", st.st_uid, uid);
>>     if ((zzz < 0) ||
>>         (st.st_uid != 0 && st.st_uid != uid) ||
>>         (st.st_mode & 022) != 0) {
>>         snprintf(err, errlen, "bad ownership or modes for file %s",
>>             buf);
>>         return -1;
>>     }
>>
>>
>> When run as a service sshd is emitting...
>>
>> The description for Event ID ( 0 ) in Source ( /usr/sbin/sshd.exe )
>> could not be found. It contains the following insertion string(s):
>> /usr/sbin/sshd.exe : Win32 Process Id = 0x1B0 : Cygwin Process Id =
>> 0x1B0 : debug1: temporarily_use_uid: 500/513 (e=18).
>>
>> The description for Event ID ( 0 ) in Source ( /usr/sbin/sshd.exe )
>> could not be found. It contains the following insertion string(s):
>> /usr/sbin/sshd.exe : Win32 Process Id = 0x1B0 : Cygwin Process Id =
>> 0x1B0 :
>> realpath=[/home/Administrator/.ssh/authorized_keys][/home/Administrator].
>>
>> The description for Event ID ( 0 ) in Source ( /usr/sbin/sshd.exe )
>> could not be found. It contains the following insertion string(s):
>> /usr/sbin/sshd.exe : Win32 Process Id = 0x1B0 : Cygwin Process Id =
>> 0x1B0 : st_uid=[18] pw_uid=[500].
>>
>> The description for Event ID ( 0 ) in Source ( /usr/sbin/sshd.exe )
>> could not be found. It contains the following insertion string(s):
>> /usr/sbin/sshd.exe : Win32 Process Id = 0x1B0 : Cygwin Process Id =
>> 0x1B0 : Authentication refused: bad ownership or modes for file
>> /home/Administrator/.ssh/authorized_keys.
>>
>> Seems to think authorized_keys is owned by SYSTEM:18 but it isn't.
>> Stopping sshd as a service and running from within bash "sshd -d" works
>> fine and emits...
>>
>> debug1: temporarily_use_uid: 500/513 (e=500)
>> debug1: trying public RSA key file
>> /home/Administrator/.ssh/authorized_keys
>> realpath=[/home/Administrator/.ssh/authorized_keys][/home/Administrator]
>> st_uid=[500] pw_uid=[500]
>> debug1: restore_uid
>> Accepted rsa for Administrator from 192.168.0.1 port 2446
>>
>> ...which isn't the end of it. I fired up a bash shell, launched from a
>> service with SYSTEM authority expecting a failure...
>>
>> debug1: temporarily_use_uid: 500/513 (e=18)
>> debug1: trying public key file /home/Administrator/.ssh/authorized_keys
>> realpath=[/home/Administrator/.ssh/authorized_keys][/home/Administrator]
>> st_uid=[500] pw_uid=[500]
>>
>> ...but it worked, both as "sshd -d" and as a straight "sshd" (so it
>> forked in case that was it).
>>
>> fstat will only fail when sshd is running as a service as SYSTEM. The
>> only viable approach I can think of at this point is to attach gdb to
>> the process forked by sshd and I can't for the life of me figure out how
>> to do that. I hope this info is useful to you folks with more intimate
>> knowledge 'cos I'm stuck! :-|
>>
>>
>
>
>--
>Your mouse has moved.
>Windows NT must be restarted for the change to take effect.
>Reboot now? [OK]
>
>--

--
swamp-dog AT ntlworld DOT com

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
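The refusal in the thread comes from the fstat() branch of the quoted secure_filename(): the open authorized_keys file must be owned by uid 0 or by the user logging in, and must have no group- or world-write bit. The program below is an added example, written for this page and not OpenSSH's code nor anything posted by the participants; it rebuilds that test as a stand-alone C program so you can see which owner/mode combinations trip "bad ownership or modes". The function names check_key_file and check_with_mode are its own, it assumes a POSIX system with a writable /tmp, and it does not model the Cygwin behaviour discussed above (fstat reporting uid 18 for a file owned by uid 500 when sshd runs as a SYSTEM service); it only shows what the check does with the values it is handed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Same test as the fstat() branch of OpenSSH's secure_filename(): the file
 * behind the already-open descriptor must be owned by uid 0 or by the user
 * being authenticated, and must carry no group- or world-write bit (022).
 * Checking the descriptor (fstat) rather than the path (stat) is what the
 * original's "avoid races" comment refers to: nobody can swap the path for
 * another file between the check and the read.
 * Returns 0 when the file is acceptable, -1 otherwise with the reason in err.
 */
int check_key_file(int fd, uid_t uid, char *err, size_t errlen)
{
    struct stat st;

    if (fstat(fd, &st) < 0) {
        snprintf(err, errlen, "fstat failed: %s", strerror(errno));
        return -1;
    }
    if ((st.st_uid != 0 && st.st_uid != uid) || (st.st_mode & 022) != 0) {
        snprintf(err, errlen,
                 "bad ownership or modes: owner uid %ld (expected 0 or %ld), mode %04o",
                 (long)st.st_uid, (long)uid, (unsigned)(st.st_mode & 07777));
        return -1;
    }
    return 0;
}

/*
 * Demonstration helper (not part of sshd): create a scratch file owned by
 * the current user, give it `mode`, and run the check as if `uid` were the
 * user logging in. Returns the check's verdict, or -2 if the scratch file
 * could not be created.
 */
int check_with_mode(mode_t mode, uid_t uid, char *err, size_t errlen)
{
    char path[] = "/tmp/authorized_keys_demo_XXXXXX";  /* constructed scratch path */
    int fd = mkstemp(path);
    int rc;

    if (fd < 0)
        return -2;
    if (fchmod(fd, mode) < 0) {
        close(fd);
        unlink(path);
        return -2;
    }
    rc = check_key_file(fd, uid, err, errlen);
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    char err[256];
    mode_t modes[] = { 0600, 0644, 0664, 0666 };
    uid_t me = geteuid();
    size_t i;

    /* Mode variations with the file owned by the user: 0600 and 0644 pass,
     * anything with a group or world write bit is refused. */
    for (i = 0; i < sizeof(modes) / sizeof(modes[0]); i++) {
        int rc = check_with_mode(modes[i], me, err, sizeof(err));
        printf("mode %04o, owner is the user: %s\n", (unsigned)modes[i],
               rc == 0 ? "accepted" : err);
    }

    /* Owner mismatch, the shape of the service log above (st_uid=18 versus
     * pw_uid=500): a 0600 file is still refused when it belongs to another
     * non-root uid. When run as root the file is root-owned and passes. */
    if (check_with_mode(0600, me + 1, err, sizeof(err)) != 0)
        printf("mode 0600, owner is another uid: %s\n", err);
    else
        printf("mode 0600, owner is uid 0: accepted\n");
    return 0;
}
```

Run it as the user whose key file you are diagnosing. If the mode cases behave as printed but sshd still refuses, the cause is the owner comparison, not the permission bits, which is exactly what the st_uid=[18] pw_uid=[500] line in the service log says.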