Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Subject: RE: Is RSA authentication on SSH still broken?
Date: Wed, 6 Nov 2002 19:19:40 -0500
From: "Harig, Mark A."
To: "Antonio Bemfica"

>
>   chmod 755 $HOME/.ssh
>   chmod 644 $HOME/.ssh/authorized_keys*
>
> I had $HOME set to 700 and authorized_keys* to 600 before and that
> somehow broke RSA authentication - it is odd that stricter permissions
> would cause that. I suppose this is because the SYSTEM or sshd user
> needs to read the keys and cannot without the appropriate privileges.
> Could this be a bug in Cygwin's implementation of openssh?

Try the following in a bash shell:

    $ /usr/bin/mv ~/.ssh ~/save.ssh
    $ /usr/bin/ssh-keygen -t rsa -C "some useful comment"

Then respond to the 'ssh-keygen' prompts by simply pressing [Enter]
(or [Return]). ssh-keygen will create a new ~/.ssh directory for you,
along with the requested ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub files.

After ssh-keygen has completed, set up your authorized_keys2 file:

    $ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys2
    $ ls -ld ~/.ssh

ssh-keygen created a ~/.ssh directory with the permissions set to 700.
(These permissions match what ssh-keygen does on my Linux installation.)
But if you attempt to connect to your Cygwin system via ssh, you'll find
that you cannot, unless you make the permissions less restrictive, that
is "chmod 755 ~/.ssh".

Similarly, if ~/.ssh/authorized_keys* is set to 600 on Linux, then ssh
works without errors, but if you set the file permissions to 644, then
it might work, but I have had some versions of ssh issue a warning that
the permissions for ~/.ssh/authorized_keys are "too open".

In other words, ssh should work with the more secure setting of 600,
but does not on Cygwin.

In the meantime, the following rules appear to be in effect:

Cygwin:

    chmod 755 ~/.ssh
    chmod 644 ~/.ssh/authorized_keys*

Non-Cygwin:

    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys*
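
As an added example (not part of the original message), the bash function below reports which of the two rule sets listed at the end of the message an ssh directory matches, and flags group- or other-writable modes, which neither rule set permits. The function names and the labels printed are hypothetical, and GNU stat is assumed.

```bash
#!/bin/bash
# Added example, not from the original message. Function names and the
# labels printed are hypothetical; GNU stat is assumed.

# Octal permission bits of a path, e.g. 700.
mode_of() { stat -c '%a' "$1"; }

# True when the group- or other-write bit is set in an octal mode string.
others_can_write() { [ $(( 0$1 & 022 )) -ne 0 ]; }

# classify_ssh_perms DIR prints one of:
#   non-cygwin  DIR is 700 and every authorized_keys* file is 600
#   cygwin      DIR is 755 and every authorized_keys* file is 644
#   writable    DIR or a key file is group- or other-writable
#   other       missing directory, no key files, or mixed modes
classify_ssh_perms() {
    local dir dmode f fmode fmodes want label
    dir=$1
    fmodes=""
    [ -d "$dir" ] || { echo other; return 0; }
    dmode=$(mode_of "$dir")
    if others_can_write "$dmode"; then echo writable; return 0; fi
    for f in "$dir"/authorized_keys*; do
        [ -f "$f" ] || continue
        fmode=$(mode_of "$f")
        if others_can_write "$fmode"; then echo writable; return 0; fi
        fmodes="$fmodes $fmode"
    done
    case $dmode in
        700) want=600; label=non-cygwin ;;
        755) want=644; label=cygwin ;;
        *)   echo other; return 0 ;;
    esac
    [ -n "$fmodes" ] || { echo other; return 0; }
    for fmode in $fmodes; do
        [ "$fmode" = "$want" ] || { echo other; return 0; }
    done
    echo "$label"
}

# Classify the directory given as the first argument, default ~/.ssh.
classify_ssh_perms "${1:-$HOME/.ssh}"
```
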