Mailing-List: cygwin AT cygwin DOT com (contact cygwin-help AT cygwin DOT com; run by ezmlm)
Subject: RE: Is RSA authentication on SSH still broken?
Date: Thu, 7 Nov 2002 11:51:16 -0500
From: "Harig, Mark A."
To: cygwin AT cygwin DOT com

Thank you for the clarification!

This presents an interesting situation. Users who run 'ssh-keygen' (either directly, or indirectly using 'ssh-host-config') find that they are not able to run ssh because of the permissions of ~/.ssh/ (and, later, ~/.ssh/authorized_keys*), even though their permissions are set to the "correct" values.

Shouldn't this all be included in /usr/doc/Cygwin/openssh*README? Namely,

1) If you want the most secure ssh connection, then you will need to follow Corinna Vinschen's instructions below to set ACLs for both ~/.ssh/ and ~/.ssh/authorized_keys*.

2) If you don't want to attempt to manipulate ACLs, then simply chmod 755 ~/.ssh/ and chmod 644 ~/.ssh/authorized_keys.

What about a third alternative?

    $ chgrp system ~/.ssh/ ~/.ssh/authorized_keys*
    $ chmod 750 ~/.ssh/
    $ chmod 640 ~/.ssh/authorized_keys*

This works, but does it merely give the illusion of more security without actually making the files secure?

> > Could this be a bug in Cygwin's implementation of openssh?
>
> It isn't. It's a problem with the permission model of NTFS. Even
> though SYSTEM is *the* major player on the machine, it gets an
> "access denied" if it has no permissions on a file. Don't ask for
> my opinion on this behaviour.
>
> However, since NTFS uses ACLs, you can give SYSTEM explicit access
> to the file:
>
> [~/.ssh]$ chmod 600 authorized_keys
> [~/.ssh]$ getfacl authorized_keys
> # file: authorized_keys
> # owner: corinna
> # group: root
> user::rw-
> group::---
> mask::---
> other::---
> [~/.ssh]$ setfacl -m g:SYSTEM:r-- authorized_keys
> [~/.ssh]$ getfacl authorized_keys
> # file: authorized_keys
> # owner: corinna
> # group: root
> user::rw-
> group::---
> group:SYSTEM:r--
> mask::---
> other::---
>
> HTH,
> Corinna
>
> --
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Developer                                mailto:cygwin AT cygwin DOT com
> Red Hat, Inc.
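As an added example (not part of this thread or of Cygwin's own tooling), here is a small POSIX shell check that reads a getfacl listing and reports whether the SYSTEM account that Cygwin's sshd runs as can read the file, recognising the three layouts discussed above (an explicit group:SYSTEM entry, a world-readable file, and chgrp system plus group read). It assumes the mask entry can be ignored and does not model Windows deny entries, so treat it as a sanity check rather than an ACL evaluator.

```shell
#!/bin/sh
# Added example (not from the thread): decide from a getfacl(1) listing whether
# the SYSTEM account, which Cygwin's sshd runs as, can read a file such as
# ~/.ssh/authorized_keys. Recognises the three layouts discussed above: an
# explicit group:SYSTEM ACL entry, a world-readable file (chmod 644), and a
# file group-owned by "system" with group read (chgrp system; chmod 640).
# Assumptions: the mask entry is ignored and Windows deny entries are not
# modelled, so this is a heuristic check, not an ACL engine.
# Usage: system_can_read "$(getfacl ~/.ssh/authorized_keys)"
# Prints yes or no; exit status 0 means SYSTEM has read access.
system_can_read() {
    acl=$1
    has() { printf '%s\n' "$acl" | grep -qi -- "$1"; }
    has '^# owner: system$'  && { echo yes; return 0; }  # SYSTEM owns the file
    has '^user:system:r'     && { echo yes; return 0; }  # named-user entry
    has '^group:system:r'    && { echo yes; return 0; }  # named-group entry
    has '^other::r'          && { echo yes; return 0; }  # world-readable
    if has '^# group: system$' && has '^group::r'; then  # chgrp system + g+r
        echo yes; return 0
    fi
    echo no; return 1
}

# Constructed listings in getfacl's format, mirroring the thread's examples.
ACL_OWNER_ONLY='# file: authorized_keys
# owner: corinna
# group: root
user::rw-
group::---
other::---'

ACL_SYSTEM_ENTRY="$ACL_OWNER_ONLY
group:SYSTEM:r--"

ACL_GROUP_SYSTEM='# file: authorized_keys
# owner: corinna
# group: system
user::rw-
group::r--
other::---'

echo "chmod 600 only:          $(system_can_read "$ACL_OWNER_ONLY")"   # no
echo "setfacl -m g:SYSTEM:r--: $(system_can_read "$ACL_SYSTEM_ENTRY")"  # yes
echo "chgrp system; chmod 640: $(system_can_read "$ACL_GROUP_SYSTEM")"  # yes
```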