Date: Thu, 7 Nov 2002 18:31:00 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: Is RSA authentication on SSH still broken?
Message-ID: <20021107183100.G24497@cygbert.vinschen.de>

On Thu, Nov 07, 2002 at 11:51:16AM -0500, Harig, Mark A. wrote:
> Thank you for the clarification!
>
> This presents an interesting situation.
> Users who run 'ssh-keygen' (either directly,
> or indirectly using 'ssh-host-config'),
> find that they are not able to run ssh
> because of the permissions of ~/.ssh/
> (and, later, ~/.ssh/authorized_keys*), even
> though their permissions are set to the
> "correct" values.
>
> Shouldn't this all be included in
> /usr/doc/Cygwin/openssh*README? Namely,
>
> 1) If you want the most secure ssh connection,
> then you will need to follow Corinna Vinschen's
> instructions below to set ACLs for both ~/.ssh/
> and ~/.ssh/authorized_keys*.
>
> 2) If you don't want to attempt to manipulate
> ACLs, then simply chmod 755 ~/.ssh/ and
> chmod 644 ~/.ssh/authorized_keys.
>
> What about a third alternative?
>
> $ chgrp system ~/.ssh/ ~/.ssh/authorized_keys*
> $ chmod 750 ~/.ssh/
> $ chmod 640 ~/.ssh/authorized_keys*
>
> This works, but does it merely give the illusion of
> more security without actually making the files secure?

First, the directory permission doesn't restrict the access for SYSTEM due to the standard "Bypass traverse checking" setting on NT. So setting the .ssh permissions to 0700 is perfectly fine.
Second, I don't see the point in setting the permissions of .ssh/authorized_keys to 0600 at all. The content of that file is a list of the *public* part of the keys, so it is intended to be readable by anybody.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
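The three permission schemes discussed in this thread (0755/0644, the chgrp-system 0750/0640 variant, and 0700/0644) all satisfy the same underlying requirement sshd's StrictModes enforces: ~/.ssh and authorized_keys* must belong to the user and must not be group- or world-writable. The script below is an added example, not part of the thread or of the Cygwin openssh package; it audits a directory against that requirement and can apply the plain 0700/0644 scheme. It assumes GNU coreutils stat (which Cygwin also ships) and checks nothing about Windows ACLs, which is exactly the gap the thread is about.

```shell
#!/bin/sh
# Audit a .ssh directory the way sshd's StrictModes does: the directory and
# authorized_keys* must belong to the caller and must not be group- or
# world-writable. Read bits are a separate matter, so 0700/0644 and
# 0750/0640 both pass, while a directory left at 0777 fails.
# Assumes GNU stat (coreutils); Cygwin ships it as well.

# check_ssh_perms DIR: prints one line per problem; returns 0 when clean.
check_ssh_perms() {
    dir=$1
    rc=0
    me=$(id -u)
    for f in "$dir" "$dir"/authorized_keys*; do
        [ -e "$f" ] || continue
        perm=$(stat -c '%A' "$f")   # e.g. drwx------ or -rw-r--r--
        uid=$(stat -c '%u' "$f")
        if [ "$uid" != "$me" ]; then
            echo "$f: owned by uid $uid, not uid $me"
            rc=1
        fi
        # character 6 is the group write bit, character 9 the other write bit
        case $perm in
            ?????w*|????????w*)
                echo "$f: $perm is group- or world-writable"
                rc=1 ;;
        esac
    done
    return $rc
}

# set_ssh_perms DIR: apply the plain scheme from the thread, 0700 on the
# directory and 0644 on authorized_keys* (the public halves of the keys
# need no read protection).
set_ssh_perms() {
    chmod 700 "$1" || return 1
    for f in "$1"/authorized_keys*; do
        [ -e "$f" ] && { chmod 644 "$f" || return 1; }
    done
    return 0
}
```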