From: "Elfyn McBratney"
To: karlm30 AT hotmail DOT com, cygwin AT cygwin DOT com
Subject: Re: [ANNOUNCEMENT] Updated: OpenSSH-3.5p1-1
Date: Thu, 07 Nov 2002 17:34:49 +0000

If you check your /var/log/sshd.log you might see that the permissions are
too open on your key files...

Elfyn
emcb_exposure AT hotmail DOT com
-----------------------------------------------
elfyn AT exposure DOT org DOT uk

>From: "Karl M"
>To: cygwin AT cygwin DOT com
>Subject: Re: [ANNOUNCEMENT] Updated: OpenSSH-3.5p1-1
>Date: Thu, 07 Nov 2002 09:23:30 -0800
>
>The behavior I see now is that if I do
>
>chown administrators.none /etc/ssh_host_rsa_key*
>chmod 777 /etc/ssh_host_rsa_key*
>
>Then with StrictModes enabled, sshd will start and run just fine (running
>as system). But if I then do
>
>chown system.none /etc/ssh_host_rsa_key*
>
>Then sshd fails to start. But I (think I) recall that in the past the
>protection had to be tight and the owner had to be system for sshd to
>start? Am I remembering correctly?
>
>Thanks,
>
>...Karl
>
>>From: Corinna Vinschen
>>Reply-To: cygwin AT cygwin DOT com
>>To: cygwin AT cygwin DOT com
>>Subject: Re: [ANNOUNCEMENT] Updated: OpenSSH-3.5p1-1
>>Date: Thu, 7 Nov 2002 17:11:57 +0100
>>
>>On Thu, Nov 07, 2002 at 06:59:08AM -0800, Karl M wrote:
>> > Hi All...
>> >
>> > I just updated to 3.5p1-1. I had to set PermitUserEnvironment in my
>> > sshd_config file. Should this be included by default in the
>> > ssh-host-config script?
>>
>>You're right that PermitUserEnvironment should be added to
>>ssh-host-config.
>>But it's set to no by default, so you have to change it anyway.
>>
>> > I was a bit puzzled by the file owner and permission checking for the
>> > host keys now (with StrictModes enabled)...If the owner is wrong, the
>> > mode checking is ignored. I recall this test being stronger in the
>> > past...didn't the owner have to be correct (SYSTEM)? If so, why the
>> > change to a kinder gentler (less effective) safety check?
>>
>>auth.c, line 378ff:
>>
>>    if (options.strict_modes &&
>>        (stat(user_hostfile, &st) == 0) &&
>>        ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
>>        (st.st_mode & 022) != 0)) {
>>            log("Authentication refused for %.100s: "
>>                "bad owner or modes for %.200s",
>>                pw->pw_name, user_hostfile);
>>
>>The above code checks the mode additionally to the user id so what's
>>gentler here? Or do you mean another piece of code?
>>
>> > Given the host local security issues with using Cygwin, is there much
>> > advantage to priv sep? Could someone please give a brief overview of
>> > what it is and how and why it helps?
>>
>>README.privsep?
>>
>>Corinna
>>
>>--
>>Corinna Vinschen                  Please, send mails regarding Cygwin to
>>Cygwin Developer                  mailto:cygwin AT cygwin DOT com
>>Red Hat, Inc.
>>
>>--
>>Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
>>Bug reporting: http://cygwin.com/bugs.html
>>Documentation: http://cygwin.com/docs.html
>>FAQ: http://cygwin.com/faq/
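
The owner-and-mode condition from the auth.c excerpt quoted in this thread, as an added example that is not part of the original messages and is not OpenSSH code: it separates the two halves of the test so each failure can be reported on its own. The function names, the BAD_OWNER/BAD_MODE bits, and the uid values 1000 and 18 are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Result bits (names are this example's own); 0 means the file passes. */
#define BAD_OWNER 1  /* owner is neither uid 0 nor the expected user */
#define BAD_MODE  2  /* group- or world-writable: (mode & 022) != 0  */

/* Pure form of the condition in the quoted excerpt: either failure alone
 * is enough to refuse, and the mode is tested whatever the owner is. */
int strict_check(uid_t file_uid, mode_t file_mode, uid_t user_uid)
{
    int result = 0;
    if (file_uid != 0 && file_uid != user_uid)
        result |= BAD_OWNER;
    if ((file_mode & 022) != 0)
        result |= BAD_MODE;
    return result;
}

/* Same check applied to a path. Returns -1 when stat() fails; in the
 * quoted excerpt a failed stat() makes the whole condition false, so no
 * refusal is logged for a file that cannot be examined. */
int strict_check_path(const char *path, uid_t user_uid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return strict_check(st.st_uid, st.st_mode, user_uid);
}

int main(void)
{
    /* Constructed cases; uid 1000 is the hypothetical account checked. */
    struct { uid_t uid; mode_t mode; } cases[] = {
        {1000, 0600}, {0, 0644}, {1000, 0777}, {18, 0600}, {18, 0777},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int r = strict_check(cases[i].uid, cases[i].mode, 1000);
        printf("uid=%lu mode=%04o -> %s%s%s\n",
               (unsigned long)cases[i].uid, (unsigned)cases[i].mode,
               r == 0 ? "ok" : "",
               (r & BAD_OWNER) ? "bad-owner " : "",
               (r & BAD_MODE) ? "bad-mode" : "");
    }
    return 0;
}
```
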