Date: Mon, 11 Nov 2002 11:48:33 -0500 (EST)
From: Igor Pechtchanski
Reply-To: cygwin AT cygwin DOT com
To: "Harig, Mark A."
cc: cygwin AT cygwin DOT com
Subject: RE: Is RSA authentication on SSH still broken?

On Mon, 11 Nov 2002, Harig, Mark A. wrote:

> > > chmod 700 ~ && \
> >     ^^^^^^^^^^^
> > This is your problem.  By setting home and .ssh to 700 you disallow
> > sshd to stat() ~/.ssh.  Cygwin has two chances to retrieve information
> > about a file or directory, by either calling FindFileFirst() or by
> > trying to open the file and calling various Win32 access functions.
> >
> > FindFileFirst() requires to have read permissions on the parent
> > directory, opening the file/dir requires read permissions on it.  If
> > home as well as .ssh are 700, sshd has neither of these rights ==> The
> > check for .ssh fails.
>
> OK.  So, it appears that Cygwin users
> of openssh have one of two options:
>
>   1. chmod 700 ~
>      chgrp 18 ~/.ssh
>      chmod 750 ~/.ssh
>
>   or
>
>   2. chmod 755 ~
>      chmod 700 ~/.ssh
>
> Do you have a recommendation on which of
> these two options is more secure?

According to what I remember about Unix permissions, 'chmod 711 ~' should
suffice.  This will allow anyone to access a subdirectory of your $HOME
*if they know the exact path*.  Same with ~/.ssh.  You can then make
authorized_keys world-readable without exposing the rest of your home
directory.
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha AT cs DOT nyu DOT edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor AT watson DOT ibm DOT com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"Water molecules expand as they grow warmer" (C) Popular Science, Oct'02, p.51
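
As an added example (not part of the original message, and not Cygwin or OpenSSH code), the script below builds the two quoted options and the 711 suggestion in a temporary directory and reports what a user outside the owner and group could do under each. It assumes plain POSIX mode-bit semantics (no ACLs, no Cygwin mapping to NT permissions) and a 644 authorized_keys file in every layout; the function and directory names are made up for the illustration.

```shell
#!/bin/sh
# Added example. Models plain POSIX mode bits for a user who is neither the
# owner nor in the group; ACLs and Cygwin's NT permission mapping are ignored.

# other_bits PATH: print the three "other" permission characters, e.g. "--x".
other_bits() { ls -ld "$1" | cut -c8-10; }

# has_r / has_x BITS: succeed if read / search (execute) is granted.
has_r() { case $1 in r??) return 0 ;; esac; return 1; }
has_x() { case $1 in ??[xt]) return 0 ;; esac; return 1; }

# other_view HOME: report what "other" can do around HOME/.ssh/authorized_keys.
#   list_home: enumerate the names in HOME            (r on HOME)
#   stat_ssh:  stat HOME/.ssh by its exact path       (x on HOME)
#   read_keys: read authorized_keys by its exact path
#              (x on HOME and on HOME/.ssh, r on the file)
other_view() {
    h=$(other_bits "$1")
    s=$(other_bits "$1/.ssh")
    k=$(other_bits "$1/.ssh/authorized_keys")
    list_home=no; stat_ssh=no; read_keys=no
    has_r "$h" && list_home=yes
    has_x "$h" && stat_ssh=yes
    has_x "$h" && has_x "$s" && has_r "$k" && read_keys=yes
    echo "list_home=$list_home stat_ssh=$stat_ssh read_keys=$read_keys"
}

# make_layout DIR HOME_MODE SSH_MODE: build a constructed home directory with
# a 644 authorized_keys file (assumed mode), then apply the given modes.
make_layout() {
    mkdir -p "$1/.ssh" && : > "$1/.ssh/authorized_keys" &&
    chmod 644 "$1/.ssh/authorized_keys" &&
    chmod "$3" "$1/.ssh" && chmod "$2" "$1"
}

# Constructed sample: option 1, option 2 and the 711 suggestion from the thread.
tmp=$(mktemp -d)
make_layout "$tmp/opt1" 700 750
make_layout "$tmp/opt2" 755 700
make_layout "$tmp/opt711" 711 711
for d in opt1 opt2 opt711; do
    printf '%-7s %s\n' "$d" "$(other_view "$tmp/$d")"
done
rm -rf "$tmp"
```

Only the 711 layout combines `list_home=no` with `read_keys=yes`, which is the "reachable only by exact path" property described in the reply; option 2 keeps the key file unreadable but lets others list the home directory.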