Date: Fri, 23 May 2003 14:53:23 -0400 (EDT)
From: Igor Pechtchanski
To: cygwin AT cygwin DOT com
Subject: Re: Question about "rexec" (FAQ alert)

On Fri, 23 May 2003, Igor Pechtchanski wrote:

> On Fri, 23 May 2003, Andrew DeFaria wrote:
>
> > Larry Hall (RFK Partners, Inc.) wrote:
> >
> > > Andrew DeFaria wrote:
> > >
> > >> Bill C. Riemers wrote:
> > >>
> > >>> You might also want to check the ownership of your home directory
> > >>> and .ssh directory, as that is the only thing I can think of that
> > >>> would cause the touch error in your previous message. If ownership
> > >>> or permissions are wrong, then sshd defaults to require a password
> > >>> rather than trusting that nobody else has changed the key files.
> > >>
> > >> Herein I believe my difficulties lie. That and not understanding
> > >> Windows permissions vs Unix permissions and how such things are
> > >> mapped. Here's what I do know:
> > >>
> > >> $ cd ~/.ssh
> > >> $ ls -l
> > >> total 6
> > >> -rw-r--r--  1 adefaria Domain U  227 May 22 17:10 authorized_keys
> > >> -rw-r--r--  1 adefaria Domain U  227 May 22 15:25 authorizedkeys
> > >> -rw-r--r--  1 adefaria Domain U  887 May 22 15:22 id_rsa
> > >> -rw-r--r--  1 adefaria Domain U  227 May 22 15:22 id_rsa.pub
> > >> -rw-r--r--  1 adefaria Domain U 1624 May 22 15:19 known_hosts
> > >> $ chmod 600 id_rsa*
> > >> $ ls -l
> > >> total 6
> > >> -rw-r--r--  1 adefaria Domain U  227 May 22 17:10 authorized_keys
> > >> -rw-r--r--  1 adefaria Domain U  227 May 22 15:25 authorizedkeys
> > >> -rw-r--r--  1 adefaria Domain U  887 May 22 15:22 id_rsa
> > >> -rw-r--r--  1 adefaria Domain U  227 May 22 15:22 id_rsa.pub
> > >> -rw-r--r--  1 adefaria Domain U 1624 May 22 15:19 known_hosts
> > >>
> > >> Nothing. So I go into Windows Explorer and look at the Security
> > >> setting on the Properties dialog. I attempt to remove the users in
> > >> the Security section and it tells me that I have to stop inheriting
> > >> permissions. So I go to stop inheriting permissions and tell it to
> > >> remove everything. Now nobody's listed in the Securities section.
> > >> Windows warns me that only the creator of the file will be able to
> > >> access it. I look in Cygwin with ls -l and the mode bits are the
> > >> same. I try the chmod again and there is no change! So I add my user
> > >> back to having full control. My user is the only user listed now but
> > >> the mode bits are still 644.
> > >>
> > >> When I try to ssh $(hostname) cmd I get:
> > >>
> > >> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > >> @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
> > >> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > >> Permissions 0644 for '/us/adefaria/.ssh/id_rsa' are too open.
> > >> It is recommended that your private key files are NOT accessible by
> > >> others.
> > >> This private key will be ignored.
> > >> bad permissions: ignore key: /us/adefaria/.ssh/id_rsa
> > >>
> > >> Now what?!?
> > >>
> > >> (It would be nice if somebody who really knew the algorithm could
> > >> explain Windows permissions and how they are mapped to Unix mode bits).
> > >
> > > Or you could just look at the FAQ:
> > >
> > > Why doesn't chmod work?
> > >
> >
> > All that this says is to insure that you have ntsec set. I have it set.
> > chmod still doesn't work! BTW I'm on Windows XP and use NTFS. My home
> > directory is on the server (/us is a mount of ///).
>
> Andrew,
>
> For Samba shares you need to have 'smbntsec' set -- 'ntsec' only affects
> local drives (and the ability to set user/group ids correctly, so you
> still need that set). Also make sure your /etc/passwd and /etc/group are
> up to date. I've found that I actually had to create a fake group in
> /etc/group and set it as my primary to be able to access a Samba share
> mapped from DFS on AIX. *sigh*
>
> > Next idea?
> >
> > P.S. It would still be nice if somebody who really knew the algorithm
> > could explain Windows permissions and how they are mapped to Unix mode bits!
>
> I believe does an
> adequate job of this...
>       Igor
>

On Fri, 23 May 2003, Max Bowsher wrote:

> > All that this says is to insure that you have ntsec set. I have it set.
> > chmod still doesn't work! BTW I'm on Windows XP and use NTFS. My home
> > directory is on the server (/us is a mount of ///).
>
> Aha! Then have a look at smbntsec.
>
> Max.

Perhaps the FAQ entry () should be augmented with the above information?
        Igor
-- 
                                http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_                pechtcha AT cs DOT nyu DOT edu
ZZZzz /,`.-'`'    -.  ;-;;,_            igor AT watson DOT ibm DOT com
     |,4-  ) )-,_. ,\ (  `'-'           Igor Pechtchanski
    '---''(_/--'  `-'\_) fL     a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."
  -- Patrick Naughton
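
The failure discussed in this thread (chmod reports success, the mode bits stay 0644, and ssh then ignores the key) can be caught with a check that re-reads the mode after chmod. The script below is an added example, not part of the original message or of Cygwin; its function names are hypothetical, and it assumes a private key is any file with a matching `.pub` beside it.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print a file's permission bits in octal (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed only if no group/other bit is set, i.e. (mode & 077) == 0.
# A 0644 key fails this test, a 0600 key passes.
key_mode_ok() {
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Tighten a key to 0600, then re-read the mode instead of trusting chmod's
# exit status. Prints: ok | fixed | chmod-ignored | missing
fix_key_mode() {
    [ -f "$1" ] || { echo missing; return 0; }
    if key_mode_ok "$1"; then echo ok; return 0; fi
    chmod 600 "$1" 2>/dev/null || true
    if key_mode_ok "$1"; then
        echo fixed
    else
        # Mode bits did not change: the filesystem is not storing POSIX
        # permissions (in this thread: a Samba share without 'smbntsec').
        echo chmod-ignored
    fi
}

# Check every private key in a directory, taken to be each file that has a
# matching .pub next to it (an assumption of this example).
audit_ssh_dir() {
    for pub in "$1"/*.pub; do
        [ -e "$pub" ] || continue
        key=${pub%.pub}
        printf '%s: %s\n' "$key" "$(fix_key_mode "$key")"
    done
}

# Run as: sh check_keys.sh --audit [dir]
if [ "${1:-}" = "--audit" ]; then audit_ssh_dir "${2:-$HOME/.ssh}"; fi
```

A `chmod-ignored` result points at the mount or permission-mapping settings rather than at the key file itself.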