Mailing-List: cygwin AT cygwin DOT com
Subject: ssh login with [rd]sa key, permissions on keyfile problems
Date: Sat, 20 Sep 2003 21:39:57 +0200
From: "Fermin Sanchez"

Hello list

I thought it might be nice to log on using an rsa or dsa key. So I created both an rsa and a dsa key using ssh-user-config. The keys were created in ~/.ssh, and the required changes made to authorized_keys.

Logging in to the server using

    ssh -i ~/.ssh/id_rsa -l fermin -v localhost

gives me all kinds of output, the essential being:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Permissions 0644 for '//dcp1/users/fermin/.ssh/id_rsa' are too open.
    It is recommended that your private key files are NOT accessible by others.
    This private key will be ignored.
    bad permissions: ignore key: //dcp1/users/fermin/.ssh/id_rsa
    Enter passphrase for key '//dcp1/users/fermin/.ssh/id_rsa':

After entering the passphrase for my key, there is more:

    debug1: Next authentication method: keyboard-interactive
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: password
    fermin AT localhost's password:

It falls back to 'normal' password authentication, which also works, of course. But it's not what I had in mind.

So I went into ~/.ssh and listed the contents:

    $ ls -l
    total 6
    -rw-r--r--    1 fermin   Domain U      822 Sep 20 15:23 authorized_keys
    -rw-r--r--    1 fermin   Domain U      668 Sep 20 15:48 id_dsa
    -rw-r--r--    1 fermin   Domain U      601 Sep 20 15:23 id_dsa.pub
    -rw-r--r--    1 fermin   Domain U      883 Sep 20 15:48 id_rsa
    -rw-r--r--    1 fermin   Domain U      221 Sep 20 15:23 id_rsa.pub
    -rw-r--r--    1 fermin   Domain U      220 Sep 20 15:23 known_hosts
    $ chmod -v 600 id_*sa
    mode of `id_dsa' changed to 0600 (rw-------)
    mode of `id_rsa' changed to 0600 (rw-------)

Unfortunately, the files are not impressed by my actions, and the '-v' parameter only shows what would have happened in a normal world. Which my system doesn't seem to be. "chmod -c 600 id_*sa" works correctly, though, not showing any changes having happened.

At this point I figured it must have something to do with NTFS permissions (being MCSE and all that) and tried to change the permissions of the id files in Windows (and ownership, while I was at it). I also made sure that "StrictModes no" is active in sshd_config, which it is.

From the Windows point of view, everything should be fine, but I think there's a difference in file rights between *unix systems and Windows: In Windows, the actual file permission overrides the directory permission, meaning that you could have access (read/write/whatever) to a file while not being able to access the directory where the file is. Don't ask me why or say "that's insane" - it's just the way it is, I didn't come up with NTFS in the first place. AFAIR from my recent Solaris course, *nix does it the other way round, directory permissions always override file permissions?

Not wanting to screw around any more than I already have, could somebody please confirm that I probably need to adjust the directory permissions for ~/.ssh (to what, who should be the owner, what about 'other'?), and then it should work? And of course I will have to turn off inherited rights on that directory, as well...

Because work it did:

    mkdir /tmp/fermin
    cp ~/.ssh/id_rsa /tmp/fermin
    chmod 600 /tmp/fermin/id_rsa
    ssh -l fermin -i /tmp/fermin/id_rsa localhost

... worked like a charm.

Hopefully, somebody ran into this problem before and can give me a hint or two?

Thank you!

Regards
Fermin
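The two checks the post turns on, reproduced as an added example (not code from the original post or from OpenSSH): the client-side test behind "Permissions 0644 ... are too open", which ignores an identity file owned by the current user whenever any group/other permission bit is set, and a chmod that re-reads the mode afterwards so you see whether the filesystem honoured it, which chmod -v alone does not tell you. The directory recommendation (0700 for ~/.ssh) follows ssh(1); the sample key file and directory are constructed in a temporary location.

```python
import os
import stat
import tempfile

GROUP_OTHER_BITS = 0o077   # rwx bits for group and other


def key_file_problems(path):
    """Return findings for the private key at `path`, mirroring the OpenSSH
    client check (an identity file owned by the caller is ignored if any
    group/other bit is set; files owned by someone else skip that check)."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == os.getuid() and mode & GROUP_OTHER_BITS:
        findings.append("%s: mode %04o is too open; ssh will ignore this key"
                        % (path, mode))
    # ssh(1) recommends the containing directory be owner-only (0700).
    parent = os.path.dirname(os.path.abspath(path))
    pmode = stat.S_IMODE(os.stat(parent).st_mode)
    if pmode & GROUP_OTHER_BITS:
        findings.append("%s: directory mode %04o, 0700 is recommended"
                        % (parent, pmode))
    return findings


def chmod_and_verify(path, mode):
    """chmod `path` to `mode`, then re-stat to confirm the change took effect
    (on a filesystem that ignores chmod, this returns False)."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode) == mode


def demo():
    """Constructed scenario: a 0644 key as in the post, then the same key
    after chmod 600. Returns (findings before, chmod honoured, findings after)."""
    workdir = tempfile.mkdtemp()            # created mode 0700 by tempfile
    key = os.path.join(workdir, "id_rsa")
    with open(key, "w") as fh:              # placeholder contents, not a real key
        fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n"
                 "-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(key, 0o644)
    before = key_file_problems(key)
    honoured = chmod_and_verify(key, 0o600)
    after = key_file_problems(key)
    return before, honoured, after


if __name__ == "__main__":
    b, ok, a = demo()
    print("before:", b or "ok")
    print("chmod 600 honoured:", ok)
    print("after:", a or "ok")
```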