This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: Is RSA authentication on SSH still broken?


On Thu, Nov 07, 2002 at 11:51:16AM -0500, Harig, Mark A. wrote:
> Thank you for the clarification!
> 
> This presents an interesting situation.
> Users who run 'ssh-keygen' (either directly,
> or indirectly using 'ssh-host-config'),
> find that they are not able to run ssh
> because of the permissions of ~/.ssh/
> (and, later, ~/.ssh/authorized_keys*), even
> though their permissions are set to the
> "correct" values.
> 
> Shouldn't this all be included in
> /usr/doc/Cygwin/openssh*README? Namely,
> 
>    1) If you want the most secure ssh connection,
>       then you will need to follow Corinna Vinschen's
>       instructions below to set ACLs for both ~/.ssh/
>       and ~/.ssh/authorized_keys*.
> 
>    2) If you don't want to attempt to manipulate
>       ACLs, then simply chmod 755 ~/.ssh/ and
>       chmod 644 ~/.ssh/authorized_keys.
> 
> What about a third alternative?  
> 
>    $ chgrp system ~/.ssh/ ~/.ssh/authorized_keys*
>    $ chmod 750 ~/.ssh/
>    $ chmod 640 ~/.ssh/authorized_keys*
> 
> This works, but does it merely give the illusion of
> more security without actually making the files secure?

First, the directory permission doesn't restrict the access for SYSTEM
due to the standard "Bypass traverse checking" setting on NT.  So setting
the .ssh permissions to 0700 is perfectly fine.

Second, I don't see the point in setting the permissions of
.ssh/authorized_keys to 0600 at all.  The content of that file is a list
of the *public* part of the keys so it's their intent to be readable by
anybody.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
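A small check for the permission schemes discussed in this thread, added here as an example and not code from the thread or from the Cygwin project. It encodes the point made above: what matters for trusting authorized_keys is that neither the directory nor the file is writable by group or world; read access to the file is harmless because it holds only public keys. The function names and the constructed bad case (775/664) are my own; `stat -c '%a'` is the GNU/Cygwin coreutils syntax.

```shell
#!/bin/sh
# Checks ~/.ssh permission schemes: accept a scheme when neither group nor
# other may write to the directory or to authorized_keys (bits 020 and 002).
# Constructed example; the scheme values come from the thread above.

# mode_safe MODE -> 0 when group and other have no write bit
mode_safe() {
    # the leading 0 makes the shell parse MODE as octal
    [ $(( 0$1 & 022 )) -eq 0 ]
}

# check_scheme DIRMODE FILEMODE -> prints a verdict, returns 0 when acceptable
check_scheme() {
    dir=$1; file=$2
    if mode_safe "$dir" && mode_safe "$file"; then
        echo "dir $dir / authorized_keys $file: no group/world write - acceptable"
        return 0
    fi
    echo "dir $dir / authorized_keys $file: writable by group or world - reject"
    return 1
}

# live_check DIR -> applies check_scheme to a real .ssh directory
live_check() {
    d=$1
    dm=$(stat -c '%a' "$d") || return 1
    # no authorized_keys file means there is nothing to protect; treat as 600
    fm=$(stat -c '%a' "$d/authorized_keys" 2>/dev/null) || fm=600
    check_scheme "$dm" "$fm"
}

# The three schemes from the thread, plus a constructed loose one
check_scheme 700 600            # Corinna's recommendation
check_scheme 755 644            # alternative 2
check_scheme 750 640            # alternative 3 (chgrp system)
check_scheme 775 664 || true    # constructed bad case: group can write
```

Run `live_check ~/.ssh` to evaluate an existing directory; on Cygwin the Windows ACLs discussed above are not inspected, only the POSIX mode bits that `stat` reports.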


