This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: ssh login with [rd]sa key, permissions on keyfile problems

From: Igor Pechtchanski <pechtcha at cs dot nyu dot edu>
To: Fermin Sanchez <fermin at fermin dot ch>
Cc: cygwin at cygwin dot com
Date: Sat, 20 Sep 2003 22:32:41 -0400 (EDT)
Subject: Re: ssh login with [rd]sa key, permissions on keyfile problems
References: <99AE13FA0F1F824AA6D299741FE6C82F8F32@dcp1.home.fermin.ch>
Reply-to: cygwin at cygwin dot com

On Sat, 20 Sep 2003, Fermin Sanchez wrote:

> Hello list
>
> I thought it might be nice to log on using an rsa or dsa key. So I
> created both an rsa and a dsa key using ssh-user-config. The keys were
> created in ~/.ssh, and the required changes made to authized_keys.
>
> Logging in to the server using
>
> ssh -i ~/.ssh/id_rsa -l fermin -v localhost
>
> gives me all kind of output, the essential being:
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Permissions 0644 for '//dcp1/users/fermin/.ssh/id_rsa' are too open.
> It is recommended that your private key files are NOT accessible by
> others.
> This private key will be ignored.
> bad permissions: ignore key: //dcp1/users/fermin/.ssh/id_rsa
> Enter passphrase for key '//dcp1/users/fermin/.ssh/id_rsa':
>
>
> After entering the passphrase for my key, there is more:
>
> debug1: Next authentication method: keyboard-interactive
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug1: Next authentication method: password
> fermin@localhost's password:
>
> It falls back to 'normal' password authentication, which also works, of
> course. But it's not what I had in mind. So I went into ~/.ssh, listed
> the contents:
>
> $ ls -l
> total 6
> -rw-r--r--    1 fermin   Domain U      822 Sep 20 15:23 authorized_keys
> -rw-r--r--    1 fermin   Domain U      668 Sep 20 15:48 id_dsa
> -rw-r--r--    1 fermin   Domain U      601 Sep 20 15:23 id_dsa.pub
> -rw-r--r--    1 fermin   Domain U      883 Sep 20 15:48 id_rsa
> -rw-r--r--    1 fermin   Domain U      221 Sep 20 15:23 id_rsa.pub
> -rw-r--r--    1 fermin   Domain U      220 Sep 20 15:23 known_hosts
>
>
> $ chmod -v 600 id_*sa
> mode of `id_dsa' changed to 0600 (rw-------)
> mode of `id_rsa' changed to 0600 (rw-------)
>
>
> Unfortunately, the files are not impressed by my actions, and the '-v'
> parameter does only show what would have happened in a normal world.
> Which my system doesn't seem to be. "chmod -c 600 id_*sa" works
> correctly, though, not showing any changes having happened.
>
> At this point I figured it must have something to do with NTFS
> permissions (being MCSE and all that) and tried to change the
> permissions of the id files in Windows (and ownership, while I was at
> it). I also mad sure that "StrictModes no" is active in sshd_config,
> which it is.
>
> >From the windows point of view, everything should be fine, but I think
> there's a difference in file rights between *unix systems and Windows:
> In Windows, the actual file permission overrides the directory
> permission, meaning that you could have access (read/write/whatever) to
> a file while not being able to access the directory where the file is.
> Don't ask me why or say "that's insane" - it's just the way it is, I
> didn't come up with NTFS in the first place. afair from my recent
> Solaris course, *nix does it the other way round, directory permissions
> always override file permissions?
>
> Not wanting to screw around any more than I already have, could somebody
> please confirm that I probably need to adjust the directory permissions
> for ~/.ssh (to what, who should be the owner, what about 'other'?), and
> then it should work? And of course I will have to turn off inherited
> rights on that directory, as well...
>
> Because work it did:
>
> mkdir /tmp/fermin
> cp ~/.ssh/id_rsa /tmp/fermin
> chmod 600 /tmp/fermin/id_rsa
> ssh -l fermin -i /tmp/fermin/id_rsa localhost
>
> ... worked like a charm.
>
> Hopefully, somebody ran into this problem before and can give me a hint
> or two? Thanky you!
>
> Regards
> Fermin

Is your home directory on an SMB share?  If so, you may need to add
"smbntsec" to your CYGWIN environment variable.

Also, can you please post the output of "getfacl ~/.ssh" and "getfacl
~/.ssh/id_rsa"?
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha@cs.nyu.edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor@watson.ibm.com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

References:
- ssh login with [rd]sa key, permissions on keyfile problems
  - From: Fermin Sanchez

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]