This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

Re: Re: Anybody really runs sshd in win2K? (fwd)


Hey Chris,
	I do appoligize, I will have to word my emails better in the future.
I asked that of Corinna since I recall that she was the one who provided the
answer to me before.

	After a search, I found this entry from Chuck Wilson:

For months, I've been getting the "WARNING" banner from ssh, complaining
that my private keys were not properly protected.  I finally tracked it
down, and will demonstrate here:

~ > ls -ln foo
-rw-------    1 500      544           532 May 20 13:30 foo

Okay, so this file is mode 600, owned by Administrator and group
Administrators.  That's good, because I'm running sshd from the
Administrator account (appropriate privileges granted).

~ > getfacl foo
# file: foo
# owner: 500
# group: 544
user::rw-
group::---
mask::---
other::---

Yes, everything's fine here.  But that's not what my ssh_host_key file
had.  It had an additional ACL for the user 'cwilson', as demonstrated
below:

~ > ls -ln foo
-rw-------    1 500      544           532 May 20 13:30 foo

It *looks* okay, but getfacl shows:

~ > getfacl foo
# file: foo
# owner: 500
# group: 544
user::rw-
user:1002:r-x
group::---
mask::---
other::---

Oh, NO! readable by user 1002!!!  You can't use chmod to fix this.

I fixed this by removing the extra ACL using windows tools
(Properties->Security->Permissions).  This problem is especially
pernicious on W2K systems, with the "inherit ACL's from parent
directories" behavior.

So here's the question: I can't find any documentation on how to use
'setfacl' -- which seems to be the appropriate tool here.  Rather than
'chmod', we want to instruct new sshd users to 'setfacl ssh_host*_key'
to allow only user::rw- group::--- other::--- mask::---, with owner:
SYSTEM, group: SYSTEM.  (Not admin, admin like I'm doing).

How do you use setfacl to set the correct permission properties on the
hostkey files (regardless of whatever ACL's were previously applied)?

--Chuck

Again, I appologize for not following list protocol :).  Let me know if
that helps answer the question.


Prentis Brooks	| prentis@aol.net | 703-265-0914 | AIM: PrentisB
System Administrator - Web Infrastructure & Security

       A knight is sworn to valor.  His heart knows only virtue.  His blade
       defends the helpless.  His word speaks only truth.  His wrath undoes the
       wicked. - the old code of Bowen, last of the dragonslayers


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]