This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: Is RSA authentication on SSH still broken?


On Thu, Nov 07, 2002 at 06:54:48PM -0500, Harig, Mark A. wrote:
> I must be missing a piece of information.  Setting the
> permissions of ~/.ssh to 700 causes ssh to require me
> to enter a password, that is, the encryption-key processing
> is failing.  Setting the permissions of ~/.ssh to 750 (if
> the group setting is SYSTEM) or to 755 (if the group setting
> is not SYSTEM) allows ssh to access the encryption-key files.

Are you actually sure?  The permissions of directories don't influence
the permissions to the underlying files and directories unless an
administrator changes the setting of the above "Bypass traverse checking"
user right.  Just to be sure I did check that yesterday on my system so
I'm pretty confident.

"Bypass traverse checking" is on by default for Everyone.  This is
annoyingly different from UNIX file systems from my point of view
but AFAIK professional Windows admins like it.  And since it's the
default and most users don't know what it's doing anyway, I don't
change it on my test system, either.

> > Second, I don't see the point in setting the permissions of
> > .ssh/authorized_keys to 0600 at all.  The content of that
> > file is a list of the *public* part of the keys so it's their
> > intent to be readable by anybody.
> 
> That was my understanding also.  I assumed that my understanding
> was incorrect because ssh would report that my permissions for
> ~/.ssh/authorized_keys were too open.  I'm unable to reproduce that
> at this time.  This issue is closed as far as I am concerned, until
> I can reproduce the problem.

OpenSSH is a UNIX-centric application as most are in the Cygwin distro.
As such, OpenSSH checks permissions in a UNIX sense.  Actually, OpenSSH
also checks the permissions of the parent directory chain up to the
user's home directory.  It requires as a minimum

755 on ~
755 on ~/.ssh
644 on ~/.ssh/authorized_keys

as long as StrictModes is on.  If one of them doesn't meet those
requirements, sshd complains.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
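
The check described in the message above, as an added example that is not part of the original mail and not OpenSSH's own code. It assumes the 755/644 limits mean "owned by the user or root, and not writable by group or others", and it runs on a POSIX-style Python (Cygwin or Linux); the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def strict_modes_findings(home, key_file, uid=None):
    """Walk from key_file up to home and list paths StrictModes would reject."""
    uid = os.getuid() if uid is None else uid
    home = os.path.realpath(home)
    path = os.path.realpath(key_file)
    findings = []
    while True:
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        # Assumption: the owner must be the user or root ...
        if st.st_uid not in (0, uid):
            findings.append((path, "owned by uid %d" % st.st_uid))
        # ... and neither the group nor others may have write access.
        if mode & 0o022:
            findings.append((path, "mode %04o is group/world-writable" % mode))
        parent = os.path.dirname(path)
        if path == home or parent == path:  # stop at ~ (or at the root)
            break
        path = parent
    return findings

def demo():
    """Constructed tree: the modes from the message pass, 775 on ~/.ssh fails."""
    home = tempfile.mkdtemp()
    ssh_dir = os.path.join(home, ".ssh")
    keys = os.path.join(ssh_dir, "authorized_keys")
    os.mkdir(ssh_dir)
    with open(keys, "w") as fh:
        fh.write("ssh-rsa AAAA...constructed-sample user@example\n")
    os.chmod(home, 0o755)
    os.chmod(ssh_dir, 0o755)
    os.chmod(keys, 0o644)
    ok = strict_modes_findings(home, keys)
    os.chmod(ssh_dir, 0o775)  # one group-writable link in the chain
    bad = strict_modes_findings(home, keys)
    return ok, bad

if __name__ == "__main__":
    ok, bad = demo()
    print("755/755/644:", ok)
    print("775 on .ssh:", bad)
```

Pointing it at a real account means passing the user's home directory and the path to `authorized_keys`; an empty list means every link in the chain is within the limits listed in the message.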
