[ANNOUNCEMENT] Updated: OpenSSH-3.5p1-1

Elfyn McBratney emcb_exposure@hotmail.com
Thu Nov 7 09:34:00 GMT 2002


If you check your /var/log/sshd.log you might see that the permissions are 
too open on your key files...

Elfyn
emcb_exposure@hotmail.com
-----------------------------------------------
elfyn@exposure.org.uk

>From: "Karl M" <karlm30@hotmail.com>
>To: cygwin@cygwin.com
>Subject: Re: [ANNOUNCEMENT] Updated: OpenSSH-3.5p1-1
>Date: Thu, 07 Nov 2002 09:23:30 -0800
>
>The behavior I see now is that if I do
>
>chown administrators.none /etc/ssh_host_rsa_key*
>chmod 777 /etc/ssh_host_rsa_key*
>
>Then with StrictModes enabled, sshd will start and run just fine (running 
>as system). But if I then do
>
>chown system.none /etc/ssh_host_rsa_key*
>
>Then sshd fails to start. But I (think I) recall that in the past the 
>protection had to be tight and the owner had to be system for sshd to 
>start? Am I remembering correctly?
>
>Thanks,
>
>...Karl
>
>
>
>>From: Corinna Vinschen <corinna-cygwin@cygwin.com>
>>Reply-To: cygwin@cygwin.com
>>To: cygwin@cygwin.com
>>Subject: Re: [ANNOUNCEMENT] Updated: OpenSSH-3.5p1-1
>>Date: Thu, 7 Nov 2002 17:11:57 +0100
>>
>>On Thu, Nov 07, 2002 at 06:59:08AM -0800, Karl M wrote:
>> > Hi All...
>> >
>> > I just updated to 3.5p1-1. I had to set PermitUserEnvironment in my
>> > sshd_config file. Should this be included by default in the
>> > ssh-host-config script?
>>
>>You're right that PermitUserEnvironment should be added to ssh-host-config.
>>But it's set to no by default, so you have to change it anyway.
>>
>> > I was a bit puzzled by the file owner and permission checking for the host
>> > keys now (with StrictModes enabled)...If the owner is wrong, the mode
>> > checking is ignored. I recall this test being stronger in the past...didn't
>> > the owner have to be correct (SYSTEM)? If so, why the change to a kinder
>> > gentler (less effective) safety check?
>>
>>auth.c, line 378ff:
>>
>>   if (options.strict_modes &&
>>       (stat(user_hostfile, &st) == 0) &&
>>       ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
>>       (st.st_mode & 022) != 0)) {
>>	  log("Authentication refused for %.100s: "
>>	      "bad owner or modes for %.200s",
>>	      pw->pw_name, user_hostfile);
>>
>>The above code checks the mode additionally to the user id so what's
>>gentler here?  Or do you mean another piece of code?
>>
>> > Given the host local security issues with using Cygwin, is there much
>> > advantage to priv sep? Could someone please give a brief overview of what it
>> > is and how and why it helps?
>>
>>README.privsep?
>>
>>Corinna
>>
>>--
>>Corinna Vinschen                  Please, send mails regarding Cygwin to
>>Cygwin Developer                                mailto:cygwin@cygwin.com
>>Red Hat, Inc.
>>
>>--
>>Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>>Bug reporting:         http://cygwin.com/bugs.html
>>Documentation:         http://cygwin.com/docs.html
>>FAQ:                   http://cygwin.com/faq/
>
>

