Is RSA authentication on SSH still broken?

Igor Pechtchanski pechtcha@cs.nyu.edu
Mon Nov 11 08:48:00 GMT 2002


On Mon, 11 Nov 2002, Harig, Mark A. wrote:

> > >        chmod 700 ~ && \
> >          ^^^^^^^^^^^
> > This is your problem.  By setting home and .ssh to 700 you disallow sshd
> > to stat() ~/.ssh.  Cygwin has two chances to retrieve information about a
> > file or directory, by either calling FindFileFirst() or by trying to open
> > the file and calling various Win32 access functions.
> >
> > FindFileFirst() requires read permissions on the parent directory, opening
> > the file/dir requires read permissions on it.  If home as well as .ssh are
> > 700, sshd has neither of these rights ==> The check for .ssh fails.
>
> OK.  So, it appears that Cygwin users
> of openssh have one of two options:
>
> 1. chmod 700 ~
>    chgrp 18 ~/.ssh
>    chmod 750 ~/.ssh
>
> or
>
> 2. chmod 755 ~
>    chmod 700 ~/.ssh
>
> Do you have a recommendation on which of
> these two options is more secure?

According to what I remember about Unix permissions, 'chmod 711 ~' should
suffice.  This will allow anyone to access a subdirectory of your $HOME
*if they know the exact path*.  Same with ~/.ssh.  You can then make
authorized_keys world-readable without exposing the rest of your home
directory.
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha@cs.nyu.edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor@watson.ibm.com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"Water molecules expand as they grow warmer" (C) Popular Science, Oct'02, p.51
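
An added check (not from the thread) that encodes the rule given in the quoted explanation: sshd, running as an account that does not own ~, can stat ~/.ssh only if it has read permission on ~ (the FindFileFirst() path) or on ~/.ssh itself (opening it directly). It models only that rule, not the Unix traversal semantics the 711 suggestion relies on; `check_home`, `SSHD_GID` (defaulting to the gid 18 used in the thread) and GNU/Cygwin `stat -c` are assumptions.

```shell
#!/bin/sh
# Modes are octal strings such as 750 (extra leading digits are ignored).
# sshd counts as "other" on ~; on ~/.ssh it also gets the group bits when
# the third argument is yes, which is what option 1's "chgrp 18 ~/.ssh"
# arranges for an sshd running as gid 18.

# has_bit MODE WHO BIT: succeed if bit (4=r, 2=w, 1=x) is set for WHO (u/g/o)
has_bit() {
    m=${1#"${1%???}"}                 # keep the last three octal digits
    case $2 in
        u) d=${m%??} ;;
        g) d=${m%?}; d=${d#?} ;;
        *) d=${m#??} ;;
    esac
    [ $(( d & $3 )) -ne 0 ]
}

# sshd_can_stat_ssh HOME_MODE SSH_MODE SSH_GROUP_MATCHES: exit 0 if reachable
sshd_can_stat_ssh() {
    has_bit "$1" o 4 && return 0      # read on the parent: FindFileFirst()
    has_bit "$2" o 4 && return 0      # read on ~/.ssh: open it directly
    [ "$3" = yes ] && has_bit "$2" g 4  # same, through the group bits
}

# check_home DIR: read the live modes (GNU/Cygwin stat assumed) and report
check_home() {
    home_mode=$(stat -c '%a' "$1") || return 2
    ssh_mode=$(stat -c '%a' "$1/.ssh") || return 2
    ssh_gid=$(stat -c '%g' "$1/.ssh") || return 2
    match=no
    [ "$ssh_gid" = "${SSHD_GID:-18}" ] && match=yes
    if sshd_can_stat_ssh "$home_mode" "$ssh_mode" "$match"; then
        echo "$1: ~ $home_mode, .ssh $ssh_mode (gid $ssh_gid): sshd can stat ~/.ssh"
    else
        echo "$1: ~ $home_mode, .ssh $ssh_mode (gid $ssh_gid): sshd is locked out"
        return 1
    fi
}

# The three schemes discussed in the thread, then an optional live directory:
sshd_can_stat_ssh 700 700 no  || echo "700 ~ and 700 ~/.ssh: locked out (the reported problem)"
sshd_can_stat_ssh 700 750 yes && echo "option 1 (700 ~, 750 ~/.ssh owned by gid 18): ok"
sshd_can_stat_ssh 755 700 no  && echo "option 2 (755 ~, 700 ~/.ssh): ok"
[ $# -eq 1 ] && check_home "$1"
```

Run it with a home directory as the single argument to check a live setup, or with no arguments to see the verdict for the three schemes above.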

