Thank you for the clarification! This presents an interesting situation. Users who run 'ssh-keygen' (either directly, or indirectly using 'ssh-host-config') find that they are not able to run ssh because of the permissions of ~/.ssh/ (and, later, ~/.ssh/authorized_keys*), even though their permissions are set to the "correct" values.
Shouldn't this all be included in /usr/doc/Cygwin/openssh*README? Namely,

1) If you want the most secure ssh connection, then you will need to follow Corinna Vinschen's instructions below to set ACLs for both ~/.ssh/ and ~/.ssh/authorized_keys*.

2) If you don't want to attempt to manipulate ACLs, then simply chmod 755 ~/.ssh/ and chmod 644 ~/.ssh/authorized_keys.

What about a third alternative?

$ chgrp system ~/.ssh/ ~/.ssh/authorized_keys*
$ chmod 750 ~/.ssh/
$ chmod 640 ~/.ssh/authorized_keys*

This works, but does it merely give the illusion of more security without actually making the files secure?

> > Could this be a bug in Cygwin's implementation of openssh?
>
> It isn't. It's a problem with the permission model of NTFS. Even
> though SYSTEM is *the* major player on the machine, it gets an
> "access denied" if it has no permissions on a file. Don't ask for
> my opinion on this behaviour.
>
> However, since NTFS uses ACLs, you can give SYSTEM explicitly access
> to the file:
>
> [~/.ssh]$ chmod 600 authorized_keys
> [~/.ssh]$ getfacl authorized_keys
> # file: authorized_keys
> # owner: corinna
> # group: root
> user::rw-
> group::---
> mask::---
> other::---
> [~/.ssh]$ setfacl -m g:SYSTEM:r-- authorized_keys
> [~/.ssh]$ getfacl authorized_keys
> # file: authorized_keys
> # owner: corinna
> # group: root
> user::rw-
> group::---
> group:SYSTEM:r--
> mask::---
> other::---
>
> HTH,
> Corinna
>
> --
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Developer                                mailto:cygwin@cygwin.com
> Red Hat, Inc.
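The three alternatives in the message differ in who, besides the owner, ends up with read access to authorized_keys. As an added example (not part of the original message and not Cygwin's own code), the shell function below lists those readers from getfacl output. The ACL_644 and ACL_CHGRP samples are constructed, the function name is hypothetical, and skipping the mask line is an assumption based on the quoted output.

```shell
#!/bin/sh
# acl_readers: read getfacl output on stdin and print one line per
# non-owner ACL entry that grants read permission.
# Assumption: "mask" lines are skipped, because the output quoted in the
# message shows mask::--- beside the SYSTEM entry the reply uses to grant access.
acl_readers() {
    awk -F: '
        /^# group:/ { og = $2; sub(/^ +/, "", og); next }  # owning group name
        /^#/ || NF < 3 { next }                            # other headers, blanks
        $1 == "mask" { next }
        $1 == "user" && $2 == "" { next }                  # the file owner
        $1 == "group" && $2 == "" { if ($3 ~ /^r/) print "group:" og; next }
        $3 ~ /^r/ { print $1 ":" $2 }
    '
}

# getfacl output quoted in the message, after setfacl -m g:SYSTEM:r--
ACL_SETFACL='# file: authorized_keys
# owner: corinna
# group: root
user::rw-
group::---
group:SYSTEM:r--
mask::---
other::---'

# Constructed sample: the same file after chmod 644 (alternative 2)
ACL_644='# file: authorized_keys
# owner: corinna
# group: root
user::rw-
group::r--
mask::r--
other::r--'

# Constructed sample: after chgrp system and chmod 640 (third alternative)
ACL_CHGRP='# file: authorized_keys
# owner: corinna
# group: SYSTEM
user::rw-
group::r--
mask::r--
other::---'

for name in ACL_SETFACL ACL_644 ACL_CHGRP; do
    eval "sample=\$$name"
    echo "$name readers: $(printf '%s\n' "$sample" | acl_readers | tr '\n' ' ')"
done
```

On a live system the same function can be fed directly, for example `getfacl ~/.ssh/authorized_keys | acl_readers`.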