Re: Is RSA authentication on SSH still broken?
On Mon, Nov 11, 2002 at 10:57:22AM -0500, Harig, Mark A. wrote:
> > Harig, Mark A. <[EMAIL PROTECTED]> wrote:
> I have been using option 1.  My question comes from the fact
> that Corinna Vinschen recommended that ~/.ssh be set to 700
> (which is what 'set-keygen' sets it to) and that she had
> pointed to my 'chmod 700 ~' as the reason that openssh would
> not work if I set ~/.ssh to 700.
>
> Is there a consensus about what to recommend to Cygwin users,

It's a matter of taste.  Personally I leave ~ at 755 and ~/.ssh at 700.
As long as sshd works, it's fine.  No worries.

> or does openssh work for some people with both ~ and ~/.ssh
> set to 700?

It can't, unless there is that additional ACE for SYSTEM in the
~/.ssh ACL.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@;cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
RE: Is RSA authentication on SSH still broken?
On Mon, 11 Nov 2002, Harig, Mark A. wrote:

> > >    chmod 700 ~ && \
> >            ^^^
> > This is your problem.  By setting home and .ssh to 700 you
> > disallow sshd to stat() ~/.ssh.  Cygwin has two chances to retrieve
> > information about a file or directory, by either calling
> > FindFileFirst() or by trying to open the file and calling various
> > Win32 access functions.
> >
> > FindFileFirst() requires to have read permissions on the parent
> > directory, opening the file/dir requires read permissions on it.
> > If home as well as .ssh are 700, sshd has neither of these rights
> > ==> The check for .ssh fails.
>
> OK.  So, it appears that Cygwin users
> of openssh have one of two options:
>
>   1. chmod 700 ~
>      chgrp 18 ~/.ssh
>      chmod 750 ~/.ssh
>
>   or
>
>   2. chmod 755 ~
>      chmod 700 ~/.ssh
>
> Do you have a recommendation on which of
> these two options is more secure?

According to what I remember about Unix permissions, 'chmod 711 ~' should
suffice.  This will allow anyone to access a subdirectory of your $HOME
*if they know the exact path*.  Same with ~/.ssh.  You can then make
authorized_keys world-readable without exposing the rest of your home
directory.
	Igor
--
http://cs.nyu.edu/~pechtcha/
Igor Pechtchanski, a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"Water molecules expand as they grow warmer" (C) Popular Science, Oct'02, p.51
RE: Is RSA authentication on SSH still broken?
>
> Harig, Mark A. <[EMAIL PROTECTED]> wrote:
> > OK.  So, it appears that Cygwin users
> > of openssh have one of two options:
> >
> >   1. chmod 700 ~
> >      chgrp 18 ~/.ssh
> >      chmod 750 ~/.ssh
> >
> >   or
> >
> >   2. chmod 755 ~
> >      chmod 700 ~/.ssh
> >
> > Do you have a recommendation on which of
> > these two options is more secure?
>
> I'm assuming you meant:
> $ chmod 750 ~
> $ chgrp 18 ~
> $ chmod 700 ~/.ssh
> Since obviously world-readable ~ is less secure than
> user-only-readable ~.
>
> In which case, 1. seems better to me, because it actually
> grants SYSTEM permissions where it needs them, rather than
> granting them somewhere else and Windows weirdness making
> things work.
>

I have been using option 1.  My question comes from the fact
that Corinna Vinschen recommended that ~/.ssh be set to 700
(which is what 'set-keygen' sets it to) and that she had
pointed to my 'chmod 700 ~' as the reason that openssh would
not work if I set ~/.ssh to 700.

Is there a consensus about what to recommend to Cygwin users,
or does openssh work for some people with both ~ and ~/.ssh
set to 700?  (In which case, multiple recommendations would
need to be made.)
Re: Is RSA authentication on SSH still broken?
Harig, Mark A. <[EMAIL PROTECTED]> wrote:
> OK.  So, it appears that Cygwin users
> of openssh have one of two options:
>
>   1. chmod 700 ~
>      chgrp 18 ~/.ssh
>      chmod 750 ~/.ssh
>
>   or
>
>   2. chmod 755 ~
>      chmod 700 ~/.ssh
>
> Do you have a recommendation on which of
> these two options is more secure?

I'm assuming you meant:
$ chmod 750 ~
$ chgrp 18 ~
$ chmod 700 ~/.ssh
Since obviously world-readable ~ is less secure than
user-only-readable ~.

In which case, 1. seems better to me, because it actually grants SYSTEM
permissions where it needs them, rather than granting them somewhere else
and Windows weirdness making things work.
RE: Is RSA authentication on SSH still broken?
> >    chmod 700 ~ && \
>            ^^^
> This is your problem.  By setting home and .ssh to 700 you
> disallow sshd to stat() ~/.ssh.  Cygwin has two chances to retrieve
> information about a file or directory, by either calling
> FindFileFirst() or by trying to open the file and calling various
> Win32 access functions.
>
> FindFileFirst() requires to have read permissions on the parent
> directory, opening the file/dir requires read permissions on it.
> If home as well as .ssh are 700, sshd has neither of these rights
> ==> The check for .ssh fails.

OK.  So, it appears that Cygwin users
of openssh have one of two options:

  1. chmod 700 ~
     chgrp 18 ~/.ssh
     chmod 750 ~/.ssh

  or

  2. chmod 755 ~
     chmod 700 ~/.ssh

Do you have a recommendation on which of
these two options is more secure?
Re: Is RSA authentication on SSH still broken?
On Fri, Nov 08, 2002 at 11:37:11AM -0500, Harig, Mark A. wrote:
>    chmod 700 ~ && \
           ^^^
This is your problem.  By setting home and .ssh to 700 you disallow sshd to
stat() ~/.ssh.  Cygwin has two chances to retrieve information about a file
or directory, by either calling FindFileFirst() or by trying to open the
file and calling various Win32 access functions.

FindFileFirst() requires to have read permissions on the parent directory,
opening the file/dir requires read permissions on it.  If home as well
as .ssh are 700, sshd has neither of these rights ==> The check for .ssh
fails.

Qed,
Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@;cygwin.com
Red Hat, Inc.
Re: Is RSA authentication on SSH still broken?
Harig, Mark A. <[EMAIL PROTECTED]> wrote:
>> On Thu, Nov 07, 2002 at 06:54:48PM -0500, Harig, Mark A. wrote:
>>> I must be missing a piece of information.  Setting the
>>> permissions of ~/.ssh to 700 causes ssh to require me
>>> to enter a password, that is, the encryption-key processing
>>> is failing.  Setting the permissions of ~/.ssh to 750 (if
>>> the group setting is SYSTEM) or to 755 (if the group setting
>>> is not SYSTEM) allows ssh to access the encryption-key files.
>>
>> Are you actually sure?  The permissions of directories don't
>> influence the permissions to the underlying files and directories
>> unless an administrator changes the setting of the above "Bypass
>> traverse checking" user right.  Just to be sure I did check that
>> yesterday on my system so I'm pretty confident.
>>
>> "Bypass traverse checking" is on by default for Everyone.  This is
>> annoyingly different from UNIX file systems from my point of view
>> but AFAIK professional Windows admins like it.  And since it's the
>> default and most users don't know what it's doing anyway, I don't
>> change it on my test system, too.
>>
>
> Hmm.  I'm sorry to be so dense, but:
>
> 1) I had never heard of "Bypass traverse checking" so I'm
>    pretty sure that I haven't changed it.

secpol.msc -> Local Policies -> User Rights Assignment

Could someone else?  Because that's the only reason I can think of for the
behaviour you describe above.

> 2) Am I sure that I cannot use ~/.ssh if the mode is set to 700?
>    Changing the permissions for ~/.ssh to 750 or 755 has been
>    the solution for me and for a number of other users that
>    I've suggested it to.  Are we all doing something wrong?  (a
>    possibility, of course)
>
> The following script sets everything up for me (of course,
> I respond to the ssh-keygen prompts):
>
>    #!/bin/bash
>    umask 0022 && \
>    chmod 700 ~ && \
>    mv ~/.ssh ~/save.ssh && \
>    ssh-keygen -t rsa -C "some useful comment" -f ~/.ssh/id_rsa && \
>    cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys2
>
> This causes ssh-keygen to create ~/.ssh with whatever permissions
> it thinks are correct (i.e., 700).  (I'm running sshd on Win2K
> using NTFS, Cygwin DLL 1.3.15, CYGWIN=ntsec, StrictMode=yes,
> UsePrivilegeSeparation=yes)  After this script completes, I
> attempt to connect to my ssh server from the machine that is
> running the server.
> I can connect, but only if I provide my password.  Conversely, if
> I set the permissions of ~/.ssh to 755, then I can connect
> without providing my password.

One way to debug this is:

Install a second ssh service, to run with command line parameters -Dddde.
This sets debug mode (side effect: sshd dies after one connection).  Now
try logging on, and verbose debug output will be written to /var/log/.log
by cygrunsrv.  Post the logs of a password and a pubkey logon.  Hopefully
that should reveal what is happening.

Max.
RE: Is RSA authentication on SSH still broken?
>
> On Thu, Nov 07, 2002 at 06:54:48PM -0500, Harig, Mark A. wrote:
> > I must be missing a piece of information.  Setting the
> > permissions of ~/.ssh to 700 causes ssh to require me
> > to enter a password, that is, the encryption-key processing
> > is failing.  Setting the permissions of ~/.ssh to 750 (if
> > the group setting is SYSTEM) or to 755 (if the group setting
> > is not SYSTEM) allows ssh to access the encryption-key files.
>
> Are you actually sure?  The permissions of directories don't influence
> the permissions to the underlying files and directories unless an
> administrator changes the setting of the above "Bypass traverse
> checking" user right.  Just to be sure I did check that yesterday on
> my system so I'm pretty confident.
>
> "Bypass traverse checking" is on by default for Everyone.  This is
> annoyingly different from UNIX file systems from my point of view
> but AFAIK professional Windows admins like it.  And since it's the
> default and most users don't know what it's doing anyway, I don't
> change it on my test system, too.
>

Hmm.  I'm sorry to be so dense, but:

1) I had never heard of "Bypass traverse checking" so I'm
   pretty sure that I haven't changed it.

2) Am I sure that I cannot use ~/.ssh if the mode is set to 700?
   Changing the permissions for ~/.ssh to 750 or 755 has been
   the solution for me and for a number of other users that
   I've suggested it to.  Are we all doing something wrong?  (a
   possibility, of course)

The following script sets everything up for me (of course,
I respond to the ssh-keygen prompts):

   #!/bin/bash
   umask 0022 && \
   chmod 700 ~ && \
   mv ~/.ssh ~/save.ssh && \
   ssh-keygen -t rsa -C "some useful comment" -f ~/.ssh/id_rsa && \
   cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys2

This causes ssh-keygen to create ~/.ssh with whatever permissions
it thinks are correct (i.e., 700).

(I'm running sshd on Win2K using NTFS, Cygwin DLL 1.3.15,
CYGWIN=ntsec, StrictMode=yes, UsePrivilegeSeparation=yes)

After this script completes, I attempt to connect to my ssh server
from the machine that is running the server.  I can connect, but only
if I provide my password.  Conversely, if I set the permissions of
~/.ssh to 755, then I can connect without providing my password.

Am I doing something wrong, or assuming something that is false?
Re: Is RSA authentication on SSH still broken?
On Thu, Nov 07, 2002 at 06:54:48PM -0500, Harig, Mark A. wrote:
> I must be missing a piece of information.  Setting the
> permissions of ~/.ssh to 700 causes ssh to require me
> to enter a password, that is, the encryption-key processing
> is failing.  Setting the permissions of ~/.ssh to 750 (if
> the group setting is SYSTEM) or to 755 (if the group setting
> is not SYSTEM) allows ssh to access the encryption-key files.

Are you actually sure?  The permissions of directories don't influence
the permissions to the underlying files and directories unless an
administrator changes the setting of the above "Bypass traverse checking"
user right.  Just to be sure I did check that yesterday on my system so
I'm pretty confident.

"Bypass traverse checking" is on by default for Everyone.  This is
annoyingly different from UNIX file systems from my point of view
but AFAIK professional Windows admins like it.  And since it's the
default and most users don't know what it's doing anyway, I don't
change it on my test system, too.

> > Second, I don't see the point in setting the permissions of
> > .ssh/authorized_keys to 0600 at all.  The content of that
> > file is a list of the *public* part of the keys so it's their
> > intent to be readable by anybody.
>
> That was my understanding also.  I assumed that my understanding
> was incorrect because ssh would report that my permissions for
> ~/.ssh/authorized_keys was too open.  I'm unable to reproduce that
> at this time.  This issue is closed as far as I am concerned, until
> I can reproduce the problem.

OpenSSH is a UNIX-centric application as most are in the Cygwin distro.
As such, OpenSSH checks permissions in a UNIX sense.  Actually, OpenSSH
checks also the permissions of the parent directory chain up to the
user's home directory.  It requires as minimum

  755 on ~
  755 on ~/.ssh
  644 on ~/.ssh/authorized_keys

as long as StrictModes is on.  If one of them doesn't meet those
requirements, sshd complains.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@;cygwin.com
Red Hat, Inc.
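The StrictModes check described in the message above, as an added example that is not part of the original post and is not OpenSSH's own code: a shell function that walks from the key file up to the home directory and flags any component that is writable by group or other, or not owned by the user or uid 0. It assumes GNU stat ("stat -c"); the function names are illustrative.

```shell
#!/bin/sh
# Added example: StrictModes-style audit of the path from a key file up
# to the home directory. Not OpenSSH code; function names are illustrative.
# Assumes GNU stat ("stat -c"), as shipped with Cygwin and Linux coreutils.

# path_is_safe PATH UID
# Succeeds when PATH is owned by UID or uid 0 and has no group/other
# write bit set (mode & 022 == 0).
path_is_safe() {
    _pis_mode=$(stat -c '%a' "$1") || return 2
    _pis_owner=$(stat -c '%u' "$1") || return 2
    [ "$_pis_owner" = "$2" ] || [ "$_pis_owner" = 0 ] || return 1
    # The leading 0 makes the shell read the mode as an octal constant.
    [ $(( 0$_pis_mode & 022 )) -eq 0 ]
}

# check_strictmodes HOME_DIR KEYFILE [UID]
# Checks KEYFILE, its directory, and so on up to HOME_DIR, printing one
# line per component. Returns 0 if every component passes, 1 if any
# fails, 2 if KEYFILE is not below HOME_DIR.
check_strictmodes() {
    _cs_home=${1%/}
    _cs_path=$2
    _cs_uid=${3:-$(id -u)}
    _cs_rc=0
    case "$_cs_path" in
        "$_cs_home"/*) ;;
        *) echo "error: $_cs_path is not below $_cs_home" >&2; return 2 ;;
    esac
    while :; do
        if [ ! -e "$_cs_path" ]; then
            echo "MISSING $_cs_path"
            _cs_rc=1
        elif path_is_safe "$_cs_path" "$_cs_uid"; then
            echo "ok   $(stat -c '%a' "$_cs_path") $_cs_path"
        else
            echo "FAIL $(stat -c '%a' "$_cs_path") $_cs_path"
            _cs_rc=1
        fi
        [ "$_cs_path" = "$_cs_home" ] && break
        _cs_path=$(dirname "$_cs_path")
    done
    return "$_cs_rc"
}

# Stand-alone use: sh strictmodes.sh "$HOME" "$HOME/.ssh/authorized_keys"
if [ "$#" -ge 2 ]; then
    check_strictmodes "$@"
fi
```

This looks only at the Unix mode bits and owner that Cygwin reports; whether SYSTEM can actually read the file on NTFS depends on the ACL, which getfacl shows.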
RE: Is RSA authentication on SSH still broken?
>
> First, the directory permission doesn't restrict the access for SYSTEM
> due to the standard "Bypass traverse checking" setting on NT.
> So setting the .ssh permissions to 0700 is perfectly fine.
>

I must be missing a piece of information.  Setting the
permissions of ~/.ssh to 700 causes ssh to require me
to enter a password, that is, the encryption-key processing
is failing.  Setting the permissions of ~/.ssh to 750 (if
the group setting is SYSTEM) or to 755 (if the group setting
is not SYSTEM) allows ssh to access the encryption-key files.

> Second, I don't see the point in setting the permissions of
> .ssh/authorized_keys to 0600 at all.  The content of that
> file is a list of the *public* part of the keys so it's their
> intent to be readable by anybody.

That was my understanding also.  I assumed that my understanding
was incorrect because ssh would report that my permissions for
~/.ssh/authorized_keys was too open.  I'm unable to reproduce that
at this time.  This issue is closed as far as I am concerned, until
I can reproduce the problem.
Re: Is RSA authentication on SSH still broken?
On Thu, Nov 07, 2002 at 11:51:16AM -0500, Harig, Mark A. wrote:
> Thank you for the clarification!
>
> This presents an interesting situation.
> Users who run 'ssh-keygen' (either directly,
> or indirectly using 'ssh-host-config'),
> find that they are not able to run ssh
> because of the permissions of ~/.ssh/
> (and, later, ~/.ssh/authorized_keys*), even
> though their permissions are set to the
> "correct" values.
>
> Shouldn't this all be included in
> /usr/doc/Cygwin/openssh*README?  Namely,
>
>    1) If you want the most secure ssh connection,
>       then you will need to follow Corinna Vinschen's
>       instructions below to set ACLs for both ~/.ssh/
>       and ~/.ssh/authorized_keys*.
>
>    2) If you don't want to attempt to manipulate
>       ACLs, then simply chmod 755 ~/.ssh/ and
>       chmod 644 ~/.ssh/authorized_keys.
>
> What about a third alternative?
>
>    $ chgrp system ~/.ssh/ ~/.ssh/authorized_keys*
>    $ chmod 750 ~/.ssh/
>    $ chmod 640 ~/.ssh/authorized_keys*
>
> This works, but does it merely give the illusion of
> more security without actually making the files secure?

First, the directory permission doesn't restrict the access for SYSTEM
due to the standard "Bypass traverse checking" setting on NT.  So setting
the .ssh permissions to 0700 is perfectly fine.

Second, I don't see the point in setting the permissions of
.ssh/authorized_keys to 0600 at all.  The content of that file is a list
of the *public* part of the keys so it's their intent to be readable by
anybody.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@;cygwin.com
Red Hat, Inc.
RE: Is RSA authentication on SSH still broken?
Thank you for the clarification!

This presents an interesting situation.
Users who run 'ssh-keygen' (either directly,
or indirectly using 'ssh-host-config'),
find that they are not able to run ssh
because of the permissions of ~/.ssh/
(and, later, ~/.ssh/authorized_keys*), even
though their permissions are set to the
"correct" values.

Shouldn't this all be included in
/usr/doc/Cygwin/openssh*README?  Namely,

   1) If you want the most secure ssh connection,
      then you will need to follow Corinna Vinschen's
      instructions below to set ACLs for both ~/.ssh/
      and ~/.ssh/authorized_keys*.

   2) If you don't want to attempt to manipulate
      ACLs, then simply chmod 755 ~/.ssh/ and
      chmod 644 ~/.ssh/authorized_keys.

What about a third alternative?

   $ chgrp system ~/.ssh/ ~/.ssh/authorized_keys*
   $ chmod 750 ~/.ssh/
   $ chmod 640 ~/.ssh/authorized_keys*

This works, but does it merely give the illusion of
more security without actually making the files secure?

> >
> > Could this be a bug in Cygwin's implementation of openssh?
>
> It isn't.  It's a problem with the permission model of NTFS.  Even
> though SYSTEM is *the* major player on the machine, it gets an
> "access denied" if it has no permissions on a file.  Don't ask for
> my opinion on this behaviour.
>
> However, since NTFS uses ACLs, you can give SYSTEM explicitly access
> to the file:
>
>   [~/.ssh]$ chmod 600 authorized_keys
>   [~/.ssh]$ getfacl authorized_keys
>   # file: authorized_keys
>   # owner: corinna
>   # group: root
>   user::rw-
>   group::---
>   mask::---
>   other::---
>   [~/.ssh]$ setfacl -m g:SYSTEM:r-- authorized_keys
>   [~/.ssh]$ getfacl authorized_keys
>   # file: authorized_keys
>   # owner: corinna
>   # group: root
>   user::rw-
>   group::---
>   group:SYSTEM:r--
>   mask::---
>   other::---
>
> HTH,
> Corinna
>
> --
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Developer                                mailto:cygwin@;cygwin.com
> Red Hat, Inc.
Re: Is RSA authentication on SSH still broken?
On Wed, Nov 06, 2002 at 07:19:40PM -0500, Harig, Mark A. wrote:
> >
> > chmod 755 $HOME/.ssh
> > chmod 644 $HOME/.ssh/authorized_keys*
> >
> > I had $HOME set to 700 and authorized_keys* to 600 before and that
> > somehow broke RSA authentication - it is odd that stricter permissions
> > would cause that. I suppose this is because the SYSTEM or sshd user
> > needs to read the keys and cannot without the appropriate privileges.
> >
>
> Could this be a bug in Cygwin's implementation of openssh?

It isn't.  It's a problem with the permission model of NTFS.  Even
though SYSTEM is *the* major player on the machine, it gets an
"access denied" if it has no permissions on a file.  Don't ask for
my opinion on this behaviour.

However, since NTFS uses ACLs, you can give SYSTEM explicitly access
to the file:

  [~/.ssh]$ chmod 600 authorized_keys
  [~/.ssh]$ getfacl authorized_keys
  # file: authorized_keys
  # owner: corinna
  # group: root
  user::rw-
  group::---
  mask::---
  other::---
  [~/.ssh]$ setfacl -m g:SYSTEM:r-- authorized_keys
  [~/.ssh]$ getfacl authorized_keys
  # file: authorized_keys
  # owner: corinna
  # group: root
  user::rw-
  group::---
  group:SYSTEM:r--
  mask::---
  other::---

HTH,
Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@;cygwin.com
Red Hat, Inc.
RE: Is RSA authentication on SSH still broken?
>
> chmod 755 $HOME/.ssh
> chmod 644 $HOME/.ssh/authorized_keys*
>
> I had $HOME set to 700 and authorized_keys* to 600 before and that
> somehow broke RSA authentication - it is odd that stricter permissions
> would cause that. I suppose this is because the SYSTEM or sshd user
> needs to read the keys and cannot without the appropriate privileges.
>

Could this be a bug in Cygwin's implementation of openssh?

Try the following in a bash shell:

   $ /usr/bin/mv ~/.ssh ~/save.ssh
   $ /usr/bin/ssh-keygen -t rsa -C "some useful comment"

Then respond to the 'ssh-keygen' prompts by simply pressing
[Enter] (or [Return]).  ssh-keygen will create a new ~/.ssh
directory for you, along with the requested ~/.ssh/id_rsa
and ~/.ssh/id_rsa.pub files.

After ssh-keygen has completed, set up your authorized_keys2 file:

   $ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys2
   $ ls -ld ~/.ssh

ssh-keygen created a ~/.ssh directory with the permissions set
to 700.  (These permissions match what ssh-keygen does on my
Linux installation.)  But if you attempt to connect to your
Cygwin system via ssh, you'll find that you cannot, unless you
make the permissions less restrictive, that is "chmod 755 ~/.ssh".

Similarly, if ~/.ssh/authorized_keys* is set to 600 on Linux,
then ssh works without errors, but if you set the file permissions
to 644, then it might work, but I have had some versions of ssh
issue a warning that the permissions for ~/.ssh/authorized_keys
are "too open".  In other words, ssh should work with the more
secure setting of 600, but does not on Cygwin.

In the meantime, the following rules appear to be in effect:

   Cygwin:
      chmod 755 ~/.ssh
      chmod 644 ~/.ssh/authorized_keys*

   Non-Cygwin:
      chmod 700 ~/.ssh
      chmod 600 ~/.ssh/authorized_keys*

---
RE: Is RSA authentication on SSH still broken?
Thanks very much for the help! This did it:

chmod 755 $HOME/.ssh
chmod 644 $HOME/.ssh/authorized_keys*

I had $HOME set to 700 and authorized_keys* to 600 before and that
somehow broke RSA authentication - it is odd that stricter permissions
would cause that. I suppose this is because the SYSTEM or sshd user needs
to read the keys and cannot without the appropriate privileges.

Thanks again.

Antonio

On Tue, 2002-11-05 at 18:55, Harig, Mark A. wrote:
> I am able to use SSH with public/private-key files.
> ssh is working on Cygwin, both as a client and
> as a server, at least on Win2K.
>
> # Cygwin version:
> $ uname -r
> 1.3.14(0.62/3/2)
>
> # Windows version:
> $ uname -s
> CYGWIN_NT-5.0
>
> # ssh version
> $ ssh -V
> OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
>
> My guess is that your problem is related to file/directory
> permissions.  One permission problem I found is that
> 'ssh-keygen' creates a ~/.ssh directory (if you don't
> have one already) with permissions set to 700.  I found
> that I had to change these to 755.
>
> Here are the file permissions you should check:
>
> 1. $HOME - Your home directory should be set to 700.
>    Only you need access to your home directory.
>
> 2. $HOME/.ssh - Try setting this to 755.
>
> 3. $HOME/.ssh/authorized_keys* - Turn off write
>    permission for anyone other than you, turn on
>    read permission for everyone.  One possible
>    setting for this is:
>
>       $ chmod 644 $HOME/.ssh/authorized_keys*
>
>    Of course, only 'identity.pub' keys should be
>    in 'authorized_keys' and only 'id_rsa.pub'/'id_dsa.pub'
>    should be in 'authorized_keys2', depending upon
>    the type(s) of encryption you chose.
>
> 4. $HOME/.ssh/ -
>    Of course, only you should have any permissions
>    for your private key files 'identity', 'id_rsa',
>    or 'id_dsa' (you need at least one of these).
>
>       $ chmod 600 identity (or id_rsa or id_dsa, etc.)
>
>
> > -----Original Message-----
> > From: Antonio Bemfica [mailto:antonio@;axolotl.ic.gc.ca]
> > Sent: Tuesday, November 05, 2002 5:32 PM
> > To: [EMAIL PROTECTED]
> > Subject: Is RSA authentication on SSH still broken?
> >
> >
> > Hello
> >
> > Could someone clarify whether RSA authentication is still not possible
> > when running SSH as the SYSTEM user? I have Cygwin 1.3.14-1 and OpenSSH
> > 3.4p1-5 and can only login via password authentication (I am familiar
> > with the process to effect RSA authentication under Unix). I have also
> > tightened permissions on the key files, home directory, etc.
> >
> > The /usr/doc/Cygwin/openssh-3.4p1-5.README file mentions that "The
> > following restrictions only apply to Cygwin versions up to 1.3.1" - is
> > it safe to assume that I should be able to get it running, since I am
> > using 1.3.14-1? I will stop trying otherwise!
> >
> > Thanks a lot for the help.
> >
> > A.
RE: Is RSA authentication on SSH still broken?
Also, if checking your file/directory permissions does not
solve your problem, then please consider the bug-reporting
guidelines for Cygwin -

As requested at http://cygwin.com/bugs.html:

  o Please describe how to reproduce the problem, including
    a test case, if possible.

  o Please include at least the version number of the Cygwin
    release you are using along with the operating system name
    and its version number, for example, "cygwin v1.3.13 under
    NT 4.0".

  o Most of the information about your Cygwin environment is
    listed by running 'cygcheck -s -v -r > cygcheck.txt'.
    Please include cygcheck.txt *AS AN ATTACHMENT* to your
    report.  It is important that you include it as an
    attachment so that searches of the mailing-list archives
    give fewer false matches.

> -----Original Message-----
> From: Antonio Bemfica [mailto:antonio@;axolotl.ic.gc.ca]
> Sent: Tuesday, November 05, 2002 5:32 PM
> To: [EMAIL PROTECTED]
> Subject: Is RSA authentication on SSH still broken?
>
>
> Hello
>
> Could someone clarify whether RSA authentication is still not possible
> when running SSH as the SYSTEM user? I have Cygwin 1.3.14-1 and OpenSSH
> 3.4p1-5 and can only login via password authentication (I am familiar
> with the process to effect RSA authentication under Unix). I have also
> tightened permissions on the key files, home directory, etc.
>
> The /usr/doc/Cygwin/openssh-3.4p1-5.README file mentions that "The
> following restrictions only apply to Cygwin versions up to 1.3.1" - is
> it safe to assume that I should be able to get it running, since I am
> using 1.3.14-1? I will stop trying otherwise!
>
> Thanks a lot for the help.
>
> A.
RE: Is RSA authentication on SSH still broken?
I am able to use SSH with public/private-key files.
ssh is working on Cygwin, both as a client and
as a server, at least on Win2K.

# Cygwin version:
$ uname -r
1.3.14(0.62/3/2)

# Windows version:
$ uname -s
CYGWIN_NT-5.0

# ssh version
$ ssh -V
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f

My guess is that your problem is related to file/directory
permissions.  One permission problem I found is that
'ssh-keygen' creates a ~/.ssh directory (if you don't
have one already) with permissions set to 700.  I found
that I had to change these to 755.

Here are the file permissions you should check:

1. $HOME - Your home directory should be set to 700.
   Only you need access to your home directory.

2. $HOME/.ssh - Try setting this to 755.

3. $HOME/.ssh/authorized_keys* - Turn off write
   permission for anyone other than you, turn on
   read permission for everyone.  One possible
   setting for this is:

      $ chmod 644 $HOME/.ssh/authorized_keys*

   Of course, only 'identity.pub' keys should be
   in 'authorized_keys' and only 'id_rsa.pub'/'id_dsa.pub'
   should be in 'authorized_keys2', depending upon
   the type(s) of encryption you chose.

4. $HOME/.ssh/ -
   Of course, only you should have any permissions
   for your private key files 'identity', 'id_rsa',
   or 'id_dsa' (you need at least one of these).

      $ chmod 600 identity (or id_rsa or id_dsa, etc.)

> -----Original Message-----
> From: Antonio Bemfica [mailto:antonio@;axolotl.ic.gc.ca]
> Sent: Tuesday, November 05, 2002 5:32 PM
> To: [EMAIL PROTECTED]
> Subject: Is RSA authentication on SSH still broken?
>
>
> Hello
>
> Could someone clarify whether RSA authentication is still not possible
> when running SSH as the SYSTEM user? I have Cygwin 1.3.14-1 and OpenSSH
> 3.4p1-5 and can only login via password authentication (I am familiar
> with the process to effect RSA authentication under Unix). I have also
> tightened permissions on the key files, home directory, etc.
>
> The /usr/doc/Cygwin/openssh-3.4p1-5.README file mentions that "The
> following restrictions only apply to Cygwin versions up to 1.3.1" - is
> it safe to assume that I should be able to get it running, since I am
> using 1.3.14-1? I will stop trying otherwise!
>
> Thanks a lot for the help.
>
> A.