This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



ssh login with [rd]sa key, permissions on keyfile problems


Hello list
 
I thought it might be nice to log on using an rsa or dsa key. So I
created both an rsa and a dsa key using ssh-user-config. The keys were
created in ~/.ssh, and the required changes made to authorized_keys.
 
Logging in to the server using
 
ssh -i ~/.ssh/id_rsa -l fermin -v localhost
 
gives me all kind of output, the essential being:
 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '//dcp1/users/fermin/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by
others.
This private key will be ignored.
bad permissions: ignore key: //dcp1/users/fermin/.ssh/id_rsa
Enter passphrase for key '//dcp1/users/fermin/.ssh/id_rsa':

 
After entering the passphrase for my key, there is more:
 
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: password
fermin@localhost's password:

It falls back to 'normal' password authentication, which also works, of
course. But it's not what I had in mind. So I went into ~/.ssh, listed
the contents:
 
$ ls -l
total 6
-rw-r--r--    1 fermin   Domain U      822 Sep 20 15:23 authorized_keys
-rw-r--r--    1 fermin   Domain U      668 Sep 20 15:48 id_dsa
-rw-r--r--    1 fermin   Domain U      601 Sep 20 15:23 id_dsa.pub
-rw-r--r--    1 fermin   Domain U      883 Sep 20 15:48 id_rsa
-rw-r--r--    1 fermin   Domain U      221 Sep 20 15:23 id_rsa.pub
-rw-r--r--    1 fermin   Domain U      220 Sep 20 15:23 known_hosts

 
$ chmod -v 600 id_*sa
mode of `id_dsa' changed to 0600 (rw-------)
mode of `id_rsa' changed to 0600 (rw-------)

 
Unfortunately, the files are not impressed by my actions, and the '-v'
parameter does only show what would have happened in a normal world.
Which my system doesn't seem to be. "chmod -c 600 id_*sa" works
correctly, though, not showing any changes having happened.
 
At this point I figured it must have something to do with NTFS
permissions (being MCSE and all that) and tried to change the
permissions of the id files in Windows (and ownership, while I was at
it). I also made sure that "StrictModes no" is active in sshd_config,
which it is.
 
From the windows point of view, everything should be fine, but I think
there's a difference in file rights between *unix systems and Windows:
In Windows, the actual file permission overrides the directory
permission, meaning that you could have access (read/write/whatever) to
a file while not being able to access the directory where the file is.
Don't ask me why or say "that's insane" - it's just the way it is, I
didn't come up with NTFS in the first place. AFAIR from my recent
Solaris course, *nix does it the other way round, directory permissions
always override file permissions?
 
Not wanting to screw around any more than I already have, could somebody
please confirm that I probably need to adjust the directory permissions
for ~/.ssh (to what, who should be the owner, what about 'other'?), and
then it should work? And of course I will have to turn off inherited
rights on that directory, as well...
 
Because work it did:
 
mkdir /tmp/fermin
cp ~/.ssh/id_rsa /tmp/fermin
chmod 600 /tmp/fermin/id_rsa
ssh -l fermin -i /tmp/fermin/id_rsa localhost
 
... worked like a charm.
 
 
Hopefully, somebody ran into this problem before and can give me a hint
or two? Thank you!
 
Regards
Fermin
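
An added check script, not part of Fermin's post or of Cygwin's own tooling, that applies the two rules at play here. The OpenSSH client refuses a private key whose mode has any group or other bits set, which is exactly what the 0644 warning quoted above reports; that check is built into the ssh client itself and is not affected by sshd's StrictModes, which governs the server-side check that the home directory, ~/.ssh and authorized_keys are not writable by group or other. The directory, file names and modes in the demo are constructed; modes are read with stat (GNU `-c`, BSD `-f` fallback).

```shell
#!/bin/sh
# Added example (not from the mailing-list post): audit a .ssh directory the
# way OpenSSH does. Client rule: a private key must have no group/other bits
# (0600 or 0400). Server rule (StrictModes): the directory and authorized_keys
# must not be writable by group or other. Paths below are constructed.

# Print the octal permission bits of a path (GNU stat first, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Private key rule: no group/other bits at all. Looks at the last two octal
# digits; any non-zero digit there means the key is "too open".
key_perms_ok() {
    m=$(mode_of "$1") || return 1
    case "$m" in
        *[1-7][0-7]|*[0-7][1-7]) return 1 ;;   # some group/other bit is set
        *) return 0 ;;
    esac
}

# Directory / authorized_keys rule: no group/other write bit. Write is bit 2,
# so the digits 2, 3, 6 and 7 in the group or other position fail.
not_writable_by_others() {
    m=$(mode_of "$1") || return 1
    case "$m" in
        *[2367][0-7]|*[0-7][2367]) return 1 ;;
        *) return 0 ;;
    esac
}

# Audit one .ssh directory: print every violation, return 1 if any were found.
audit_ssh_dir() {
    dir=$1; rc=0
    not_writable_by_others "$dir" \
        || { echo "BAD  $dir: writable by group/other"; rc=1; }
    if [ -f "$dir/authorized_keys" ]; then
        not_writable_by_others "$dir/authorized_keys" \
            || { echo "BAD  $dir/authorized_keys: writable by group/other"; rc=1; }
    fi
    for k in "$dir"/id_*; do
        [ -f "$k" ] || continue
        case "$k" in *.pub) continue ;; esac     # public halves may stay 0644
        key_perms_ok "$k" \
            || { echo "BAD  $k: mode $(mode_of "$k") is too open (need 0600)"; rc=1; }
    done
    return $rc
}

# Demo: a constructed directory reproducing the listing in the post (all 0644),
# audited before and after the conventional fix.
demo=$(mktemp -d)
mkdir -m 755 "$demo/.ssh"
for f in authorized_keys id_dsa id_dsa.pub id_rsa id_rsa.pub known_hosts; do
    : > "$demo/.ssh/$f"; chmod 644 "$demo/.ssh/$f"
done
echo "--- before"; audit_ssh_dir "$demo/.ssh" || true
chmod 700 "$demo/.ssh"; chmod 600 "$demo/.ssh"/id_?sa
echo "--- after";  audit_ssh_dir "$demo/.ssh" && echo "ok: ssh will accept these keys"
rm -rf "$demo"
```

Run `audit_ssh_dir ~/.ssh` against a real directory. The mode it reports is the same stat() view the ssh client uses; on Cygwin that view is derived from the NTFS ACL, so when chmod leaves it unchanged, as in the post, the ACL on the directory (inherited entries included) is what has to be adjusted before the key stops being rejected.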



