This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.
ssh login with [rd]sa key, permissions on keyfile problems
- From: "Fermin Sanchez" <fermin at fermin dot ch>
- To: <cygwin at cygwin dot com>
- Date: Sat, 20 Sep 2003 21:39:57 +0200
- Subject: ssh login with [rd]sa key, permissions on keyfile problems
Hello list
I thought it might be nice to log on using an rsa or dsa key. So I
created both an rsa and a dsa key using ssh-user-config. The keys were
created in ~/.ssh, and the required changes made to authorized_keys.
Logging in to the server using
ssh -i ~/.ssh/id_rsa -l fermin -v localhost
gives me all kinds of output, the essential being:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '//dcp1/users/fermin/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by
others.
This private key will be ignored.
bad permissions: ignore key: //dcp1/users/fermin/.ssh/id_rsa
Enter passphrase for key '//dcp1/users/fermin/.ssh/id_rsa':
After entering the passphrase for my key, there is more:
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: password
fermin@localhost's password:
It falls back to 'normal' password authentication, which also works, of
course. But it's not what I had in mind. So I went into ~/.ssh, listed
the contents:
$ ls -l
total 6
-rw-r--r-- 1 fermin Domain U 822 Sep 20 15:23 authorized_keys
-rw-r--r-- 1 fermin Domain U 668 Sep 20 15:48 id_dsa
-rw-r--r-- 1 fermin Domain U 601 Sep 20 15:23 id_dsa.pub
-rw-r--r-- 1 fermin Domain U 883 Sep 20 15:48 id_rsa
-rw-r--r-- 1 fermin Domain U 221 Sep 20 15:23 id_rsa.pub
-rw-r--r-- 1 fermin Domain U 220 Sep 20 15:23 known_hosts
$ chmod -v 600 id_*sa
mode of `id_dsa' changed to 0600 (rw-------)
mode of `id_rsa' changed to 0600 (rw-------)
Unfortunately, the files are not impressed by my actions, and the '-v'
parameter does only show what would have happened in a normal world.
Which my system doesn't seem to be. "chmod -c 600 id_*sa" works
correctly, though, not showing any changes having happened.
At this point I figured it must have something to do with NTFS
permissions (being MCSE and all that) and tried to change the
permissions of the id files in Windows (and ownership, while I was at
it). I also made sure that "StrictModes no" is active in sshd_config,
which it is.
From the Windows point of view, everything should be fine, but I think
there's a difference in file rights between *unix systems and Windows:
In Windows, the actual file permission overrides the directory
permission, meaning that you could have access (read/write/whatever) to
a file while not being able to access the directory where the file is.
Don't ask me why or say "that's insane" - it's just the way it is, I
didn't come up with NTFS in the first place. afair from my recent
Solaris course, *nix does it the other way round, directory permissions
always override file permissions?
Not wanting to screw around any more than I already have, could somebody
please confirm that I probably need to adjust the directory permissions
for ~/.ssh (to what, who should be the owner, what about 'other'?), and
then it should work? And of course I will have to turn off inherited
rights on that directory, as well...
Because work it did:
mkdir /tmp/fermin
cp ~/.ssh/id_rsa /tmp/fermin
chmod 600 /tmp/fermin/id_rsa
ssh -l fermin -i /tmp/fermin/id_rsa localhost
... worked like a charm.
Hopefully, somebody ran into this problem before and can give me a hint
or two? Thank you!
Regards
Fermin
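
Added example, not part of the original post: a shell check for the situation described above, where chmod reports success but the key file stays at 0644 and ssh ignores it. It assumes GNU coreutils stat (which Cygwin ships); the function names are hypothetical and the demo uses a dummy file, not a real key.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils `stat`.
# All function names below are hypothetical.

# Print the octal permission bits of a file, e.g. 600 or 644.
file_mode() {
    stat -c '%a' "$1"
}

# Succeed only if no group/other permission bits are set (mode & 077 == 0),
# the condition behind the "UNPROTECTED PRIVATE KEY FILE" warning.
key_mode_ok() {
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# chmod the file, then re-read the mode from disk instead of trusting
# chmod's own output. Returns 1 if the requested mode did not stick.
chmod_and_verify() {
    want=$1; file=$2
    chmod "$want" "$file" || return 2
    got=$(file_mode "$file") || return 2
    if [ "$got" != "$want" ]; then
        echo "chmod $want did not stick on $file (mode is still $got)" >&2
        return 1
    fi
}

# Constructed demo: a dummy file stands in for a private key.
demo() {
    dir=$(mktemp -d) || return 2
    key="$dir/id_rsa_demo"
    echo "not a real key" > "$key"
    chmod 644 "$key"
    key_mode_ok "$key" || echo "before: mode $(file_mode "$key") would be rejected"
    if chmod_and_verify 600 "$key" && key_mode_ok "$key"; then
        echo "after: mode $(file_mode "$key") is acceptable"
    else
        echo "after: filesystem did not keep the mode; key would still be ignored"
    fi
    rm -rf "$dir"
}
demo
```

Running chmod_and_verify against a file in the real ~/.ssh shows whether that location keeps POSIX mode bits at all, which is the difference between the home directory and /tmp in the post.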