ssh login with [rd]sa key, permissions on keyfile problems

Igor Pechtchanski pechtcha@cs.nyu.edu
Sun Sep 21 03:37:00 GMT 2003


On Sat, 20 Sep 2003, Fermin Sanchez wrote:

> Hello list
>
> I thought it might be nice to log on using an rsa or dsa key. So I
> created both an rsa and a dsa key using ssh-user-config. The keys were
> created in ~/.ssh, and the required changes made to authorized_keys.
>
> Logging in to the server using
>
> ssh -i ~/.ssh/id_rsa -l fermin -v localhost
>
> gives me all kind of output, the essential being:
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Permissions 0644 for '//dcp1/users/fermin/.ssh/id_rsa' are too open.
> It is recommended that your private key files are NOT accessible by
> others.
> This private key will be ignored.
> bad permissions: ignore key: //dcp1/users/fermin/.ssh/id_rsa
> Enter passphrase for key '//dcp1/users/fermin/.ssh/id_rsa':
>
>
> After entering the passphrase for my key, there is more:
>
> debug1: Next authentication method: keyboard-interactive
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug1: Next authentication method: password
> fermin@localhost's password:
>
> It falls back to 'normal' password authentication, which also works, of
> course. But it's not what I had in mind. So I went into ~/.ssh, listed
> the contents:
>
> $ ls -l
> total 6
> -rw-r--r--    1 fermin   Domain U      822 Sep 20 15:23 authorized_keys
> -rw-r--r--    1 fermin   Domain U      668 Sep 20 15:48 id_dsa
> -rw-r--r--    1 fermin   Domain U      601 Sep 20 15:23 id_dsa.pub
> -rw-r--r--    1 fermin   Domain U      883 Sep 20 15:48 id_rsa
> -rw-r--r--    1 fermin   Domain U      221 Sep 20 15:23 id_rsa.pub
> -rw-r--r--    1 fermin   Domain U      220 Sep 20 15:23 known_hosts
>
>
> $ chmod -v 600 id_*sa
> mode of `id_dsa' changed to 0600 (rw-------)
> mode of `id_rsa' changed to 0600 (rw-------)
>
>
> Unfortunately, the files are not impressed by my actions, and the '-v'
> parameter does only show what would have happened in a normal world.
> Which my system doesn't seem to be. "chmod -c 600 id_*sa" works
> correctly, though, not showing any changes having happened.
>
> At this point I figured it must have something to do with NTFS
> permissions (being MCSE and all that) and tried to change the
> permissions of the id files in Windows (and ownership, while I was at
> it). I also made sure that "StrictModes no" is active in sshd_config,
> which it is.
>
> From the Windows point of view, everything should be fine, but I think
> there's a difference in file rights between *unix systems and Windows:
> In Windows, the actual file permission overrides the directory
> permission, meaning that you could have access (read/write/whatever) to
> a file while not being able to access the directory where the file is.
> Don't ask me why or say "that's insane" - it's just the way it is, I
> didn't come up with NTFS in the first place. afair from my recent
> Solaris course, *nix does it the other way round, directory permissions
> always override file permissions?
>
> Not wanting to screw around any more than I already have, could somebody
> please confirm that I probably need to adjust the directory permissions
> for ~/.ssh (to what, who should be the owner, what about 'other'?), and
> then it should work? And of course I will have to turn off inherited
> rights on that directory, as well...
>
> Because work it did:
>
> mkdir /tmp/fermin
> cp ~/.ssh/id_rsa /tmp/fermin
> chmod 600 /tmp/fermin/id_rsa
> ssh -l fermin -i /tmp/fermin/id_rsa localhost
>
> ... worked like a charm.
>
> Hopefully, somebody ran into this problem before and can give me a hint
> or two? Thank you!
>
> Regards
> Fermin

Is your home directory on an SMB share?  If so, you may need to add
"smbntsec" to your CYGWIN environment variable.

Also, can you please post the output of "getfacl ~/.ssh" and "getfacl
~/.ssh/id_rsa"?
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha@cs.nyu.edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor@watson.ibm.com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
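Added example, not code from either poster: a small POSIX shell script that replays the two checks this thread turns on. First, whether a private key's mode leaves any group/other bits set, which is what makes ssh print the UNPROTECTED PRIVATE KEY FILE banner and skip the key; second, whether a chmod actually stuck, which is what silently failed above on a home directory whose filesystem does not honour POSIX modes (chmod -v reported a change, ls -l showed none). It assumes only ls, cut, chmod and mktemp; modes are read from the first column of `ls -ld`, which has the same shape on GNU, BSD and Cygwin ls, so no stat(1) flag differences get in the way. The directory check mirrors what sshd's StrictModes rejects (group- or other-writable ~ and ~/.ssh); the file names and the demo directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces ssh's "too open" check on
# a private key and verifies that chmod took effect, for the case where the
# filesystem (e.g. an SMB-backed home under Cygwin) ignores POSIX modes.

# Print the 10-character mode column of ls -ld, e.g. "-rw-r--r--".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Exit 0 (true) when group or other hold any permission bit on the key;
# that is the condition under which ssh ignores the key.
key_too_open() {
    case "$(mode_of "$1" | cut -c5-10)" in
        ------) return 1 ;;
        *)      return 0 ;;
    esac
}

# Exit 0 (true) when group (char 6) or other (char 9) can write the
# directory, the condition sshd's StrictModes rejects for ~ and ~/.ssh.
dir_too_open() {
    case "$(mode_of "$1")" in
        ?????w*|????????w?) return 0 ;;
        *)                  return 1 ;;
    esac
}

# chmod, then read the mode back. On a share that does not map POSIX modes
# chmod exits 0 but nothing changes; this catches that instead of trusting -v.
# Usage: chmod_verified MODE PATH   (only 600 and 700 are handled here)
chmod_verified() {
    chmod "$1" "$2" || return 1
    case "$1" in
        600) want='rw-------' ;;
        700) want='rwx------' ;;
        *)   echo "chmod_verified: only 600/700 handled" >&2; return 1 ;;
    esac
    [ "$(mode_of "$2" | cut -c2-10)" = "$want" ]
}

# Print one line per finding for an ssh directory; exit status is the number
# of findings (0 = nothing ssh or sshd would reject).
audit_ssh_dir() {
    dir=$1; n=0
    if dir_too_open "$dir"; then
        echo "$dir: writable by group/other ($(mode_of "$dir"))"; n=$((n+1))
    fi
    for k in "$dir/id_rsa" "$dir/id_dsa"; do
        [ -f "$k" ] || continue
        if key_too_open "$k"; then
            echo "$k: private key readable by others ($(mode_of "$k"))"; n=$((n+1))
        fi
    done
    return $n
}

# Demo on a constructed directory: a 0644 key as in the post, then the fix.
# Returns the number of findings left after the fix (0 on a sane filesystem).
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed placeholder, not a real key\n' > "$d/id_rsa"
    chmod 644 "$d/id_rsa"; chmod 755 "$d"
    audit_ssh_dir "$d" || true              # reports the open key
    chmod_verified 600 "$d/id_rsa" || echo "$d/id_rsa: chmod did not stick (no POSIX modes on this filesystem?)"
    chmod_verified 700 "$d" || echo "$d: chmod did not stick"
    if audit_ssh_dir "$d"; then rc=0; else rc=$?; fi
    rm -rf "$d"
    return $rc
}

demo
```

Run it as `sh check_ssh_perms.sh`: the first audit prints the same complaint ssh printed above, the second prints nothing. If `chmod_verified` reports that the change did not stick, the fix is not more chmod but the mount, which is the point of the smbntsec question in the reply; copying the key to a local path, as the poster did with /tmp, is the quick way to confirm that diagnosis.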
