public inbox for cygwin@cygwin.com
From: "Matt D." <codespunk@gmail.com>
To: cygwin@cygwin.com
Subject: Re: No way to use ssh ~/.ssh/config with "noacl" option
Date: Sat, 04 Nov 2017 13:31:00 -0000	[thread overview]
Message-ID: <59FDC12F.1080005@codespunk.com> (raw)
In-Reply-To: <59FDA8D9.6050808@gmail.com>
On 11/4/2017 7:47 AM, Matt D. wrote:
> On 11/4/2017 7:37 AM, Corinna Vinschen wrote:
>> On Nov  4 05:47, Matt D. wrote:
>>> I mount with "noacl" as I don't need ACLs for my purposes and prefer to
>>> leave everything up to Windows permissions.
>>>
>>> The problem with this is that ssh insists that ~/.ssh/config be less
>>> permissive. But this file is bound to --rw-r--r-- for this option.
>>>
>>> Would it be appropriate to request ssh to ignore this requirement when
>>> "noacl" present on the mounted volume?
>>
>> Yes, in theory.  However, this shouldn't be necessary.
>>
>> Ssh already has code to check extreme perms only in "acl" mounted
>> directories, but it does not have this extra check for config files,
>> basically because it was never necessary:
>>
>> If you use noacl, your file perms are faked to always be 644, or
>> 444 if the DOS R/O bit is set, or 755/555 if executable/directory.
>> Additionally all files are faked as if they are owned by your own
>> account.
>>
>> Ssh checks the config file like this:
>>
>>    if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
>>        (sb.st_mode & 022) != 0))
>>       fatal("Bad owner or permissions on %s", filename);
>>
>> Which means, 0644 permissions are perfectly fine.  As are 755 perms
>> for the ~/.ssh and ~ dirs.
>>
>> I just mounted my home dir "noacl".  The perms are as expected:
>>
>>    $ ls -ld . .ssh .ssh/config .ssh/id_local
>>    drwxr-xr-x 1 corinna vinschen    0 Nov  4 12:27 .
>>    drwxr-xr-x 1 corinna vinschen    0 Mar 14  2017 .ssh
>>    -rw-r--r-- 1 corinna vinschen  703 Jan 19  2017 .ssh/config
>>    -rw-r--r-- 1 corinna vinschen 7329 Jan 12  2017 .ssh/id_local
>>
>> Note especially the too open perms in case of the private keyfile
>> "id_local".  Still, I can ssh into one of my other machines just fine.
>>
>> How come this doesn't work for you?
>>
>>
>> Corinna
>>
>
> I don't know why it doesn't work for me other than the reported error. I
> am trying to use ssh combined with git. My .ssh permissions are:
>
> $ ls -ld . .ssh .ssh/config .ssh/github
> drwxr-xr-x 1 Matthew D'Onofrio None    0 Nov  4 06:42 .
> drwxr-xr-x 1 Matthew D'Onofrio None    0 Nov  4 04:51 .ssh
> -rw-r--r-- 1 Matthew D'Onofrio None   80 Nov  4 04:51 .ssh/config
> -rw-r--r-- 1 Matthew D'Onofrio None 3243 Nov  3 10:53 .ssh/github
>
> I removed the noacl option in fstab, re-ran Cygwin setup, set
> .ssh/config to 600 and ssh was happy. I then reverted back to noacl and
> the problem returned.
>
> I'm in the process of trying to build openssh with cygpath for debugging
> but this is my first time building anything from Cygwin or using
> cygports so it's taking some time.
>
>
> Matt D.

Please stand by. Looking into this further.


Matt D.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
