* RE: Is RSA authentication on SSH still broken?
@ 2002-11-06 16:19 Harig, Mark A.
2002-11-06 22:59 ` Corinna Vinschen
0 siblings, 1 reply; 19+ messages in thread
From: Harig, Mark A. @ 2002-11-06 16:19 UTC (permalink / raw)
To: Antonio Bemfica, cygwin
>
> chmod 755 $HOME/.ssh
> chmod 644 $HOME/.ssh/authorized_keys*
>
> I had $HOME set to 700 and authorized_keys* to 600 before and that
> somehow broke RSA authentication - it is odd that stricter permissions
> would cause that. I suppose this is because the SYSTEM or
> sshd user need
> to read the keys and cannot without the appropriate privileges.
>
Could this be a bug in Cygwin's implementation of openssh?
Try the following in a bash shell:
$ /usr/bin/mv ~/.ssh ~/save.ssh
$ /usr/bin/ssh-keygen -t rsa -C "some useful comment"
Then respond to the 'ssh-keygen' prompts by simply
pressing [Enter] (or [Return]). ssh-keygen will
create a new ~/.ssh directory for you, along with
the requested ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub
files.
After ssh-keygen has completed, set up your
authorized_keys2 file:
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys2
$ ls -ld ~/.ssh
ssh-keygen created a ~/.ssh directory with the
permissions set to 700. (These permissions match
what ssh-keygen does on my Linux installation.)
But if you attempt to connect to your Cygwin system
via ssh, you'll find that you cannot, unless you make
the permissions less restrictive, that is
"chmod 755 ~/.ssh".
Similarly, if ~/.ssh/authorized_keys* is set to 600
on Linux, then ssh works without errors, but if you set
the file permissions to 644, then it might work, but
I have had some versions of ssh issue a warning that
the permissions for ~/.ssh/authorized_keys are "too open".
In other words, ssh should work with the more secure
setting of 600, but does not on Cygwin.
In the meantime, the following rules appear to be in effect:
Cygwin:
chmod 755 ~/.ssh
chmod 644 ~/.ssh/authorized_keys*
Non-Cygwin:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys*
---
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Bug reporting: http://cygwin.com/bugs.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
* Re: Is RSA authentication on SSH still broken?
2002-11-06 16:19 Is RSA authentication on SSH still broken? Harig, Mark A.
@ 2002-11-06 22:59 ` Corinna Vinschen
0 siblings, 0 replies; 19+ messages in thread
From: Corinna Vinschen @ 2002-11-06 22:59 UTC (permalink / raw)
To: cygwin
On Wed, Nov 06, 2002 at 07:19:40PM -0500, Harig, Mark A. wrote:
> >
> > chmod 755 $HOME/.ssh
> > chmod 644 $HOME/.ssh/authorized_keys*
> >
> > I had $HOME set to 700 and authorized_keys* to 600 before and that
> > somehow broke RSA authentication - it is odd that stricter permissions
> > would cause that. I suppose this is because the SYSTEM or
> > sshd user need
> > to read the keys and cannot without the appropriate privileges.
> >
>
> Could this be a bug in Cygwin's implementation of openssh?
It isn't. It's a problem with the permission model of NTFS. Even
though SYSTEM is *the* major player on the machine, it gets an
"access denied" if it has no permissions on a file. Don't ask for
my opinion on this behaviour.
However, since NTFS uses ACLs, you can give SYSTEM explicitly access
to the file:
[~/.ssh]$ chmod 600 authorized_keys
[~/.ssh]$ getfacl authorized_keys
# file: authorized_keys
# owner: corinna
# group: root
user::rw-
group::---
mask::---
other::---
[~/.ssh]$ setfacl -m g:SYSTEM:r-- authorized_keys
[~/.ssh]$ getfacl authorized_keys
# file: authorized_keys
# owner: corinna
# group: root
user::rw-
group::---
group:SYSTEM:r--
mask::---
other::---
HTH,
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin@cygwin.com
Red Hat, Inc.
* RE: Is RSA authentication on SSH still broken?
@ 2002-11-11 9:06 Harig, Mark A.
0 siblings, 0 replies; 19+ messages in thread
From: Harig, Mark A. @ 2002-11-11 9:06 UTC (permalink / raw)
To: cygwin
> >
> > OK. So, it appears that Cygwin users
> > of openssh have one of two options:
> >
> > 1. chmod 700 ~
> > chgrp 18 ~/.ssh
> > chmod 750 ~/.ssh
> >
> > or
> >
> > 2. chmod 755 ~
> > chmod 700 ~/.ssh
> >
> > Do you have a recommendation on which of
> > these two options is more secure?
>
> According to what I remember about Unix permissions, 'chmod
> 711 ~' should
> suffice. This will allow anyone to access a subdirectory of
> your $HOME
> *if they know the exact path*. Same with ~/.ssh. You can then make
> authorized_keys world-readable without exposing the rest of your home
> directory.
Are you able to make this work?
1. If I 'chmod 711 ~' and 'chmod 700 ~/.ssh',
then ssh is not able to read my private/public keys
(i.e., it prompts me for a password).
2. If I follow that with 'chmod 750 ~', then ssh
allows access without prompting for a password.
Both of these assume 'chgrp 18 ~'.
* Re: Is RSA authentication on SSH still broken?
2002-11-11 7:57 Harig, Mark A.
@ 2002-11-11 8:53 ` Corinna Vinschen
0 siblings, 0 replies; 19+ messages in thread
From: Corinna Vinschen @ 2002-11-11 8:53 UTC (permalink / raw)
To: cygwin
On Mon, Nov 11, 2002 at 10:57:22AM -0500, Harig, Mark A. wrote:
> > Harig, Mark A. <maharig@idirect.net> wrote:
> I have been using option 1. My question comes from the fact
> that Corinna Vinschen recommended that ~/.ssh be set to 700
> (which is what 'ssh-keygen' sets it to) and that she had
> pointed to my 'chmod 700 ~' as the reason that openssh would
> not work if I set ~/.ssh to 700.
>
> Is there a consensus about what to recommend to Cygwin users,
It's a matter of taste. Personally I let it 755 on ~ and 700
on ~/.ssh. As long as sshd works, it's fine. No worries.
> or does openssh work for some people with both ~ and ~/.ssh
> set to 700?
It can't, except there is that additional ACE for SYSTEM in the
~/.ssh ACL.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin@cygwin.com
Red Hat, Inc.
* RE: Is RSA authentication on SSH still broken?
2002-11-11 7:32 Harig, Mark A.
2002-11-11 7:41 ` Max Bowsher
@ 2002-11-11 8:48 ` Igor Pechtchanski
1 sibling, 0 replies; 19+ messages in thread
From: Igor Pechtchanski @ 2002-11-11 8:48 UTC (permalink / raw)
To: Harig, Mark A.; +Cc: cygwin
On Mon, 11 Nov 2002, Harig, Mark A. wrote:
> > > chmod 700 ~ && \
> > ^^^^^^^^^^^
> > This is your problem. By setting home and .ssh to 700 you
> > disallow sshd to
> > stat() ~/.ssh. Cygwin has two chances to retrieve
> > information about a file
> > or directory, by either calling FindFileFirst() or by trying
> > to open the
> > file and calling various Win32 access functions.
> >
> > FindFileFirst() requires to have read permissions on the
> > parent directory,
> > opening the file/dir requires read permissions on it. If home as well
> > as .ssh are 700, sshd has neither of these rights ==> The
> > check for .ssh
> > fails.
>
> OK. So, it appears that Cygwin users
> of openssh have one of two options:
>
> 1. chmod 700 ~
> chgrp 18 ~/.ssh
> chmod 750 ~/.ssh
>
> or
>
> 2. chmod 755 ~
> chmod 700 ~/.ssh
>
> Do you have a recommendation on which of
> these two options is more secure?
According to what I remember about Unix permissions, 'chmod 711 ~' should
suffice. This will allow anyone to access a subdirectory of your $HOME
*if they know the exact path*. Same with ~/.ssh. You can then make
authorized_keys world-readable without exposing the rest of your home
directory.
Igor
--
http://cs.nyu.edu/~pechtcha/
|\ _,,,---,,_ pechtcha@cs.nyu.edu
ZZZzz /,`.-'`' -. ;-;;,_ igor@watson.ibm.com
|,4- ) )-,_. ,\ ( `'-' Igor Pechtchanski
'---''(_/--' `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-. Meow!
"Water molecules expand as they grow warmer" (C) Popular Science, Oct'02, p.51
* RE: Is RSA authentication on SSH still broken?
@ 2002-11-11 7:57 Harig, Mark A.
2002-11-11 8:53 ` Corinna Vinschen
0 siblings, 1 reply; 19+ messages in thread
From: Harig, Mark A. @ 2002-11-11 7:57 UTC (permalink / raw)
To: cygwin
>
> Harig, Mark A. <maharig@idirect.net> wrote:
> > OK. So, it appears that Cygwin users
> > of openssh have one of two options:
> >
> > 1. chmod 700 ~
> > chgrp 18 ~/.ssh
> > chmod 750 ~/.ssh
> >
> > or
> >
> > 2. chmod 755 ~
> > chmod 700 ~/.ssh
> >
> > Do you have a recommendation on which of
> > these two options is more secure?
>
> I'm assuming you meant:
> $ chmod 750 ~
> $ chgrp 18 ~
> $ chmod 700 ~/.ssh
> Since obviously world-readable ~ is less secure than
> user-only-readable ~.
>
> In which case, 1. seems better to me, because it actually
> grants SYSTEM
> permissions where it needs them, rather than granting them
> somewhere else
> and Windows weirdness making things work.
>
>
I have been using option 1. My question comes from the fact
that Corinna Vinschen recommended that ~/.ssh be set to 700
(which is what 'ssh-keygen' sets it to) and that she had
pointed to my 'chmod 700 ~' as the reason that openssh would
not work if I set ~/.ssh to 700.
Is there a consensus about what to recommend to Cygwin users,
or does openssh work for some people with both ~ and ~/.ssh
set to 700? (In which case, multiple recommendations would
need to be made.)
* Re: Is RSA authentication on SSH still broken?
2002-11-11 7:32 Harig, Mark A.
@ 2002-11-11 7:41 ` Max Bowsher
2002-11-11 8:48 ` Igor Pechtchanski
1 sibling, 0 replies; 19+ messages in thread
From: Max Bowsher @ 2002-11-11 7:41 UTC (permalink / raw)
To: Harig, Mark A., cygwin
Harig, Mark A. <maharig@idirect.net> wrote:
> OK. So, it appears that Cygwin users
> of openssh have one of two options:
>
> 1. chmod 700 ~
> chgrp 18 ~/.ssh
> chmod 750 ~/.ssh
>
> or
>
> 2. chmod 755 ~
> chmod 700 ~/.ssh
>
> Do you have a recommendation on which of
> these two options is more secure?
I'm assuming you meant:
$ chmod 750 ~
$ chgrp 18 ~
$ chmod 700 ~/.ssh
Since obviously world-readable ~ is less secure than user-only-readable ~.
In which case, 1. seems better to me, because it actually grants SYSTEM
permissions where it needs them, rather than granting them somewhere else
and Windows weirdness making things work.
* RE: Is RSA authentication on SSH still broken?
@ 2002-11-11 7:32 Harig, Mark A.
2002-11-11 7:41 ` Max Bowsher
2002-11-11 8:48 ` Igor Pechtchanski
0 siblings, 2 replies; 19+ messages in thread
From: Harig, Mark A. @ 2002-11-11 7:32 UTC (permalink / raw)
To: cygwin
> > chmod 700 ~ && \
> ^^^^^^^^^^^
> This is your problem. By setting home and .ssh to 700 you
> disallow sshd to
> stat() ~/.ssh. Cygwin has two chances to retrieve
> information about a file
> or directory, by either calling FindFileFirst() or by trying
> to open the
> file and calling various Win32 access functions.
>
> FindFileFirst() requires to have read permissions on the
> parent directory,
> opening the file/dir requires read permissions on it. If home as well
> as .ssh are 700, sshd has neither of these rights ==> The
> check for .ssh
> fails.
OK. So, it appears that Cygwin users
of openssh have one of two options:
1. chmod 700 ~
chgrp 18 ~/.ssh
chmod 750 ~/.ssh
or
2. chmod 755 ~
chmod 700 ~/.ssh
Do you have a recommendation on which of
these two options is more secure?
* Re: Is RSA authentication on SSH still broken?
2002-11-08 8:37 Harig, Mark A.
2002-11-08 9:04 ` Max Bowsher
@ 2002-11-08 9:58 ` Corinna Vinschen
1 sibling, 0 replies; 19+ messages in thread
From: Corinna Vinschen @ 2002-11-08 9:58 UTC (permalink / raw)
To: cygwin
On Fri, Nov 08, 2002 at 11:37:11AM -0500, Harig, Mark A. wrote:
> chmod 700 ~ && \
^^^^^^^^^^^
This is your problem. By setting home and .ssh to 700 you disallow sshd to
stat() ~/.ssh. Cygwin has two chances to retrieve information about a file
or directory, by either calling FindFileFirst() or by trying to open the
file and calling various Win32 access functions.
FindFileFirst() requires to have read permissions on the parent directory,
opening the file/dir requires read permissions on it. If home as well
as .ssh are 700, sshd has neither of these rights ==> The check for .ssh
fails.
Qed,
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin@cygwin.com
Red Hat, Inc.
* Re: Is RSA authentication on SSH still broken?
2002-11-08 8:37 Harig, Mark A.
@ 2002-11-08 9:04 ` Max Bowsher
2002-11-08 9:58 ` Corinna Vinschen
1 sibling, 0 replies; 19+ messages in thread
From: Max Bowsher @ 2002-11-08 9:04 UTC (permalink / raw)
To: Harig, Mark A., cygwin
Harig, Mark A. <maharig@idirect.net> wrote:
>> On Thu, Nov 07, 2002 at 06:54:48PM -0500, Harig, Mark A. wrote:
>>> I must be missing a piece of information. Setting the
>>> permissions of ~/.ssh to 700 causes ssh to require me
>>> to enter a password, that is, the encryption-key processing
>>> is failing. Setting the permissions of ~/.ssh to 750 (if
>>> the group setting is SYSTEM) or to 755 (if the group setting
>>> is not SYSTEM) allows ssh to access the encryption-key files.
>>
>> Are you actually sure? The permissions of directories don't
>> influence the permissions to the underlying files and directories
>> unless an administrator changes the setting of the above "Bypass
>> traverse checking"
>> user right. Just to be sure I did check that yesterday on my
>> system so
>> I'm pretty confident.
>>
>> "Bypass traverse checking" is on by default for Everyone. This is
>> annoyingly different from UNIX file systems from my point of view
>> but AFAIK professional Windows admins like it. And since it's the
>> default and most users don't know what it's doing anyway, I don't
>> change it on my test system, too.
>>
>
> Hmm. I'm sorry to be so dense, but:
>
> 1) I had never heard of "Bypass traverse checking" so I'm
> pretty sure that I haven't changed it.
secpol.msc -> Local Policies -> User Rights Assignment
Could someone else? Because that's the only reason I can think of for the
behaviour you describe above.
> 2) Am I sure that I cannot use ~/.ssh if the mode is set to 700?
> Changing the permissions for ~/.ssh to 750 or 755 has been
> the solution for me and for a number of other users that
> I've suggested it to. Are we all doing something wrong? (a
> possibility, of course)
>
> The following script sets everything up for me (of course,
> I respond to the ssh-keygen prompts):
>
> #!/bin/bash
> umask 0022 && \
> chmod 700 ~ && \
> mv ~/.ssh ~/save.ssh && \
> ssh-keygen -t rsa -C "some useful comment" -f ~/.ssh/id_rsa && \
> cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys2
>
> This causes ssh-keygen to create ~/.ssh with whatever permissions
> it thinks are correct (i.e., 700). (I'm running sshd on Win2K
> using
> NTFS, Cygwin DLL 1.3.15, CYGWIN=ntsec, StrictMode=yes,
> UsePrivilegeSeparation=yes) After this script completes, I
> attempt to connect to my ssh server from the machine that is
> running the server.
> I can connect, but only if I provide my password. Conversely, if
> I set the permissions of ~/.ssh to 755, then I can connect
> without providing my password.
One way to debug this is:
Install a second ssh service, to run with command line parameters -Dddde.
This sets debug mode (side effect: sshd dies after one connection).
Now try logging on, and verbose debug output will be written to
/var/log/<serviceshortname>.log by cygrunsrv.
Post the logs of a password and a pubkey logon. Hopefully that should reveal
what is happening.
Max.
* RE: Is RSA authentication on SSH still broken?
@ 2002-11-08 8:37 Harig, Mark A.
2002-11-08 9:04 ` Max Bowsher
2002-11-08 9:58 ` Corinna Vinschen
0 siblings, 2 replies; 19+ messages in thread
From: Harig, Mark A. @ 2002-11-08 8:37 UTC (permalink / raw)
To: cygwin
>
> On Thu, Nov 07, 2002 at 06:54:48PM -0500, Harig, Mark A. wrote:
> > I must be missing a piece of information. Setting the
> > permissions of ~/.ssh to 700 causes ssh to require me
> > to enter a password, that is, the encryption-key processing
> > is failing. Setting the permissions of ~/.ssh to 750 (if
> > the group setting is SYSTEM) or to 755 (if the group setting
> > is not SYSTEM) allows ssh to access the encryption-key files.
>
> Are you actually sure? The permissions of directories don't influence
> the permissions to the underlying files and directories unless an
> administrator changes the setting of the above "Bypass
> traverse checking"
> user right. Just to be sure I did check that yesterday on my
> system so
> I'm pretty confident.
>
> "Bypass traverse checking" is on by default for Everyone. This is
> annoyingly different from UNIX file systems from my point of view
> but AFAIK professional Windows admins like it. And since it's the
> default and most users don't know what it's doing anyway, I don't
> change it on my test system, too.
>
Hmm. I'm sorry to be so dense, but:
1) I had never heard of "Bypass traverse checking" so I'm
pretty sure that I haven't changed it.
2) Am I sure that I cannot use ~/.ssh if the mode is set to 700?
Changing the permissions for ~/.ssh to 750 or 755 has been
the solution for me and for a number of other users that
I've suggested it to. Are we all doing something wrong? (a
possibility, of course)
The following script sets everything up for me (of course,
I respond to the ssh-keygen prompts):
#!/bin/bash
umask 0022 && \
chmod 700 ~ && \
mv ~/.ssh ~/save.ssh && \
ssh-keygen -t rsa -C "some useful comment" -f ~/.ssh/id_rsa && \
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys2
This causes ssh-keygen to create ~/.ssh with whatever permissions
it thinks are correct (i.e., 700). (I'm running sshd on Win2K
using
NTFS, Cygwin DLL 1.3.15, CYGWIN=ntsec, StrictMode=yes,
UsePrivilegeSeparation=yes) After this script completes, I attempt
to connect to my ssh server from the machine that is running the
server.
I can connect, but only if I provide my password. Conversely, if
I set the permissions of ~/.ssh to 755, then I can connect without
providing my password.
Am I doing something wrong, or assuming something that is false?
* Re: Is RSA authentication on SSH still broken?
2002-11-07 15:54 Harig, Mark A.
@ 2002-11-08 0:47 ` Corinna Vinschen
0 siblings, 0 replies; 19+ messages in thread
From: Corinna Vinschen @ 2002-11-08 0:47 UTC (permalink / raw)
To: cygwin
On Thu, Nov 07, 2002 at 06:54:48PM -0500, Harig, Mark A. wrote:
> I must be missing a piece of information. Setting the
> permissions of ~/.ssh to 700 causes ssh to require me
> to enter a password, that is, the encryption-key processing
> is failing. Setting the permissions of ~/.ssh to 750 (if
> the group setting is SYSTEM) or to 755 (if the group setting
> is not SYSTEM) allows ssh to access the encryption-key files.
Are you actually sure? The permissions of directories don't influence
the permissions to the underlying files and directories unless an
administrator changes the setting of the above "Bypass traverse checking"
user right. Just to be sure I did check that yesterday on my system so
I'm pretty confident.
"Bypass traverse checking" is on by default for Everyone. This is
annoyingly different from UNIX file systems from my point of view
but AFAIK professional Windows admins like it. And since it's the
default and most users don't know what it's doing anyway, I don't
change it on my test system, too.
> > Second, I don't see the point in setting the permissions of
> > .ssh/authorized_keys to 0600 at all. The content of that
> > file is a list
> > of the *public* part of the keys so it's their intent to be
> > readable by
> > anybody.
>
> That was my understanding also. I assumed that my understanding
> was incorrect because ssh would report that my permissions for
> ~/.ssh/authorized_keys were too open. I'm unable to reproduce that
> at this time. This issue is closed as far as I am concerned, until
> I can reproduce the problem.
OpenSSH is a UNIX-centric application as most are in the Cygwin distro.
As such, OpenSSH checks permissions in a UNIX sense. Actually, OpenSSH
checks also the permissions of the parent directory chain up to the
users home directory. It requires as minimum
755 on ~
755 on ~/.ssh
644 on ~/.ssh/authorized_keys
as long as StrictModes is on. If one of them doesn't meet that
requirements, sshd complains.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin@cygwin.com
Red Hat, Inc.
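
The UNIX-sense check described in the message above (StrictModes walking from authorized_keys up to the user's home directory) can be reproduced with a short audit script. This is an added example, not part of the original thread and not OpenSSH's own code; the function names are hypothetical, GNU stat is assumed, and it looks only at ownership and mode bits, not at the NTFS ACL entries for SYSTEM discussed elsewhere in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit the path chain that sshd
# inspects when StrictModes is on. Assumes GNU stat (Linux, Cygwin).

# check_one PATH UID: report PATH if it is owned by someone other than
# UID or root, or if it is writable by group or others.
check_one() {
    info=$(stat -c '%a %u' -- "$1") || { echo "cannot stat: $1"; return 1; }
    mode=${info% *}
    owner=${info#* }
    if [ "$owner" != "$2" ] && [ "$owner" != 0 ]; then
        echo "bad owner ($owner): $1"
        return 1
    fi
    # 022 = group-write | other-write; the leading 0 makes $mode octal.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "too open ($mode): $1"
        return 1
    fi
    return 0
}

# audit_chain KEYFILE HOMEDIR [UID]
# Checks KEYFILE and every directory between it and HOMEDIR (inclusive).
# Returns 0 if all pass, 1 if any component fails, 2 on a usage error.
audit_chain() {
    keyfile=$1 home=${2%/} uid=${3:-$(id -u)}
    rc=0
    case $keyfile in
        "$home"/*) ;;
        *) echo "not under home: $keyfile"; return 2 ;;
    esac
    [ -f "$keyfile" ] || { echo "not a regular file: $keyfile"; return 2; }
    p=$keyfile
    while :; do
        check_one "$p" "$uid" || rc=1
        [ "$p" = "$home" ] && break
        p=$(dirname -- "$p")
        # Guard against paths that never reach HOMEDIR (e.g. "..").
        case $p in /|.) echo "left home chain: $keyfile"; return 2 ;; esac
    done
    return $rc
}

# Usage: sh audit.sh ~/.ssh/authorized_keys "$HOME"
if [ "$#" -ge 2 ]; then
    audit_chain "$1" "$2"
fi
```

Both permission sets listed in the thread (755/644 and 700/600) pass this check; only a group- or world-writable component, or a foreign owner, is reported.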
* RE: Is RSA authentication on SSH still broken?
@ 2002-11-07 15:54 Harig, Mark A.
2002-11-08 0:47 ` Corinna Vinschen
0 siblings, 1 reply; 19+ messages in thread
From: Harig, Mark A. @ 2002-11-07 15:54 UTC (permalink / raw)
To: cygwin
>
> First, the directory permission doesn't restrict the access for SYSTEM
> due to the standard "Bypass traverse checking" setting on NT.
> So setting
> the .ssh permissions to 0700 is perfectly fine.
>
I must be missing a piece of information. Setting the
permissions of ~/.ssh to 700 causes ssh to require me
to enter a password, that is, the encryption-key processing
is failing. Setting the permissions of ~/.ssh to 750 (if
the group setting is SYSTEM) or to 755 (if the group setting
is not SYSTEM) allows ssh to access the encryption-key files.
> Second, I don't see the point in setting the permissions of
> .ssh/authorized_keys to 0600 at all. The content of that
> file is a list
> of the *public* part of the keys so it's their intent to be
> readable by
> anybody.
That was my understanding also. I assumed that my understanding
was incorrect because ssh would report that my permissions for
~/.ssh/authorized_keys were too open. I'm unable to reproduce that
at this time. This issue is closed as far as I am concerned, until
I can reproduce the problem.
* Re: Is RSA authentication on SSH still broken?
2002-11-07 8:51 Harig, Mark A.
@ 2002-11-07 9:31 ` Corinna Vinschen
0 siblings, 0 replies; 19+ messages in thread
From: Corinna Vinschen @ 2002-11-07 9:31 UTC (permalink / raw)
To: cygwin
On Thu, Nov 07, 2002 at 11:51:16AM -0500, Harig, Mark A. wrote:
> Thank you for the clarification!
>
> This presents an interesting situation.
> Users who run 'ssh-keygen' (either directly,
> or indirectly using 'ssh-host-config'),
> find that they are not able to run ssh
> because of the permissions of ~/.ssh/
> (and, later, ~/.ssh/authorized_keys*), even
> though their permissions are set to the
> "correct" values.
>
> Shouldn't this all be included in
> /usr/doc/Cygwin/openssh*README? Namely,
>
> 1) If you want the most secure ssh connection,
> then you will need to follow Corinna Vinschen's
> instructions below to set ACLs for both ~/.ssh/
> and ~/.ssh/authorized_keys*.
>
> 2) If you don't want to attempt to manipulate
> ACLs, then simply chmod 755 ~/.ssh/ and
> chmod 644 ~/.ssh/authorized_keys.
>
> What about a third alternative?
>
> $ chgrp system ~/.ssh/ ~/.ssh/authorized_keys*
> $ chmod 750 ~/.ssh/
> $ chmod 640 ~/.ssh/authorized_keys*
>
> This works, but does it merely give the illusion of
> more security without actually making the files secure?
First, the directory permission doesn't restrict the access for SYSTEM
due to the standard "Bypass traverse checking" setting on NT. So setting
the .ssh permissions to 0700 is perfectly fine.
Second, I don't see the point in setting the permissions of
.ssh/authorized_keys to 0600 at all. The content of that file is a list
of the *public* part of the keys so it's their intent to be readable by
anybody.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin@cygwin.com
Red Hat, Inc.
* RE: Is RSA authentication on SSH still broken?
@ 2002-11-07 8:51 Harig, Mark A.
2002-11-07 9:31 ` Corinna Vinschen
0 siblings, 1 reply; 19+ messages in thread
From: Harig, Mark A. @ 2002-11-07 8:51 UTC (permalink / raw)
To: cygwin
Thank you for the clarification!
This presents an interesting situation.
Users who run 'ssh-keygen' (either directly,
or indirectly using 'ssh-host-config'),
find that they are not able to run ssh
because of the permissions of ~/.ssh/
(and, later, ~/.ssh/authorized_keys*), even
though their permissions are set to the
"correct" values.
Shouldn't this all be included in
/usr/doc/Cygwin/openssh*README? Namely,
1) If you want the most secure ssh connection,
then you will need to follow Corinna Vinschen's
instructions below to set ACLs for both ~/.ssh/
and ~/.ssh/authorized_keys*.
2) If you don't want to attempt to manipulate
ACLs, then simply chmod 755 ~/.ssh/ and
chmod 644 ~/.ssh/authorized_keys.
What about a third alternative?
$ chgrp system ~/.ssh/ ~/.ssh/authorized_keys*
$ chmod 750 ~/.ssh/
$ chmod 640 ~/.ssh/authorized_keys*
This works, but does it merely give the illusion of
more security without actually making the files secure?
> >
> > Could this be a bug in Cygwin's implementation of openssh?
>
> It isn't. It's a problem with the permission model of NTFS. Even
> though SYSTEM is *the* major player on the machine, it gets an
> "access denied" if it has no permissions on a file. Don't ask for
> my opinion on this behaviour.
>
> However, since NTFS uses ACLs, you can give SYSTEM explicitly access
> to the file:
>
> [~/.ssh]$ chmod 600 authorized_keys
> [~/.ssh]$ getfacl authorized_keys
> # file: authorized_keys
> # owner: corinna
> # group: root
> user::rw-
> group::---
> mask::---
> other::---
> [~/.ssh]$ setfacl -m g:SYSTEM:r-- authorized_keys
> [~/.ssh]$ getfacl authorized_keys
> # file: authorized_keys
> # owner: corinna
> # group: root
> user::rw-
> group::---
> group:SYSTEM:r--
> mask::---
> other::---
>
> HTH,
> Corinna
>
> --
> Corinna Vinschen Please, send mails regarding Cygwin to
> Cygwin Developer mailto:cygwin@cygwin.com
> Red Hat, Inc.
* RE: Is RSA authentication on SSH still broken?
2002-11-05 15:55 Harig, Mark A.
@ 2002-11-06 14:26 ` Antonio Bemfica
0 siblings, 0 replies; 19+ messages in thread
From: Antonio Bemfica @ 2002-11-06 14:26 UTC (permalink / raw)
To: Harig, Mark A.; +Cc: cygwin
Thanks very much for the help! This did it:
chmod 755 $HOME/.ssh
chmod 644 $HOME/.ssh/authorized_keys*
I had $HOME set to 700 and authorized_keys* to 600 before and that
somehow broke RSA authentication - it is odd that stricter permissions
would cause that. I suppose this is because the SYSTEM or sshd user need
to read the keys and cannot without the appropriate privileges.
Thanks again.
Antonio
On Tue, 2002-11-05 at 18:55, Harig, Mark A. wrote:
> I am able to use SSH with public/private-key files.
> ssh is working on Cygwin, both as a client and
> as a server, at least on Win2K.
>
> # Cygwin version:
> $ uname -r
> 1.3.14(0.62/3/2)
>
> # Windows version:
> $ uname -s
> CYGWIN_NT-5.0
>
> # ssh version
> $ ssh -V
> OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
>
> My guess is that your problem is related to file/directory
> permissions. One permission problem I found is that
> 'ssh-keygen' creates a ~/.ssh directory (if you don't
> have one already) with permissions set to 700. I found
> that I had to change these to 755.
>
> Here are the file permissions you should check:
>
> 1. $HOME - Your home directory should be set to 700.
> Only you need access to your home directory.
>
> 2. $HOME/.ssh - Try setting this to 755.
>
> 3. $HOME/.ssh/authorized_keys* - Turn off write
> permission for anyone other than you, turn on
> read permission for everyone. One possible
> setting for this is:
>
> $ chmod 644 $HOME/.ssh/authorized_keys*
>
> Of course, only 'identity.pub' keys should be
> in 'authorized_keys' and only 'id_rsa.pub'/'id_dsa.pub'
> should be in 'authorized_keys2', depending upon
> the type(s) of encryption you chose.
>
> 4. $HOME/.ssh/<private keys> -
> Of course, only you should have any permissions
> for your private key files 'identity', 'id_rsa',
> or 'id_dsa' (you need at least one of these).
>
> $ chmod 600 identity (or id_rsa or id_dsa, etc.)
>
>
> > -----Original Message-----
> > From: Antonio Bemfica [mailto:antonio@axolotl.ic.gc.ca]
> > Sent: Tuesday, November 05, 2002 5:32 PM
> > To: cygwin@cygwin.com
> > Subject: Is RSA authentication on SSH still broken?
> >
> >
> > Hello
> >
> > Could someone clarify whether RSA authentication is still not possible
> > when running SSH as the SYSTEM user? I have Cygwin 1.3.14-1
> > and OpenSSH
> > 3.4p1-5 and can only login via password authentication (I am familiar
> > with the process to effect RSA authentication under Unix). I have also
> > tightened permissions on the key files, home directory, etc.
> >
> > The /usr/doc/Cygwin/openssh-3.4p1-5.README file mentions that "The
> > following restrictions only apply to Cygwin versions up to 1.3.1" - is
> > it safe to assume that I should be able to get it running, since I am
> > using 1.3.14-1? I will stop trying otherwise!
> >
> > Thanks a lot for the help.
> >
> > A.
* RE: Is RSA authentication on SSH still broken?
@ 2002-11-05 16:03 Harig, Mark A.
0 siblings, 0 replies; 19+ messages in thread
From: Harig, Mark A. @ 2002-11-05 16:03 UTC (permalink / raw)
To: Antonio Bemfica, cygwin

Also, if checking your file/directory permissions does
not solve your problem, then please consider the
bug-reporting guidelines for Cygwin -

As requested at http://cygwin.com/bugs.html:

  o Please describe how to reproduce the problem,
    including a test case, if possible.

  o Please include at least the version number of the
    Cygwin release you are using along with the
    operating system name and its version number,
    for example, "cygwin v1.3.13 under NT 4.0".

  o Most of the information about your Cygwin environment
    is listed by running 'cygcheck -s -v -r > cygcheck.txt'.
    Please include cygcheck.txt *AS AN ATTACHMENT* to your
    report. It is important that you include it as an
    attachment so that searches of the mailing-list archives
    give fewer false matches.

> -----Original Message-----
> From: Antonio Bemfica [mailto:antonio@axolotl.ic.gc.ca]
> Sent: Tuesday, November 05, 2002 5:32 PM
> To: cygwin@cygwin.com
> Subject: Is RSA authentication on SSH still broken?
>
>
> Hello
>
> Could someone clarify whether RSA authentication is still not possible
> when running SSH as the SYSTEM user? I have Cygwin 1.3.14-1
> and OpenSSH
> 3.4p1-5 and can only login via password authentication (I am familiar
> with the process to effect RSA authentication under Unix). I have also
> tightened permissions on the key files, home directory, etc.
>
> The /usr/doc/Cygwin/openssh-3.4p1-5.README file mentions that "The
> following restrictions only apply to Cygwin versions up to 1.3.1" - is
> it safe to assume that I should be able to get it running, since I am
> using 1.3.14-1? I will stop trying otherwise!
>
> Thanks a lot for the help.
>
> A.
^ permalink raw reply [flat|nested] 19+ messages in thread
* RE: Is RSA authentication on SSH still broken?
@ 2002-11-05 15:55 Harig, Mark A.
2002-11-06 14:26 ` Antonio Bemfica
0 siblings, 1 reply; 19+ messages in thread
From: Harig, Mark A. @ 2002-11-05 15:55 UTC (permalink / raw)
To: Antonio Bemfica, cygwin

I am able to use SSH with public/private-key files.
ssh is working on Cygwin, both as a client and
as a server, at least on Win2K.

# Cygwin version:
$ uname -r
1.3.14(0.62/3/2)

# Windows version:
$ uname -s
CYGWIN_NT-5.0

# ssh version
$ ssh -V
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f

My guess is that your problem is related to file/directory
permissions. One permission problem I found is that
'ssh-keygen' creates a ~/.ssh directory (if you don't
have one already) with permissions set to 700. I found
that I had to change these to 755.

Here are the file permissions you should check:

1. $HOME - Your home directory should be set to 700.
   Only you need access to your home directory.

2. $HOME/.ssh - Try setting this to 755.

3. $HOME/.ssh/authorized_keys* - Turn off write
   permission for anyone other than you, turn on
   read permission for everyone. One possible
   setting for this is:

   $ chmod 644 $HOME/.ssh/authorized_keys*

   Of course, only 'identity.pub' keys should be
   in 'authorized_keys' and only 'id_rsa.pub'/'id_dsa.pub'
   should be in 'authorized_keys2', depending upon
   the type(s) of encryption you chose.

4. $HOME/.ssh/<private keys> -
   Of course, only you should have any permissions
   for your private key files 'identity', 'id_rsa',
   or 'id_dsa' (you need at least one of these).

   $ chmod 600 identity (or id_rsa or id_dsa, etc.)

> -----Original Message-----
> From: Antonio Bemfica [mailto:antonio@axolotl.ic.gc.ca]
> Sent: Tuesday, November 05, 2002 5:32 PM
> To: cygwin@cygwin.com
> Subject: Is RSA authentication on SSH still broken?
>
>
> Hello
>
> Could someone clarify whether RSA authentication is still not possible
> when running SSH as the SYSTEM user? I have Cygwin 1.3.14-1
> and OpenSSH
> 3.4p1-5 and can only login via password authentication (I am familiar
> with the process to effect RSA authentication under Unix). I have also
> tightened permissions on the key files, home directory, etc.
>
> The /usr/doc/Cygwin/openssh-3.4p1-5.README file mentions that "The
> following restrictions only apply to Cygwin versions up to 1.3.1" - is
> it safe to assume that I should be able to get it running, since I am
> using 1.3.14-1? I will stop trying otherwise!
>
> Thanks a lot for the help.
>
> A.
^ permalink raw reply [flat|nested] 19+ messages in thread
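
The permission checklist in the message above, written as a repeatable audit. This is an added example, not part of the original post: the function names, the profile names `thread-cygwin` and `strict`, and the use of GNU `stat -c` are assumptions, and the sample directory is constructed.

```shell
#!/usr/bin/env bash
# Added example: audit an .ssh directory against the permission rules in this thread.
# Assumption: GNU stat ("stat -c %a"), as shipped with Cygwin and Linux coreutils.

mode_of() { stat -c '%a' "$1"; }   # octal permission bits, e.g. 644

# audit_ssh_dir DIR PROFILE
#   thread-cygwin: .ssh 755, authorized_keys* 644 (the thread's Cygwin workaround)
#   strict:        .ssh 700, authorized_keys* 600 (the thread's non-Cygwin rule)
# Private keys may carry no group/other bits under either profile.
# Prints one line per deviation; the exit status is the number of deviations.
audit_ssh_dir() {
    local dir="$1" profile="$2" want_dir want_auth bad=0 f m
    case "$profile" in
        thread-cygwin) want_dir=755; want_auth=644 ;;
        strict)        want_dir=700; want_auth=600 ;;
        *) echo "unknown profile: $profile" >&2; return 99 ;;
    esac
    m=$(mode_of "$dir")
    [ "$m" = "$want_dir" ] || { echo "DIR  $dir is $m, expected $want_dir"; bad=$((bad + 1)); }
    for f in "$dir"/authorized_keys*; do
        [ -e "$f" ] || continue
        m=$(mode_of "$f")
        [ "$m" = "$want_auth" ] || { echo "AUTH $f is $m, expected $want_auth"; bad=$((bad + 1)); }
    done
    for f in "$dir"/identity "$dir"/id_rsa "$dir"/id_dsa; do
        [ -e "$f" ] || continue
        m=$(mode_of "$f")
        # Leading 0 makes the shell read the mode as octal; 077 masks group/other bits.
        [ $(( 0$m & 077 )) -eq 0 ] || { echo "KEY  $f is $m, group/other bits set"; bad=$((bad + 1)); }
    done
    return "$bad"
}

# Constructed sample: a throwaway directory laid out like the thread's Cygwin workaround.
make_sample() {
    local d
    d="$(mktemp -d)/.ssh"
    mkdir "$d" && : > "$d/authorized_keys2" && : > "$d/id_rsa"
    chmod 755 "$d"; chmod 644 "$d/authorized_keys2"; chmod 600 "$d/id_rsa"
    echo "$d"
}

sample=$(make_sample)
audit_ssh_dir "$sample" thread-cygwin && echo "matches the thread's Cygwin settings"
audit_ssh_dir "$sample" strict || echo "$? deviation(s) from the 700/600 settings"
rm -rf "${sample%/.ssh}"
```

Run against a real directory with `audit_ssh_dir "$HOME/.ssh" strict`; a non-zero exit status is the count of files that differ from the chosen profile.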
* Is RSA authentication on SSH still broken?
@ 2002-11-05 14:32 Antonio Bemfica
0 siblings, 0 replies; 19+ messages in thread
From: Antonio Bemfica @ 2002-11-05 14:32 UTC (permalink / raw)
To: cygwin

Hello

Could someone clarify whether RSA authentication is still not possible
when running SSH as the SYSTEM user? I have Cygwin 1.3.14-1 and OpenSSH
3.4p1-5 and can only login via password authentication (I am familiar
with the process to effect RSA authentication under Unix). I have also
tightened permissions on the key files, home directory, etc.

The /usr/doc/Cygwin/openssh-3.4p1-5.README file mentions that "The
following restrictions only apply to Cygwin versions up to 1.3.1" - is
it safe to assume that I should be able to get it running, since I am
using 1.3.14-1? I will stop trying otherwise!

Thanks a lot for the help.

A.
^ permalink raw reply [flat|nested] 19+ messages in thread