ssh login with [rd]sa key, permissions on keyfile problems

ssh login with [rd]sa key, permissions on keyfile problems

[Fermin Sanchez]

Hello list
 
I thought it might be nice to log on using an rsa or dsa key. So I
created both an rsa and a dsa key using ssh-user-config. The keys were
created in ~/.ssh, and the required changes made to authized_keys.
 
Logging in to the server using
 
ssh -i ~/.ssh/id_rsa -l fermin -v localhost
 
gives me all kind of output, the essential being:
 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '//dcp1/users/fermin/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by
others.
This private key will be ignored.
bad permissions: ignore key: //dcp1/users/fermin/.ssh/id_rsa
Enter passphrase for key '//dcp1/users/fermin/.ssh/id_rsa':

 
After entering the passphrase for my key, there is more:
 
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: password
fermin@localhost's password:

It falls back to 'normal' password authentication, which also works, of
course. But it's not what I had in mind. So I went into ~/.ssh, listed
the contents:
 
$ ls -l
total 6
-rw-r--r--    1 fermin   Domain U      822 Sep 20 15:23 authorized_keys
-rw-r--r--    1 fermin   Domain U      668 Sep 20 15:48 id_dsa
-rw-r--r--    1 fermin   Domain U      601 Sep 20 15:23 id_dsa.pub
-rw-r--r--    1 fermin   Domain U      883 Sep 20 15:48 id_rsa
-rw-r--r--    1 fermin   Domain U      221 Sep 20 15:23 id_rsa.pub
-rw-r--r--    1 fermin   Domain U      220 Sep 20 15:23 known_hosts

 
$ chmod -v 600 id_*sa
mode of `id_dsa' changed to 0600 (rw-------)
mode of `id_rsa' changed to 0600 (rw-------)

 
Unfortunately, the files are not impressed by my actions, and the '-v'
parameter does only show what would have happened in a normal world.
Which my system doesn't seem to be. "chmod -c 600 id_*sa" works
correctly, though, not showing any changes having happened.
 
At this point I figured it must have something to do with NTFS
permissions (being MCSE and all that) and tried to change the
permissions of the id files in Windows (and ownership, while I was at
it). I also mad sure that "StrictModes no" is active in sshd_config,
which it is. 
 
From the windows point of view, everything should be fine, but I think
there's a difference in file rights between *unix systems and Windows:
In Windows, the actual file permission overrides the directory
permission, meaning that you could have access (read/write/whatever) to
a file while not being able to access the directory where the file is.
Don't ask me why or say "that's insane" - it's just the way it is, I
didn't come up with NTFS in the first place. afair from my recent
Solaris course, *nix does it the other way round, directory permissions
always override file permissions? 
 
Not wanting to screw around any more than I already have, could somebody
please confirm that I probably need to adjust the directory permissions
for ~/.ssh (to what, who should be the owner, what about 'other'?), and
then it should work? And of course I will have to turn off inherited
rights on that directory, as well...
 
Because work it did:
 
mkdir /tmp/fermin
cp ~/.ssh/id_rsa /tmp/fermin
chmod 600 /tmp/fermin/id_rsa
ssh -l fermin -i /tmp/fermin/id_rsa localhost
 
... worked like a charm.
 
 
Hopefully, somebody ran into this problem before and can give me a hint
or two? Thanky you!
 
Regards
Fermin


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: ssh login with [rd]sa key, permissions on keyfile problems

[Igor Pechtchanski]

On Sat, 20 Sep 2003, Fermin Sanchez wrote:

> Hello list
>
> I thought it might be nice to log on using an rsa or dsa key. So I
> created both an rsa and a dsa key using ssh-user-config. The keys were
> created in ~/.ssh, and the required changes made to authized_keys.
>
> Logging in to the server using
>
> ssh -i ~/.ssh/id_rsa -l fermin -v localhost
>
> gives me all kind of output, the essential being:
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Permissions 0644 for '//dcp1/users/fermin/.ssh/id_rsa' are too open.
> It is recommended that your private key files are NOT accessible by
> others.
> This private key will be ignored.
> bad permissions: ignore key: //dcp1/users/fermin/.ssh/id_rsa
> Enter passphrase for key '//dcp1/users/fermin/.ssh/id_rsa':
>
>
> After entering the passphrase for my key, there is more:
>
> debug1: Next authentication method: keyboard-interactive
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug1: Next authentication method: password
> fermin@localhost's password:
>
> It falls back to 'normal' password authentication, which also works, of
> course. But it's not what I had in mind. So I went into ~/.ssh, listed
> the contents:
>
> $ ls -l
> total 6
> -rw-r--r--    1 fermin   Domain U      822 Sep 20 15:23 authorized_keys
> -rw-r--r--    1 fermin   Domain U      668 Sep 20 15:48 id_dsa
> -rw-r--r--    1 fermin   Domain U      601 Sep 20 15:23 id_dsa.pub
> -rw-r--r--    1 fermin   Domain U      883 Sep 20 15:48 id_rsa
> -rw-r--r--    1 fermin   Domain U      221 Sep 20 15:23 id_rsa.pub
> -rw-r--r--    1 fermin   Domain U      220 Sep 20 15:23 known_hosts
>
>
> $ chmod -v 600 id_*sa
> mode of `id_dsa' changed to 0600 (rw-------)
> mode of `id_rsa' changed to 0600 (rw-------)
>
>
> Unfortunately, the files are not impressed by my actions, and the '-v'
> parameter does only show what would have happened in a normal world.
> Which my system doesn't seem to be. "chmod -c 600 id_*sa" works
> correctly, though, not showing any changes having happened.
>
> At this point I figured it must have something to do with NTFS
> permissions (being MCSE and all that) and tried to change the
> permissions of the id files in Windows (and ownership, while I was at
> it). I also mad sure that "StrictModes no" is active in sshd_config,
> which it is.
>
> >From the windows point of view, everything should be fine, but I think
> there's a difference in file rights between *unix systems and Windows:
> In Windows, the actual file permission overrides the directory
> permission, meaning that you could have access (read/write/whatever) to
> a file while not being able to access the directory where the file is.
> Don't ask me why or say "that's insane" - it's just the way it is, I
> didn't come up with NTFS in the first place. afair from my recent
> Solaris course, *nix does it the other way round, directory permissions
> always override file permissions?
>
> Not wanting to screw around any more than I already have, could somebody
> please confirm that I probably need to adjust the directory permissions
> for ~/.ssh (to what, who should be the owner, what about 'other'?), and
> then it should work? And of course I will have to turn off inherited
> rights on that directory, as well...
>
> Because work it did:
>
> mkdir /tmp/fermin
> cp ~/.ssh/id_rsa /tmp/fermin
> chmod 600 /tmp/fermin/id_rsa
> ssh -l fermin -i /tmp/fermin/id_rsa localhost
>
> ... worked like a charm.
>
> Hopefully, somebody ran into this problem before and can give me a hint
> or two? Thanky you!
>
> Regards
> Fermin

Is your home directory on an SMB share?  If so, you may need to add
"smbntsec" to your CYGWIN environment variable.

Also, can you please post the output of "getfacl ~/.ssh" and "getfacl
~/.ssh/id_rsa"?
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha@cs.nyu.edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor@watson.ibm.com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster."  -- Patrick Naughton

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

RE: ssh login with [rd]sa key, permissions on keyfile problems

[Fermin Sanchez]

Hello Igor 

> Is your home directory on an SMB share?  If so, you may need 
> to add "smbntsec" to your CYGWIN environment variable.

Yes it is - so to speak. It's on a Windows Server 2003 Share, not on
Samba.

> Also, can you please post the output of "getfacl ~/.ssh" and 
> "getfacl ~/.ssh/id_rsa"?

Not a problem, here we go:

$ getfacl ~/.ssh
# file: //dcp1/users/fermin/.ssh
# owner: fermin
# group: Domain Users
user::rwx
group::r-x
other:r-x
mask:rwx

$ getfacl ~/.ssh/id_rsa
# file: //dcp1/users/fermin/.ssh/id_rsa
# owner: fermin
# group: Domain Users
user::rw-
group::r--
other:r--
mask:rwx


Regards
Fermin

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: ssh login with [rd]sa key, permissions on keyfile problems

[Corinna Vinschen]

On Sun, Sep 21, 2003 at 10:17:32AM +0200, Fermin Sanchez wrote:
> Hello Igor 
> 
> > Is your home directory on an SMB share?  If so, you may need 
> > to add "smbntsec" to your CYGWIN environment variable.
> 
> Yes it is - so to speak. It's on a Windows Server 2003 Share, not on
> Samba.

Does your CYGWIN env. variable contain "nontsec"?

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

RE: ssh login with [rd]sa key, permissions on keyfile problems

[Fermin Sanchez]

Hello Corinna 

> > > Is your home directory on an SMB share?  If so, you may 
> > > need to add "smbntsec" to your CYGWIN environment variable.
> > Yes it is - so to speak. It's on a Windows Server 2003 
> > Share, not on Samba.
> Does your CYGWIN env. variable contain "nontsec"?

No, it does not:

$ echo $CYGWIN
binmode ntsec tty


Is this the solution, "nontsec" instead of "ntsec"? My fault, then;
never took the time or thought it to be important enough to read about
the CYGWIN variable. I'll do this right now. Thanks for pointing me in
the right direction.


Regards
Fermin


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Re: ssh login with [rd]sa key, permissions on keyfile problems

[Corinna Vinschen]

On Sun, Sep 21, 2003 at 02:43:29PM +0200, Fermin Sanchez wrote:
> Hello Corinna 
> 
> > > > Is your home directory on an SMB share?  If so, you may 
> > > > need to add "smbntsec" to your CYGWIN environment variable.
> > > Yes it is - so to speak. It's on a Windows Server 2003 
> > > Share, not on Samba.
> > Does your CYGWIN env. variable contain "nontsec"?
> 
> No, it does not:
> 
> $ echo $CYGWIN
> binmode ntsec tty
> 
> Is this the solution, "nontsec" instead of "ntsec"? My fault, then;

No, it was a question.  Not being able to set the permissions means
to have either nontsec (or nosmbntsec) or the underlying file system
is not NTFS.  I can't imagine any other reason for that in your
situation.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/