This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: Re: Anybody really runs sshd in win2K? (fwd)


BTW, the /etc/sshd_config setting

	StrictModes no

might help as well...

Corinna


On Fri, Jul 27, 2001 at 05:34:00PM -0400, Prentis Brooks wrote:
> Hey Chris,
> 	I do apologize, I will have to word my emails better in the future.
> I asked that of Corinna since I recall that she was the one who provided the
> answer to me before.
> 
> 	After a search, I found this entry from Chuck Wilson:
> 
> For months, I've been getting the "WARNING" banner from ssh, complaining
> that my private keys were not properly protected.  I finally tracked it
> down, and will demonstrate here:
> 
> ~ > ls -ln foo
> -rw-------    1 500      544           532 May 20 13:30 foo
> 
> Okay, so this file is mode 600, owned by Administrator and group
> Administrators.  That's good, because I'm running sshd from the
> Administrator account (appropriate privileges granted).
> 
> ~ > getfacl foo
> # file: foo
> # owner: 500
> # group: 544
> user::rw-
> group::---
> mask::---
> other::---
> 
> Yes, everything's fine here.  But that's not what my ssh_host_key file
> had.  It had an additional ACL for the user 'cwilson', as demonstrated
> below:
> 
> ~ > ls -ln foo
> -rw-------    1 500      544           532 May 20 13:30 foo
> 
> It *looks* okay, but getfacl shows:
> 
> ~ > getfacl foo
> # file: foo
> # owner: 500
> # group: 544
> user::rw-
> user:1002:r-x
> group::---
> mask::---
> other::---
> 
> Oh, NO! readable by user 1002!!!  You can't use chmod to fix this.
> 
> I fixed this by removing the extra ACL using windows tools
> (Properties->Security->Permissions).  This problem is especially
> pernicious on W2K systems, with the "inherit ACLs from parent
> directories" behavior.
> 
> So here's the question: I can't find any documentation on how to use
> 'setfacl' -- which seems to be the appropriate tool here.  Rather than
> 'chmod', we want to instruct new sshd users to 'setfacl ssh_host*_key'
> to allow only user::rw- group::--- other::--- mask::---, with owner:
> SYSTEM, group: SYSTEM.  (Not admin, admin like I'm doing).
> 
> How do you use setfacl to set the correct permission properties on the
> hostkey files (regardless of whatever ACLs were previously applied)?
> 
> --Chuck
> 
> Again, I apologize for not following list protocol :).  Let me know if
> that helps answer the question.
> 
> 
> Prentis Brooks	| prentis@aol.net | 703-265-0914 | AIM: PrentisB
> System Administrator - Web Infrastructure & Security
> 
>        A knight is sworn to valor.  His heart knows only virtue.  His blade
>        defends the helpless.  His word speaks only truth.  His wrath undoes the
>        wicked. - the old code of Bowen, last of the dragonslayers
> 
> 
> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Bug reporting:         http://cygwin.com/bugs.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
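As an added example (my own, not code from this thread or from the Cygwin project): a small POSIX shell audit for the problem Chuck describes. It reads getfacl output, flags any entry that names a specific user or group (the `user:1002:r-x` line that `ls -l` and `chmod` never show), and builds the setfacl command that replaces the ACL with plain owner/group/other entries. The sample getfacl dumps are constructed from the output quoted above, so the audit runs anywhere with sh and grep; the reset command assumes Cygwin's `setfacl -s`, which replaces the existing ACL with exactly the listed entries (check `setfacl --help` on your install), and changing the owner to SYSTEM is a separate `chown`, which this does not do.

```shell
#!/bin/sh
# Added example, not code from the thread: audit getfacl(1) output for the
# extra named-user/named-group entries Chuck Wilson found on his host key,
# and build the setfacl command that replaces the ACL with a clean one.

# Constructed sample input, copied from the getfacl output quoted in the thread.
BAD_ACL='# file: foo
# owner: 500
# group: 544
user::rw-
user:1002:r-x
group::---
mask::---
other::---'

GOOD_ACL='# file: foo
# owner: 500
# group: 544
user::rw-
group::---
mask::---
other::---'

# Read getfacl output on stdin and print every entry that names a specific
# user or group (e.g. "user:1002:r-x").  "user::rw-" and "group::---" have an
# empty name field: they are the owner/owning-group entries that chmod governs.
# Returns 1 when such extra entries exist, 0 when the ACL is plain.
extra_acl_entries() {
    if grep -E '^(user|group):[^:]+:' ; then
        return 1
    fi
    return 0
}

# Build the command that resets a key file's ACL.  Assumption: Cygwin's setfacl
# takes -s to replace the whole ACL with exactly the listed entries, which is
# what makes the result independent of whatever ACLs were inherited before.
# No mask entry is given because no named entries remain for it to limit.
reset_acl_cmd() {
    printf 'setfacl -s u::rw-,g::---,o::--- %s\n' "$1"
}

# Audit one file from a getfacl dump on stdin; prints a verdict and, if
# needed, the fix.  Returns the status of extra_acl_entries.
audit_acl() {
    file=$1
    if extra_acl_entries >/dev/null; then
        echo "$file: ACL is plain owner/group/other"
        return 0
    fi
    echo "$file: extra ACL entries present, fix with: $(reset_acl_cmd "$file")"
    return 1
}

# Demo on the constructed samples.  Against a real key: getfacl f | audit_acl f
printf '%s\n' "$GOOD_ACL" | audit_acl good_key
printf '%s\n' "$BAD_ACL" | audit_acl bad_key || :
```

To sweep a whole key directory, loop `for f in /etc/ssh_host*_key; do getfacl "$f" | audit_acl "$f"; done` and run the printed setfacl line only after reading it; the audit itself never modifies anything.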


