diff --git a/winsup/doc/ChangeLog b/winsup/doc/ChangeLog index 47d0893b8..b7223eac9 100644 --- a/winsup/doc/ChangeLog +++ b/winsup/doc/ChangeLog @@ -1,3 +1,8 @@ +2015-02-04 Corinna Vinschen + + * faq-using.xml (faq.using.ssh-pubkey-stops-working): New entry. + (faq.using.same-with-rhosts): Ditto. + 2015-02-03 Corinna Vinschen * utils.xml (regtool): Clarify save action. Add description for diff --git a/winsup/doc/faq-using.xml b/winsup/doc/faq-using.xml index 3b6694df4..522a06551 100644 --- a/winsup/doc/faq-using.xml +++ b/winsup/doc/faq-using.xml 
@@ -932,6 +932,101 @@ usually all set and you can start the sshd service via + +Why does public key authentication with ssh fail after updating to Cygwin 1.7.34? + + + +This is the result of fixing a long-standing security problem in Cygwin's +POSIX ACL handling. IEEE 1003.1e draft 17 defines that the permissions +of secondary user and group entries in an ACL are reflected in the group +permission mask by or'ing the permissions of the file's primary group with +all permissions of secondary users and groups in the ACL. The background +is that this way the standard POSIX permission bits reflect the fact that +somebody else has additional, otherwise +potentially invisible permissions on the file. This relatively complex +interface has been defined in order to ensure that applications that are +compliant with IEEE 1003.1 (“POSIX.1”) will still function as expected on +systems with ACLs. + +So, what does that mean for your situation? Typically this means the +private key file, for instance ~/.ssh/id_rsa, has too +open permissions. OpenSSH expects the permissions of the private key file +to be 0600. Let's use the default SSH2 RSA keyfile as example: + + + $ ls -l .ssh/id_rsa + -rw------- 1 user group 1766 Aug 26 2013 .ssh/id_rsa + + +However, if other accounts can read the file, the key is potentially +compromised. Consider the file has additional rw- permissions for a group +bad_guys. Up to Cygwin 1.7.33 that would have looked +like this: + + + $ ls -l .ssh/id_rsa + -rw-------+ 1 user group 1766 Aug 26 2013 .ssh/id_rsa + + +Notice the extra + character following +the permission string. This shows that additional ACL entries are in the ACL. +But an application only checking the POSIX permission bits (and ssh is one of +them!), will not notice the fact, because it gets the permissions 0600 for the +file. 
+ +Starting with Cygwin 1.7.34, the extra permissions are reflected in +the group permission bits per IEEE 1003.1e draft 17: + + + $ ls -l .ssh/id_rsa + -rw-rw----+ 1 user group 1766 Aug 26 2013 .ssh/id_rsa + + +So now ssh will notice that the file has extra permissions and it will +complain. The same problem occurs if the file +~/.ssh/authorized_keys has too open permissions. On +the client side you won't get any helping text, though, other than that you're +suddenly asked for a password. That's a rather good hint to have a closer +look at the server's ~/.ssh/authorized_keys file. + +To fix the permissions of your private key file or your +~/.ssh/authorized_keys file, simply use the +setfacl command with the -b option. +This removes all additional ACL entries and thus fixes the permissions to +be not too open: + + + $ ls -l .ssh/id_rsa + -rw-rw----+ 1 user group 1766 Aug 26 2013 .ssh/id_rsa + $ setfacl -b .ssh/id_rsa + $ ls -l .ssh/id_rsa + -rw------- 1 user group 1766 Aug 26 2013 .ssh/id_rsa + + +For more information on setfacl, see + + + + +Why is my .rhosts file not recognized by rlogin anymore after updating to Cygwin 1.7.34? + + +The problem is exactly the same as with the key files of SSH. See +. + +The solution is the same: + + + $ ls -l .rhosts + -rw-rw----+ 1 user group 42 Nov 12 2010 .rhosts + $ setfacl -b .rhosts + $ ls -l .rhosts + -rw------- 1 user group 42 Nov 12 2010 .rhosts + + + + Why do my Tk programs not work anymore?
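Review bot: In the new ssh-pubkey-stops-working entry in faq-using.xml, the fix paragraph ("simply use the setfacl command with the -b option") has the reader strip every additional ACL entry without first looking at what those entries are. The same entry says earlier that a key readable by other accounts is potentially compromised. Suggest showing a getfacl .ssh/id_rsa step before setfacl -b, so the reader can see which users or groups had access and decide whether the key should be replaced rather than only re-permissioned. The text could also state that -b drops all extra entries, including any that were granted on purpose. The .rhosts entry repeats the same setfacl -b recipe and would benefit from the same addition.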