libs/newlib-cygwin
libs
/
newlib-cygwin
mirror of git://sourceware.org/git/newlib-cygwin.git
4
0
Fork 0
Code Issues Projects Releases Wiki Activity

* faq-using.xml (faq.using.ssh-pubkey-stops-working): New entry. 

(faq.using.same-with-rhosts): Ditto.
This commit is contained in:
Corinna Vinschen 2015-02-04 10:40:22 +00:00
parent 7656f3f4d7
commit be8a0cee6d
2 changed files with 100 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
winsup/doc/ChangeLog
View File

@ -1,3 +1,8 @@
2015-02-04 Corinna Vinschen <corinna@vinschen.de>
* faq-using.xml (faq.using.ssh-pubkey-stops-working): New entry.
(faq.using.same-with-rhosts): Ditto.
2015-02-03 Corinna Vinschen <corinna@vinschen.de> 2015-02-03 Corinna Vinschen <corinna@vinschen.de>
* utils.xml (regtool): Clarify save action. Add description for * utils.xml (regtool): Clarify save action. Add description for

95
winsup/doc/faq-using.xml
View File

@ -932,6 +932,101 @@ usually all set and you can start the sshd service via
</answer></qandaentry> </answer></qandaentry>
<qandaentry id="faq.using.ssh-pubkey-stops-working">
<question><para>Why does public key authentication with ssh fail after updating to Cygwin 1.7.34?</para></question>
<answer>
<para>
This is the result of fixing a long-standing security problem in Cygwin's
POSIX ACL handling. IEEE 1003.1e draft 17 defines that the permissions
of secondary user and group entries in an ACL are reflected in the group
permission mask by or'ing the permissions of the file's primary group with
all permissions of secondary users and groups in the ACL. The background
is that this way the standard POSIX permission bits reflect the fact that
<emphasis role='bold'>somebody else</emphasis> has additional, otherwise
potentially invisible permissions on the file. This relatively complex
interface has been defined in order to ensure that applications that are
compliant with IEEE 1003.1 (“POSIX.1”) will still function as expected on
systems with ACLs.</para>
<para>So, what does that mean for your situation? Typically this means the
private key file, for instance <filename>~/.ssh/id_rsa</filename>, has too
open permissions. OpenSSH expects the permissions of the private key file
to be 0600. Let's use the default SSH2 RSA keyfile as example:</para>
<screen>
$ ls -l .ssh/id_rsa
-rw------- 1 user group 1766 Aug 26 2013 .ssh/id_rsa
</screen>
<para>However, if other accounts can read the file, the key is potentially
compromised. Consider the file has additional rw- permissions for a group
<literal>bad_guys</literal>. Up to Cygwin 1.7.33 that would have looked
like this:</para>
<screen>
$ ls -l .ssh/id_rsa
-rw-------+ 1 user group 1766 Aug 26 2013 .ssh/id_rsa
</screen>
<para>Notice the extra <emphasis role='bold'>+</emphasis> character following
the permission string. This shows that additional ACL entries are in the ACL.
But an application only checking the POSIX permission bits (and ssh is one of
them!), will not notice the fact, because it gets the permissions 0600 for the
file.</para>
<para>Starting with Cygwin 1.7.34, the extra permissions are reflected in
the group permission bits per IEEE 1003.1e draft 17:</para>
<screen>
$ ls -l .ssh/id_rsa
-rw-rw----+ 1 user group 1766 Aug 26 2013 .ssh/id_rsa
</screen>
<para>So now ssh will notice that the file has extra permissions and it will
complain. The same problem occurs if the file
<filename>~/.ssh/authorized_keys</filename> has too open permissions. On
the client side you won't get any helping text, though, other than that you're
suddenly asked for a password. That's a rather good hint to have a closer
look at the server's <filename>~/.ssh/authorized_keys</filename> file.</para>
<para>To fix the permissions of your private key file or your
<filename>~/.ssh/authorized_keys</filename> file, simply use the
<command>setfacl</command> command with the <literal>-b</literal> option.
This removes all additional ACL entries and thus fixes the permissions to
be not too open:</para>
<screen>
$ ls -l .ssh/id_rsa
-rw-rw----+ 1 user group 1766 Aug 26 2013 .ssh/id_rsa
$ setfacl -b .ssh/id_rsa
$ ls -l .ssh/id_rsa
-rw------- 1 user group 1766 Aug 26 2013 .ssh/id_rsa
</screen>
<para>For more information on <command>setfacl</command>, see
<ulink url="https://cygwin.com/cygwin-ug-net/using-utils.html#setfacl"/></para>
</answer></qandaentry>
<qandaentry id="faq.using.same-with-rhosts">
<question><para>Why is my .rhosts file not recognized by rlogin anymore after updating to Cygwin 1.7.34?</para></question>
<answer>
<para>The problem is exactly the same as with the key files of SSH. See
<xref linkend="faq.using.ssh-pubkey-stops-working"/>.</para>
<para>The solution is the same:</para>
<screen>
$ ls -l .rhosts
-rw-rw----+ 1 user group 42 Nov 12 2010 .rhosts
$ setfacl -b .rhosts
$ ls -l .rhosts
-rw------- 1 user group 42 Nov 12 2010 .rhosts
</screen>
</answer></qandaentry>
<qandaentry id="faq.using.tcl-tk"> <qandaentry id="faq.using.tcl-tk">
<question><para>Why do my Tk programs not work anymore?</para></question> <question><para>Why do my Tk programs not work anymore?</para></question>
<answer> <answer>