bugzilla-daemon at mindrot.org
2006-Apr-25 04:27 UTC
[Bug 1186] unprotected keys are not properly ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=1186 Summary: unprotected keys are not properly ignored Product: Portable OpenSSH Version: 3.8.1p1 Platform: All OS/Version: All Status: NEW Severity: major Priority: P2 Component: ssh AssignedTo: bitbucket at mindrot.org ReportedBy: pepper at rockefeller.edu As a test, I made a private key world readable. Note that id_dsa is a symlink to this key. When I tried to ssh without a running agent, ssh complained about permissions and said it would ignore this key, but then prompted me for its passphrase. If I'm understanding correctly, this is a failure of a security feature. Note that this is the OpenSSH currently supplied by Apple in the current 10.4.6 release, which lags substantially behind CURRENT. I will also report this up to Apple, referencing this bug number, once I have one. pepper at pepperbook:~/.ssh$ ssh www @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Permissions 0644 for '/Users/pepper/.ssh/id_dsa' are too open. It is recommended that your private key files are NOT accessible by others. This private key will be ignored. bad permissions: ignore key: /Users/pepper/.ssh/id_dsa Enter passphrase for key '/Users/pepper/.ssh/id_dsa': pepper at pepperbook:~/.ssh$ ls -l id_dsa id_dsa.pepper.200510 lrwxr-xr-x 1 pepper pepper 20 Nov 16 23:19 id_dsa -> id_dsa.pepper.200510 -rw-r--r-- 1 pepper pepper 736 Nov 3 00:51 id_dsa.pepper.200510 pepper at pepperbook:~/.ssh$ ssh -V OpenSSH_3.8.1p1, OpenSSL 0.9.7i 14 Oct 2005 pepper at pepperbook:~/.ssh$ sw_vers ProductName: Mac OS X ProductVersion: 10.4.6 BuildVersion: 8I127 ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2006-Apr-25 04:33 UTC
[Bug 1186] unprotected keys are not properly ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=1186 ------- Comment #1 from djm at mindrot.org 2006-04-25 14:33 ------- I think you will find that they key *is* ignored. Try typing you passphrase when prompted - I bet it doesn't get you any further. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2006-Apr-25 04:39 UTC
[Bug 1186] unprotected keys are not properly ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=1186 ------- Comment #2 from pepper at rockefeller.edu 2006-04-25 14:39 ------- That's good for the security aspect, although in this situation the passphrase entry should probably be avoided too (since something strange must've happened to change the pubkey's permissions). But it's not good to prompt the user (three times) for a passphrase which won't be used either. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2006-Apr-25 06:02 UTC
[Bug 1186] unprotected keys are not properly ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=1186 ------- Comment #3 from dtucker at zip.com.au 2006-04-25 16:02 ------- Created an attachment (id=1125) --> (http://bugzilla.mindrot.org/attachment.cgi?id=1125&action=view) Prevent retrying keys with bad permissions This patch prevents the retry attempts, similar to an earlier change in ssh-add. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2006-Apr-25 06:30 UTC
[Bug 1186] unprotected keys are not properly ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=1186 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #1125| |ok+ Flag| | ------- Comment #4 from djm at mindrot.org 2006-04-25 16:30 ------- (From update of attachment 1125) looks ok to me ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2006-Apr-25 08:00 UTC
[Bug 1186] unprotected keys are not properly ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=1186 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Comment #5 from dtucker at zip.com.au 2006-04-25 18:00 ------- Applied, thanks. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2006-Apr-25 08:01 UTC
[Bug 1186] unprotected keys are not properly ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=1186 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- OtherBugsDependingO| |1155 nThis| | ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
Seemingly Similar Threads
- [Bug 1157] ssh-keygen doesn't handle DOS line breaks
- Enhancement suggestion: improve the host not found error message
- having some trouble using another user's RSA/DSA keys
- Apache handler?
- [Bug 1909] New: "WARNING: UNPROTECTED PRIVATE KEY FILE!" warning needs an actionable step