Executive summary: Why can I not have a private key which is `public' ?

Gory details ....

I'm new to openssh. I've been using ssh for years. However, I'm in the process
of investigating RH 7.* (0.91 at the moment) and am wanting to be as
`standard' as possible, so trying openssh.

I looked on http://www.openssh.com/list.html but could not find a list for
"general OpenSSH discussion", but this was the closest match, so I'll call it
a bug :-)

We use a client/server model with no `user' accounts on servers.
There are certain operations which a user may require to run with certain
privs, and we use ssh to do this. The capability may be given to an individual
user (user-only-readable in their .ssh/), a group (using UN*X group semantics)
or may be accessible to all users of a particular machine or set of machines
(e.g. when a user changes their password, a process is woken up on the
password server).

This all worked fine under ssh, but under openssh load_private_key() does a
    (st.st_mode & 077) != 0) {
and then complains that it is readable and won't use it. (It says "It is
recommended that your private key files are NOT accessible by others." but
appears to implement somewhat more than a `recommendation'!)

Is this bug intended as a feature ? [ :-) ]

I can see no code to disable this test [ other than setting HAVE_CYGWIN and
writing a check_ntsec() which returns FALSE :-) ]
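The test quoted above, re-implemented as an added example (this is not code from the thread or from OpenSSH) so that key files can be checked before ssh refuses them. It assumes only POSIX stat() and no OpenSSH internals. The detail worth noticing is the mask: 077 covers every group and other bit, read, write or execute, so 0640, 0610, 0604 and 0775 are all rejected along with 0644, while 0600 and 0400 pass.

```c
/*
 * Added example, not code from this thread or from OpenSSH: a stand-alone
 * re-implementation of the test quoted above, (st.st_mode & 077) != 0, so
 * that key files can be checked before ssh refuses them.  Assumes only
 * POSIX stat(); no OpenSSH internals are used.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* The predicate itself.  077 masks the six group and other bits, so ANY
 * of r, w or x for group or other makes this true: 0640, 0604, 0610,
 * 0775 and 0644 are all rejected; 0600 and 0400 pass. */
int key_perms_too_open(mode_t mode)
{
    return (mode & 077) != 0;
}

/* Render the nine permission bits as ls(1) does, e.g. "rw-r-----". */
void format_perms(mode_t mode, char out[10])
{
    const char *bits = "rwxrwxrwx";
    for (int i = 0; i < 9; i++)
        out[i] = (mode & (0400 >> i)) ? bits[i] : '-';
    out[9] = '\0';
}

/* 1 if ssh would refuse the file, 0 if it would load it, -1 if it cannot
 * be stat'ed.  stat() follows symlinks, so the mode of the real key file
 * is judged, not the link's. */
int check_key_file(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return key_perms_too_open(st.st_mode);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s keyfile...\n", argv[0]);
        return 2;
    }
    int bad = 0;
    for (int i = 1; i < argc; i++) {
        struct stat st;
        char perms[10];
        if (stat(argv[i], &st) != 0) {
            perror(argv[i]);
            bad = 1;
            continue;
        }
        format_perms(st.st_mode, perms);
        int r = key_perms_too_open(st.st_mode);
        printf("%s  %s  %s\n", perms, argv[i],
               r ? "would be REFUSED: group/other bits set" : "ok");
        if (r)
            bad = 1;
    }
    return bad;
}
```

Compile it under any name and run it on the key files (for example `./keyperms ~/.ssh/id_rsa ~/.ssh/id_dsa`); a non-zero exit status means at least one file has group or other bits set and would be refused. Because the mask is 077 rather than 044, a file in a private group with mode 0660 or 0770 fails just like a world-readable one.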
On Tue, Mar 27, 2001 at 02:11:08PM +0100, Piete Brooks wrote:
> Executive summary: Why can I not have a private key which is `public' ?

is this a good idea?

> Is this bug intended as a feature ? [ :-) ]

feature. many people are confused by the private/public distinction and are
starting to change permissions for all kinds of files. however it's a bad
idea to have the private key group or world readable, this is why openssh
ignores the key. perhaps we should allow group-readable private keys? but i
really don't like the idea.
mouring at etoh.eviladmin.org
2001-Mar-27 13:45 UTC
Use of non-user readable (null password) private keys
On Tue, 27 Mar 2001, Piete Brooks wrote:
> Executive summary: Why can I not have a private key which is `public' ?
>

Example:

* UserA has ~/.ssh/id_rsa readable by everyone on MachineA
* UserA copied ~/.ssh/id_rsa.pub to MachineB and put it in their
  ~/.ssh/authorized_keys2
* UserB finds ~UserA/.ssh/id_rsa being readable and steals the key.
* UserB learns that UserA logs into MachineB using non-interactive key
  exchange method.
* UserB copies stolen key to his ~/.ssh/ and now does: ssh UserA@MachineB.

Security has now been compromised.

> Gory details ....
>
> I'm new to openssh. I've been using ssh for years. However, I'm in the process
> of investigating RH 7.* (0.91 at the moment) and am wanting to be as
> `standard' as possible, so trying openssh.
>
> I looked on http://www.openssh.com/list.html but could not find a list for
> "general OpenSSH discussion", but this was the closest match, so I'll call it
> a bug :-)
>

This list doubles as a lot of things. And luckily the traffic is not
extremely high. =)

> We use a client/server model with no `user' accounts on servers.
> There are certain operations which a user may require to run with certain
> privs, and we use ssh to do this. The capability may be given to an individual
> user (user-only-readable in their .ssh/), a group (using UN*X group semantics)
> or may be accessible to all users of a particular machine or set of machines
> (e.g. when a user changes their password, a process is woken up on the
> password server).
>
> This all worked fine under ssh, but under openssh load_private_key() does a
> (st.st_mode & 077) != 0) {
> and then complains that it is readable and won't use it. (it says "It is
> recommended that your private key files are NOT accessible by others." but
> appears to implement somewhat more than a `recommendation' !)
>
> Is this bug intended as a feature ? [ :-) ]
>

I would not consider this a bug. It's a safety feature to protect the user
from doing stupid things (as shown in the example above). I don't see why
the 'private' key should be allowed to be made public. Feel free to explain
why such behavior is not correct. I can't see how allowing everyone to
read/steal my keys is considered a Good Thing(tm). =)

- Ben
Corinna Vinschen
2001-Mar-27 14:38 UTC
Use of non-user readable (null password) private keys
On Tue, Mar 27, 2001 at 02:11:08PM +0100, Piete Brooks wrote:
> Executive summary: Why can I not have a private key which is `public' ?

You can perform this action by not starting ssh directly but by starting an
intermediate executable which

- Checks if the calling user is allowed to perform that specific action.
- Sets uid to the uid which owns the ssh private key for that action.
- Calls in turn ssh to perform the action.

Corinna

>
> Gory details ....
>
> I'm new to openssh. I've been using ssh for years. However, I'm in the process
> of investigating RH 7.* (0.91 at the moment) and am wanting to be as
> `standard' as possible, so trying openssh.
>
> I looked on http://www.openssh.com/list.html but could not find a list for
> "general OpenSSH discussion", but this was the closest match, so I'll call it
> a bug :-)
>
> We use a client/server model with no `user' accounts on servers.
> There are certain operations which a user may require to run with certain
> privs, and we use ssh to do this. The capability may be given to an individual
> user (user-only-readable in their .ssh/), a group (using UN*X group semantics)
> or may be accessible to all users of a particular machine or set of machines
> (e.g. when a user changes their password, a process is woken up on the
> password server).
>
> This all worked fine under ssh, but under openssh load_private_key() does a
> (st.st_mode & 077) != 0) {
> and then complains that it is readable and won't use it. (it says "It is
> recommended that your private key files are NOT accessible by others." but
> appears to implement somewhat more than a `recommendation' !)
>
> Is this bug intended as a feature ? [ :-) ]
>
> I can see no code to disable this test [ other than setting HAVE_CYGWIN and
> writing a check_ntsec() which returns FALSE :-) ]

-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com
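The three-step wrapper described above, written out as an added example (this is not code from the thread, from Corinna, or from OpenSSH). It assumes a Linux/glibc system (setresuid), a hypothetical group "keyusers" with gid 1500 whose members may run the action, and placeholder values for the ssh path, the target account and the remote command. The binary is installed owned by the account that holds the private key, never root, with the set-uid bit (mode 4711); the key itself stays mode 0600 under that account, so the check that started this thread is satisfied and no caller can copy the key.

```c
/*
 * Added example, not code from this thread or from OpenSSH: a set-uid
 * wrapper implementing the three steps above.  Install it owned by the
 * account that owns the private key (NOT root), mode 4711.  The caller
 * never reads the key; the wrapper decides who may call, becomes the
 * key owner, discards the caller's environment and execs a FIXED ssh
 * command line.
 *
 * Assumptions (hypothetical values): Linux/glibc for setresuid();
 * ALLOWED_GID, SSH_PATH, TARGET and REMOTE_CMD are placeholders.
 */
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Explicit prototype so the build does not depend on _GNU_SOURCE being
 * seen before <unistd.h>; glibc exports this symbol. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

#define ALLOWED_GID 1500                   /* hypothetical gid of group "keyusers" */
#define SSH_PATH    "/usr/bin/ssh"         /* assumed location of the ssh client   */
#define TARGET      "pwd-wakeup@pwserver"  /* hypothetical key owner @ server      */
#define REMOTE_CMD  "/usr/local/sbin/wake-password-daemon"  /* hypothetical */

/* Step 1: policy.  A caller is allowed if ALLOWED_GID is its primary
 * gid or one of its supplementary gids.  Pure function, testable
 * without installing anything set-uid. */
int caller_allowed(gid_t primary, const gid_t *groups, size_t ngroups)
{
    if (primary == ALLOWED_GID)
        return 1;
    for (size_t i = 0; i < ngroups; i++)
        if (groups[i] == ALLOWED_GID)
            return 1;
    return 0;
}

/* Fresh environment for ssh: HOME names the key owner's home so ssh
 * finds ~/.ssh/ of that account, PATH is fixed, and nothing from the
 * caller (LD_*, SSH_AUTH_SOCK, ...) is carried over. */
static char **make_env(const char *home)
{
    static char homebuf[1024];
    static char *env[3];
    snprintf(homebuf, sizeof homebuf, "HOME=%s", home);
    env[0] = homebuf;
    env[1] = "PATH=/usr/bin:/bin";
    env[2] = NULL;
    return env;
}

int main(void)
{
    /* Collect the caller's supplementary groups (its real identity). */
    int n = getgroups(0, NULL);
    if (n < 0) { perror("getgroups"); return 1; }
    gid_t *groups = calloc((size_t)n + 1, sizeof *groups);
    if (groups == NULL) { perror("calloc"); return 1; }
    n = getgroups(n, groups);
    if (n < 0) { perror("getgroups"); return 1; }

    if (!caller_allowed(getgid(), groups, (size_t)n)) {
        fprintf(stderr, "uid %u is not permitted to run this action\n",
                (unsigned)getuid());
        return 1;
    }
    free(groups);

    /* Step 2: become the key owner for real, effective and saved uid.
     * euid already is the owner (set-uid bit); setresuid lets an
     * unprivileged process copy it into the other two.  Gids stay the
     * caller's: changing them would need root, and ssh's key check only
     * looks at the file's mode bits, not at the process's gids. */
    uid_t owner = geteuid();
    if (setresuid(owner, owner, owner) != 0) { perror("setresuid"); return 1; }
    if (getuid() != owner || geteuid() != owner) {
        fputs("uid switch failed\n", stderr);
        return 1;
    }

    struct passwd *pw = getpwuid(owner);
    if (pw == NULL) {
        fprintf(stderr, "no passwd entry for uid %u\n", (unsigned)owner);
        return 1;
    }

    /* Step 3: exec ssh with a fixed argv.  The caller chooses nothing:
     * no extra options, no host, no command.  BatchMode=yes makes ssh
     * fail instead of prompting, which is what a wrapper wants. */
    char *const argv[] = { "ssh", "-o", "BatchMode=yes", TARGET, REMOTE_CMD, NULL };
    execve(SSH_PATH, argv, make_env(pw->pw_dir));
    perror("execve");   /* only reached if the exec itself failed */
    return 1;
}
```

The design points are that the caller supplies no argv and no environment (so it cannot add -o options, pick another host, or point ssh at a different config through HOME), and that the wrapper is set-uid to an ordinary account rather than root, so a bug in it yields that account and nothing more. Revoking one caller is then a group-membership change rather than a key rotation. One caveat: the caller's supplementary groups are inherited, since dropping them needs root, so nothing under the key owner's ~/.ssh should be group-accessible.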
Piete Brooks wrote:
> Executive summary: Why can I not have a private key which is
> `public' ?

Every time I use OpenSSH I seem to get caught out by the permission checks.
I use umask 002 and my private files are all in a private group. This way I
don't accidentally deny others access when I work on shared material. But
OpenSSH doesn't like mode 775...

> We use a client/server model with no `user' accounts on servers.
> There are certain operations which a user may require to run with
> certain privs, and we use ssh to do this.

You could use the agent. I've just tried and it doesn't look as though ssh
checks permissions on the socket directory. This would also have the nice
feature that users couldn't copy the key. You would therefore be able to
revoke access from one user without revoking the key for the whole group.

-- 
Pete