bugzilla-daemon at mindrot.org
2006-Apr-25  04:27 UTC
[Bug 1186] unprotected keys are not properly ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=1186
           Summary: unprotected keys are not properly ignored
           Product: Portable OpenSSH
           Version: 3.8.1p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: ssh
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: pepper at rockefeller.edu
As a test, I made a private key world readable. Note that id_dsa is a
symlink to this key. When I tried to ssh without a running agent, ssh
complained about permissions and said it would ignore this key, but
then prompted me for its passphrase.
If I'm understanding correctly, this is a failure of a security
feature. Note that this is the OpenSSH currently supplied by Apple in
the current 10.4.6 release, which lags substantially behind CURRENT. I
will also report this up to Apple, referencing this bug number, once I
have one.
pepper at pepperbook:~/.ssh$ ssh www
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/Users/pepper/.ssh/id_dsa' are too open.
It is recommended that your private key files are NOT accessible by
others.
This private key will be ignored.
bad permissions: ignore key: /Users/pepper/.ssh/id_dsa
Enter passphrase for key '/Users/pepper/.ssh/id_dsa': 
pepper at pepperbook:~/.ssh$ ls -l id_dsa id_dsa.pepper.200510
lrwxr-xr-x   1 pepper  pepper   20 Nov 16 23:19 id_dsa -> id_dsa.pepper.200510
-rw-r--r--   1 pepper  pepper  736 Nov  3 00:51 id_dsa.pepper.200510
pepper at pepperbook:~/.ssh$ ssh -V
OpenSSH_3.8.1p1, OpenSSL 0.9.7i 14 Oct 2005
pepper at pepperbook:~/.ssh$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.4.6
BuildVersion:   8I127
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2006-Apr-25  04:33 UTC
[Bug 1186] unprotected keys are not properly ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=1186
------- Comment #1 from djm at mindrot.org  2006-04-25 14:33 -------
I think you will find that the key *is* ignored. Try typing your
passphrase when prompted - I bet it doesn't get you any further.
bugzilla-daemon at mindrot.org
2006-Apr-25  04:39 UTC
[Bug 1186] unprotected keys are not properly ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=1186
------- Comment #2 from pepper at rockefeller.edu  2006-04-25 14:39 -------
That's good for the security aspect, although in this situation the
passphrase entry should probably be avoided too (since something strange
must've happened to change the pubkey's permissions). But it's not good
to prompt the user (three times) for a passphrase which won't be used
either.
bugzilla-daemon at mindrot.org
2006-Apr-25  06:02 UTC
[Bug 1186] unprotected keys are not properly ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=1186
------- Comment #3 from dtucker at zip.com.au  2006-04-25 16:02 -------
Created an attachment (id=1125)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1125&action=view)
Prevent retrying keys with bad permissions

This patch prevents the retry attempts, similar to an earlier change in
ssh-add.
bugzilla-daemon at mindrot.org
2006-Apr-25  06:30 UTC
[Bug 1186] unprotected keys are not properly ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=1186
djm at mindrot.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1125|                            |ok+
               Flag|                            |
------- Comment #4 from djm at mindrot.org  2006-04-25 16:30 -------
(From update of attachment 1125)
looks ok to me
bugzilla-daemon at mindrot.org
2006-Apr-25  08:00 UTC
[Bug 1186] unprotected keys are not properly ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=1186
dtucker at zip.com.au changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
------- Comment #5 from dtucker at zip.com.au  2006-04-25 18:00 -------
Applied, thanks.
bugzilla-daemon at mindrot.org
2006-Apr-25  08:01 UTC
[Bug 1186] unprotected keys are not properly ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=1186
dtucker at zip.com.au changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis|                            |1155