Daniel Kahn Gillmor
2008-Oct-29 04:19 UTC
ssh disregarding umask for creation of known_hosts (and other files?)
Hey folks--

When ssh creates a known_hosts file for a user, it disregards the currently-set umask, and can actually turn on mode bits that the user has explicitly masked. While i'm happy to have ssh make files *more* secure than my umask (in situations where that's reasonable, like the creation of new ssh keys, etc), i'm not sure that i see the point in ssh making the files more open than i've explicitly requested.

I found this at ssh.c:256:

	/*
	 * Set our umask to something reasonable, as some files are created
	 * with the default umask. This will make them world-readable but
	 * writable only by the owner, which is ok for all files for which we
	 * don't set the modes explicitly.
	 */
	umask(022);

Why not simply OR the dangerous writable bits with the current umask instead:

	umask(022 | umask(0));

This would make sure that we're not creating group- or other-writable files while still honoring the user's expectations that setting a bit in the umask will actually mask off that bit.

Regards,

	--dkg

PS Some tests that i ran that demonstrate this surprising behavior:

Here's ssh setting g+r,o+r (explicitly disregarding my umask of 077) when it creates known_hosts for me (tested with OpenSSH 4.8 on OpenBSD 4.3 and OpenSSH 5.1 on Debian testing):

	$ uname -a
	OpenBSD openbsdtest.squeak.fifthhorseman.net 4.3 GENERIC#698 i386
	$ umask
	077
	$ ls -l ~/.ssh/known_hosts
	ls: /home/dkg/.ssh/known_hosts: No such file or directory
	$ ssh monkeysphere.info
	The authenticity of host 'monkeysphere.info (204.13.164.191)' can't be established.
	RSA key fingerprint is e8:7e:5b:7d:bc:6f:08:22:80:00:bb:0a:83:ef:bd:7a.
	Are you sure you want to continue connecting (yes/no)? yes
	Warning: Permanently added 'monkeysphere.info,204.13.164.191' (RSA) to the list of known hosts.
	Permission denied (publickey).
	$ ls -l ~/.ssh/known_hosts
	-rw-r--r--  1 dkg  dkg  414 Oct 29 00:03 /home/dkg/.ssh/known_hosts
	$ umask
	077
	$

	wt215@squeak:~$ uname -a
	Linux squeak 2.6.26-1-686 #1 SMP Sat Oct 18 16:22:25 UTC 2008 i686 GNU/Linux
	wt215@squeak:~$ umask
	077
	wt215@squeak:~$ ls -l ~/.ssh/known_hosts
	ls: cannot access /home/wt215/.ssh/known_hosts: No such file or directory
	wt215@squeak:~$ ssh monkeysphere.info
	The authenticity of host 'monkeysphere.info (204.13.164.191)' can't be established.
	RSA key fingerprint is e8:7e:5b:7d:bc:6f:08:22:80:00:bb:0a:83:ef:bd:7a.
	Are you sure you want to continue connecting (yes/no)? yes
	Warning: Permanently added 'monkeysphere.info,204.13.164.191' (RSA) to the list of known hosts.
	Permission denied (publickey).
	wt215@squeak:~$ ls -l ~/.ssh/known_hosts
	-rw-r--r-- 1 wt215 wt215 884 2008-10-28 23:51 /home/wt215/.ssh/known_hosts
	wt215@squeak:~$ umask
	0077
	wt215@squeak:~$
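The following is an added example, not part of the post above and not OpenSSH code. It models the two policies the post contrasts: the fixed umask(022) that ssh.c sets, which discards whatever the user had, and the proposed umask(022 | umask(0)), which reads the user's mask back (umask() always returns the previous value) and only forces the group/other write bits off. The arithmetic helpers compute what a file opened with mode 0666 would end up with; apply_merged_umask() runs the proposed idiom against the real process umask; created_mode() creates a scratch file at a caller-chosen path (a constructed path, /tmp/umask-demo.tmp in main) so the result can be checked with stat.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Mode bits a file created with the given request ends up with under
 * a given umask: the kernel clears every bit set in the mask. */
mode_t effective_mode(mode_t requested, mode_t mask)
{
    return requested & ~mask & 0777;
}

/* Policy as found in ssh.c: the user's umask is simply replaced. */
mode_t mask_after_fixed(mode_t user_umask)
{
    (void)user_umask;           /* deliberately ignored, as in ssh.c */
    return 022;
}

/* Proposed policy from the post: keep the user's mask, force off
 * group- and other-write on top of it. */
mode_t mask_after_merged(mode_t user_umask)
{
    return 022 | user_umask;
}

/* Read the current process umask without changing it. umask() has no
 * getter, so set it to 0 and immediately put the old value back. */
mode_t current_umask(void)
{
    mode_t m = umask(0);
    umask(m);
    return m;
}

/* The proposed idiom applied to this process; returns the mask now in
 * force. umask(0) yields the previous mask, which is OR'ed with 022. */
mode_t apply_merged_umask(void)
{
    mode_t merged = 022 | umask(0);
    umask(merged);
    return merged;
}

/* Create a file with a 0666 request under the current umask and return
 * the permission bits it actually got, or -1 if the path is unusable.
 * The file is removed again before returning. */
int created_mode(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd < 0)
        return -1;
    int rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    return rc == 0 ? (int)(st.st_mode & 0777) : -1;
}

int main(void)
{
    const mode_t samples[] = { 0, 002, 022, 077 };
    printf("user umask  fixed 022 -> mode   merged -> mode\n");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        mode_t u = samples[i];
        printf("   %04o        %04o             %04o\n",
               (unsigned)u,
               (unsigned)effective_mode(0666, mask_after_fixed(u)),
               (unsigned)effective_mode(0666, mask_after_merged(u)));
    }

    /* Live check: with a 077 umask the merged policy must not widen it. */
    umask(077);
    apply_merged_umask();
    int got = created_mode("/tmp/umask-demo.tmp");   /* constructed path */
    if (got >= 0)
        printf("file created under merged umask has mode %04o\n", (unsigned)got);
    return 0;
}
```

The table row for umask 077 is the case from the post: the fixed policy yields 0644 (group and other readable, exactly what the ls -l output shows), the merged policy yields 0600. For a permissive user mask such as 002 both policies give 0644, so the proposal changes nothing for users who never asked for more.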