[Bug 1186] unprotected keys are not properly ignored

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Apr 25 14:27:57 EST 2006


http://bugzilla.mindrot.org/show_bug.cgi?id=1186

           Summary: unprotected keys are not properly ignored
           Product: Portable OpenSSH
           Version: 3.8.1p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: ssh
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: pepper at rockefeller.edu


As a test, I made a private key world readable. Note that id_dsa is a
symlink to this key. When I tried to ssh without a running agent, ssh
complained about permissions and said it would ignore this key, but
then prompted me for its passphrase.

If I'm understanding correctly, this is a failure of a security
feature. Note that this is the OpenSSH currently supplied by Apple in
the current 10.4.6 release, which lags substantially behind CURRENT. I
will also report this up to Apple, referencing this bug number, once I
have one.

pepper at pepperbook:~/.ssh$ ssh www
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/Users/pepper/.ssh/id_dsa' are too open.
It is recommended that your private key files are NOT accessible by
others.
This private key will be ignored.
bad permissions: ignore key: /Users/pepper/.ssh/id_dsa
Enter passphrase for key '/Users/pepper/.ssh/id_dsa': 

pepper at pepperbook:~/.ssh$ ls -l id_dsa id_dsa.pepper.200510
lrwxr-xr-x   1 pepper  pepper   20 Nov 16 23:19 id_dsa -> id_dsa.pepper.200510
-rw-r--r--   1 pepper  pepper  736 Nov  3 00:51 id_dsa.pepper.200510
pepper at pepperbook:~/.ssh$ ssh -V
OpenSSH_3.8.1p1, OpenSSL 0.9.7i 14 Oct 2005
pepper at pepperbook:~/.ssh$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.4.6
BuildVersion:   8I127
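The report turns on two details of the permission check: the key is reached through a symlink, so the permissions that matter are those of the resolved target (0644 here), and a key that fails the check should never reach the passphrase prompt. The shell function below is an added example, not code from the report or from OpenSSH: it resolves symlinks, classifies the mode bits the way the warning describes (any group or other permission is "too open"), and returns a status a caller can act on before invoking ssh. The temporary-file layout it builds for its demonstration is constructed to mirror the reporter's setup.

```shell
#!/bin/sh
# key_too_open FILE
#   Exit status 0 if FILE (after following symlinks) grants any permission
#   to group or other, 1 if it is private to the owner, 2 if it cannot be
#   inspected.  Uses `ls -lL` so it works on both GNU and BSD userlands;
#   `-L` makes ls report the symlink target, which is what ssh checks.
key_too_open() {
    mode=$(ls -lL -- "$1" 2>/dev/null | cut -c1-10) || return 2
    [ -n "$mode" ] || return 2
    # characters 5-10 of the mode string are the group and other bits
    rest=$(printf '%s' "$mode" | cut -c5-10)
    case $rest in
        ------) return 1 ;;   # only the owner can read or write: acceptable
        *)      return 0 ;;   # something outside the owner has access
    esac
}

# report_key FILE: human-readable wrapper around key_too_open.
report_key() {
    if key_too_open "$1"; then
        printf 'TOO OPEN  %s\n' "$1"
    elif [ $? -eq 1 ]; then
        printf 'ok        %s\n' "$1"
    else
        printf 'unreadable %s\n' "$1"
    fi
}

# Demonstration on a constructed layout: a 0644 key file reached through a
# symlink named id_dsa, as in the bug report, then the same file at 0600.
demo_dir=$(mktemp -d)
printf 'constructed placeholder, not a real key\n' > "$demo_dir/id_dsa.real"
chmod 0644 "$demo_dir/id_dsa.real"
ln -s id_dsa.real "$demo_dir/id_dsa"
report_key "$demo_dir/id_dsa"        # TOO OPEN (target is 0644)
chmod 0600 "$demo_dir/id_dsa.real"
report_key "$demo_dir/id_dsa"        # ok (target is now 0600)
rm -rf "$demo_dir"
```

Because the function follows the link, it flags the 0644 target even though the `id_dsa` symlink itself shows `lrwxr-xr-x`; a check that looked only at the link's own bits would report the wrong answer. A pre-flight loop over `~/.ssh` with this function lets an administrator find keys that ssh will refuse, or, in affected versions, prompt for anyway.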
