[Bug 1186] unprotected keys are not properly ignored
bugzilla-daemon at mindrot.org
Tue Apr 25 14:27:57 EST 2006
http://bugzilla.mindrot.org/show_bug.cgi?id=1186
Summary: unprotected keys are not properly ignored
Product: Portable OpenSSH
Version: 3.8.1p1
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: ssh
AssignedTo: bitbucket at mindrot.org
ReportedBy: pepper at rockefeller.edu

As a test, I made a private key world readable. Note that id_dsa is a
symlink to this key. When I tried to ssh without a running agent, ssh
complained about permissions and said it would ignore this key, but
then prompted me for its passphrase.

If I'm understanding correctly, this is a failure of a security
feature. Note that this is the OpenSSH currently supplied by Apple in
the current 10.4.6 release, which lags substantially behind CURRENT. I
will also report this up to Apple, referencing this bug number, once I
have one.

pepper at pepperbook:~/.ssh$ ssh www
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/Users/pepper/.ssh/id_dsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /Users/pepper/.ssh/id_dsa
Enter passphrase for key '/Users/pepper/.ssh/id_dsa':
pepper at pepperbook:~/.ssh$ ls -l id_dsa id_dsa.pepper.200510
lrwxr-xr-x 1 pepper pepper 20 Nov 16 23:19 id_dsa -> id_dsa.pepper.200510
-rw-r--r-- 1 pepper pepper 736 Nov 3 00:51 id_dsa.pepper.200510
pepper at pepperbook:~/.ssh$ ssh -V
OpenSSH_3.8.1p1, OpenSSL 0.9.7i 14 Oct 2005
pepper at pepperbook:~/.ssh$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.4.6
BuildVersion: 8I127
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
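
An added example, not part of the original report and not OpenSSH's own code: a key-selection check that does what the warning above promises, dropping a too-open key before any passphrase prompt could happen. The policy (no group or other permission bits) and the function names are assumptions; the files are constructed in a temporary directory to mirror the symlink layout in the report.

```python
import os
import stat
import tempfile


def key_is_protected(path):
    """Return True only if the private key file is safe to load.

    Assumed policy, taken from the warning text: the file must grant no
    permission bits to group or others. os.stat() follows symlinks, so the
    mode of the link target is checked, not the mode of the link itself
    (the report shows 0644 for the target behind a 0755 symlink).
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    return (st.st_mode & 0o077) == 0


def usable_keys(candidates):
    """Split candidates into (accepted, rejected).

    Only accepted keys should ever reach the code that decrypts them, so a
    rejected key can never trigger a passphrase prompt.
    """
    accepted, rejected = [], []
    for path in candidates:
        try:
            ok = key_is_protected(path)
        except FileNotFoundError:
            continue  # missing identity files are skipped silently
        (accepted if ok else rejected).append(path)
    return accepted, rejected


def demo():
    """Rebuild the layout from the report with constructed placeholder files."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "id_dsa.pepper.200510")
    link = os.path.join(d, "id_dsa")
    good = os.path.join(d, "id_rsa")  # hypothetical second key with mode 0600
    for p, mode in ((target, 0o644), (good, 0o600)):
        with open(p, "w") as f:
            f.write("constructed placeholder, not a real key\n")
        os.chmod(p, mode)
    os.symlink("id_dsa.pepper.200510", link)
    return usable_keys([link, good]), link, good
```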