having some trouble using another user's RSA/DSA keys
Hank Leininger
openssh-unix-dev at progressive-comp.com
Sun Oct 29 17:35:10 EST 2000
On 2000-10-25, Jim Breton <jamesb-lists at alongtheway.com> wrote:
> 1) I am still warned about bad permissions on the key file even though
> I am root (I guess this would be a "wishlist" item since I can suppress
> these warnings with the -q option);
Right. The warning is not because you're unable to access the file, but
because OpenSSH thinks it is a bad thing to ever use a private key which is
readable or (worse) writable by any user other than the one running ssh.
This is a feature ;) And while you may have a legitimate case where this
feature isn't desired, it's generally the Right Thing To Do--the key is
essentially compromised, and root (or any user, in the generic case) should
not trust it. The workaround would be to put this key in
~root/.ssh/jamesbiden or such, root.root mode 600.
> 2) I am unable to log in using that key. The passphrase is blank, but
> key authentication fails and I am forced to enter a login password.
Right, because:
> # ssh -v -l jamesb -i ~jamesb/.ssh/identity <remotehost>
[snip]
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Bad ownership or mode(0600) for '/home/jamesb/.ssh/identity'.
> It is recommended that your private key files are NOT accessible by
> others.
> Enter passphrase for RSA key 'jamesb at tarkin':
> debug: Remote: Wrong response to RSA authentication challenge.
> debug: Doing password authentication.
> jamesb@<remotehost>'s password:
[ Even though you've said this key has no passphrase. ]
I assume things are happy if you su - jamesb on the local host and then ssh
remotehost? In that case I suspect this is a mildly buggy way of
expressing "Hey, I'm not willing to even try to use this key, since it's
essentially been compromised." Similar to how RSA authentication won't be
tried if the remote host's key has changed. Probably, the workaround above
will make this problem disappear.
--
Hank Leininger <hlein at progressive-comp.com>
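As an added example, not part of the thread above: a POSIX shell script that applies the same check OpenSSH performs before it will use a private key (file owned by the invoking user, no group/other permission bits) and then performs the workaround Hank suggests, copying the key into the caller's own directory as a mode-600 file. The function names, the `identity` sample file and the temporary directory are constructed for the demonstration; the sample file contains placeholder text, not a real key.

```shell
#!/bin/sh
# Added example: mimic OpenSSH's private-key sanity check and the
# "give root its own mode-600 copy" workaround from the reply above.

# key_perms_ok FILE [UID]
# Returns 0 if FILE is owned by UID (default: the current user) and has
# no group/other permission bits, which is the condition OpenSSH demands
# before it will try a private key. Returns 1 and prints why otherwise.
key_perms_ok() {
    f=$1
    want_uid=${2:-$(id -u)}
    [ -f "$f" ] || { echo "no such file: $f"; return 1; }
    # GNU stat first, BSD/macOS stat as a fallback: "<octal mode> <uid>"
    set -- $(stat -c '%a %u' "$f" 2>/dev/null || stat -f '%Lp %u' "$f")
    mode=$1; owner=$2
    if [ "$owner" != "$want_uid" ]; then
        echo "bad ownership for '$f': uid $owner, expected $want_uid"
        return 1
    fi
    # The last two octal digits are the group and other bits; both must be 0.
    case "$mode" in
        *00) return 0 ;;
        *)   echo "bad mode ($mode) for '$f': accessible by others"; return 1 ;;
    esac
}

# install_key_copy SRC DESTDIR
# The workaround: copy SRC into DESTDIR (e.g. ~root/.ssh) as a new file
# owned by the caller, directory 700, file 600, so the running user trusts
# a file it alone controls rather than another user's key file.
install_key_copy() {
    src=$1; destdir=$2
    dest="$destdir/$(basename "$src")"
    mkdir -p "$destdir" && chmod 700 "$destdir" || return 1
    # umask 077 guarantees the copy is never created readable by others
    (umask 077 && cp "$src" "$dest") || return 1
    chmod 600 "$dest" || return 1
    key_perms_ok "$dest" >/dev/null
}

# Stand-alone demo with constructed files (skipped when sourced by a test).
if [ "${0##*/}" = "keycheck.sh" ]; then
    demo=$(mktemp -d)
    printf 'PLACEHOLDER, not a real key\n' > "$demo/identity"
    chmod 644 "$demo/identity"
    key_perms_ok "$demo/identity"            # rejected: mode 644
    install_key_copy "$demo/identity" "$demo/rootssh" && echo "copy accepted"
    rm -rf "$demo"
fi
```

Run as `sh keycheck.sh` to see the 644 file rejected and the copy accepted; `key_perms_ok` can also be pointed at an existing `~/.ssh/identity` or `id_rsa` to reproduce the warning condition without invoking ssh.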