Bug 1186 - ssh tries multiple times to open unprotected keys
Summary: ssh tries multiple times to open unprotected keys
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh (show other bugs)
Version: -current
Hardware: All All
: P2 major
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_4_4
Reported: 2006-04-25 14:27 AEST by Chris Pepper
Modified: 2006-09-28 19:26 AEST (History)
0 users

See Also:


Attachments
Prevent retrying keys with bad permissions (5.37 KB, patch)
2006-04-25 16:02 AEST, Darren Tucker
djm: ok+

Description Chris Pepper 2006-04-25 14:27:55 AEST
As a test, I made a private key world readable. Note that id_dsa is a symlink to this key. When I tried to ssh without a running agent, ssh complained about permissions and said it would ignore this key, but then prompted me for its passphrase.

If I'm understanding correctly, this is a failure of a security feature. Note that this is the OpenSSH currently supplied by Apple in the current 10.4.6 release, which lags substantially behind CURRENT. I will also report this up to Apple, referencing this bug number, once I have one.

pepper@pepperbook:~/.ssh$ ssh www
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/Users/pepper/.ssh/id_dsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /Users/pepper/.ssh/id_dsa
Enter passphrase for key '/Users/pepper/.ssh/id_dsa': 

pepper@pepperbook:~/.ssh$ ls -l id_dsa id_dsa.pepper.200510
lrwxr-xr-x   1 pepper  pepper   20 Nov 16 23:19 id_dsa -> id_dsa.pepper.200510
-rw-r--r--   1 pepper  pepper  736 Nov  3 00:51 id_dsa.pepper.200510
pepper@pepperbook:~/.ssh$ ssh -V
OpenSSH_3.8.1p1, OpenSSL 0.9.7i 14 Oct 2005
pepper@pepperbook:~/.ssh$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.4.6
BuildVersion:   8I127
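The behaviour at issue, modelled as an added example (not OpenSSH's code and not from the reporter or the patch): a simplified private-key permission check like the one that produced the warning above, followed by a loading loop in which a key with bad permissions is rejected before any passphrase prompt, while only a wrong passphrase is retried. Paths, dummy key contents and the `load_key`/`demo` helpers are constructed for this illustration; the check uses `os.stat`, which follows symlinks, so the target of a symlinked `id_dsa` is what gets checked.

```python
import os
import stat
import tempfile

# Simplified model of ssh's check (hypothetical, not OpenSSH's code): the key
# file must not be readable or writable by group or others. os.stat follows
# symlinks, so for a symlinked id_dsa the permissions of the target file
# (mode 0644 in the report) are what counts, not the link's own lrwxr-xr-x.
def permissions_too_open(path):
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & 0o077) != 0

# Model of the key-loading loop after the fix: bad permissions reject the key
# outright with zero passphrase prompts; a wrong passphrase is retried up to
# max_tries times (three prompts, as the reporter observed before the fix).
def load_key(path, ask_passphrase, correct_passphrase, max_tries=3):
    if permissions_too_open(path):
        return "bad permissions", 0
    prompts = 0
    for _ in range(max_tries):
        prompts += 1
        if ask_passphrase() == correct_passphrase:
            return "loaded", prompts
    return "failed", prompts

# Builds constructed sample files (dummy contents, not real keys) in a
# temporary directory and runs the cases from the report.
def demo():
    tmp = tempfile.mkdtemp()
    open_key = os.path.join(tmp, "id_dsa.example")  # constructed filename
    with open(open_key, "w") as f:
        f.write("dummy key material\n")
    os.chmod(open_key, 0o644)  # the too-open mode from the report
    link = os.path.join(tmp, "id_dsa")
    os.symlink(open_key, link)  # mirrors the reporter's symlinked id_dsa
    safe_key = os.path.join(tmp, "id_rsa.example")  # constructed filename
    with open(safe_key, "w") as f:
        f.write("dummy key material\n")
    os.chmod(safe_key, 0o600)  # owner-only, passes the check
    wrong = lambda: "wrong passphrase"
    right = lambda: "secret"
    return {
        "symlink_to_0644": load_key(link, wrong, "secret"),
        "0600_wrong_passphrase": load_key(safe_key, wrong, "secret"),
        "0600_right_passphrase": load_key(safe_key, right, "secret"),
    }
```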
Comment 1 Damien Miller 2006-04-25 14:33:29 AEST
I think you will find that the key *is* ignored. Try typing your passphrase when prompted - I bet it doesn't get you any further.
Comment 2 Chris Pepper 2006-04-25 14:39:00 AEST
That's good for the security aspect, although in this situation the passphrase entry should probably be avoided too (since something strange must've happened to change the pubkey's permissions).

But it's not good to prompt the user (three times) for a passphrase which won't be used either.
Comment 3 Darren Tucker 2006-04-25 16:02:23 AEST
Created attachment 1125 [details]
Prevent retrying keys with bad permissions

This patch prevents the retry attempts, similar to an earlier change in ssh-add.
Comment 4 Damien Miller 2006-04-25 16:30:30 AEST
Comment on attachment 1125 [details]
Prevent retrying keys with bad permissions

looks ok to me
Comment 5 Darren Tucker 2006-04-25 18:00:42 AEST
Applied, thanks.
Comment 6 Chris Pepper 2006-04-26 00:56:14 AEST
Thank you! Mail sent to Apple, nudging them to update from 3.8.1p1.
Comment 7 Darren Tucker 2006-09-28 19:26:12 AEST
With the release of 4.4, we believe that this bug is now closed. For information about the release please see http://www.openssh.com/txt/release-4.4.