
Bug#756930: ssh-add: display bad perm warning only if private key is owned by the same user



Package: openssh-client
Version: 1:6.6p1-6
Severity: normal
File: /usr/bin/ssh-add

Hi,
I noticed that ssh-add will display a warning (unprotected private key file) and
refuse to add the private material only when trying to add material owned by
the same user calling ssh. However, if the file is owned by another user but
nevertheless world readable, nothing is displayed and the key can be added.

In other words:

godog@i7:~$ ssh-add -l
The agent has no identities.
godog@i7:~$ cd /tmp/
godog@i7:/tmp$ ssh-keygen -f test_id
The key fingerprint is:
32:23:9e:da:84:8e:15:c6:e5:71:a6:f7:eb:30:25:99 godog@i7
godog@i7:/tmp$ chmod a+r test_id
godog@i7:/tmp$ ssh-add test_id
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'test_id' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
godog@i7:/tmp$ sudo chown nobody test_id
[sudo] password for godog: 
godog@i7:/tmp$ ssh-add test_id
Enter passphrase for test_id: 
Identity added: test_id (test_id)
godog@i7:/tmp$ ssh-add -l
2048 32:23:9e:da:84:8e:15:c6:e5:71:a6:f7:eb:30:25:99 test_id (RSA)
godog@i7:/tmp$ 


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing-proposed-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.17.10
ii  libc6             2.19-7
ii  libedit2          3.1-20140620-1
ii  libgssapi-krb5-2  1.12.1+dfsg-5
ii  libselinux1       2.3-1
ii  libssl1.0.0       1.0.1h-3
ii  passwd            1:4.2-2
ii  zlib1g            1:1.2.8.dfsg-1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- no debconf information

