You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "Goldstein Lyor (JIRA)" <ji...@apache.org> on 2015/11/15 07:08:10 UTC
[jira] [Resolved] (SSHD-584) permisison of ~/.ssh/config with
group/world readable is legal
[ https://issues.apache.org/jira/browse/SSHD-584?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Goldstein Lyor resolved SSHD-584.
---------------------------------
Resolution: Not A Problem
According to the [OpenSSH Client Configuration|https://en.wikibooks.org/wiki/OpenSSH/Client_Configuration_Files#.7E.2F.ssh.2Fconfig]:
{quote}
This file must not be accessible to other users in any way. Set strict permissions: read/write for the user, and not accessible by others.
{quote}
The only exception to this rule is:
{quote}
It may group-writable if and only if that user is the only member of the group in question.
{quote}.
In our case, since there is not easy portable way to check in pure _Java_ that the group in question contains only one member - the user, we chose the strict approach. If the permissions are too strict for you, you can easily override this:
{code:java}
HostConfigEntryResolver myResolver = new DefaultConfigFileHostEntryResolver(false /* not strict */);
client.setHostConfigEntryResolver(myResolver);
{code}
> permisison of ~/.ssh/config with group/world readable is legal
> --------------------------------------------------------------
>
> Key: SSHD-584
> URL: https://issues.apache.org/jira/browse/SSHD-584
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 1.1.0
> Environment: build
> Reporter: Alon Bar-Lev
>
> Got this exception:
> ---
> testAttributes(org.apache.sshd.client.subsystem.sftp.SftpFileSystemTest) Time elapsed: 5.581 sec <<< ERROR!
> java.io.IOException: String permission violation (GROUP_READ) for /home/alonbl/.ssh/config
> at org.apache.sshd.client.config.hosts.DefaultConfigFileHostEntryResolver.reloadHostConfigEntries(DefaultConfigFileHostEntryResolver.java:80)
> at org.apache.sshd.client.config.hosts.ConfigFileHostEntryResolver.resolveEffectiveResolver(ConfigFileHostEntryResolver.java:86)
> at org.apache.sshd.client.config.hosts.ConfigFileHostEntryResolver.resolveEffectiveHost(ConfigFileHostEntryResolver.java:59)
> at org.apache.sshd.client.SshClient.connect(SshClient.java:339)
> at org.apache.sshd.client.subsystem.sftp.SftpFileSystemProvider.newFileSystem(SftpFileSystemProvider.java:177)
> at org.apache.sshd.client.subsystem.sftp.SftpFileSystemProvider.newFileSystem(SftpFileSystemProvider.java:87)
> at java.nio.file.FileSystems.newFileSystem(FileSystems.java:322)
> at java.nio.file.FileSystems.newFileSystem(FileSystems.java:272)
> at org.apache.sshd.client.subsystem.sftp.SftpFileSystemTest.testAttributes(SftpFileSystemTest.java:136)
> ---
> While ssh code enforces only world/group writeable at readconf.c::read_config_file:
> ---
> if (flags & SSHCONF_CHECKPERM) {
> struct stat sb;
> if (fstat(fileno(f), &sb) == -1)
> fatal("fstat %s: %s", filename, strerror(errno));
> if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
> (sb.st_mode & 022) != 0))
> fatal("Bad owner or permissions on %s", filename);
> }
> ---
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)