You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "Goldstein Lyor (JIRA)" <ji...@apache.org> on 2015/11/15 07:08:10 UTC

[jira] [Resolved] (SSHD-584) permisison of ~/.ssh/config with group/world readable is legal

     [ https://issues.apache.org/jira/browse/SSHD-584?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Goldstein Lyor resolved SSHD-584.
---------------------------------
    Resolution: Not A Problem

According to the [OpenSSH Client Configuration|https://en.wikibooks.org/wiki/OpenSSH/Client_Configuration_Files#.7E.2F.ssh.2Fconfig]:
{quote}
This file must not be accessible to other users in any way. Set strict permissions: read/write for the user, and not accessible by others.
{quote}
The only exception to this rule is:
{quote}
It may group-writable if and only if that user is the only member of the group in question.
{quote}.
In our case, since there is not easy portable way to check in pure _Java_ that the group in question contains only one member - the user, we chose the strict approach. If the permissions are too strict for you, you can easily override this:
{code:java}
    HostConfigEntryResolver myResolver = new DefaultConfigFileHostEntryResolver(false /* not strict */);
    client.setHostConfigEntryResolver(myResolver);
{code}

> permisison of ~/.ssh/config with group/world readable is legal
> --------------------------------------------------------------
>
>                 Key: SSHD-584
>                 URL: https://issues.apache.org/jira/browse/SSHD-584
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 1.1.0
>         Environment: build
>            Reporter: Alon Bar-Lev
>
> Got this exception:
> ---
> testAttributes(org.apache.sshd.client.subsystem.sftp.SftpFileSystemTest)  Time elapsed: 5.581 sec  <<< ERROR!
> java.io.IOException: String permission violation (GROUP_READ) for /home/alonbl/.ssh/config
>         at org.apache.sshd.client.config.hosts.DefaultConfigFileHostEntryResolver.reloadHostConfigEntries(DefaultConfigFileHostEntryResolver.java:80)
>         at org.apache.sshd.client.config.hosts.ConfigFileHostEntryResolver.resolveEffectiveResolver(ConfigFileHostEntryResolver.java:86)
>         at org.apache.sshd.client.config.hosts.ConfigFileHostEntryResolver.resolveEffectiveHost(ConfigFileHostEntryResolver.java:59)
>         at org.apache.sshd.client.SshClient.connect(SshClient.java:339)
>         at org.apache.sshd.client.subsystem.sftp.SftpFileSystemProvider.newFileSystem(SftpFileSystemProvider.java:177)
>         at org.apache.sshd.client.subsystem.sftp.SftpFileSystemProvider.newFileSystem(SftpFileSystemProvider.java:87)
>         at java.nio.file.FileSystems.newFileSystem(FileSystems.java:322)
>         at java.nio.file.FileSystems.newFileSystem(FileSystems.java:272)
>         at org.apache.sshd.client.subsystem.sftp.SftpFileSystemTest.testAttributes(SftpFileSystemTest.java:136)
> ---
> While ssh code enforces only world/group writeable at readconf.c::read_config_file:
> ---
>         if (flags & SSHCONF_CHECKPERM) {
>                 struct stat sb;
>                 if (fstat(fileno(f), &sb) == -1)
>                         fatal("fstat %s: %s", filename, strerror(errno));
>                 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
>                     (sb.st_mode & 022) != 0))
>                         fatal("Bad owner or permissions on %s", filename);
>         }
> ---



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)