Kevin Kunka
09/23/2014 1:57 PM
post111850
Re: ssh-keygen creating unprotected key file
The ramdisk is likely formatted as a DOS partition, which does not support permissions. Try re-formatting it as a QNX6
partition.
Kevin

Mate Szarvas
09/23/2014 2:06 PM
post111853
Re: ssh-keygen creating unprotected key file
Even if you created a ramdisk with a filesystem that supports POSIX permissions and you think is being used by ssh-keygen, it is possible that in reality it is using /etc/ssh from your SD card that, blind guess, has a FAT filesystem.
This can happen due to unioning of the filesystems, depending on the mount order and mount flags.
Did you verify, e.g., by moving your SD card to your host computer, that the keys are not stored on the SD card?
Original Message
From: Christopher Olarti
Sent: Wednesday, September 24, 2014 02:54
To: osmeta-core_os
Reply To: osmeta-core_os@community.qnx.com
Subject: ssh-keygen creating unprotected key file
When trying to initialize sshd by generating rsa/dsa keys using the following commands:
ssh-keygen -t dsa -v -f /etc/ssh/ssh_host_dsa_key -N ''
ssh-keygen -t rsa -v -f /etc/ssh/ssh_host_rsa_key -N ''
the files are created in /etc/ssh/; however, when trying to execute /usr/sbin/sshd I get the following message:
# cd etc/ssh
# ls -al
total 74
drwx------ 2 root root 16384 Jan 01 00:00 .
drwx------ 2 root root 16384 Jan 01 00:00 ..
-rw-rw-rw- 1 root root 751 Jan 01 1980 ssh_host_dsa_key
-rw-rw-rw- 1 root root 604 Jan 01 1980 ssh_host_dsa_key.pub
-rw-rw-rw- 1 root root 1766 Jan 01 1980 ssh_host_rsa_key
-rw-rw-rw- 1 root root 396 Jan 01 1980 ssh_host_rsa_key.pub
-rw-rw-rw- 1 root root 155 Sep 23 2014 sshd_config
# /tmp/sshd
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0666 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0666 for '/etc/ssh/ssh_host_dsa_key' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /etc/ssh/ssh_host_dsa_key
Could not load host key: /etc/ssh/ssh_host_dsa_key
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting
I see from other websites, they recommend permission rights 700 on the ssh folder and 600 on the files.
But when trying to perform chmod on a specific file, as the following:
# chmod -v -R 600 ./ssh_host_dsa_key
chmod: Changing ./ssh_host_dsa_key to mode 0600
# ls -al
total 74
drwx------ 2 root root 16384 Jan 01 00:00 .
drwx------ 2 root root 16384 Jan 01 00:00 ..
-rw-rw-rw- 1 root root 751 Jan 01 1980 ssh_host_dsa_key
-rw-rw-rw- 1 root root 604 Jan 01 1980 ssh_host_dsa_key.pub
-rw-rw-rw- 1 root root 1766 Jan 01 1980 ssh_host_rsa_key
-rw-rw-rw- 1 root root 396 Jan 01 1980 ssh_host_rsa_key.pub
-rw-rw-rw- 1 root root 155 Sep 23 2014 sshd_config
I am still seeing 0666.
So is there a way to change the permission rights on the key files when they are being generated?
Also a side issue, if an ssh-keygen fails, it disappears from the filesystem; however, if I copy the ssh-keygen macro to
the /tmp/ and use that keygen, then I can continuously re-use the macro.
Using an iMX6 SabreLite
Booting from an SD Card
Created a RAM Disk at /etc/ssh
Thanks in advance.
_______________________________________________
OSMeta
http://community.qnx.com/sf/go/post111849
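
The check both replies point at, as an added example that is not part of the original thread: a POSIX sh helper that tests whether the filesystem behind a directory keeps chmod changes, then flags private host keys with group/other bits set. The function names are hypothetical; the directory and key file names follow the listing in the post.

```sh
#!/bin/sh
# Added example: pre-flight check for sshd host keys (function names are hypothetical).

# perm_of FILE: print the 10-character mode string from ls, e.g. -rw-------
perm_of() {
    ls -ld -- "$1" | cut -c1-10
}

# too_open MODESTRING: succeed if any group/other bit is set. This mirrors the
# "Permissions 0666 ... are too open" rejection shown in the post.
too_open() {
    go=$(printf '%s\n' "$1" | cut -c5-10)
    [ "$go" != "------" ]
}

# fs_honors_chmod DIR: write a scratch file in DIR, set two different modes and
# read each back. A filesystem that discards POSIX modes fails the comparison.
fs_honors_chmod() {
    probe="$1/.chmod_probe.$$"
    : > "$probe" || return 2
    chmod 600 "$probe" 2>/dev/null
    first=$(perm_of "$probe")
    chmod 640 "$probe" 2>/dev/null
    second=$(perm_of "$probe")
    rm -f -- "$probe"
    [ "$first" = "-rw-------" ] && [ "$second" = "-rw-r-----" ]
}

# check_host_keys DIR: return non-zero if DIR cannot keep modes or if any
# private host key in it has group/other access.
check_host_keys() {
    dir=$1
    bad=0
    if ! fs_honors_chmod "$dir"; then
        echo "$dir: filesystem does not keep chmod changes" >&2
        bad=1
    fi
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        mode=$(perm_of "$key")
        if too_open "$mode"; then
            echo "$key: mode $mode is too open for a private key" >&2
            bad=1
        fi
    done
    return "$bad"
}
```

Source the file and run `check_host_keys /etc/ssh` before starting sshd; it writes and removes one scratch file in that directory.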