Bug#99675: marked as done ("unprotected private key file" warning problems)

Tue, 12 Jun 2007 17:15:09 -0700 

Your message dated Wed, 13 Jun 2007 00:02:51 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#99675: fixed in openssh 1:4.6p1-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message --- 
Package: ssh
Version: 1:2.5.2p2-2.1
Severity: normal

If I attempt to log in by RSA authentification, with the -i argument to ssh
to denote a file containing the private key, then if that
file has the wrong permissions, then as expected the warning

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Bad ownership or mode(0704) for 'identity'.

appears. ssh then asks for the passphrase for the key, promptly gives
the warning again and then abandons the login, with a misleading error
message:

debug1: Trying RSA authentication with key '[EMAIL PROTECTED]'
debug1: Received RSA challenge from server.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Bad ownership or mode(0704) for 'identity'.
It is recommended that your private key files are NOT accessible by others.
Enter passphrase for RSA key '[EMAIL PROTECTED]': 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Bad ownership or mode(0704) for 'identity'.
It is recommended that your private key files are NOT accessible by others.
Bad passphrase.

If ssh is going to abandon the login anyway, surely it could do this
after the first warning, rather than giving the warning, asking for
the passphrase, then giving the same warning again before abandoning
the login. On top of that, the final error given, "Bad passphrase" is
wrong; if I simply change the permissions on the identity file to
-rwx------ then I can log in with the same passphrase with no errors
at all.

cheers,

Phil Armstrong


-- System Information
Debian Release: testing/unstable
Kernel Version: Linux kantaka 2.4.5 #1 Mon May 28 15:55:16 BST 2001 i586 unknown

Versions of the packages ssh depends on:
ii  debconf        0.9.62         Debian configuration management system
ii  libc6          2.2.3-5        GNU C Library: Shared libraries and Timezone
ii  libpam0g       0.72-24        Pluggable Authentication Modules library
ii  libpam-modules 0.72-24        Pluggable Authentication Modules for PAM
ii  libssl0.9.6    0.9.6a-3       SSL shared libraries
ii  libwrap0       7.6-7          Wietse Venema's TCP wrappers library
ii  zlib1g         1.1.3-15       compression library - runtime

--- Begin /etc/ssh/ssh_config (modified conffile)
Host localhost
    ForwardAgent yes
    ForwardX11 yes
Host *
   FallBackToRsh no
   UseRsh no
   Protocol 2,1
Cipher blowfish
EscapeChar ~

--- End /etc/ssh/ssh_config

--- End Message ---
--- Begin Message --- 
Source: openssh
Source-Version: 1:4.6p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_4.6p1-1_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_4.6p1-1_powerpc.udeb
openssh-client_4.6p1-1_powerpc.deb
  to pool/main/o/openssh/openssh-client_4.6p1-1_powerpc.deb
openssh-server-udeb_4.6p1-1_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_4.6p1-1_powerpc.udeb
openssh-server_4.6p1-1_powerpc.deb
  to pool/main/o/openssh/openssh-server_4.6p1-1_powerpc.deb
openssh_4.6p1-1.diff.gz
  to pool/main/o/openssh/openssh_4.6p1-1.diff.gz
openssh_4.6p1-1.dsc
  to pool/main/o/openssh/openssh_4.6p1-1.dsc
openssh_4.6p1.orig.tar.gz
  to pool/main/o/openssh/openssh_4.6p1.orig.tar.gz
ssh-askpass-gnome_4.6p1-1_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_4.6p1-1_powerpc.deb
ssh-krb5_4.6p1-1_all.deb
  to pool/main/o/openssh/ssh-krb5_4.6p1-1_all.deb
ssh_4.6p1-1_all.deb
  to pool/main/o/openssh/ssh_4.6p1-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[EMAIL PROTECTED]> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 13 Jun 2007 00:28:26 +0100
Source: openssh
Binary: ssh-askpass-gnome ssh-krb5 openssh-client-udeb ssh openssh-server 
openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.6p1-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <[EMAIL PROTECTED]>
Changed-By: Colin Watson <[EMAIL PROTECTED]>
Description: 
 openssh-client - secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell server, an rshd replacement
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (transitional package)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for 
ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 50612 88337 99675 103677 122188 257524 307890 319639 333447 369964 
389038 395507 397961 408027 410599 420035
Changes: 
 openssh (1:4.6p1-1) unstable; urgency=low
 .
   * New upstream release (closes: #395507, #397961, #420035). Important
     changes not previously backported to 4.3p2:
     - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
       + On portable OpenSSH, fix a GSSAPI authentication abort that could be
         used to determine the validity of usernames on some platforms.
       + Implemented conditional configuration in sshd_config(5) using the
         "Match" directive. This allows some configuration options to be
         selectively overridden if specific criteria (based on user, group,
         hostname and/or address) are met. So far a useful subset of
         post-authentication options are supported and more are expected to
         be added in future releases.
       + Add support for Diffie-Hellman group exchange key agreement with a
         final hash of SHA256.
       + Added a "ForceCommand" directive to sshd_config(5). Similar to the
         command="..." option accepted in ~/.ssh/authorized_keys, this forces
         the execution of the specified command regardless of what the user
         requested. This is very useful in conjunction with the new "Match"
         option.
       + Add a "PermitOpen" directive to sshd_config(5). This mirrors the
         permitopen="..." authorized_keys option, allowing fine-grained
         control over the port-forwardings that a user is allowed to
         establish.
       + Add optional logging of transactions to sftp-server(8).
       + ssh(1) will now record port numbers for hosts stored in
         ~/.ssh/known_hosts when a non-standard port has been requested
         (closes: #50612).
       + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a
         non-zero exit code) when requested port forwardings could not be
         established.
       + Extend sshd_config(5) "SubSystem" declarations to allow the
         specification of command-line arguments.
       + Replacement of all integer overflow susceptible invocations of
         malloc(3) and realloc(3) with overflow-checking equivalents.
       + Many manpage fixes and improvements.
       + Add optional support for OpenSSL hardware accelerators (engines),
         enabled using the --with-ssl-engine configure option.
       + Tokens in configuration files may be double-quoted in order to
         contain spaces (closes: #319639).
       + Move a debug() call out of a SIGCHLD handler, fixing a hang when the
         session exits very quickly (closes: #307890).
       + Fix some incorrect buffer allocation calculations (closes: #410599).
       + ssh-add doesn't ask for a passphrase if key file permissions are too
         liberal (closes: #103677).
       + Likewise, ssh doesn't ask either (closes: #99675).
     - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
       + sshd now allows the enabling and disabling of authentication methods
         on a per user, group, host and network basis via the Match directive
         in sshd_config.
       + Fixed an inconsistent check for a terminal when displaying scp
         progress meter (closes: #257524).
       + Fix "hang on exit" when background processes are running at the time
         of exit on a ttyful/login session (closes: #88337).
   * Update to current GSSAPI patch from
     
http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch;
     install ChangeLog.gssapi.
   * Build the .deb --with-ssl-engine (closes: #408027, LP: #119295).
   * Use LSB functions in init scripts, and add an LSB-style header (partly
     from Ubuntu and partly thanks to Christian Perrier; closes: #389038).
   * Move init script start links to S16, move rc1 stop link to K84, and
     remove rc0 and rc6 stop links altogether (the last part from Ubuntu;
     closes: #122188).
   * Emit a slightly more informative message from the init script if
     /dev/null has somehow become not a character device (closes: #369964).
   * Belatedly build-depend on zlib1g-dev (>= 1:1.2.3-1) (closes: #333447).
   * Merge from Ubuntu:
     - Build position-independent executables (only for debs, not for udebs)
       to take advantage of address space layout randomisation.
     - If building on Ubuntu, add /sbin, /usr/sbin, and /usr/local/sbin to
       the default path.
   * Use ${binary:Version} rather than ${Source-Version} in openssh-server ->
     openssh-client dependency.
Files: 
 274b1d5892e3805fc6cf02b4bcbae0d4 1062 net standard openssh_4.6p1-1.dsc
 cee58cd226138191561fa2d484e18f49 946439 net standard openssh_4.6p1.orig.tar.gz
 e31a11367a77ac6a5293286e463324bf 178464 net standard openssh_4.6p1-1.diff.gz
 6a07b42810cb43825f5bccfef27d050b 1060 net extra ssh_4.6p1-1_all.deb
 7611c62669803ede6d8873172807daa6 78884 net extra ssh-krb5_4.6p1-1_all.deb
 b410989a5fec7a9bb28040ae06805a2b 687032 net standard 
openssh-client_4.6p1-1_powerpc.deb
 eb67e9f21b381580a36a96e492e88479 257292 net optional 
openssh-server_4.6p1-1_powerpc.deb
 8e23b1d093801f6caef9472eb8a84eab 88536 gnome optional 
ssh-askpass-gnome_4.6p1-1_powerpc.deb
 efc9ed4c7588942ed0ab42c5626ba523 173176 debian-installer optional 
openssh-client-udeb_4.6p1-1_powerpc.udeb
 d5eb39406e06da0896e23a60c9d48089 179456 debian-installer optional 
openssh-server-udeb_4.6p1-1_powerpc.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFGbzCf9t0zAhD6TNERAmG1AJ96GA3o1U0f6u/gN9PlPhqdwwigCQCfTqmo
3RySlNDddnYbYP+sdo0jr9w=
=H7r5
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to