Package: openssh-client
Version: 1:6.6p1-6
Severity: normal
File: /usr/bin/ssh-add

Hi,
I noticed that ssh-add will display a warning: unprotected private key file
and refuse to add the private material only when trying to add material
owned by the same user calling ssh. However, if the file is owned by another
user but nevertheless world readable, nothing is displayed and the key can
be added.

In other words:

godog@i7:~$ ssh-add -l
The agent has no identities.
godog@i7:~$ cd /tmp/
godog@i7:/tmp$ ssh-keygen -f test_id
The key fingerprint is:
32:23:9e:da:84:8e:15:c6:e5:71:a6:f7:eb:30:25:99 godog@i7
godog@i7:/tmp$ chmod a+r test_id
godog@i7:/tmp$ ssh-add test_id
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'test_id' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
godog@i7:/tmp$ sudo chown nobody test_id
[sudo] password for godog:
godog@i7:/tmp$ ssh-add test_id
Enter passphrase for test_id:
Identity added: test_id (test_id)
godog@i7:/tmp$ ssh-add -l
2048 32:23:9e:da:84:8e:15:c6:e5:71:a6:f7:eb:30:25:99 test_id (RSA)
godog@i7:/tmp$

-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing-proposed-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.17.10
ii  libc6             2.19-7
ii  libedit2          3.1-20140620-1
ii  libgssapi-krb5-2  1.12.1+dfsg-5
ii  libselinux1       2.3-1
ii  libssl1.0.0       1.0.1h-3
ii  passwd            1:4.2-2
ii  zlib1g            1:1.2.8.dfsg-1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- no debconf information

