[OpenAFS-devel] User-friendly Mac OS X patch causes SSH hardship

Christopher Alexander North-Keys erlkonig@isgenesis.com
Wed, 07 Feb 2007 15:34:18 -0600


Normally, we solve this by making a ~/.ssh/private/, moving the private 
keys into it, and then making symlinks from the old locations to the new 
ones, and setting the ACLs to something like (for user "erlkonig"):

$ fs la ~/.ssh
Access list for /afs/isgenesis.com/user/erlkonig/.ssh is
Normal rights:
   system:administrators rlidwka
   system:anyuser rl
   erlkonig rlidwka
$ fs la ~/.ssh/private
Access list for /afs/isgenesis.com/user/erlkonig/.ssh/private is
Normal rights:
   system:administrators rl
   erlkonig rlidwka

The links in .ssh look like:

  1 lrwxr-xr-x   1 ...  14 2004-07-23 18:38 id_dsa -> private/id_dsa
  1 -rw-r--r--   1 ... 619 2004-06-02 16:12 id_dsa.pub
  1 lrwxr-xr-x   1 ...  14 2004-07-23 18:38 id_rsa -> private/id_rsa
  1 -rw-r--r--   1 ... 239 2004-06-02 16:11 id_rsa.pub


Atro Tossavainen wrote:
> Hi,
> 
> The permission-faking patch in the Mac OS X port of OpenAFS is
> causing some unexpected trouble here.
> 
> When users' home directories are on AFS and they have SSH key files
> in $HOME/.ssh which they would like to use for logging in to other
> computers, OpenSSH throws a tantrum because the permissions appear
> too permissive.  I imagine it might also not be the only program
> that thinks it knows something by virtue of the UNIX mode bits of
> the files and directories involved.  I am aware of the Finder-related
> reasoning for the fake permissions patch, am just wondering if there
> is a workaround or a compromise that would satisfy Finder but would
> not cause SSH any extra hard times either.
> 
> mac% ssh othermachine
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Permissions 0666 for '$HOME/.ssh/id_dsa' are too open.
> It is recommended that your private key files are NOT accessible by others.
> This private key will be ignored.
> bad permissions: ignore key: $HOME/.ssh/id_dsa
> Enter passphrase for key '$HOME/.ssh/id_dsa': 
> 

-- 
C. Alex. North-Keys
Catalis, Inc.
erlkonig@isgenesis.com
512.874.7666
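The workaround described in the message above, written out as a POSIX shell script. This is an added example, not code from the original post or from the OpenAFS project: it moves the private halves of id_* key pairs into ~/.ssh/private/, leaves relative symlinks behind (so the layout matches the ls listing in the post), and applies the two ACLs shown with fs setacl. Assumptions: the AFS client's fs binary is on PATH (the ACL step is skipped when it is absent, so the file moves can be tested on a non-AFS box), the AFS username is passed as the second argument, and the keys to protect are named id_*; nothing here changes UNIX mode bits, since on the permission-faking Mac OS X client those are not what controls access anyway.

```shell
#!/bin/sh
# Added example, not part of the original post. Move OpenSSH private keys out
# of an AFS-backed ~/.ssh into ~/.ssh/private, leave symlinks behind, and set
# the AFS ACLs quoted in the post (assumes "fs" is on PATH and $2 is the AFS
# user; the ACL step is skipped when fs is not available).

migrate_ssh_keys() {
    sshdir=$1
    afsuser=$2
    priv="$sshdir/private"
    mkdir -p "$priv" || return 1

    for key in "$sshdir"/id_*; do
        # public halves stay where they are (they need to be readable anyway)
        case "$key" in *.pub) continue ;; esac
        # no match for the glob, or already migrated: nothing to do
        [ -f "$key" ] || continue
        if [ -L "$key" ]; then continue; fi
        base=$(basename "$key")
        mv "$key" "$priv/$base" || return 1
        # relative target, as in the post's listing: id_rsa -> private/id_rsa
        ln -s "private/$base" "$key" || return 1
    done

    if command -v fs >/dev/null 2>&1; then
        # ACLs from the post: ~/.ssh stays listable by anyuser (so the .pub
        # files and symlinks can be found), private/ gives anyuser nothing.
        # -clear drops whatever entries were inherited at creation time.
        fs setacl -dir "$sshdir" \
            -acl system:administrators rlidwka system:anyuser rl "$afsuser" rlidwka \
            -clear
        fs setacl -dir "$priv" \
            -acl system:administrators rl "$afsuser" rlidwka \
            -clear
    fi
    return 0
}

# Returns 0 when every id_* private key in $1 is a symlink into private/
# whose target exists, 1 otherwise. Useful after migration, and as a cheap
# check that nobody has since dropped a real key file back into ~/.ssh.
check_layout() {
    sshdir=$1
    for key in "$sshdir"/id_*; do
        case "$key" in *.pub) continue ;; esac
        if [ ! -e "$key" ] && [ ! -L "$key" ]; then continue; fi
        [ -L "$key" ] || return 1
        target=$(readlink "$key")
        case "$target" in private/*) ;; *) return 1 ;; esac
        [ -f "$sshdir/$target" ] || return 1
    done
    return 0
}

# Typical use: migrate_ssh_keys "$HOME/.ssh" erlkonig && check_layout "$HOME/.ssh"
```

Running the function a second time is harmless: keys that are already symlinks are skipped, and the ACLs are simply reapplied. OpenSSH follows the symlink and checks the mode of the file in private/, which is why the post's layout quiets the "UNPROTECTED PRIVATE KEY FILE" warning only once the private/ directory's ACL excludes system:anyuser.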