Wednesday, January 30, 2008

couldn't set file permissions in Cygwin

Here's a little tidbit that might help someone. I was configuring my public and private keys to allow secure SSH communications between my workstation and a server (see /2007/08/eliminating-need-to-enter-your-password.html for more details). The workstation is an XP box running Cygwin and the server is a Linux variant. When I went to test ssh, I got the following error in Cygwin from the XP box that denied access to the private key:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
WARNING: UNPROTECTED PRIVATE KEY FILE!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Permissions 0644 for '/cygdrive/h/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /cygdrive/h/.ssh/id_rsa
Password:

Whoops. I guess that's my fault. Looking at the file permissions, I see that id_rsa perms are too loose:
bash-2.02$ ls -l id_rsa
-rw-r--r-- 1 28235 everyone 1675 Jan 30 15:33 id_rsa

I issued the following chmod command:
bash-2.02$ chmod 600 id_rsa
bash-2.02$ ls -l id_rsa
-rw-r--r-- 1 28235 everyone 1675 Jan 30 15:33 id_rsa

But the permissions stayed the same. What gives? Why aren't the permissions changing?

Apparently, Cygwin has two ways to deal with file permissions. Here's the explanation:
http://www.iu.hio.no/cfengine/docs/cfengine-NT/node24.html

The short answer, though, is that I was able to solve my problem by setting this environment variable in /Cygnus/cygwin-b20/cygnus.bat:
set CYGWIN=ntea

Once I set that environment variable in the batch script and restarted a new Cygwin shell, I was able to set the permissions correctly:
bash-2.02$ chmod 600 id_rsa
bash-2.02$ ls -l id_rsa
-rw------- 1 28235 everyone 1675 Jan 30 15:33 id_rsa

Update 2/8/2008
I also got bollocksed with id_rsa permissions if my user's NT permissions on the file were not Full Control. So watch out for that as well.

Live and learn!
sodo
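
A way to catch the silent failure described above, as an added example that is not part of the original post: these sh functions run chmod 600 and then re-read the mode from ls, so a chmod that "succeeds" without changing anything gets reported instead of going unnoticed until ssh ignores the key. The function names and return codes are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the nine permission characters from `ls -ld`, e.g. "rw-r--r--".
# cut -c2-10 skips the file-type character and any trailing ACL marker.
key_mode() {
    ls -ld "$1" | cut -c2-10
}

# Return 0 if group and other have no access bits set, 1 otherwise.
# 0644 (rw-r--r--) fails this check; 0600 (rw-------) passes.
key_is_private() {
    case "$(key_mode "$1")" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# chmod 600 the key, then verify the mode really changed. Return codes:
#   0 = key is now private
#   2 = chmod reported success but the mode did not change
#   3 = chmod itself failed
lock_key() {
    key=$1
    chmod 600 "$key" 2>/dev/null || return 3
    if key_is_private "$key"; then
        return 0
    fi
    echo "chmod 600 had no effect on $key (mode is still $(key_mode "$key"))" >&2
    echo "check the CYGWIN setting and your NT permissions on the file" >&2
    return 2
}

# Usage: sh thisscript.sh /path/to/id_rsa
if [ $# -gt 0 ]; then
    lock_key "$1"
fi
```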

3 comments:

robert said...

Nice post cacasodo. It came up as the 4th result for a search I did on some ssh permissions questions.

Cheers
maximus

robert said...

FYI the google search was:
set permissions on id_rsa

-maximus

Cacasodo said...

Interesting. Thanks for dropping by!
;)
