GNOME Bugzilla – Bug 642008
GNOME keyring allows the use of SSH keys that have weak file access permissions
Last modified: 2018-03-10 05:14:29 UTC
OpenSSH enforces that one's keys must be mode 0700 so that unsafe permissions do not go unnoticed. It would be nice if GNOME keyring could detect/correct this and take appropriate action.
Test case:

1. Set permissions of SSH key to unsafe:
   $ chmod 644 ~/.ssh/id_rsa
2. Log into a SSH server that uses this key
   $ ssh master.gnome.org
   (works)
3. Stop GNOME keyring
   $ killall gnome-keyring-daemon
4. Log into SSH server
   $ ssh master.gnome.org
   (fails, OpenSSH complains about permissions)

   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
   @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
   Permissions 0644 for '/home/bob/.ssh/id_rsa' are too open.
   It is recommended that your private key files are NOT accessible by others.
   This private key will be ignored.
   bad permissions: ignore key: /home/bob/.ssh/id_rsa
   Permission denied (publickey).
Proposed solution:

1. GNOME keyring loads unsafe keys but marks them as such (this is because otherwise the user would not be able to tell why their keys aren't working)
2. When the user accesses the key, GNOME keyring puts up a dialog warning that the key is insecure.
3. The user has the option to cancel the use (default), fix the permissions, or ignore the warning.

I'm having trouble finding if/how the information can be easily passed to the UI - any pointers?
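The detection and "fix the permissions" steps of the proposal above, as an added example that is not part of the original report and is not gnome-keyring or OpenSSH code. The function and enum names are hypothetical, and the rule (a key owned by the caller must have no group/other bits, i.e. mode & 077 == 0) is modelled on the OpenSSH warning quoted in the test case.

```c
/* Added example: hypothetical helper names, not gnome-keyring source. */
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum key_perm { KEY_PERM_ERROR = -1, KEY_PERM_OK = 0, KEY_PERM_UNSAFE = 1 };

/* Classify an already-open key file. Assumed rule, modelled on OpenSSH:
 * a key owned by the caller must grant group/other no permission bits. */
static enum key_perm classify_fd(int fd, mode_t *mode_out)
{
    struct stat st;

    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))
        return KEY_PERM_ERROR;
    if (mode_out)
        *mode_out = st.st_mode & 0777;
    if (st.st_uid == getuid() && (st.st_mode & 077) != 0)
        return KEY_PERM_UNSAFE;
    return KEY_PERM_OK;
}

/* Step 1 of the proposal: detect, so the key can be loaded but marked. */
enum key_perm check_key_perms(const char *path, mode_t *mode_out)
{
    int fd = open(path, O_RDONLY);
    enum key_perm r = fd < 0 ? KEY_PERM_ERROR : classify_fd(fd, mode_out);

    if (fd >= 0)
        close(fd);
    return r;
}

/* The "fix the permissions" choice: clear group/other bits through the same
 * descriptor that was checked, so the path cannot be swapped in between. */
enum key_perm fix_key_perms(const char *path)
{
    mode_t mode = 0;
    int fd = open(path, O_RDONLY);
    enum key_perm r = fd < 0 ? KEY_PERM_ERROR : classify_fd(fd, &mode);

    if (r == KEY_PERM_UNSAFE)
        r = fchmod(fd, mode & 0700) == 0 ? classify_fd(fd, NULL) : KEY_PERM_ERROR;
    if (fd >= 0)
        close(fd);
    return r;
}
```

A caller would show the warning dialog when check_key_perms returns KEY_PERM_UNSAFE and call fix_key_perms only if the user picks that option.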
Hmmm, implementing the warning dialog is tough. Ignoring these files while printing warnings to the logs is easy, but like you said, this is going to cause problems for users for whom this has worked so far.

The code for loading the keys is in the ssh-store [1], the unlocking code in the wrap-layer [2], and the actual dialog in gnome-keyring-prompt [3].

[1] http://git.gnome.org/browse/gnome-keyring/tree/pkcs11/ssh-store/gkm-ssh-module.c#n104
[2] http://git.gnome.org/browse/gnome-keyring/tree/pkcs11/wrap-layer/gkm-wrap-layer.c#n700
[3] http://git.gnome.org/browse/gnome-keyring/tree/ui/gku-prompt-tool.c
Are you still interested in working on this? Perhaps a patch that might fix the permissions for ssh keys that have incorrect permissions?
gnome-keyring should just wrap stock ssh-agent to solve this problem: https://bugzilla.gnome.org/show_bug.cgi?id=775981
With bug 775981, the agent refuses the signing request (although there is no warning shown).