Hi, We don't plan to remove this check. Accidental key exposure is still an unfortunately common problem and, while this check isn't perfect, I'm pretty sure that it avoids enough real-world misconfiguration to justify it's continued existence. You're right that it doesn't withstand a determined administrator and that's fine too - it isn't supposed to. -d On Fri, 19 Oct 2018, L A Walsh wrote: > Third party programs should not be dictating to users how > to manage their systems. Things like: > > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > Permissions 0660 for '/Users/law.Bliss/.ssh/id_rsa' are too open. > It is required that your private key files are NOT accessible by others > This private key will be ignored. > Load key "/Users/law.Bliss/.ssh/id_rsa": bad permissions > > 1) how would you know if they are "too open". I assign a group to > each user. How would they claim my permissions are "bad". > 2) In this specific case, my local-machine and domain login > are different UID's, so I put them in the same GID to allow > access no matter UID I am logged in with. > 3) It may give some users a false sense of "security" if they believe > that setting perms to something like 0600 will give them the security of > only their 1 login having access. They had better not rely on that. > > 4) I no longer get the warning -- I can simple change the permission > bits to match what is wanted then add my group as an acl -- which > gives the group full access but circumvents the irrelevant warning. > > 5) since my home directory is exported and mountable via samba, anyone > in the administrators or Domain Admins group (among others) can read it > as well. > > 6) I.e. the warning message is outdated, inaccurate and not really needed. > > Thanks much! > -linda > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev@xxxxxxxxxxx > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
