Community
Participate
Working Groups
Build ID: M20060118-1600 (Ubuntu version: 3.1.2-1ubuntu6) Steps To Reproduce: 1. Window->Preferences->Team->CVS->SSH2 Connection Method->Key Management 2. Generate a DSA key 3. Copy public key into authorized_keys file 4. Save private key 5. Attempt to use the CVS features Result: You will be prompted first for your passphrase to the DSA key, then for the keyboard interactive password TWICE for every CVS task you perform. More information: May be related to bug 130582, 119008. I was being prompted for my dsa key passphrase, and then for the ssh password every time I did anything with CVS. While fiddling with the public key authentication I tried simply logging in using ssh from the command line. It gave me this error: mpatterson@mattrp:~ $ ssh localhost @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Permissions 0644 for '/home/mpatterson/.ssh/id_dsa' are too open. It is recommended that your private key files are NOT accessible by others. This private key will be ignored. bad permissions: ignore key: /home/mpatterson/.ssh/id_dsa Enter passphrase for key '/home/mpatterson/.ssh/id_dsa': Password: When I corrected the permissions issue I was able to use eclipse CVS with no more password prompts or issues.
(In reply to comment #0) > Build ID: M20060118-1600 (Ubuntu version: 3.1.2-1ubuntu6) > Steps To Reproduce: > 1. Window->Preferences->Team->CVS->SSH2 Connection Method->Key Management > 2. Generate a DSA key > 3. Copy public key into authorized_keys file > 4. Save private key > 5. Attempt to use the CVS features > When I corrected the permissions issue I was able to use eclipse CVS with no > more password prompts or issues. I'm sorry, but I'm confusing what you are talking about. Do you mean that you can get accesses to the remote without the prompt for "passphrase"? Anyway, the essence of this problem is that the permission of your "authorized_keys" is too open and the sshd has rejected to adopt it. What you did to "correct the permissions"? I guess you also changed the permission of "authorized_keys" file. IMHO, this is not a bug of Eclipse SDK.
I corrected the permissions by making my id_dsa file permissions 600. I agree that this is not something necessarily wrong with eclipse, but it does manifest itself as a problem in eclipse, at least to the user. I simply meant to post this as a solution to be placed somewhere like a FAQ. Perhaps eclipse should be aware of this failure case and give the user useful feedback? Perhaps eclipse should produce private key files with appropriate permissions in the first place?
(In reply to comment #2) > I corrected the permissions by making my id_dsa file permissions 600. I hardly believe what you are talking about, because Eclipse SDK does not check the permission of "id_dsa" and sshd must not check it. I'll recommend to change the permission of id_dsa to 0644 again and try CVS extssh connection. > I agree that this is not something necessarily wrong with eclipse, but it does > manifest itself as a problem in eclipse, at least to the user. I simply meant > to post this as a solution to be placed somewhere like a FAQ. > Perhaps eclipse should be aware of this failure case and give the user useful > feedback? Perhaps eclipse should produce private key files with appropriate > permissions in the first place? How to check the file permissions and change them in pure Java? Does Java5(or 6) have such functionalities?
Attempt #1, permissions 644 as suggested: mpatterson@mattrp:~/.ssh $ ls -l total 20 -rw-r--r-- 1 mpatterson mpatterson 1196 2007-03-27 19:56 #authorized_keys# -rw-r--r-- 1 mpatterson mpatterson 598 2007-03-26 21:34 authorized_keys -rw-r--r-- 1 mpatterson mpatterson 672 2007-03-26 21:34 id_dsa -rw-r--r-- 1 mpatterson mpatterson 598 2007-03-26 21:34 id_dsa.pub -rw-r--r-- 1 mpatterson mpatterson 540 2007-03-28 08:08 known_hosts mpatterson@mattrp:~/.ssh $ ssh 10.10.0.100 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Permissions 0644 for '/home/mpatterson/.ssh/id_dsa' are too open. It is recommended that your private key files are NOT accessible by others. This private key will be ignored. bad permissions: ignore key: /home/mpatterson/.ssh/id_dsa Enter passphrase for key '/home/mpatterson/.ssh/id_dsa': Attempt #2, permissions 600: mpatterson@mattrp:~/.ssh $ ls -l total 20 -rw-r--r-- 1 mpatterson mpatterson 1196 2007-03-27 19:56 #authorized_keys# -rw-r--r-- 1 mpatterson mpatterson 598 2007-03-26 21:34 authorized_keys -rw------- 1 mpatterson mpatterson 672 2007-03-26 21:34 id_dsa -rw-r--r-- 1 mpatterson mpatterson 598 2007-03-26 21:34 id_dsa.pub -rw-r--r-- 1 mpatterson mpatterson 540 2007-03-28 08:08 known_hosts mpatterson@mattrp:~/.ssh $ ssh 10.10.0.100 Linux mattrp 2.6.15-28-k7 #1 SMP PREEMPT Thu Feb 1 16:36:09 UTC 2007 i686 GNU/Linux The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. You have mail. Last login: Wed Mar 28 08:09:24 2007 from 10.10.0.100 mpatterson@mattrp:~ $ As for how to change permissions in Java, I have no clue, I am not a Java coder.
(In reply to comment #4) > Attempt #1, permissions 644 as suggested: > mpatterson@mattrp:~/.ssh $ ls -l ... > mpatterson@mattrp:~/.ssh $ ssh 10.10.0.100 What is your intention? You have been reporting the problem in CVS connection from Eclipse SDK and we need to understand what is the reason and we want to fix it if possible. I have asked you to try CVS extssh connection! The error on OpenSSH's clients is other issue. It is trivial.
My intention is simply to share a solution. More than a few people are having what sounds like similiar authentication issues related to CVS and eclipse. Check the bug numbers I listed or do a google search if you don't believe me. Perhaps adding the information to a FAQ, or to the work in progress manual for eclipse? On a different note, I would like to suggest that you change your approach to bugs reports you recieve. This has not been a pleasant experience. Every response you have given has been confrontational and dismissive. I made it very clear that I already had a solution to the issue at hand and was simply requesting documentation/improved error case handling. I sincerely hope that information makes it into a patch for the product, to give the user useful feedback, or into a FAQ so a confused user can solve their own problem. Eclipse is a good product, but treating the few users who report useful information/bugs like this is not a way to retain a user base.
(In reply to comment #6) > My intention is simply to share a solution. More than a few people are having > what sounds like similiar authentication issues related to CVS and eclipse. > Check the bug numbers I listed or do a google search if you don't believe me. I want to know the reason. You had a problem on CVS connection from Eclipse. Are you using CVS 'ext' connection on CVS plug-in? Your first post was at bug 119008 and it is just for CVS 'extssh' connection. I'm sorry for my lack of imagination. > On a different note, I would like to suggest that you change your approach to > bugs reports you recieve. Thank you for your kind suggestions. I'll keep it in my mind.
So, the tilte of this bug entry should be "[EXT] OpenSSH's clinet fails public-key auth due to file permissions" To address this issue, we may be able to add a message like "Please check file permissions" in generating the key pair on the Preferense page, but on Windows platform it is nonsense. As for the FAQ,... Almost of users who can use OpenSSH's client will use ssh-keygen command and this bug entry must be very rare case. So, it may not be "Frequent" question, but if somebody think that it is worth adding, please add it.
Matthew, thank you for taking the time to describe this issue. I think there are two things we should consider doing here. 1) We should certainly mention this is the FAQ. I have added an entry: http://wiki.eclipse.org/index.php/CVS_FAQ#Why_do_I_get_prompted_first_for_my_passphrase_to_the_DSA_key.2C_then_for_the_keyboard_interactive_password_TWICE_for_every_CVS_I_perform.3F Please have a look at it. If you feel it needs to be changed, let me know (or you could edit it yourself as anyone with a Bugzilla account can edit the wiki). 2) YMNK, is there a way for us to detect the error and inform the user of the problem without requiring them to use an external client? Even if we could log the message or print it on the CVS console, it would be a help.
(In reply to comment #9) > 2) YMNK, is there a way for us to detect the error and inform the user of the > problem without requiring them to use an external client? Even if we could log > the message or print it on the CVS console, it would be a help. I think so. Since JSch 0.1.30, the logging mechanism has been introduced. In the near future if we are allowed to update jsch version, it will be possible to put internal logging messages from jsch on the CVS console or PDE Error Log.
Excellent. Based on the status of the request, I think we are close to getting approval to add 0.1.31 to the Platform.
Approval is taking longer than I had hoped. At this point, even if we get approval for 3.3, we won;t have time to incorporate any new features.
This bug hasn't had any activity in quite some time. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. If you have further information on the current state of the bug, please add it. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant. -- The automated Eclipse Genie.