assistant: Ensure that .ssh/config and .ssh/authorized_keys are not group or world writable when writing to those files, as that can make ssh refuse to use them, if it allows another user to write to them.

Assistant/Ssh.hs

@@ -149,7 +149,7 @@ removeAuthorizedKeys gitannexshellonly dir pubkey = do
 	sshdir <- sshDir
 	let keyfile = sshdir </> "authorized_keys"
 	ls <- lines <$> readFileStrict keyfile
-	writeFile keyfile $ unlines $ filter (/= keyline) ls
+	viaTmp writeSshConfig keyfile $ unlines $ filter (/= keyline) ls
 
 {- Implemented as a shell command, so it can be run on remote servers over
  - ssh.
@@ -290,13 +290,15 @@ setSshConfig sshdata config = do
 	sshdir <- sshDir
 	createDirectoryIfMissing True sshdir
 	let configfile = sshdir </> "config"
-	unlessM (catchBoolIO $ isInfixOf mangledhost <$> readFile configfile) $
+	unlessM (catchBoolIO $ isInfixOf mangledhost <$> readFile configfile) $ do
 		appendFile configfile $ unlines $
 			[ ""
 			, "# Added automatically by git-annex"
 			, "Host " ++ mangledhost
 			] ++ map (\(k, v) -> "\t" ++ k ++ " " ++ v)
 				(settings ++ config)
+		setSshConfigMode configfile
+
 	return $ sshdata { sshHostName = T.pack mangledhost }
   where
 	mangledhost = mangleSshHostName sshdata

Utility/SshConfig.hs

@@ -10,6 +10,7 @@ module Utility.SshConfig where
 import Common
 import Utility.UserInfo
 import Utility.Tmp
+import Utility.FileMode
 
 import Data.Char
 import Data.Ord
@@ -117,7 +118,19 @@ changeUserSshConfig modifier = do
 		c <- readFileStrict configfile
 		let c' = modifier c
 		when (c /= c') $
-			viaTmp writeFile configfile c'
+			viaTmp writeSshConfig configfile c'
+
+writeSshConfig :: FilePath -> String -> IO ()
+writeSshConfig f s = do
+	writeFile f s
+	setSshConfigMode f
+
+{- Ensure that the ssh config file lacks any group or other write bits, 
+ - since ssh is paranoid about not working if other users can write
+ - to one of its config files (.ssh/config and .ssh/authorized_keys) -}
+setSshConfigMode :: FilePath -> IO ()
+setSshConfigMode f = modifyFileMode f $
+	removeModes [groupWriteMode, otherWriteMode]
 
 sshDir :: IO FilePath
 sshDir = do

debian/changelog

@@ -12,6 +12,9 @@ git-annex (5.20131231) UNRELEASED; urgency=medium
   * Assistant: Remove stale MERGE_HEAD files in lockfile cleanup.
   * Remotes can now be made read-only, by setting remote.<name>.annex-readonly
   * wanted, schedule: Avoid printing "ok" after requested value.
+  * assistant: Ensure that .ssh/config and .ssh/authorized_keys are not
+    group or world writable when writing to those files, as that can make
+    ssh refuse to use them, if it allows another user to write to them.
 
  -- Joey Hess <joeyh@debian.org>  Tue, 31 Dec 2013 13:41:18 -0400
 

doc/bugs/file_permissions_on___126____47__.ssh__47__config___40__windows__41__.mdwn

@@ -9,3 +9,12 @@ Windows 7, git-annex version 5.20131230-g192d991
 
 ### Please provide any additional information below.
 I have no daemon.log, and the console log isn't particularly detailed today; it had just created an ssh key and shown it's fingerprint.
+
+> Ok, I guess this is ssh refusing to use a file that has a group
+> write bit set (when the owner is not the only member of its group),
+> or perhaps that has the world write bit set.
+>
+> I have made the assistant unset those modes when creating and modifying
+> ssh config files. Hopefully that is enough for Windows too.. I can't
+> really test it there, but am calling this provisionally [[done]].
+> --[[Joey]]