OpenSSH incompatible with mkdir(mode=0o700) on Windows with OWNER RIGHTS #128038

Open
hssyoo opened this issue Dec 17, 2024 · 2 comments
Labels: 3.12 (bugs and security fixes), 3.13 (bugs and security fixes), 3.14 (new features, bugs and security fixes), OS-windows, stdlib (Python modules in the Lib dir), type-bug (An unexpected behavior, bug, or error)


hssyoo commented Dec 17, 2024

Bug report

Bug description:

On Windows, when a directory is created using Python's os.mkdir with mode=0o700, permissions for the OWNER RIGHTS group are attached. Files written to the directory inherit these permissions, unless explicitly disabled. This causes incompatibility with the OpenSSH client when attempting to pass a private key file stored in the created directory because permissions are "too open".

Although this can be avoided by calling os.mkdir with mode=0o400, there's no available workaround when using tempfile.TemporaryDirectory since the mode is hardcoded to 0o700.

To reproduce:

# Create a temporary directory
import tempfile

# Take note of `temp_dir.name`
temp_dir = tempfile.TemporaryDirectory()

# Place a private key file into `temp_dir.name`

In Windows Command Prompt:

> ssh -p port -i C:\Path\To\TempDir\Keyfile destination

Bad permissions. Try removing permissions for user: \\OWNER RIGHTS (S-1-3-4) on file C:\Path\To\TempDir\Keyfile.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'C:\Path\To\TempDir\Keyfile' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "C:\Path\To\TempDir\Keyfile": bad permissions
destination: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Based on the related CPython issue and PR linked below, I understand switching to OWNER RIGHTS was intentionally done to address a CVE. However, this has created friction between tempfile.TemporaryDirectory and OpenSSH.

Related:

CPython versions tested on:

3.12

Operating systems tested on:

Windows

hssyoo added the type-bug label Dec 17, 2024
picnixz added the stdlib, 3.12, 3.13, 3.14 and OS-windows labels Dec 17, 2024

zooba (Member) commented Dec 17, 2024

Hmm, that's unfortunate.

Do we know if OpenSSH deliberately excluded OWNER RIGHTS from allowable permissions? Perhaps they just overlooked it?

Is there any information on what ACLs they check for? Using OWNER RIGHTS was pretty important for us to be secure, so if they would require us to use a less secure option, the answer would likely be to allow the caller to override the permissions on the temporary directory, rather than changing the ACLs we set.

hssyoo (Author) commented Dec 17, 2024

> Is there any information on what ACLs they check for?

Based on Microsoft docs for host keys (which I imagine applies to private keys), only administrators and System are allowed access.

> if they would require us to use a less secure option,

My understanding is that it's not that they want a less secure option, it's just that CURRENT_USER would explicitly set the Administrator ACL (assuming it was created by an admin), whereas OWNER RIGHTS has its own SID.

I do think that if a file is owned by an administrator, OpenSSH should allow OWNER RIGHTS. I created an issue here: PowerShell/Win32-OpenSSH#2317
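
Why an allowlist keyed on SIDs trips over OWNER RIGHTS, as an added example that is not part of the thread and not code from CPython or OpenSSH: it parses SDDL strings (the form PowerShell's `(Get-Acl path).Sddl` returns) and lists allow-ACE trustees other than the file owner, SYSTEM and Administrators. The allowlist is a simplified model of the check discussed above, and the SDDL samples, owner SID and function names are constructed for illustration.

```python
import re

# Well-known SDDL trustee aliases and their SIDs (Windows constants).
ALIAS_TO_SID = {
    "SY": "S-1-5-18",      # Local System
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "OW": "S-1-3-4",       # OWNER RIGHTS
    "WD": "S-1-1-0",       # Everyone
}
SYSTEM, ADMINS = ALIAS_TO_SID["SY"], ALIAS_TO_SID["BA"]


def parse_sddl(sddl):
    """Return (owner_sid, aces); each ACE is (type, flags, rights, trustee_sid)."""
    owner = re.match(r"O:(.+?)(?=G:|D:|S:|$)", sddl)
    owner_sid = owner.group(1) if owner else None
    owner_sid = ALIAS_TO_SID.get(owner_sid, owner_sid)
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        trustee = ALIAS_TO_SID.get(fields[5], fields[5])
        aces.append((fields[0], fields[1], fields[2], trustee))
    return owner_sid, aces


def flagged_trustees(sddl):
    """Allow-ACE trustees outside {file owner, SYSTEM, Administrators}.

    Simplified model of the allowlist described in the thread (assumption).
    """
    owner_sid, aces = parse_sddl(sddl)
    allowed = {owner_sid, SYSTEM, ADMINS}
    return sorted({t for kind, _f, _r, t in aces if kind == "A" and t not in allowed})


# Constructed samples; the owner and group SIDs are placeholders.
OWNER = "S-1-5-21-1111111111-2222222222-3333333333-1001"
GROUP = "S-1-5-21-1111111111-2222222222-3333333333-513"
# Key file that inherited (ID) an OWNER RIGHTS ACE from its parent directory.
INHERITED_OW = f"O:{OWNER}G:{GROUP}D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;OW)"
# Same access granted to the owner's own SID instead of OWNER RIGHTS.
EXPLICIT_OWNER = f"O:{OWNER}G:{GROUP}D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;{OWNER})"

if __name__ == "__main__":
    for label, sddl in (("inherited OW", INHERITED_OW), ("explicit owner", EXPLICIT_OWNER)):
        print(label, "->", flagged_trustees(sddl) or "accepted")
```

The first sample is flagged for `S-1-3-4` even though the ACE only ever applies to the file's owner, because the trustee SID is compared literally against the allowlist.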
