-rw-r--r--Assistant/Ssh.hs6
-rw-r--r--Utility/SshConfig.hs15
-rw-r--r--debian/changelog3
-rw-r--r--doc/bugs/file_permissions_on___126____47__.ssh__47__config___40__windows__41__.mdwn9
4 files changed, 30 insertions, 3 deletions
diff --git a/Assistant/Ssh.hs b/Assistant/Ssh.hs
index d69c29254..82da9e33a 100644
--- a/Assistant/Ssh.hs
+++ b/Assistant/Ssh.hs
@@ -149,7 +149,7 @@ removeAuthorizedKeys gitannexshellonly dir pubkey = do
sshdir <- sshDir
let keyfile = sshdir </> "authorized_keys"
ls <- lines <$> readFileStrict keyfile
- writeFile keyfile $ unlines $ filter (/= keyline) ls
+ viaTmp writeSshConfig keyfile $ unlines $ filter (/= keyline) ls
{- Implemented as a shell command, so it can be run on remote servers over
- ssh.
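Review bot: The new `viaTmp writeSshConfig keyfile` line replaces authorized_keys with a freshly created temp file, so the file's mode after the rename is the umask default minus the write bits rather than whatever mode the user had set; an authorized_keys that was 0600 can come back as 0644. Since removeModes only strips group/other write, nothing here carries the original mode across the rename. Consider capturing the existing mode before the rewrite and reapplying it to the new file, or creating the temp file with owner-only permissions; the same mode-widening applies to the `viaTmp writeSshConfig configfile c'` call in Utility/SshConfig.hs. The enclosing removeAuthorizedKeys starts before this hunk.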
@@ -290,13 +290,15 @@ setSshConfig sshdata config = do
sshdir <- sshDir
createDirectoryIfMissing True sshdir
let configfile = sshdir </> "config"
- unlessM (catchBoolIO $ isInfixOf mangledhost <$> readFile configfile) $
+ unlessM (catchBoolIO $ isInfixOf mangledhost <$> readFile configfile) $ do
appendFile configfile $ unlines $
[ ""
, "# Added automatically by git-annex"
, "Host " ++ mangledhost
] ++ map (\(k, v) -> "\t" ++ k ++ " " ++ v)
(settings ++ config)
+ setSshConfigMode configfile
+
return $ sshdata { sshHostName = T.pack mangledhost }
where
mangledhost = mangleSshHostName sshdata
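Review bot: `setSshConfigMode configfile` is inside the `unlessM` body, so the mode is only tightened on the run that appends a new Host stanza; a config that already contains the host but is still group- or world-writable (for example one written by an earlier version) is left as is and ssh will keep refusing it. Placing the fix after the `unlessM`, guarded by existence, repairs both cases: `whenM (doesFileExist configfile) $ setSshConfigMode configfile` (whenM presumably comes from the same helper module as unlessM; confirm). Note also that appendFile creates the file in place with the umask mode before the chmod runs, unlike the viaTmp path used elsewhere in this commit, so there is a brief window with the looser mode. The where clause of setSshConfig may continue past the hunk.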
diff --git a/Utility/SshConfig.hs b/Utility/SshConfig.hs
index b7068f48d..d6cd32078 100644
--- a/Utility/SshConfig.hs
+++ b/Utility/SshConfig.hs
@@ -10,6 +10,7 @@ module Utility.SshConfig where
import Common
import Utility.UserInfo
import Utility.Tmp
+import Utility.FileMode
import Data.Char
import Data.Ord
@@ -117,7 +118,19 @@ changeUserSshConfig modifier = do
c <- readFileStrict configfile
let c' = modifier c
when (c /= c') $
- viaTmp writeFile configfile c'
+ viaTmp writeSshConfig configfile c'
+
+writeSshConfig :: FilePath -> String -> IO ()
+writeSshConfig f s = do
+ writeFile f s
+ setSshConfigMode f
+
+{- Ensure that the ssh config file lacks any group or other write bits,
+ - since ssh is paranoid about not working if other users can write
+ - to one of its config files (.ssh/config and .ssh/authorized_keys) -}
+setSshConfigMode :: FilePath -> IO ()
+setSshConfigMode f = modifyFileMode f $
+ removeModes [groupWriteMode, otherWriteMode]
sshDir :: IO FilePath
sshDir = do
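Review bot: writeSshConfig is exported from a `where`-less module header (`module Utility.SshConfig where`) with no comment explaining its contract, and the ordering of its two actions matters for the callers that pass it to viaTmp. A header comment in the file's style would help: `{- Write an ssh config file, then strip group/other write bits. Both callers pass this to viaTmp, so the mode is fixed on the temp file before it is renamed into place. -}`. The comment on setSshConfigMode could also say that with StrictModes ssh checks the containing directory (and for authorized_keys the home directory) for the same write bits, so clearing them on the file alone may not be sufficient; this commit does not touch the directory mode.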
diff --git a/debian/changelog b/debian/changelog
index 3727d4c5d..bd5b459bc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,9 @@ git-annex (5.20131231) UNRELEASED; urgency=medium
* Assistant: Remove stale MERGE_HEAD files in lockfile cleanup.
* Remotes can now be made read-only, by setting remote.<name>.annex-readonly
* wanted, schedule: Avoid printing "ok" after requested value.
+ * assistant: Ensure that .ssh/config and .ssh/authorized_keys are not
+ group or world writable when writing to those files, as that can make
+ ssh refuse to use them, if it allows another user to write to them.
-- Joey Hess <joeyh@debian.org> Tue, 31 Dec 2013 13:41:18 -0400
diff --git a/doc/bugs/file_permissions_on___126____47__.ssh__47__config___40__windows__41__.mdwn b/doc/bugs/file_permissions_on___126____47__.ssh__47__config___40__windows__41__.mdwn
index 47c44bea3..9b2e89ca2 100644
--- a/doc/bugs/file_permissions_on___126____47__.ssh__47__config___40__windows__41__.mdwn
+++ b/doc/bugs/file_permissions_on___126____47__.ssh__47__config___40__windows__41__.mdwn
@@ -9,3 +9,12 @@ Windows 7, git-annex version 5.20131230-g192d991
### Please provide any additional information below.
I have no daemon.log, and the console log isn't particularly detailed today; it had just created an ssh key and shown it's fingerprint.
+
+> Ok, I guess this is ssh refusing to use a file that has a group
+> write bit set (when the owner is not the only member of its group),
+> or perhaps that has the world write bit set.
+>
+> I have made the assistant unset those modes when creating and modifying
+> ssh config files. Hopefully that is enough for Windows too.. I can't
+> really test it there, but am calling this provisionally [[done]].
+> --[[Joey]]