Why is this type of authentication sensitive to permissions on the
remote user's home directory? Example, I have it working fine then
decide to change permissions on the remote user's home directory from
755 to 775. The offered public key is subsequently ignored by the
remote host and password authentication is always resorted to.
Changing permissions back to 755 reinstates public key authentication.
Is there any logic to this? Is this behavior documented somewhere?
oparr
7/28/2010 6:14:21 PM
oparr@hotmail.com wrote:
> Why is this type of authentication sensitive to permissions on the
> remote user's home directory?
> Is there any logic to this?
I know you need to have this permission for the .ssh directory:
drwx------ 2 UUU GGG .ssh
I'm not sure why the home directory can't have write? Perhaps to make
sure some other person doesn't mv .ssh and replace it by another?
Dennis
7/29/2010 1:36:03 AM
Dennis Handly <dhandly@convex.hp.com> wrote:
>oparr@hotmail.com wrote:
>> Why is this type of authentication sensitive to permissions on the
>> remote user's home directory?
>> Is there any logic to this?
>
>I know you need to have this permission for the .ssh directory:
>drwx------ 2 UUU GGG .ssh
>
>I'm not sure why the home directory can't have write? Perhaps to make
>sure some other person doesn't mv .ssh and replace it by another?
And why would you want to give anybody else write access to your home
directory?
==============================================================
| Ted Linnell <edlinnell@acslink.net.au> |
| |
| Nunawading, Victoria , Australia |
==============================================================
Ted
7/29/2010 11:47:15 AM
>And why would you want to give anybody else write access to your
>home directory?
Not all accounts belong to individuals. There are application accounts
too.
On Jul 29, 7:47 am, Ted Linnell <edlinn...@acslink.net.au> wrote:
oparr
7/29/2010 11:49:32 PM
oparr@hotmail.com wrote:
>> And why would you want to give anybody else write access to your
>> home directory?
>
> Not all accounts belong to individuals. There are application accounts
> too.
>
> On Jul 29, 7:47 am, Ted Linnell <edlinn...@acslink.net.au> wrote:
Oparr,
Still, the home directory should belong to one application.
Kind regards,
Jan Gerrit
Jan
7/30/2010 5:23:11 AM
> Still, the home directory should belong to one application.
Seems as though it would be a waste of time to argue as to why an
individual account, in the same group, may need write permissions on
an application account's home directory. I think it suffices to say
that there is a flaw in how the default StrictModes setting operates.
On Jul 30, 1:23 am, Jan Gerrit Kootstra <jan.ger...@kootstra.org.uk> wrote:
oparr
7/30/2010 11:56:33 AM
>I think it suffices to say
>that there is a flaw in how the default StrictModes setting operates.
I take this back. Now see where security could be compromised if user
owned $HOME/.ssh doesn't already exist with 700 permissions and public
key authentication was allowed with group or world write permission on
$HOME.
On Jul 30, 7:56 am, "op...@hotmail.com" <op...@hotmail.com> wrote:
oparr
7/30/2010 2:58:54 PM
Dennis Handly <dhandly@convex.hp.com> writes:
> oparr@hotmail.com wrote:
>> Why is this type of authentication sensitive to permissions on the
>> remote user's home directory?
>> Is there any logic to this?
>
> I know you need to have this permission for the .ssh directory:
> drwx------ 2 UUU GGG .ssh
>
> I'm not sure why the home directory can't have write? Perhaps to make sure
> some other person doesn't mv .ssh and replace it by another?
Easy: the one who may write the home may rename .ssh, then install
his/her own copy. Similar for /etc and a writable root directory...
You guess what that means, right?
Regards,
Ulrich
Ulrich
8/13/2010 11:25:12 AM
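As an added example (not code from this thread, and not OpenSSH's own implementation), the following POSIX shell script re-creates the ownership and mode checks that sshd applies under the default StrictModes setting to $HOME, $HOME/.ssh and $HOME/.ssh/authorized_keys, so an administrator can see which path is making sshd silently ignore the key. The function names strictmodes_check and perms_ok are my own; the rule it encodes is the documented one: each path must be owned by the login user or root and must not be group- or world-writable.

```shell
#!/bin/sh
# Added example, not OpenSSH code: reproduce the StrictModes checks that make
# sshd fall back from public key to password authentication when $HOME is 775.
# Real sshd also walks every parent directory up to /; this checks only the
# three paths the thread talks about.

# perms_ok PATH EXPECTED_UID
# Returns 0 if PATH exists, is owned by EXPECTED_UID or root (uid 0), and has
# neither the group nor the other write bit set. Prints the reason otherwise.
perms_ok() {
    p=$1; want_uid=$2
    [ -e "$p" ] || { echo "missing: $p"; return 1; }
    # ls -ldn is POSIX and prints a symbolic mode plus a numeric owner uid,
    # so the same code works on GNU and BSD userlands (paths with spaces
    # would break the word splitting below; fine for home directories).
    set -- $(ls -ldn "$p")
    mode=$1; uid=$3
    if [ "$uid" != "$want_uid" ] && [ "$uid" != 0 ]; then
        echo "bad owner (uid $uid): $p"; return 1
    fi
    # In "drwxrwxr-x", character 6 is the group write bit and character 9 is
    # the other write bit; either one is enough for sshd to reject the path.
    case "$mode" in
        ?????w*|????????w*) echo "group/world writable ($mode): $p"; return 1 ;;
    esac
    return 0
}

# strictmodes_check HOME USER
# Returns 0 when sshd would accept USER's authorized_keys under HOME,
# 1 when one of the checked paths fails, 2 when USER does not exist.
strictmodes_check() {
    home=$1
    uid=$(id -u "$2") || return 2
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        perms_ok "$p" "$uid" || return 1
    done
    return 0
}
```

Run it as `strictmodes_check /home/app app` after a login unexpectedly asks for a password; a 775 home directory is reported as "group/world writable (drwxrwxr-x): /home/app", which is the symptom the original poster saw.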
"oparr@hotmail.com" <oparr@hotmail.com> writes:
>>And why would you want to give anybody else write access to your
>>home directory?
>
> Not all accounts belong to individuals. There are application accounts
> too.
>
> On Jul 29, 7:47 am, Ted Linnell <edlinn...@acslink.net.au> wrote:
>>
Well:
vi ~/.profile # for that user
# insert "exit" at the beginning.
The users using the shared account will not have much fun after that.
Regards,
Ulrich
Ulrich
8/13/2010 11:26:34 AM
"oparr@hotmail.com" <oparr@hotmail.com> writes:
>> Still, the home directory should belong to one application.
>
> Seems as though it would be a waste of time to argue as to why an
> individual account , in the same group, may need write permissions on
> an application accounts home directory. I think it suffices to say
> that there is a flaw in how the default StrictModes setting operates.
>
> On Jul 30, 1:23 am, Jan Gerrit Kootstra <jan.ger...@kootstra.org.uk>
> wrote:
>>
People coming from the Windows-world have strange security concepts. If
absolutely required, make a writable SUBdirectory of the home directory.
Ulrich
8/13/2010 11:28:30 AM