Why is this type of authentication sensitive to permissions on the
remote user's home directory? Case in point.....Had it working fine
until someone came along and changed the permissions on the remote
user's home directory from rwxr-xr-x to rwxrwxrwt. Are ssh home
directory permissions requirements documented somewhere?
oparr | 7/28/2010 5:32:38 PM

In article
<afad22d9-c03b-4c60-82e2-9c8f55658af6@i31g2000yqm.googlegroups.com>,
"oparr@hotmail.com" <oparr@hotmail.com> wrote:
> Why is this type of authentication sensitive to permissions on the
> remote user's home directory? Case in point.....Had it working fine
> until someone came along and changed the permissions on the remote
> user's home directory from rwxr-xr-x to rwxrwxrwt. Are ssh home
> directory permissions requirements documented somewhere?
I seem to recall remote copy utilities are picky about remote
permissions for security reasons. I stumbled across these undocumented
restrictions just as you. Near as I could tell, only having the source
would have answered my question. Guess that's where you'll have to go
as well.
"It's a feature, not a bug" (ymmv)
--
DeeDee, don't press that button! DeeDee! NO! Dee...
[I filter all Goggle Groups posts, so any reply may be automatically ignored]
Michael | 7/28/2010 9:39:18 PM

On Jul 29, 2:32 am, "op...@hotmail.com" <op...@hotmail.com> wrote:
> Why is this type of authentication sensitive to permissions on the
> remote user's home directory? Case in point.....Had it working fine
> until someone came along and changed the permissions on the remote
> user's home directory from rwxr-xr-x to rwxrwxrwt. Are ssh home
> directory permissions requirements documented somewhere?
They are picky because with more open permissions, it would be a real
easy matter to get into someone else's home directory, fiddle with the
authorized_keys file and have full access to things they probably
shouldn't.
The whole point of public key access is to make sure the person coming
in is who they say they are and only allow people on the list in.
OpenSSH has an option to turn off strict checking with StrictMode no
in the sshd_config file:
http://www.openssh.com/faq.html#3.14
Not sure if that option exists in the Solaris version of SSH or not.
I don't think it is a good idea either way.
chuckers | 7/28/2010 11:15:52 PM

On Jul 28, 7:15 pm, chuckers <chucker...@gmail.com> wrote:
> On Jul 29, 2:32 am, "op...@hotmail.com" <op...@hotmail.com> wrote:
>
> > Why is this type of authentication sensitive to permissions on the
> > remote user's home directory? Case in point.....Had it working fine
> > until someone came along and changed the permissions on the remote
> > user's home directory from rwxr-xr-x to rwxrwxrwt. Are ssh home
> > directory permissions requirements documented somewhere?
>
> They are picky because with more open permissions, it would be a real
> easy matter to get into someone else's home directory, fiddle with the
> authorized_keys file and have full access to things they probably
> shouldn't.
> The whole point of public key access is to make sure the person coming
> in is who they say they are and only allow people on the list in.
>
> OpenSSH has an option to turn off strict checking with StrictMode no
> in the sshd_config file:
>
> http://www.openssh.com/faq.html#3.14
>
> Not sure if that option exists in the Solaris version of SSH or not.
> I don't think it is a good idea either way.
oparr | 7/29/2010 1:05:50 AM

>it would be a real
>easy matter to get into someone else's home directory, fiddle with the
>authorized_keys file
Not if the permissions on $HOME/.ssh and $HOME/.ssh/authorized_keys
are 700 and 600 respectively which they should be and are in my case.
I think this is an overreaction on the part of ssh default settings.
Whatever, it would have been nice if this was documented. Not even 775
on $HOME is allowed.
On Jul 28, 7:15 pm, chuckers <chucker...@gmail.com> wrote:
oparr | 7/29/2010 1:28:06 AM

In article <c9815241-793a-4819-bffa-198efeda799c@o10g2000prf.googlegroups.com>,
chuckers <chuckersjp@gmail.com> wrote:
>Not sure if that option exists in the Solaris version of SSH or not.
>I don't think it is a good idea either way.
See StrictModes in sshd_config(4).
John
groenveld@acm.org
groenvel | 7/29/2010 1:36:36 AM

On 2010-07-29, oparr@hotmail.com <oparr@hotmail.com> wrote:
>>it would be a real
>>easy matter to get into someone else's home directory, fiddle with the
>>authorized_keys file
>
> Not if the permissions on $HOME/.ssh and $HOME/.ssh/authorized_keys
> are 700 and 600 respectively which they should be and are in my case.
> I think this is an overreaction on the part of ssh default settings.
> Whatever, it would have been nice if this was documented. Not even 775
> on $HOME is allowed.
>
>
That's because 775 on $HOME would allow anyone in your unix group to
take over your identity:
mv $HOME/.ssh $HOME/.ssh-old
mkdir $HOME/.ssh
etc.
peter
Peter | 7/29/2010 5:25:41 AM

oparr@hotmail.com <oparr@hotmail.com> wrote:
> Not if the permissions on $HOME/.ssh and $HOME/.ssh/authorized_keys
> are 700 and 600 respectively which they should be and are in my case.
> I think this is an overreaction on the part of ssh default settings.
> Whatever, it would have been nice if this was documented. Not even 775
> on $HOME is allowed.
It is documented. But you are not asking yourself the right question here.
What you should ask yourself is why on earth you want to give everyone
that much access to your home directory. In general it's not a good idea.
Sami
Sami | 7/29/2010 4:09:37 PM

> What you should ask yourself is why on earth you want to give everyone
> that much access to your home directory.
Better question....Why the hell ssh's debug option couldn't indicate
what was wrong?
On Jul 29, 12:09 pm, Sami Ketola <Sami.Ket...@iki.finland.invalid> wrote:
oparr | 7/30/2010 12:11:45 AM

On 2010-07-30, oparr@hotmail.com <oparr@hotmail.com> wrote:
>> What you should ask yourself is why on earth you want to give everyone
>> that much access to your home directory.
>
> Better question....Why the hell ssh's debug option couldn't indicate
> what was wrong?
Because it doesn't receive the necessary info from the server for
security reasons. The sshd indicates what is wrong when given the
-d option. What I do is start sshd -d -D on a port other than 22
in a terminal and then try to connect to it. In this way the normal
ssh operations aren't disturbed.
peter
Peter | 7/30/2010 7:58:31 AM

> Because it doesn't receive the necessary info from the server for
> security reasons.
Long story short....There is a flaw in how the default StrictModes
setting operates. Testing the permissions on $HOME/.ssh is all that is
required.
Requiring group write for an individual account on an application
account's home directory should not require that you lose all the
benefits of the default StrictModes setting.
On Jul 30, 3:58 am, Peter van Hooft <p...@xs4all.nl> wrote:
oparr | 7/30/2010 12:09:10 PM

> Long story short....There is a flaw in how the default StrictModes
> setting operates. Testing the permissions on $HOME/.ssh is all that is
> required.
I take this back. Security could be compromised if anyone but the user
had write permissions on $HOME. Just testing $HOME/.ssh for user
ownership and 700 permissions is insufficient.
Okay, that just leaves the lousy documentation.
On Jul 30, 8:09 am, "op...@hotmail.com" <op...@hotmail.com> wrote:
oparr | 7/30/2010 2:45:03 PM

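The thread circles one point from several sides: chuckers explains that sshd is picky so nobody can tamper with authorized_keys, Peter shows why a 775 home directory lets a group member swap in their own .ssh, Peter later suggests running sshd -d -D on a spare port to see the refusal, and oparr concludes that checking $HOME/.ssh alone is insufficient. The script below is an added example written for this thread, not code from any of the posters or from OpenSSH. It reproduces, as a stand-alone pre-check a sysadmin can run before touching sshd, the ownership and mode test that OpenSSH applies under the default StrictModes yes as I understand it (stated as an assumption): $HOME, $HOME/.ssh and $HOME/.ssh/authorized_keys must each exist, be owned by the user or by root, and not be writable by group or others. The function names check_path and check_ssh_home and the script name strictmodes-check.sh are this example's own.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread and not OpenSSH's
# own code. Reproduces the StrictModes ownership/mode check that sshd
# applies before it reads authorized_keys (my understanding of sshd's
# behaviour, stated as an assumption): $HOME, $HOME/.ssh and
# $HOME/.ssh/authorized_keys must each exist, be owned by the user or by
# root, and must not be writable by group or by others.
# Nothing else is tested: 700 on .ssh and 600 on authorized_keys do not
# help when $HOME itself is 775 or rwxrwxrwt, which is the thread's case.

# check_path PATH UID
#   Returns 0 if sshd would accept PATH, 1 otherwise (reason on stderr).
check_path() {
    path=$1
    want_uid=$2
    if [ ! -e "$path" ]; then
        echo "missing: $path" >&2
        return 1
    fi
    # Parse "ls -l" rather than stat(1), whose flags differ between
    # Solaris, Linux and BSD: -d lists a directory itself, -n prints numeric
    # ids, -L follows a symlink as sshd's stat() would.  Field 1 is the
    # mode string, field 3 the owner uid.
    set -- $(ls -ldnL "$path")
    mode=$1
    owner_uid=$3
    if [ "$owner_uid" != "$want_uid" ] && [ "$owner_uid" != 0 ]; then
        echo "bad owner (uid $owner_uid, expected $want_uid or 0): $path" >&2
        return 1
    fi
    # In "drwxrwxrwt", character 6 is group-write and character 9 is
    # other-write. The sticky bit only alters character 10, so it neither
    # saves nor condemns the directory; the "w" in slot 9 does.
    group_w=$(printf '%s' "$mode" | cut -c6)
    other_w=$(printf '%s' "$mode" | cut -c9)
    if [ "$group_w" = "w" ] || [ "$other_w" = "w" ]; then
        echo "group/other writable ($mode): $path" >&2
        return 1
    fi
    return 0
}

# check_ssh_home HOME_DIR UID
#   Returns 0 only if the whole chain passes; reports every failing part,
#   which is the information the client-side "ssh -v" never shows.
check_ssh_home() {
    home=$1
    uid=$2
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$uid" || rc=1
    done
    return $rc
}

# Command-line use: sh strictmodes-check.sh HOME_DIR [USER]
# (USER defaults to the caller). With no arguments only the functions are
# defined, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    dir=$1
    if [ -n "$2" ]; then uid=$(id -u "$2"); else uid=$(id -u); fi
    if check_ssh_home "$dir" "$uid"; then
        echo "OK: $dir passes the StrictModes checks"
    else
        echo "FAIL: sshd with StrictModes yes would refuse publickey auth" >&2
        exit 1
    fi
fi
```

Run it against the application account's home, for example `sh strictmodes-check.sh /export/home/app app` (a hypothetical path and user), and it names the exact component sshd objects to. When the pre-check passes but logins still fail, Peter's approach is the next step: as root, start `/usr/sbin/sshd -d -D -p 2222` in a terminal and connect with `ssh -p 2222 user@host`; the debug output from OpenSSH's sshd then carries a line of the form "Authentication refused: bad ownership or modes for directory ..." that the client's -v output deliberately omits. Relaxing the check with StrictModes no, as chuckers says, is the wrong fix: the group-writable home directory is what lets a group member replace .ssh wholesale.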