From: Peter van Hooft on 29 Jul 2010 01:25

On 2010-07-29, oparr(a)hotmail.com <oparr(a)hotmail.com> wrote:
>> it would be a real
>> easy matter to get into someone else's home directory, fiddle with the
>> authorized_keys file
>
> Not if the permissions on $HOME/.ssh and $HOME/.ssh/authorized_keys
> are 700 and 600 respectively which they should be and are in my case.
> I think this is an overreaction on the part of ssh default settings.
> Whatever, it would have been nice if this was documented. Not even 775
> on $HOME is allowed.

That's because 775 on $HOME would allow anyone in your unix group to take
over your identity:

  mv $HOME/.ssh $HOME/.ssh-old
  mkdir $HOME/.ssh
  etc.

peter
From: Sami Ketola on 29 Jul 2010 12:09

oparr(a)hotmail.com <oparr(a)hotmail.com> wrote:
> Not if the permissions on $HOME/.ssh and $HOME/.ssh/authorized_keys
> are 700 and 600 respectively which they should be and are in my case.
> I think this is an overreaction on the part of ssh default settings.
> Whatever, it would have been nice if this was documented. Not even 775
> on $HOME is allowed.

It is documented. But you are not asking yourself the right question here.
You should ask yourself why on earth you want to give everyone that much
access to your home directory. In general it's not a good idea.

Sami
From: oparr on 29 Jul 2010 20:11

On Jul 29, 12:09 pm, Sami Ketola <Sami.Ket...(a)iki.finland.invalid> wrote:
> You should ask yourself why on earth you want to give everyone
> that much access to your home directory.

Better question.... Why the hell couldn't ssh's debug option indicate what
was wrong?
From: Peter van Hooft on 30 Jul 2010 03:58

On 2010-07-30, oparr(a)hotmail.com <oparr(a)hotmail.com> wrote:
>> You should ask yourself why on earth you want to give everyone
>> that much access to your home directory.
>
> Better question.... Why the hell couldn't ssh's debug option indicate
> what was wrong?

Because it doesn't receive the necessary info from the server for security
reasons. The sshd indicates what is wrong when given the -d option. What I
do is start sshd -d -D on another port than 22 in a terminal and then try
to connect to it. In this way the normal ssh operations aren't disturbed.

peter
From: oparr on 30 Jul 2010 08:09

On Jul 30, 3:58 am, Peter van Hooft <p...(a)xs4all.nl> wrote:
> Because it doesn't receive the necessary info from the server for
> security reasons.

Long story short.... There is a flaw in how the default StrictModes setting
operates. Testing the permissions on $HOME/.ssh is all that is required.
Requiring group write for an individual account on an application
account's home directory should not require that you lose all the benefits
of the default StrictModes setting.
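As an added example, written for this thread and not taken from any of the posters or from OpenSSH itself, the POSIX sh script below reproduces the ownership and write-permission checks sshd applies with the default StrictModes to $HOME, $HOME/.ssh and $HOME/.ssh/authorized_keys. It lets you find the 775-on-$HOME case discussed above on the account itself, without starting a second sshd -d -D on a spare port to read the refusal reason. The function names (strict_modes_check, not_group_world_writable) and the diagnostic messages are my own; the rule it encodes is the one sshd enforces: each path must be owned by the user or root and must not be writable by group or other.

```shell
#!/bin/sh
# Constructed example: mirror the StrictModes ownership/mode checks that
# sshd applies to the home directory, .ssh and authorized_keys.
# Uses only ls, cut, awk and id so it runs on Solaris, Linux and BSD.

# not_group_world_writable PATH
#   succeeds when neither the group nor the "other" write bit is set,
#   i.e. (mode & 022) == 0, which is exactly what sshd requires.
not_group_world_writable() {
    p=$(ls -ld "$1" | cut -c1-10)      # e.g. drwxrwxr-x
    case "$p" in
        ?????w????|????????w?) return 1 ;;   # 6th char = group w, 9th = other w
    esac
    return 0
}

# strict_modes_check HOME_DIR
#   returns 0 if sshd's StrictModes checks would accept the key file,
#   otherwise prints the offending path and returns 1.
strict_modes_check() {
    home=$1
    uid=$(id -u)
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$path" ] || { echo "missing: $path"; return 1; }
        # owner must be the user or root (uid 0), as in sshd
        owner=$(ls -ldn "$path" | awk '{print $3}')
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "bad ownership on $path: owned by uid $owner"
            return 1
        fi
        if ! not_group_world_writable "$path"; then
            echo "bad modes on $path: $(ls -ld "$path" | cut -c1-10)"
            return 1
        fi
    done
    echo "StrictModes checks pass for $home"
    return 0
}

# usage: sh strict_modes_check.sh /export/home/alice
[ "$#" -eq 0 ] || strict_modes_check "$1"
```

Run it as the account whose key login is being refused. A result such as "bad modes on /export/home/app: drwxrwxr-x" is the same condition the server-side sshd -d trace reports as bad ownership or modes, which is why the client-side debug output never shows it: the server deliberately tells the client nothing beyond the authentication failure.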