[ale] ssh authorized_keys2, what am I missing?
Michael Hirsch
mdhirsch at gmail.com
Thu Jun 9 19:31:56 EDT 2005
On 6/9/05, Bob Toxen <bob at verysecurelinux.com> wrote:
> On Wed, Jun 08, 2005 at 01:33:41PM -0400, Michael H. Warfield wrote:
> > On Wed, 2005-06-08 at 13:13 -0400, Grant Robertson wrote:
> > > Just checked.. it was set to 700, now 500, same issue. I should have
> > > mentioned that.
>
> > Make sure you check your entire path. Had an incident a couple of
> > years back where it failed because some moron had / mode 775 (755 was
> > sufficient).
> Yes, OpenSSH will fail without a good explanation if anyone other than
> the owner of the file can read or write the private key or has write
> permission to any directory leading to it (because having directory
> write permission would allow one to replace the valid private key).
>
> On the version of OpenSSH that comes with RH9 (what a client requires
> currently when I teach my Linux Security class), ssh-keygen creates the
> keys mode 660 so using the keys automatically fails. Clever.
That's bee a problem on RH forever, and I can't decide if itis a bug
in RH, OpenSSH, or neither. RH uses their clever "every user gets
their own group" system which allows everyone to have a 002 umod
instead of the more traditional 022. I'm pretty sure that that is
what causes the keyfile to end up with "wrong" permissions. It is
group writable and SSH doesn't like that.
I think the RH group system is quite clever. It allows teams to setup
directories that the team can write to very easily. But it does cause
problems with SSH. So, who is at fault?
Michael
More information about the Ale
mailing list