From: oparr on 28 Jul 2010 13:32

Why is this type of authentication sensitive to permissions on the remote user's home directory? Case in point.....Had it working fine until someone came along and changed the permissions on the remote user's home directory from rwxr-xr-x to rwxrwxrwt. Are ssh home directory permissions requirements documented somewhere?

From: chuckers on 28 Jul 2010 19:15

On Jul 29, 2:32 am, "op...(a)hotmail.com" <op...(a)hotmail.com> wrote:
> Why is this type of authentication sensitive to permissions on the
> remote user's home directory? Case in point.....Had it working fine
> until someone came along and changed the permissions on the remote
> user's home directory from rwxr-xr-x to rwxrwxrwt. Are ssh home
> directory permissions requirements documented somewhere?

They are picky because with more open permissions, it would be a real easy matter to get into someone else's home directory, fiddle with the authorized_keys file and have full access to things they probably shouldn't. The whole point of public key access is to make sure the person coming in is who they say they are and only allow people on the list in.

OpenSSH has an option to turn off strict checking with StrictMode no in the sshd_config file:

http://www.openssh.com/faq.html#3.14

Not sure if that option exists in the Solaris version of SSH or not. I don't think it is a good idea either way.

From: oparr on 28 Jul 2010 21:05

On Jul 28, 7:15 pm, chuckers <chucker...(a)gmail.com> wrote:
> On Jul 29, 2:32 am, "op...(a)hotmail.com" <op...(a)hotmail.com> wrote:
>
> > Why is this type of authentication sensitive to permissions on the
> > remote user's home directory? Case in point.....Had it working fine
> > until someone came along and changed the permissions on the remote
> > user's home directory from rwxr-xr-x to rwxrwxrwt. Are ssh home
> > directory permissions requirements documented somewhere?
>
> They are picky because with more open permissions, it would be a real
> easy matter to get into someone else's home directory, fiddle with the
> authorized_keys file and have full access to things they probably
> shouldn't.
> The whole point of public key access is to make sure the person coming
> in is who they say they are and only allow people on the list in.
>
> OpenSSH has an option to turn off strict checking with StrictMode no
> in the sshd_config file:
>
> http://www.openssh.com/faq.html#3.14
>
> Not sure if that option exists in the Solaris version of SSH or not.
> I don't think it is a good idea either way.

From: oparr on 28 Jul 2010 21:28

> it would be a real
> easy matter to get into someone else's home directory, fiddle with the
> authorized_keys file

Not if the permissions on $HOME/.ssh and $HOME/.ssh/authorized_keys are 700 and 600 respectively, which they should be and are in my case. I think this is an overreaction on the part of ssh default settings. Whatever, it would have been nice if this was documented. Not even 775 on $HOME is allowed.

On Jul 28, 7:15 pm, chuckers <chucker...(a)gmail.com> wrote:
>

From: John D Groenveld on 28 Jul 2010 21:36

In article <c9815241-793a-4819-bffa-198efeda799c(a)o10g2000prf.googlegroups.com>, chuckers <chuckersjp(a)gmail.com> wrote:
> Not sure if that option exists in the Solaris version of SSH or not.
> I don't think it is a good idea either way.

See StrictModes in sshd_config(4).

John
groenveld(a)acm.org
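
An added example, not part of the thread and not OpenSSH's own code: a Python sketch of the kind of check StrictModes performs, assuming the rule is that authorized_keys and every directory from it up to the home directory must be owned by the user or root and must not be group- or world-writable. The function names and the temporary home directory are constructed for illustration; the three home modes tested are the ones mentioned in the posts (rwxr-xr-x, rwxrwxrwt, 775).

```python
import os
import stat
import tempfile


def strictmodes_problems(home, uid):
    """Walk from authorized_keys up to home; return findings (empty = pass)."""
    home = os.path.realpath(home)
    path = os.path.join(home, ".ssh", "authorized_keys")
    problems = []
    while True:
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        # Assumed rule 1: owner must be the account itself or root.
        if st.st_uid not in (uid, 0):
            problems.append(f"{path}: owned by uid {st.st_uid}, not the user or root")
        # Assumed rule 2: no write bit for group or other (mask 022).
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: mode {mode:04o} is group- or world-writable")
        if path == home:
            return problems
        path = os.path.dirname(path)


def check_constructed_home(home_mode):
    """Constructed sample: .ssh is 700, authorized_keys is 600, home varies."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "user")
        ssh_dir = os.path.join(home, ".ssh")
        keys = os.path.join(ssh_dir, "authorized_keys")
        os.makedirs(ssh_dir)
        with open(keys, "w") as fh:
            fh.write("ssh-ed25519 AAAA...constructed user@example\n")
        os.chmod(keys, 0o600)
        os.chmod(ssh_dir, 0o700)
        os.chmod(home, home_mode)
        try:
            return strictmodes_problems(home, os.getuid())
        finally:
            os.chmod(home, 0o700)  # restore so temp cleanup is unaffected


if __name__ == "__main__":
    for m in (0o755, 0o1777, 0o775):
        findings = check_constructed_home(m)
        print(f"home {m:04o}:", "ok" if not findings else findings)
```

Only the home directory is flagged in the failing cases, even though .ssh and authorized_keys are 700 and 600: the check applies to each directory on the path, not just the key file.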