Re: [PLUG] ssh key based authentication
> > A couple of people suggested permissions being too lax. The
> > permissions on the sprint user's homedir were 777. I changed them to
> > 755 and it works now.
>
> That has nailed me a few times too. I get focused on ~/.ssh perms and
> forget about ~/ perms. :-( But there is a way (StrictModes) to turn
> that checking off in the sshd config. I am not saying that's a GOOD
> idea, but sometimes you have to have a home dir with loose permissions.

Er, isn't that setting things up so any other user could 'break' into
the account via ssh?

If $HOME is 777, then another user on the same host can create the
.ssh directory and put whatever key they want in it.

If $HOME is 777 and .ssh already exists, a non-owner of that home can
rename the .ssh directory and put in whatever keys, files, configs
they want.

Doesn't having a 777 home and an sshd that allows pub/private keys to
be used basically allow any user with file system access (are the
homes mounted from somewhere else?) the ability to become the other
user?

I could be missing something, but a 777 $HOME should be a no-no.

Kyle
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
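
An added example, not part of the original thread: a small audit in the spirit of what StrictModes enforces, flagging a home directory, ~/.ssh or authorized_keys that is group/world-writable or owned by someone other than the account or root. It approximates the check and is not OpenSSH's code; the names `audit_ssh_paths` and `demo` are hypothetical, and the sample tree is constructed in a temporary directory.

```python
import os
import stat
import sys
import tempfile


def audit_ssh_paths(home, uid):
    """Return (path, problem) pairs for home, ~/.ssh and authorized_keys."""
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    for path in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            # A missing .ssh is only safe if its parent is not writable by
            # others; the parent is checked on its own pass of this loop.
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in (0, uid):
            findings.append((path, "owned by uid %d" % st.st_uid))
        if mode & 0o022:
            findings.append((path, "mode %03o is group/world-writable" % mode))
    return findings


def demo():
    """Constructed sample: a throwaway home tree audited at 777, then 755."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)
        os.chmod(ssh_dir, 0o700)
        keys = os.path.join(ssh_dir, "authorized_keys")
        open(keys, "w").close()
        os.chmod(keys, 0o600)
        os.chmod(home, 0o777)  # tight ~/.ssh, loose home: still flagged
        loose = audit_ssh_paths(home, uid)
        os.chmod(home, 0o755)  # the fix reported in the thread
        fixed = audit_ssh_paths(home, uid)
    return loose, fixed


if __name__ == "__main__":
    # Audits the invoking user's own home unless a path is given.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for path, problem in audit_ssh_paths(target, os.getuid()):
        print("%s: %s" % (path, problem))
```

When auditing another account's home as root, pass that account's uid instead of `os.getuid()` so the ownership test is meaningful.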