JP Vossen on 3 May 2008 13:15:10 -0700
> Date: Fri, 2 May 2008 15:17:33 -0400
> From: "Kyle R. Burton" <kyle.burton@gmail.com>
>
>>> A couple of people suggested permissions being too lax. The
>>> permissions on the sprint user's homedir were 777. I changed them to
>>> 755 and it works now.
>>
>> That has nailed me a few times too. I get focused on ~/.ssh perms and
>> forget about ~/ perms. :-( But there is a way (StrictModes) to turn
>> that checking off in the sshd config. I am not saying that's a GOOD
>> idea, but sometimes you have to have a home dir with loose permissions.
>
> Er, isn't that setting things up so any other user could 'break' into
> the account via ssh?
>
> If $HOME is 777, then another user on the same host can create the
> .ssh directory and put whatever key they want in it.

Yes, 0777 is a Bad Idea. I was just talking about in general, it might
be necessary or useful to have slightly looser permissions than SSH
likes. And note the part about "I am not saying that's a GOOD idea"... :-)

But thanks for calling me on this, it's a good thing to clarify!

[...]
> I could be missing something, but a 777 $HOME should be a no-no.

Agree!

Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
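An added example, not part of the original message: a POSIX shell function that approximates the check discussed in the thread, flagging a home directory, ~/.ssh or authorized_keys that is writable by group or others, or owned by someone other than the account or root. The function name loose_paths, its arguments and its output format are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Approximates the ownership and
# mode checks sshd applies when StrictModes is on; loose_paths is a made-up name.
#
# loose_paths HOME_DIR UID
#   Prints one line per problem path; returns 1 if any was found, else 0.
loose_paths() {
    lp_home=$1
    lp_uid=$2
    lp_bad=0
    for lp_p in "$lp_home" "$lp_home/.ssh" "$lp_home/.ssh/authorized_keys"; do
        [ -e "$lp_p" ] || continue
        # ls -ldLn: mode string is field 1, numeric owner is field 3;
        # -L follows a symlinked path so the target's mode is what gets judged.
        lp_info=$(ls -ldLn "$lp_p" | awk '{print $1 " " $3}')
        lp_mode=${lp_info%% *}
        lp_owner=${lp_info##* }
        # Characters 6 and 9 of the mode string are the group and other write bits.
        lp_gw=$(printf '%s' "$lp_mode" | cut -c6)
        lp_ow=$(printf '%s' "$lp_mode" | cut -c9)
        if [ "$lp_gw" = w ] || [ "$lp_ow" = w ]; then
            printf '%s: writable by group or others (%s)\n' "$lp_p" "$lp_mode"
            lp_bad=1
        fi
        if [ "$lp_owner" != "$lp_uid" ] && [ "$lp_owner" != 0 ]; then
            printf '%s: owned by uid %s, expected %s or 0\n' \
                "$lp_p" "$lp_owner" "$lp_uid"
            lp_bad=1
        fi
    done
    return "$lp_bad"
}

# Run against a directory when one is given, e.g.: sh check.sh /home/alice 1001
if [ "$#" -gt 0 ]; then
    loose_paths "$1" "${2:-$(id -u)}"
fi
```

A 755 home with a 700 ~/.ssh passes; the 777 home from the thread is reported, as is a 775 one.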