Re: Security of Debian SuX0r?
Hi Ethan!
On Fri, 01 Sep 2000, Ethan Benson wrote:
> On Sat, Sep 02, 2000 at 01:25:09AM -0400, Adam McKenna wrote:
> > >
> > > my home directory is mode 710 and ssh works fine, on other systems my
> > > home is mode 755 and ssh still works fine (all with RSA auth and
> > > StrictModes yes)
> >
> > Actually, sshd only cares about ~/.ssh and ~/.ssh/authorized_keys and that
> > they're not group or world writable.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> how much do you want to bet?
You really wanna bet?
> [eb@socrates eb]$ chmod 770 .
Hmm. I'd think home is now /group writeable/.
weasel@defiant:~$ dpkg -l ssh
ii ssh 1.2.3-9 Secure rlogin/rsh/rcp replacement (OpenSSH)
once again:
weasel@defiant:~$ l -d . .ssh .ssh/authorized_keys
drwxr-sr-x 20 weasel weasel 2048 Sep 1 04:09 ./
drwxr-sr-x 2 weasel weasel 1024 Aug 12 01:04 .ssh/
-rw-r--r-- 1 weasel weasel 332 Aug 12 01:03 .ssh/authorized_keys
| weasel@marvin:~$ ssh defiant
| [...]
| weasel@defiant:~$
weasel@defiant:~$ chmod g+w .ssh/
weasel@defiant:~$ l -d . .ssh .ssh/authorized_keys
drwxr-sr-x 20 weasel weasel 2048 Sep 1 04:09 ./
drwxrwsr-x 2 weasel weasel 1024 Aug 12 01:04 .ssh/
-rw-r--r-- 1 weasel weasel 332 Aug 12 01:03 .ssh/authorized_keys
| weasel@marvin:~$ ssh -v defiant
[...]
| debug: Trying RSA authentication via agent with 'weasel@marvin'
| debug: Remote: RSA authentication refused for weasel: bad ownership or modes for '/home/weasel/.ssh/authorized_keys'.
[...]
| weasel@defiant.localnet's password:
weasel@defiant:~$ chmod g-w .ssh/
weasel@defiant:~$ chmod g+w .ssh/authorized_keys
weasel@defiant:~$ l -d . .ssh .ssh/authorized_keys
drwxr-sr-x 20 weasel weasel 2048 Sep 1 04:09 ./
drwxr-sr-x 2 weasel weasel 1024 Aug 12 01:04 .ssh/
-rw-rw-r-- 1 weasel weasel 332 Aug 12 01:03 .ssh/authorized_keys
| weasel@marvin:~$ ssh defiant
| weasel@defiant.localnet's password:
weasel@defiant:~$ l -d . .ssh .ssh/authorized_keys
drwxrwsr-x 20 weasel weasel 2048 Sep 1 04:09 ./
drwxr-sr-x 2 weasel weasel 1024 Aug 12 01:04 .ssh/
-rw-r--r-- 1 weasel weasel 332 Aug 12 01:03 .ssh/authorized_keys
| weasel@marvin:~$ ssh defiant
| weasel@defiant.localnet's password:
weasel@defiant:~$ chmod g-w .
weasel@defiant:~$ l -d . .ssh .ssh/authorized_keys
drwxr-sr-x 20 weasel weasel 2048 Sep 1 04:09 ./
drwxr-sr-x 2 weasel weasel 1024 Aug 12 01:04 .ssh/
-rw-r--r-- 1 weasel weasel 332 Aug 12 01:03 .ssh/authorized_keys
| weasel@marvin:~$ ssh defiant
| [...]
| weasel@defiant:~$
So ssh checks whether the chain homedir, ~/.ssh, and authorized_keys is
writeable only by the owner.
yours,
peter
--
PGP encrypted messages preferred.
http://www.cosy.sbg.ac.at/~ppalfrad/
[please CC me on lists]
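The chain check that the transcript above demonstrates can be reproduced outside sshd. The following script is an added example written for this thread, not code from OpenSSH or from the poster: it walks from authorized_keys up to the home directory and flags any element that is group- or world-writable, then replays the four chmod scenarios from the mail on a constructed temporary home directory. It assumes the same rule as OpenSSH's secure_filename() (each element must be owned by the login user or by root, and must not have the 022 bits set); the fixture builder and the scenario names are mine.

```python
#!/usr/bin/env python3
"""StrictModes-style ownership/permission walk for ~/.ssh/authorized_keys.

Example code written for this thread, not sshd's own source.  Assumption:
like OpenSSH's secure_filename(), each path element from the key file up to
and including the home directory must be owned by the login user (or root)
and must not be group- or world-writable (mode & 022 == 0)."""
import os
import stat
import tempfile

UNSAFE_BITS = stat.S_IWGRP | stat.S_IWOTH   # the "022" part of the mode


def _bad(path, uid):
    """Return a reason string if `path` fails the check, else None."""
    st = os.stat(path)
    if st.st_uid not in (0, uid):
        return f"{path}: owned by uid {st.st_uid}, expected {uid} or root"
    if st.st_mode & UNSAFE_BITS:
        return f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is group/world writable"
    return None


def strict_modes_check(home, uid, keyfile=".ssh/authorized_keys"):
    """Check keyfile and every directory from its parent up to (and including)
    `home`.  Returns a list of violations; empty means sshd would accept it."""
    home = os.path.realpath(home)
    target = os.path.join(home, keyfile)
    problems = []
    reason = _bad(target, uid)
    if reason:
        problems.append(reason)
    d = os.path.dirname(target)
    while True:
        reason = _bad(d, uid)
        if reason:
            problems.append(reason)
        if d == home or d == os.path.dirname(d):   # reached home (or "/")
            break
        d = os.path.dirname(d)
    return problems


def build_home(base, home_mode, ssh_mode, keys_mode):
    """Constructed fixture: a fake home directory with the given modes."""
    home = os.path.join(base, "weasel")
    os.mkdir(home)
    os.mkdir(os.path.join(home, ".ssh"))
    keys = os.path.join(home, ".ssh", "authorized_keys")
    with open(keys, "w") as f:
        f.write("ssh-rsa AAAA...constructed-sample-key weasel@marvin\n")
    os.chmod(keys, keys_mode)
    os.chmod(os.path.join(home, ".ssh"), ssh_mode)
    os.chmod(home, home_mode)
    return home


def replay_thread():
    """Reproduce the four scenarios from the mail above.
    Returns {scenario_name: number_of_violations}."""
    scenarios = {
        "all_owner_only": (0o755, 0o755, 0o644),   # ssh logs in with the key
        "ssh_dir_g+w":    (0o755, 0o775, 0o644),   # "bad ownership or modes"
        "keys_g+w":       (0o755, 0o755, 0o664),   # falls back to password
        "home_g+w":       (0o775, 0o755, 0o644),   # falls back to password
    }
    results = {}
    uid = os.getuid()
    for name, modes in scenarios.items():
        with tempfile.TemporaryDirectory() as base:
            home = build_home(base, *modes)
            results[name] = len(strict_modes_check(home, uid))
    return results


if __name__ == "__main__":
    for name, n in replay_thread().items():
        print(f"{name:16s} -> {'OK' if n == 0 else f'{n} violation(s)'}")
```

Run it as the user whose home you want to audit, or call strict_modes_check(home, uid) directly against a real home directory; any non-empty result is the condition that produced the "bad ownership or modes" refusal in the transcript. The walk stops at the home directory on purpose, matching the behaviour shown above where only home, ~/.ssh and authorized_keys matter.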