
Bug#581919: openssh-server: "bad ownership or modes for file $HOME/.ssh/authorized_keys" check too aggressive



Package: openssh-server
Version: 1:5.5p1-3
Severity: important

  Hi,

  The base-files package just switched to umask 002 by default for new installs
(see #248140 and discussion in d-devel). However, with this setup,
openssh-server behaves badly. It is similar to #314347, which was opened
for openssh-client and permission checks for $HOME/.ssh/config.
The fix for this bug should probably be similar.

  Here is an example of the problem:
On 15/05/2010 03:12, Joey Hess wrote:
> Vincent Danjean wrote:
>> I'm happy with this move. However, there is still an interaction with ssh
>> to deal with:
>> vdanjean@eyak:~$ chmod -Rv g+w .ssh/authorized_keys
>> vdanjean@eyak:~$ ssh localhost
>> vdanjean@localhost's password:
>> And, in /var/log/auth.log:
>> May 14 09:42:17 eyak sshd[1618]: Authentication refused: bad ownership or modes for file /home/vdanjean/.ssh/authorized_keys
>>
>> vdanjean@eyak:~$ chmod -Rv g-w .ssh/authorized_keys
>> le mode de « .ssh/authorized_keys » a été modifié en 0644 (rw-r--r--).
>> vdanjean@eyak:~$ ssh localhost
>> You have mail.
>> Last login: Tue May 11 17:10:30 2010
>> vdanjean@eyak:~$
>>
>> My system is in UPG but I was using default umask 022
>
> FWIW, for openssh this is supposed to be fixed in version 1:4.1p1-3.
> See #314347. It was changed to allow group-writable files if
> the owner is the only member in the group.
Something is wrong here. Should #314347 be reopened?

vdanjean@eyak:~$ LC_ALL=C apt-cache policy openssh-server
openssh-server:
  Installed: 1:5.5p1-3
  Candidate: 1:5.5p1-3
  Version table:
 *** 1:5.5p1-3 0
        500 http://ftp.fr.debian.org unstable/main Packages
        500 http://ftp.fr.debian.org testing/main Packages
        100 /var/lib/dpkg/status
     1:5.1p1-5 0
        500 http://ftp.fr.debian.org stable/main Packages
     1:4.3p2-9etch3 0
        500 http://ftp.fr.debian.org oldstable/main Packages
vdanjean@eyak:~$ cat /etc/group /etc/passwd | grep '^vdanjean'
vdanjean:x:1000:
vdanjean:x:1000:1000:Vincent Danjean,,,:/home/vdanjean:/bin/bash
vdanjean@eyak:~$

  Regards,
    Vincent

-- System Information:
Debian Release: squeeze/sid
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.33-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser                 3.112            add and remove users and groups
ii  debconf [debconf-2.0]   1.5.32           Debian configuration management sy
ii  dpkg                    1.15.7.1         Debian package management system
ii  libc6                   2.11-0exp6       Embedded GNU C Library: Shared lib
ii  libcomerr2              1.41.11-1        common error description library
ii  libgssapi-krb5-2        1.8.1+dfsg-2     MIT Kerberos runtime libraries - k
ii  libkrb5-3               1.8.1+dfsg-2     MIT Kerberos runtime libraries
ii  libpam-modules          1.1.1-3          Pluggable Authentication Modules f
ii  libpam-runtime          1.1.1-3          Runtime support for the PAM librar
ii  libpam0g                1.1.1-3          Pluggable Authentication Modules l
ii  libselinux1             2.0.94-1         SELinux runtime shared libraries
ii  libssl0.9.8             0.9.8n-1         SSL shared libraries
ii  libwrap0                7.6.q-18         Wietse Venema's TCP wrappers libra
ii  lsb-base                3.2-23.1         Linux Standard Base 3.2 init scrip
ii  openssh-blacklist       0.4.1            list of default blacklisted OpenSS
ii  openssh-client          1:5.5p1-3        secure shell (SSH) client, for sec
ii  procps                  1:3.2.8-9        /proc file system utilities
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.4-1  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                  <none>      (no description available)
pn  rssh                         <none>      (no description available)
ii  ssh-askpass                  1:1.2.4.1-9 under X, asks user for a passphras
pn  ufw                          <none>      (no description available)

-- debconf information:
  ssh/vulnerable_host_keys:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/disable_cr_auth: false
  ssh/encrypted_host_key_but_no_keygen:
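To check ahead of time whether an authorized_keys file would trip this refusal, here is an added example script (not sshd's code and not part of the report). It encodes the rule as the report summarises it: the file must be owned by the user or root, must not be world-writable, and group write is tolerated only when the owner is the sole member of the file's group. How the Debian patch defines "only member" is an assumption here: explicit /etc/group members plus every account whose primary gid is that group, which is what makes a UPG entry like `vdanjean:x:1000:` count as single-member.

```python
import grp
import os
import pwd
import stat


def mode_verdict(mode, st_uid, owner_name, owner_uid, group_members):
    """Pure form of the StrictModes test, with the #314347 relaxation as the
    report describes it (assumed reading, not sshd's actual code).
    Returns (ok, reason)."""
    if st_uid not in (0, owner_uid):
        return False, "owned by uid %d, not %s or root" % (st_uid, owner_name)
    if mode & stat.S_IWOTH:
        return False, "world-writable"
    if mode & stat.S_IWGRP:
        others = set(group_members) - {owner_name}
        if others:
            return False, ("group-writable and group also contains %s"
                           % ", ".join(sorted(others)))
    return True, "ok"


def members_of(gid):
    """Explicit /etc/group members plus accounts whose primary group is gid."""
    try:
        names = set(grp.getgrgid(gid).gr_mem)
    except KeyError:
        names = set()
    names.update(p.pw_name for p in pwd.getpwall() if p.pw_gid == gid)
    return names


def check_authorized_keys(user):
    """Check authorized_keys, ~/.ssh and $HOME, the paths sshd also walks."""
    pw = pwd.getpwnam(user)
    home = pw.pw_dir
    results = {}
    for path in (os.path.join(home, ".ssh", "authorized_keys"),
                 os.path.join(home, ".ssh"), home):
        st = os.stat(path)
        results[path] = mode_verdict(stat.S_IMODE(st.st_mode), st.st_uid,
                                     pw.pw_name, pw.pw_uid, members_of(st.st_gid))
    return results


if __name__ == "__main__":
    import sys
    who = sys.argv[1] if len(sys.argv) > 1 else pwd.getpwuid(os.getuid()).pw_name
    for path, (ok, reason) in check_authorized_keys(who).items():
        print("%-7s %s: %s" % ("OK" if ok else "REFUSED", path, reason))
```

Run as `python3 check_modes.py vdanjean`; with the report's 0664 file in a single-member UPG group the rule above says OK, which is exactly what sshd 1:5.5p1-3 did not do.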