Bug#581919: openssh-server: "bad ownership or modes for file $HOME/.ssh/authorized_keys" check too aggressive
Package: openssh-server
Version: 1:5.5p1-3
Severity: important
Hi,
The base-files package just switched to umask 002 by default for new installs
(see #248140 and the discussion on d-devel). However, with this setup,
openssh-server behaves badly. It is similar to #314347, which was opened
for openssh-client and permission checks for $HOME/.ssh/config.
The fix for this bug should probably be similar.
Here is an example of the problem:
On 15/05/2010 03:12, Joey Hess wrote:
> Vincent Danjean wrote:
>> I'm happy with this move. However, there is still an interaction with ssh
>> to deal with:
>> vdanjean@eyak:~$ chmod -Rv g+w .ssh/authorized_keys
>> vdanjean@eyak:~$ ssh localhost
>> vdanjean@localhost's password:
>> And, in /var/log/auth.log:
>> May 14 09:42:17 eyak sshd[1618]: Authentication refused: bad ownership or modes for file /home/vdanjean/.ssh/authorized_keys
>>
>> vdanjean@eyak:~$ chmod -Rv g-w .ssh/authorized_keys
>> mode of '.ssh/authorized_keys' changed to 0644 (rw-r--r--)
>> vdanjean@eyak:~$ ssh localhost
>> You have mail.
>> Last login: Tue May 11 17:10:30 2010
>> vdanjean@eyak:~$
>>
>> My system is in UPG but I was using default umask 022
>
> FWIW, for openssh this is supposed to be fixed in version 1:4.1p1-3.
> See #314347. It was changed to allow group-writable files if
> the owner is the only member in the group.
Something is wrong here. Should 314347 be reopened?
vdanjean@eyak:~$ LC_ALL=C apt-cache policy openssh-server
openssh-server:
Installed: 1:5.5p1-3
Candidate: 1:5.5p1-3
Version table:
*** 1:5.5p1-3 0
500 http://ftp.fr.debian.org unstable/main Packages
500 http://ftp.fr.debian.org testing/main Packages
100 /var/lib/dpkg/status
1:5.1p1-5 0
500 http://ftp.fr.debian.org stable/main Packages
1:4.3p2-9etch3 0
500 http://ftp.fr.debian.org oldstable/main Packages
vdanjean@eyak:~$ cat /etc/group /etc/passwd | grep '^vdanjean'
vdanjean:x:1000:
vdanjean:x:1000:1000:Vincent Danjean,,,:/home/vdanjean:/bin/bash
vdanjean@eyak:~$
Regards,
Vincent
-- System Information:
Debian Release: squeeze/sid
APT prefers oldstable
APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.33-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssh-server depends on:
ii adduser 3.112 add and remove users and groups
ii debconf [debconf-2.0] 1.5.32 Debian configuration management sy
ii dpkg 1.15.7.1 Debian package management system
ii libc6 2.11-0exp6 Embedded GNU C Library: Shared lib
ii libcomerr2 1.41.11-1 common error description library
ii libgssapi-krb5-2 1.8.1+dfsg-2 MIT Kerberos runtime libraries - k
ii libkrb5-3 1.8.1+dfsg-2 MIT Kerberos runtime libraries
ii libpam-modules 1.1.1-3 Pluggable Authentication Modules f
ii libpam-runtime 1.1.1-3 Runtime support for the PAM librar
ii libpam0g 1.1.1-3 Pluggable Authentication Modules l
ii libselinux1 2.0.94-1 SELinux runtime shared libraries
ii libssl0.9.8 0.9.8n-1 SSL shared libraries
ii libwrap0 7.6.q-18 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-23.1 Linux Standard Base 3.2 init scrip
ii openssh-blacklist 0.4.1 list of default blacklisted OpenSS
ii openssh-client 1:5.5p1-3 secure shell (SSH) client, for sec
ii procps 1:3.2.8-9 /proc file system utilities
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages openssh-server recommends:
ii openssh-blacklist-extra 0.4.1 list of non-default blacklisted Op
ii xauth 1:1.0.4-1 X authentication utility
Versions of packages openssh-server suggests:
pn molly-guard <none> (no description available)
pn rssh <none> (no description available)
ii ssh-askpass 1:1.2.4.1-9 under X, asks user for a passphras
pn ufw <none> (no description available)
-- debconf information:
ssh/vulnerable_host_keys:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/disable_cr_auth: false
ssh/encrypted_host_key_but_no_keygen:
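Added example (not code from OpenSSH, Debian, or the reporter): a Python emulation of the two rules at issue in this report, so the "bad ownership or modes" decision can be reproduced against a passwd/group table without touching a real sshd. The strict rule is the one sshd has always applied to authorized_keys and the directories above it: owned by the user or root, and neither group- nor world-writable. The relaxed rule is the one the quoted reply attributes to #314347: a group-writable file is tolerated only when the file's group has exactly one member, the owner. How the real Debian patch counts members is an assumption here; the page only states the rule in one sentence. The sample passwd/group lines are constructed, modelled on the ones shown in the report.

```python
"""Emulate sshd's ownership/mode check for ~/.ssh/authorized_keys.

Added example, not OpenSSH's or Debian's code.  secure_permissions()
applies the strict or relaxed rule to one inode given an explicit
passwd/group table; check_path() applies it to a real file and every
directory up to the home directory using the live NSS databases.
"""
import os
import pwd
import grp
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int            # primary group


@dataclass(frozen=True)
class Group:
    name: str
    gid: int
    members: tuple      # supplementary members listed in /etc/group


def parse_passwd(text):
    """Parse /etc/passwd-style lines (name:x:uid:gid:gecos:home:shell)."""
    out = []
    for line in text.splitlines():
        if line.strip():
            f = line.split(":")
            out.append(Account(f[0], int(f[2]), int(f[3])))
    return out


def parse_group(text):
    """Parse /etc/group-style lines (name:x:gid:member1,member2)."""
    out = []
    for line in text.splitlines():
        if line.strip():
            f = line.split(":")
            members = tuple(m for m in f[3].split(",") if m) if len(f) > 3 else ()
            out.append(Group(f[0], int(f[2]), members))
    return out


def group_members(gid, accounts, groups):
    """All account names in gid: by primary gid or by /etc/group listing."""
    names = {a.name for a in accounts if a.gid == gid}
    for g in groups:
        if g.gid == gid:
            names.update(g.members)
    return names


def secure_permissions(mode, st_uid, st_gid, uid, accounts, groups, relaxed=True):
    """Return (ok, reason) for one inode with the given owner, group and mode."""
    if st_uid not in (0, uid):
        return False, "not owned by uid %d or root" % uid
    if mode & stat.S_IWOTH:
        return False, "world-writable"
    if mode & stat.S_IWGRP:
        if not relaxed:
            return False, "group-writable"
        # Relaxed (UPG) rule, as described in the quoted reply: the file's
        # group must contain exactly one account, and it must be the owner.
        owner = next((a.name for a in accounts if a.uid == st_uid), None)
        if owner is None:
            return False, "owner uid %d has no passwd entry" % st_uid
        members = group_members(st_gid, accounts, groups)
        if members != {owner}:
            return False, "group-writable but gid %d is not private to %s (members: %s)" % (
                st_gid, owner, ",".join(sorted(members)) or "none")
    return True, "ok"


def check_path(path, uid, home, relaxed=True):
    """Check path and each parent directory up to home (or "/"), like sshd's walk."""
    accounts = [Account(p.pw_name, p.pw_uid, p.pw_gid) for p in pwd.getpwall()]
    groups = [Group(g.gr_name, g.gr_gid, tuple(g.gr_mem)) for g in grp.getgrall()]
    home = os.path.realpath(home)
    cur = os.path.realpath(path)
    while True:
        st = os.stat(cur)
        ok, why = secure_permissions(st.st_mode, st.st_uid, st.st_gid, uid,
                                     accounts, groups, relaxed)
        if not ok:
            return False, "%s: %s" % (cur, why)
        if cur in (home, "/"):
            return True, "ok"
        cur = os.path.dirname(cur)


# Constructed sample tables modelled on the passwd/group lines in the report.
SAMPLE_PASSWD = parse_passwd(
    "root:x:0:0:root:/root:/bin/bash\n"
    "vdanjean:x:1000:1000:Vincent Danjean,,,:/home/vdanjean:/bin/bash\n"
    "alice:x:1001:100:Alice,,,:/home/alice:/bin/bash\n")
SAMPLE_GROUP = parse_group(
    "root:x:0:\n"
    "users:x:100:vdanjean\n"
    "vdanjean:x:1000:\n")

if __name__ == "__main__":
    # chmod g+w under umask 002 gives 0664 on a uid==gid private group.
    for mode, gid in ((0o664, 1000), (0o664, 100), (0o666, 1000)):
        for relaxed in (False, True):
            print("%04o gid=%d relaxed=%s ->" % (mode, gid, relaxed),
                  secure_permissions(mode, 1000, gid, 1000, SAMPLE_PASSWD, SAMPLE_GROUP, relaxed))
```

Run it as `python3 check_akeys.py` to see the table, or call `check_path("/home/vdanjean/.ssh/authorized_keys", 1000, "/home/vdanjean")` on a live system. With the sample table, a 0664 file in the private group 1000 is refused by the strict rule and accepted by the relaxed one, which is the behaviour the quoted reply says 1:4.1p1-3 should have; the same mode in group 100 (which also contains alice) is refused by both, as is any world-writable mode.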