
Bug#581919: marked as done (openssh-server: "bad ownership or modes for file $HOME/.ssh/authorized_keys" check too aggressive)



Your message dated Sat, 22 May 2010 23:02:28 +0000
with message-id <E1OFxi8-0007QY-45@ries.debian.org>
and subject line Bug#581919: fixed in openssh 1:5.5p1-4
has caused the Debian Bug report #581919,
regarding openssh-server: "bad ownership or modes for file $HOME/.ssh/authorized_keys" check too aggressive
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
581919: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581919
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:5.5p1-3
Severity: important

  Hi,

  Base-files package just switched to umask 002 by default for new installs
(see #248140 and discussion in d-devel). However, with this setup,
openssh-server behaves badly. It is similar to #314347 that was opened
for openssh-client and permission checks for $HOME/.ssh/config.
The fix for this bug should probably be similar.

  Here is an example of the problem:
On 15/05/2010 03:12, Joey Hess wrote:
> Vincent Danjean wrote:
>> I'm happy with this move. However, there is still an interaction with ssh
>> to deal with:
>> vdanjean@eyak:~$ chmod -Rv g+w .ssh/authorized_keys
>> vdanjean@eyak:~$ ssh localhost
>> vdanjean@localhost's password:
>> And, in /var/log/auth.log:
>> May 14 09:42:17 eyak sshd[1618]: Authentication refused: bad ownership or modes for file /home/vdanjean/.ssh/authorized_keys
>>
>> vdanjean@eyak:~$ chmod -Rv g-w .ssh/authorized_keys
>> le mode de « .ssh/authorized_keys » a été modifié en 0644 (rw-r--r--).
>> vdanjean@eyak:~$ ssh localhost
>> You have mail.
>> Last login: Tue May 11 17:10:30 2010
>> vdanjean@eyak:~$
>>
>> My system is in UPG but I was using default umask 022
>
> FWIW, for openssh this is supposed to be fixed in version 1:4.1p1-3.
> See #314347. It was changed to allow group-writable files if
> the owner is the only member in the group.
Something is wrong here. Should 314347 be reopened?

vdanjean@eyak:~$ LC_ALL=C apt-cache policy openssh-server
openssh-server:
  Installed: 1:5.5p1-3
  Candidate: 1:5.5p1-3
  Version table:
 *** 1:5.5p1-3 0
        500 http://ftp.fr.debian.org unstable/main Packages
        500 http://ftp.fr.debian.org testing/main Packages
        100 /var/lib/dpkg/status
     1:5.1p1-5 0
        500 http://ftp.fr.debian.org stable/main Packages
     1:4.3p2-9etch3 0
        500 http://ftp.fr.debian.org oldstable/main Packages
vdanjean@eyak:~$ cat /etc/group /etc/passwd | grep '^vdanjean'
vdanjean:x:1000:
vdanjean:x:1000:1000:Vincent Danjean,,,:/home/vdanjean:/bin/bash
vdanjean@eyak:~$

  Regards,
    Vincent

-- System Information:
Debian Release: squeeze/sid
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.33-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser                 3.112            add and remove users and groups
ii  debconf [debconf-2.0]   1.5.32           Debian configuration management sy
ii  dpkg                    1.15.7.1         Debian package management system
ii  libc6                   2.11-0exp6       Embedded GNU C Library: Shared lib
ii  libcomerr2              1.41.11-1        common error description library
ii  libgssapi-krb5-2        1.8.1+dfsg-2     MIT Kerberos runtime libraries - k
ii  libkrb5-3               1.8.1+dfsg-2     MIT Kerberos runtime libraries
ii  libpam-modules          1.1.1-3          Pluggable Authentication Modules f
ii  libpam-runtime          1.1.1-3          Runtime support for the PAM librar
ii  libpam0g                1.1.1-3          Pluggable Authentication Modules l
ii  libselinux1             2.0.94-1         SELinux runtime shared libraries
ii  libssl0.9.8             0.9.8n-1         SSL shared libraries
ii  libwrap0                7.6.q-18         Wietse Venema's TCP wrappers libra
ii  lsb-base                3.2-23.1         Linux Standard Base 3.2 init scrip
ii  openssh-blacklist       0.4.1            list of default blacklisted OpenSS
ii  openssh-client          1:5.5p1-3        secure shell (SSH) client, for sec
ii  procps                  1:3.2.8-9        /proc file system utilities
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.4-1  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                  <none>      (no description available)
pn  rssh                         <none>      (no description available)
ii  ssh-askpass                  1:1.2.4.1-9 under X, asks user for a passphras
pn  ufw                          <none>      (no description available)

-- debconf information:
  ssh/vulnerable_host_keys:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/disable_cr_auth: false
  ssh/encrypted_host_key_but_no_keygen:



--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:5.5p1-4

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_5.5p1-4_i386.udeb
  to main/o/openssh/openssh-client-udeb_5.5p1-4_i386.udeb
openssh-client_5.5p1-4_i386.deb
  to main/o/openssh/openssh-client_5.5p1-4_i386.deb
openssh-server-udeb_5.5p1-4_i386.udeb
  to main/o/openssh/openssh-server-udeb_5.5p1-4_i386.udeb
openssh-server_5.5p1-4_i386.deb
  to main/o/openssh/openssh-server_5.5p1-4_i386.deb
openssh_5.5p1-4.debian.tar.gz
  to main/o/openssh/openssh_5.5p1-4.debian.tar.gz
openssh_5.5p1-4.dsc
  to main/o/openssh/openssh_5.5p1-4.dsc
ssh-askpass-gnome_5.5p1-4_i386.deb
  to main/o/openssh/ssh-askpass-gnome_5.5p1-4_i386.deb
ssh-krb5_5.5p1-4_all.deb
  to main/o/openssh/ssh-krb5_5.5p1-4_all.deb
ssh_5.5p1-4_all.deb
  to main/o/openssh/ssh_5.5p1-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 581919@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 22 May 2010 23:37:20 +0100
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source i386 all
Version: 1:5.5p1-4
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 579843 581697 581919
Changes: 
 openssh (1:5.5p1-4) unstable; urgency=low
 .
   [ Sebastian Andrzej Siewior ]
   * Add powerpcspe to architecture list for libselinux1-dev build-dependency
     (closes: #579843).
 .
   [ Colin Watson ]
   * Allow ~/.ssh/authorized_keys and other secure files to be
     group-writable, provided that the group in question contains only the
     file's owner; this extends a patch previously applied to ~/.ssh/config
     (closes: #581919).
   * Check primary group memberships as well as supplementary group
     memberships, and only allow group-writability by groups with exactly one
     member, as zero-member groups are typically used by setgid binaries
     rather than being user-private groups (closes: #581697).
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iD8DBQFL+F2e9t0zAhD6TNERAn1TAJ9rwlavocxyM1cYSgA4B5hQMWtnhgCdE5fR
nI9MxJLBX8mqHsaY/pvhXeg=
=m9C4
-----END PGP SIGNATURE-----



--- End Message ---
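
The group-writability rule described in the 1:5.5p1-4 changelog above, as an added example (not the Debian patch or OpenSSH's own code). The account tables are constructed stand-ins for /etc/passwd and /etc/group, and sole_member_is() and modes_acceptable() are hypothetical names; acceptance of root-owned files follows OpenSSH's usual ownership check.

```c
#include <stddef.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Constructed account data standing in for /etc/passwd and /etc/group. */
struct user  { const char *name; uid_t uid; gid_t gid; };
struct group { gid_t gid; const char *members[3]; };  /* NULL-terminated */
static const struct user USERS[] = {
    {"vdanjean", 1000, 1000},                  /* user-private group, as in the report */
    {"alice", 1001, 100}, {"bob", 1002, 100},  /* shared primary group */
    {"carol", 1003, 1003},                     /* bob is also in her group, below */
};
static const struct group GROUPS[] = {
    {1000, {NULL}}, {100, {NULL}}, {1003, {"bob", NULL}},
    {2000, {NULL}},                            /* zero-member group */
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* 1 when gid has exactly one member (primary or supplementary) and it is uid. */
static int sole_member_is(gid_t gid, uid_t uid)
{
    int members = 0, found = 0;
    for (size_t u = 0; u < COUNT(USERS); u++) {
        int in = (USERS[u].gid == gid);        /* primary group membership */
        for (size_t g = 0; g < COUNT(GROUPS); g++) {
            if (GROUPS[g].gid != gid) continue;
            for (size_t m = 0; GROUPS[g].members[m] != NULL; m++)
                in |= (strcmp(GROUPS[g].members[m], USERS[u].name) == 0);
        }
        members += in;                         /* each account counted once */
        found |= (in && USERS[u].uid == uid);
    }
    return members == 1 && found;
}

/* Hypothetical helper: 1 if a file with these attributes passes for user uid. */
int modes_acceptable(uid_t file_uid, gid_t file_gid, mode_t mode, uid_t uid)
{
    if (file_uid != 0 && file_uid != uid)
        return 0;                              /* owned by another account */
    if (mode & S_IWOTH)
        return 0;                              /* world-writable: always refused */
    if ((mode & S_IWGRP) && !sole_member_is(file_gid, uid))
        return 0;                              /* group may include someone else */
    return 1;
}
```

With these tables, the reporter's 0664 authorized_keys in group 1000 passes, while the same mode is refused for a shared primary group, a group with a supplementary member, and a zero-member group.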
