Re: baffling ssh problem
Andrew Sackville-West(andrew@farwestbilliards.com) is reported to have said:
> On Wed, Sep 19, 2007 at 01:42:48PM -0400, Wayne Topa wrote:
>
> ...
>
> > I agree Andrew. Other than reading the mail today I am going to be
> > looking into the problem, as it was, to see if I can figure out
> > exactly, why the problem occurred and what package the bug report
> > should be filed against.
> >
>
> well it's interesting that it cares what the parent directory perms are
> (from your other mail in this thread). I would think the .ssh
> directory would be sufficient. I'm not sure where to report the
> problem as well. Things that occur to me: does ssh-copy-id assume that
> /home/$USER has the correct perms without checking?
It must, as I used ssh-copy-id to send the public key from 5 boxes to
the 3 accounts on the server, including the one with the bad perms.
It did not throw any errors.
>
> if so, on what is
> that assumption based and who sets that perm (adduser perhaps?)?
> That's where I see the breakdown. Either ssh-copy-id isn't doing a
> sufficient job of checking or its assumptions are faulty.
You are correct Douglas.
I just did the following:

1. Moved the ~USER/.ssh file to good.ssh, on the server
2. Changed the perms on /home/USER to 770
3. On the AMD64 box did
     ssh-copy-id -i .ssh/id_dsa.pub server (not USER@server)
   Replied with password when asked.
   Then ssh'ed to server as asked.
   Was asked for password and connected when PW supplied.
4. Repeated the above but with
     ssh-copy-id -i .ssh/id_dsa.pub USER@server
   The results were the same as above.

Note: The perms on the .ssh dir and the authorized_keys file
created by ssh-copy-id were correct, 600.
ssh-copy-id does not check (care) about perms of /home/USER.
I don't know if that should be called a bug though, as ssh still
works, just not in password-less mode. I do think that a mention
should be included in one of the man pages.
A Wish-list for a note about the perms of ~/home/use being included in the
ssh and/or ssh-copy-id man pages would be sufficient, I would think.
Wayne
--
Plug-and-Play is really nice, unfortunately it only works 50% of the time.
To be specific the "Plug" almost always works. --unknown source
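
Added example, not part of the original message: with StrictModes on (the sshd default), public-key login is refused when the home directory, ~/.ssh or authorized_keys is group- or world-writable, which is what mode 770 on /home/USER triggers. The sketch below checks those three paths on the server; the function names are made up here, and only the write bits are tested, not ownership.

```shell
#!/bin/sh
# Added example: approximate the mode part of sshd's StrictModes check.
# Assumption: ownership (user or root) is not checked, only write bits.

# Return 0 if the path exists and is not group- or world-writable.
not_gw_writable() {
    [ -e "$1" ] || return 2
    # -L follows symlinks so the target's mode is what gets judged.
    mode=$(ls -ldL "$1" | cut -c1-10)     # e.g. drwxrwx---
    gw=$(printf '%s' "$mode" | cut -c6)   # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)   # other write bit
    [ "$gw" != "w" ] && [ "$ow" != "w" ]
}

# Check HOME, HOME/.ssh and HOME/.ssh/authorized_keys. Prints one line
# per path and returns non-zero if any of them would block key login.
check_ssh_perms() {
    home=$1
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if not_gw_writable "$p"; then
            echo "ok       $p"
        else
            echo "REFUSED  $p (missing, or group/world-writable)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh check.sh /home/USER
if [ "$#" -gt 0 ]; then
    check_ssh_perms "$1"
fi
```

Running it against a home directory set to 770 flags the home directory itself while .ssh and authorized_keys still pass, matching the behaviour described in the thread.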