Hi Ethan!
On Fri, 01 Sep 2000, Ethan Benson wrote:
> On Sat, Sep 02, 2000 at 01:25:09AM -0400, Adam McKenna wrote:
> > >
> > > my home directory is mode 710 and ssh works fine, on other systems my
> > > home is mode 755 and ssh still works fine (all with RSA auth and
> > > StrictModes yes)
> >
> > Actually, sshd only cares about ~/.ssh and ~/.ssh/authorized_keys and that
> > they're not group or world writable.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> how much do you want to bet?
You really wanna bet?
> [EMAIL PROTECTED] eb]$ chmod 770 .
Hmm. I'd think home is now /group writeable/.
[EMAIL PROTECTED]:~$ dpkg -l ssh
ii ssh 1.2.3-9 Secure rlogin/rsh/rcp replacement (OpenSSH)
once again:
[EMAIL PROTECTED]:~$ l -d . .ssh .ssh/authorized_keys
drwxr-sr-x 20 weasel weasel 2048 Sep 1 04:09 ./
drwxr-sr-x 2 weasel weasel 1024 Aug 12 01:04 .ssh/
-rw-r--r-- 1 weasel weasel 332 Aug 12 01:03 .ssh/authorized_keys
| [EMAIL PROTECTED]:~$ ssh defiant
| [...]
| [EMAIL PROTECTED]:~$
[EMAIL PROTECTED]:~$ chmod g+w .ssh/
[EMAIL PROTECTED]:~$ l -d . .ssh .ssh/authorized_keys
drwxr-sr-x 20 weasel weasel 2048 Sep 1 04:09 ./
drwxrwsr-x 2 weasel weasel 1024 Aug 12 01:04 .ssh/
-rw-r--r-- 1 weasel weasel 332 Aug 12 01:03 .ssh/authorized_keys
| [EMAIL PROTECTED]:~$ ssh -v defiant
[...]
| debug: Trying RSA authentication via agent with '[EMAIL PROTECTED]'
| debug: Remote: RSA authentication refused for weasel: bad ownership or modes for '/home/weasel/.ssh/authorized_keys'.
[...]
| [EMAIL PROTECTED]'s password:
[EMAIL PROTECTED]:~$ chmod g-w .ssh/
[EMAIL PROTECTED]:~$ chmod g+w .ssh/authorized_keys
[EMAIL PROTECTED]:~$ l -d . .ssh .ssh/authorized_keys
drwxr-sr-x 20 weasel weasel 2048 Sep 1 04:09 ./
drwxr-sr-x 2 weasel weasel 1024 Aug 12 01:04 .ssh/
-rw-rw-r-- 1 weasel weasel 332 Aug 12 01:03 .ssh/authorized_keys
| [EMAIL PROTECTED]:~$ ssh defiant
| [EMAIL PROTECTED]'s password:
[EMAIL PROTECTED]:~$ l -d . .ssh .ssh/authorized_keys
drwxrwsr-x 20 weasel weasel 2048 Sep 1 04:09 ./
drwxr-sr-x 2 weasel weasel 1024 Aug 12 01:04 .ssh/
-rw-r--r-- 1 weasel weasel 332 Aug 12 01:03 .ssh/authorized_keys
| [EMAIL PROTECTED]:~$ ssh defiant
| [EMAIL PROTECTED]'s password:
[EMAIL PROTECTED]:~$ chmod g-w .
[EMAIL PROTECTED]:~$ l -d . .ssh .ssh/authorized_keys
drwxr-sr-x 20 weasel weasel 2048 Sep 1 04:09 ./
drwxr-sr-x 2 weasel weasel 1024 Aug 12 01:04 .ssh/
-rw-r--r-- 1 weasel weasel 332 Aug 12 01:03 .ssh/authorized_keys
| [EMAIL PROTECTED]:~$ ssh defiant
| [...]
| [EMAIL PROTECTED]:~$
So ssh checks whether the chain homedir, ~/.ssh, and authorized_keys is
writeable only by the owner.
yours,
peter
--
PGP encrypted messages preferred.
http://www.cosy.sbg.ac.at/~ppalfrad/
[please CC me on lists]
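
The chain tested in the transcript above can be audited before a key login is refused. The following is an added example, not part of the original message and not sshd's own code; the function name `check_ssh_chain` and its arguments are hypothetical, and it only approximates the "bad ownership or modes" check by flagging a wrong owner or a group/world write bit on each of the three paths.

```shell
#!/bin/sh
# Added example: audit home, ~/.ssh and ~/.ssh/authorized_keys the way the
# transcript exercises them. Not sshd's implementation.
#
# check_ssh_chain HOME_DIR [OWNER]   (hypothetical helper)
#   HOME_DIR  home directory to audit
#   OWNER     expected owner (name or uid), defaults to the calling user
# Prints one line per offending path; returns 0 if the chain is clean, 1 if not.
check_ssh_chain() {
    home=$1
    owner=${2:-$(id -u)}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            rc=1
            continue
        fi
        # -prune makes find test only the path itself, not its contents.
        # -perm -020 matches a set group-write bit, -perm -002 world-write.
        bad=$(find "$p" -prune \
              \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)
        if [ -n "$bad" ]; then
            echo "REFUSED  $(ls -ld "$p")"
            rc=1
        fi
    done
    return $rc
}
```

Run it as `check_ssh_chain "$HOME"` on the server side; any `REFUSED` line names a path that needs `chmod go-w` (or a `chown`) before key authentication will be accepted with StrictModes yes.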