On 4/24/2012 12:54 PM, Stefan Johnson wrote:
> On Tue, Apr 24, 2012 at 2:24 PM, Tyler <disc...@gmail.com> wrote:
>> Hi,
>>
>> Is there a way to create logins that are only accessed via authorized_keys so that security(8) doesn't complain about them every day?
>>
>> The general goal is to disable remote root login via SSH and allow an unprivileged "admin" user access via key files and pass phrases (and then sudo or su).
>>
>> My problem is security(8) complains about this every day:
>>
>> "Login admin is off but still has a valid shell and alternate access files in home directory are still readable."
>>
>> Which, taking a look at the newly rewritten /usr/libexec/security script, is a result of the .ssh files existing and being readable by anyone:
>>
>>     or check_access_file "$home/.$_", $name foreach qw(ssh rhosts shosts klogin);
>>
>> and:
>>
>>     nag $mode & (S_IRUSR | S_IRGRP | S_IROTH) && ! -O $filename,
>>
>> It seems to me I need to learn how to make these types of logins in such a way that security(8) doesn't whine about them; or, if that is not possible, I will write a patch for /usr/libexec/security that works the way I want it to and post it.
>>
>> Thanks all,
>> Tyler
>
> The recommended permissions of the .ssh directory for each user is 700. What are the permissions you are using? It sounds like it might be something like 755 (which means world and group readable, not just user readable.) The directory has to be at least read and execute capable for the user that owns it in order to use the files within it, and the write bit should be set for accepting keys when logging on to a new system. This is why the '7' is recommended.
The .ssh directory is 700. I even locked down the .ssh directory files from 644 to 640 (i.e. known_hosts and id_rsa.pub) in hopes of silencing the message.

The check in the security(8) script is based on the current user running it, which looks like root when run via cron.daily, who would have S_IRUSR no matter what I did to the perms.
/home/pfcopy as 755 is default as far as I know.

root@border2-bellevue:/home# ls -laR admin/
total 40
drwxr-xr-x  3 admin  admin   512 Mar 14 17:42 .
drwxr-xr-x  3 root   wheel   512 Aug 17  2011 ..
-rw-r--r--  1 admin  admin    22 Mar 14 17:25 .Xdefaults
-rw-r--r--  1 admin  admin   773 Mar 14 17:25 .cshrc
-rw-r--r--  1 admin  admin    21 Mar 14 17:40 .forward
-rw-r--r--  1 admin  admin   398 Mar 14 17:25 .login
-rw-r--r--  1 admin  admin   113 Mar 14 17:25 .mailrc
-rw-r--r--  1 admin  admin   218 Mar 14 17:25 .profile
drwx------  2 admin  admin   512 Mar 14 17:26 .ssh
-rwxr-xr-x  1 root   wheel   335 Mar 14 17:39 admin.sh

admin/.ssh:
total 24
drwx------  2 admin  admin   512 Mar 14 17:26 .
drwxr-xr-x  3 admin  admin   512 Mar 14 17:42 ..
-rw-------  1 admin  admin   415 Mar 14 17:27 authorized_keys
-rw-------  1 admin  admin  1651 Mar 14 17:25 id_rsa
-rw-r-----  1 admin  admin   415 Mar 14 17:25 id_rsa.pub
-rw-r-----  1 admin  admin   192 Mar 14 17:26 known_hosts
root@border2-bellevue:/home# ls -lad admin/
drwxr-xr-x  3 admin  admin  512 Mar 14 17:42 admin/
root@border2-bellevue:/home# uname -a
OpenBSD border2-bellevue.tradetech.net 5.0 GENERIC.MP#63 amd64
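The two-line predicate Tyler quoted from /usr/libexec/security, re-implemented in plain sh as an added example (this is neither the security(8) script nor code from anyone in the thread) so it can be run against a constructed scratch .ssh directory carrying the same modes as the listing above. nag_readable mirrors `$mode & (S_IRUSR | S_IRGRP | S_IROTH) && ! -O $filename`, taking the caller's user name as a parameter because Perl's -O compares file ownership with the effective uid of whoever runs the script (root under the daily run). nag_shared is an assumed, narrower alternative that only fires when group or other can read the file; it is not something the page shows, and everything apart from the two quoted lines is constructed.

```shell
#!/bin/sh
# Added example: evaluate the quoted security(8) predicate against files in
# a scratch directory. Not the OpenBSD script itself.

# perm_string FILE -> the nine permission characters, e.g. "rw-r-----"
perm_string() { ls -ld "$1" | cut -c2-10; }

# owner FILE -> user name that owns FILE
owner() { ls -ld "$1" | awk '{print $3}'; }

# nag_readable FILE CALLER
# Mirrors:  $mode & (S_IRUSR | S_IRGRP | S_IROTH) && ! -O $filename
# CALLER is the user the security script is assumed to run as; -O is true
# only when CALLER owns FILE. Exit status 0 means "would nag".
nag_readable() {
    case $(perm_string "$1") in
        r*|???r*|??????r*) ;;          # some read bit (u, g or o) is set
        *) return 1 ;;                 # no read bit at all: no nag
    esac
    [ "$(owner "$1")" != "$2" ]        # readable and not owned by CALLER
}

# nag_shared FILE (assumed narrower test, not from the page)
# Nag only when group or other can read the file, whoever runs the check.
nag_shared() {
    case $(perm_string "$1") in
        ???r*|??????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build a constructed scratch .ssh directory with the modes from the
# listing in the thread and report both checks for each file.
demo() {
    d=$(mktemp -d) || return 1
    umask 077
    mkdir "$d/.ssh"
    for f in authorized_keys id_rsa id_rsa.pub known_hosts; do
        : > "$d/.ssh/$f"
    done
    chmod 600 "$d/.ssh/authorized_keys" "$d/.ssh/id_rsa"
    chmod 640 "$d/.ssh/id_rsa.pub" "$d/.ssh/known_hosts"
    me=$(owner "$d")                   # the user who owns the scratch home
    for f in "$d"/.ssh/*; do
        printf '%s %-16s as_owner:%s as_other_user:%s shared:%s\n' \
            "$(perm_string "$f")" "${f##*/}" \
            "$(nag_readable "$f" "$me" && echo nag || echo ok)" \
            "$(nag_readable "$f" "${me}_not" && echo nag || echo ok)" \
            "$(nag_shared "$f" && echo nag || echo ok)"
    done
    rm -rf "$d"
}

demo
```

The as_other_user column is the daily(8) case: the check runs as a user who does not own the files, so even a 600 authorized_keys trips nag_readable because S_IRUSR is set and -O is false, which matches the message Tyler keeps getting despite the tightened modes. The assumed nag_shared test stays quiet for 600 files and only fires for the 640 ones.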