intgr (Apprentice)
Joined: 23 Jun 2004 Posts: 225 Location: Earth, Sol, Milky Way
Posted: Mon Jul 26, 2004 6:10 pm Post subject: OpenSSH doesn't accept RSA auth - bad chmod [SOLVED]
OpenSSH won't let me do RSA auth because it thinks the chmod of my home directory is wrong. It does work when I do 'chmod g-w /home/sipsick', but I need group write access. Why would sshd care as long as '~/.ssh' is owned by me and has chmod 700? I know there is a small chance that somebody could fake this by moving my own files, but it's not like I'm going to add anybody I don't trust to my group. Yet I couldn't find any option to turn it off in the sshd_config man page, and the only solution Google has offered is doing 'chmod g-w' on my home directory.
Here's what I get in /var/log/messages:
Code:
Jul 26 20:54:21 ark sshd[2897]: Authentication refused: bad ownership or modes for directory /home/sipsick

The permissions:
Code:
drwxrwx--- 19 sipsick sipsick 872 Jul 26 19:53 /home/sipsick/
drwx------ 3 sipsick sipsick 136 Jul 23 23:17 /home/sipsick/.ssh/
-rw------- 1 sipsick sipsick 233 Jun 6 20:50 /home/sipsick/.ssh/authorized_keys
-rw------- 1 sipsick sipsick 671 Jul 26 20:03 /home/sipsick/.ssh/known_hosts

The solutions I could come up with are:
- Hack OpenSSHD's source - not going to happen.
- Use some symlink madness to make up for not having my home directory group writable
Last edited by intgr on Tue Jul 27, 2004 9:49 am; edited 1 time in total
tuxmin (l33t)
Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
Posted: Mon Jul 26, 2004 6:40 pm Post subject:
Make sure the private key files on the machine you come from have mode 600 -- then it should work.
Alex!!!
_________________
ALT-F4
intgr (Apprentice)
Joined: 23 Jun 2004 Posts: 225 Location: Earth, Sol, Milky Way
Posted: Mon Jul 26, 2004 10:14 pm Post subject:
tuxmin wrote: Make sure the private key files on the machine you come from have mode 600 -- then it should work.
Yeah, they already are:
Code:
-rw------- 1 sipsick sipsick 233 Jun 6 20:50 /home/sipsick/.ssh/authorized_keys

Code:
[sipsick@ark ~]$ stat /home/sipsick/.ssh/authorized_keys
File: `/home/sipsick/.ssh/authorized_keys'
Access: (0664/-rw-rw-r--) Uid: ( 1000/ sipsick) Gid: ( 407/ sipsick)

(Removed irrelevant lines)
Last edited by intgr on Mon Jul 26, 2004 10:47 pm; edited 1 time in total
Jake (Veteran)
Joined: 31 Jul 2003 Posts: 1132
Posted: Mon Jul 26, 2004 10:56 pm Post subject:
My permissions are
Code:
server$ ls -la ~/.ssh
total 8
drwxr-xr-x 2 jake other 512 Jul 26 17:50 .
drwxr-xr-x 4 jake other 512 Jul 26 16:32 ..
-rw-r--r-- 1 jake other 601 Jul 26 17:50 authorized_keys
-rw-r--r-- 1 jake other 233 Jul 26 16:00 known_hosts

Code:
client$ ls -la ~/.ssh
total 19
drwx------ 2 jake users 5 Jul 26 02:25 .
drwxr-xr-x 101 jake users 213 Jul 26 16:56 ..
-rw------- 1 jake daemon 668 Jul 21 11:27 id_dsa
-rw-r--r-- 1 jake daemon 601 Jul 21 11:27 id_dsa.pub
-rw-r--r-- 1 jake daemon 5588 Jul 26 02:08 known_hosts

Only id_dsa, your private key, needs to be mode 600.
intgr (Apprentice)
Joined: 23 Jun 2004 Posts: 225 Location: Earth, Sol, Milky Way
Posted: Mon Jul 26, 2004 11:25 pm Post subject:
Jake wrote: Only id_dsa, your private key, needs to be mode 600.
Then how do you explain that message in my syslog?
Before letting you log in using RSA/DSA authentication, OpenSSHD checks that $HOME, $HOME/.ssh and $HOME/.ssh/authorized_keys are not world or group writable. If they are, OpenSSHD won't let you log in using this method, because somebody else (e.g., another member of your group) could have moved a file/directory with your permissions there and/or edited it.
I need a way to tell OpenSSHD not to do that.
garn (Tux's lil' helper)
Joined: 10 Sep 2003 Posts: 131
Posted: Tue Jul 27, 2004 12:19 am Post subject:
Basically, by using a private key and having your home dir group writable, you cannot prove that you are the user you say you are, only the group. So SSH would be flawed if it let you assume the identity of the user rather than the group. I would recommend having a directory inside your home dir that is group writable, and putting all your crap in there; this would keep your config files safe from tampering.
I understand that you won't add untrustworthy people to your group, and it might just be a group of your own users, but the fact is that if your ~ is group writable, a private key can only ensure your group, not your user, and ssh is looking at the user.
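The check intgr describes two posts up and the layout garn recommends here, as an added example that is not part of the thread and not OpenSSH's own code: a POSIX shell script that reproduces sshd's ownership-and-mode test for $HOME, $HOME/.ssh and $HOME/.ssh/authorized_keys on a constructed scratch tree, shows it failing for a group-writable home directory exactly as in the log line above, and then shows it passing when the home directory is 750 and a setgid, group-writable subdirectory holds the shared files. In sshd this test is gated by the StrictModes option in sshd_config (on by default); a file or directory passes when it is owned by the user or root and has neither the group-write nor the other-write bit set. The function names check_path, check_home and build_tree are mine, the tree under mktemp is constructed sample data, and the script parses ls -ld instead of calling stat so it runs unchanged on GNU and BSD systems.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: reproduce the
# "bad ownership or modes" check sshd applies (StrictModes yes) to the
# home directory, ~/.ssh and ~/.ssh/authorized_keys, on a scratch tree.

# check_path PATH USER -> 0 if PATH is owned by USER or root and is neither
# group- nor world-writable, 1 otherwise (sshd's test is: owner is the user
# or a system uid, and (mode & 022) == 0).
check_path() {
    p=$1; u=$2
    set -- $(ls -ld "$p")          # $1 = mode string, $3 = owner name
    mode=$1; owner=$3
    case "$owner" in
        "$u"|root) ;;
        *) echo "bad ownership for $p (owner $owner)"; return 1 ;;
    esac
    # mode string is -rwxrwxrwx: char 6 is group write, char 9 is other write
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "bad ownership or modes for directory $p ($mode)"; return 1
    fi
    return 0
}

# check_home HOME USER -> 0 only if every path sshd inspects passes.
# sshd walks from authorized_keys up to (and including) the home directory.
check_home() {
    h=$1; u=$2
    check_path "$h" "$u" && check_path "$h/.ssh" "$u" \
        && check_path "$h/.ssh/authorized_keys" "$u"
}

# build_tree ROOT MODE -> constructed sample tree: ROOT/home with the given
# mode, a 700 .ssh inside it and an empty 600 authorized_keys.
build_tree() {
    root=$1; hmode=$2
    mkdir -p "$root/home/.ssh"
    : > "$root/home/.ssh/authorized_keys"
    chmod "$hmode" "$root/home"
    chmod 700 "$root/home/.ssh"
    chmod 600 "$root/home/.ssh/authorized_keys"
}

me=$(id -un)
scratch=$(mktemp -d)

# 1. The layout from the first post: home is drwxrwx--- (770).
build_tree "$scratch/bad" 770
check_home "$scratch/bad/home" "$me" || echo "sshd would refuse publickey auth"

# 2. garn's layout: home 750, shared/ is 2770 (setgid so files created by
#    group members keep the group), .ssh left at 700. sshd is satisfied and
#    the group still has a writable area inside the home directory.
build_tree "$scratch/good" 750
mkdir -p "$scratch/good/home/shared"
chmod 2770 "$scratch/good/home/shared"
check_home "$scratch/good/home" "$me" && echo "publickey auth would be allowed"

rm -rf "$scratch"
```

The walk stops at the home directory because that is where sshd stops when it has a home directory to compare against; it does not, and this script does not, complain about /home itself. A world-writable home (mode 757, say) fails the same test, which is why the usual advice is 755 or tighter rather than just g-w.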
tuxmin (l33t)
Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
Posted: Tue Jul 27, 2004 4:32 am Post subject:
intgr wrote:
Code:
-rw------- 1 sipsick sipsick 233 Jun 6 20:50 /home/sipsick/.ssh/authorized_keys

Code:
[sipsick@ark ~]$ stat /home/sipsick/.ssh/authorized_keys
File: `/home/sipsick/.ssh/authorized_keys'
Access: (0664/-rw-rw-r--) Uid: ( 1000/ sipsick) Gid: ( 407/ sipsick)

(Removed irrelevant lines)
These are not private keys! Look for files named identity, id_rsa and id_dsa
_________________
ALT-F4
intgr (Apprentice)
Joined: 23 Jun 2004 Posts: 225 Location: Earth, Sol, Milky Way
Posted: Tue Jul 27, 2004 8:31 am Post subject:
tuxmin wrote: These are not private keys! Look for files named identity, id_rsa and id_dsa
Ah, sorry. I didn't pay enough attention to your post. The problem isn't my private keys -- the server rejects my public keys because it's not confident about the authenticity of the public keys on the server machine.
intgr (Apprentice)
Joined: 23 Jun 2004 Posts: 225 Location: Earth, Sol, Milky Way
Posted: Tue Jul 27, 2004 9:48 am Post subject:
garn wrote: I would recommend having a directory inside your home dir that is group writable, and putting all your crap in there; this would keep your config files safe from tampering.
You're right, this is the way to go. After thinking about it, it does make more sense than making my home directory group writable.