Re: ssh public key authentication

Posted: 26 Dec 2010, 07:44
by ryz
There is a setting in the SSH server that tells it to check for healthy permissions on the home folder of the user that tries to log in with a public key. I think it is the StrictModes yes in the file /etc/ssh/sshd_config. You could change that to no and then reconfigure the ssh server with

    /etc/init.d/ssh reload

SSH does not know if the group that the home folder has is only accessible by the user and that it will stay so. If any other user has write permission to the /home/press folder, that user can change the /home/press/.ssh folder and hence put its own public key there and then log in as the user press.

Bubba is not set up to have a single primary group for each user. All users share the same primary group.
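The check ryz describes above, as an added shell example that is not part of this thread: it mimics the part of sshd's StrictModes test that refuses public-key login when the home directory, ~/.ssh or ~/.ssh/authorized_keys is writable by the group or by others (the real sshd additionally checks that those paths are owned by the user or root, which this example leaves out). The home directories, user name "press" and permission modes below are constructed for the demonstration, not real accounts.

```shell
#!/bin/sh
# Added example, not from the forum thread: a POSIX-sh approximation of the
# group/world-writable part of sshd's StrictModes check. Paths and modes are
# constructed for the demo.

# group_or_world_writable PATH -> returns 0 if the group or "other" write bit
# is set. Parses the first ten characters of `ls -ld` (type + 3x rwx), so it
# works on any POSIX system without GNU stat.
group_or_world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;   # pos 6 = group w, pos 9 = other w
    esac
    return 1
}

# strictmodes_check HOME_DIR -> returns 0 if sshd (StrictModes yes) would
# accept the key files, 1 if it would refuse them; prints the offending path.
strictmodes_check() {
    home=$1
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if group_or_world_writable "$p"; then
            echo "REFUSE: $p is group- or world-writable (StrictModes would reject key login)"
            return 1
        fi
    done
    echo "OK: $home permissions satisfy StrictModes"
    return 0
}

# Demo on a constructed home directory in a temp dir. First the Bubba-like
# situation: the shared primary group has write access on the home folder.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/press/.ssh"
    : > "$tmp/press/.ssh/authorized_keys"
    chmod 775 "$tmp/press"                        # group-writable home: refused
    chmod 700 "$tmp/press/.ssh"
    chmod 600 "$tmp/press/.ssh/authorized_keys"
    strictmodes_check "$tmp/press" || true

    # The fix that keeps StrictModes on: drop group write on the home folder.
    chmod 755 "$tmp/press"
    strictmodes_check "$tmp/press" || true
    rm -rf "$tmp"
}

demo
```

Running the block prints a REFUSE line for the 775 home directory and an OK line once it is 755; the same function can be pointed at a real home directory to see why sshd rejects a key before anyone reaches for StrictModes no.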

Re: ssh public key authentication

Posted: 26 Dec 2010, 09:04
by Ubi
ryz wrote: I think it is the StrictModes yes in the file /etc/ssh/sshd_config. You could change that to no and then reconfigure the ssh server with

    /etc/init.d/ssh reload

Well... yes, you can.
But would you really want to? Or would you want to recommend this to other users? I'd say the first "S" of SSH is to be taken seriously, and in this forum we should help people create a secure and reliable working environment, rather than suggesting workarounds that disable important security measures.

Re: ssh public key authentication

Posted: 26 Dec 2010, 13:46
by Pressurized
ryz wrote: ...SSH does not know if the group that the home folder has is only accessible by the user and that it will stay so. If any other user has write permission to the /home/press folder, that user can change the /home/press/.ssh folder and hence put its own public key there and then log in as the user press. Bubba is not set up to have a single primary group for each user. All users share the same primary group.
Exactly right. Even though my network would be pretty secure in the circumstance, it is better not to weaken the fundamental security the distro offers:
Ubi wrote: But would you really want to? Or would you want to recommend this to other users? I'd say the first "S" of SSH is to be taken seriously, and in this forum we should help people create a secure and reliable working environment, rather than suggesting workarounds that disable important security measures.
But I appreciate knowing about the option even so.