PublicKey authentication fails because of onerous permission rules

Bug #522373 reported by Andrew Burrow
Affects: openssh (Ubuntu)
Status: Expired
Importance: Medium
Assigned to: Unassigned

Bug Description

The required permissions are now too strict. It is not possible to login using the PublicKey method if the home directory is group readable.

WHAT I DID

Install openssh-server and openssh-client. Create a new account. Login to the account and create a PublicKey

    ssh-keygen -t rsa

Copy the PublicKey to the authorized keys list

    cat ~/.ssh/id_rsa.pub > .ssh/authorized_keys

Set the permissions along the path

    chmod u+rwx,go-rwx ~/
    chmod u+rwx,go-rwx ~/.ssh
    chmod u+rw,go-rwx ~/.ssh/authorized_keys

Start the ssh authentication agent, and add the new key

    eval `/usr/bin/ssh-agent -s`
    ssh-add

Login to the account via ssh

    ssh -vv localhost

Logout.

WHAT HAPPENS

Everything works as expected

WHAT I DID NEXT

Change the permission on just the home folder.

    chmod g+rwx ~/

Login to the account via ssh

    ssh -vv localhost

WHAT I EXPECTED

Login should still work. It does in jaunty, and the FILES section of the ssh man page makes no mention of restrictions on the home directory. In fact, it talks about permissions on .ssh, which makes no sense if the home directory is already more restricted.

WHAT HAPPENS

PublicKey authentication fails. The reason is given in /var/log/authlog as the wrong permissions on the home directory.

Chuck Short (zulcss) wrote :

Which version are you using?

Regards
chuck

Changed in openssh (Ubuntu):
importance: Undecided → Medium
status: New → Incomplete
Andrew Burrow (albcorp) wrote :

Hi Chuck,

I regret I made a mistake in this bug report. I just examined my example again.

The exact condition is group write-able, which is not as onerous as suggested. Although the example is correct, the first sentence of the report is incorrect. Also, it works the same way in Jaunty, contrary to what I said.

It would be helpful if the ssh(1) man page made some mention of this.

thanks

Andrew

HPO (hpo) wrote :

- Lucid Lynx creates user groups and group writeable home directories;
- openssh StrictMode on forbids public key authentication if home is group writable;

=> default installation prohibits public key authentication for users!

I do like user groups. Would it be possible to loosen StrictMode for the specific case, where uid=gid and home is group writable?
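As an added illustration (not part of this report, and not OpenSSH's own code), a bash function that reproduces the check sshd applies under StrictModes to the path walked in the report above, with the condition HPO states and Andrew's correction narrows: authorized_keys, ~/.ssh and the home directory must each be owned by the user or root and must not be group- or world-writable; group-readable is accepted, and directories above the home are not inspected. It assumes bash and GNU stat.

```bash
#!/bin/bash
# Added example: mirror the ownership/mode rule sshd enforces under
# "StrictModes yes" on authorized_keys and every directory from it up to,
# and including, the user's home directory. Assumes GNU stat (-c, -L).
# Returns 0 when every path passes, 1 after listing each offending path.
strictmodes_check() {
    local home="$1" keyfile="$2" uid="$3"
    local path="$keyfile" rc=0 st owner mode
    while :; do
        # Follow symlinks like sshd's stat(); stop on unreadable paths.
        st=$(stat -L -c '%u %a' -- "$path") || return 2
        owner=${st% *}
        mode=${st#* }
        # Reject if owned by anyone other than the user or root.
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "bad owner $owner: $path"; rc=1
        fi
        # Reject if group- or world-writable (mode & 022 != 0).
        # Group-readable, as in the original report, passes this test.
        if (( 8#$mode & 8#022 )); then
            echo "group/other writable ($mode): $path"; rc=1
        fi
        # sshd stops once the home directory itself has been checked.
        [ "$path" = "$home" ] && break
        path=$(dirname -- "$path")
        [ "$path" = / ] && break
    done
    return $rc
}

# Usage: script.sh HOME KEYFILE UID, e.g.
#   strictmodes_check "$HOME" "$HOME/.ssh/authorized_keys" "$(id -u)"
if [ "$#" -eq 3 ]; then
    strictmodes_check "$@"
fi
```

Running it after `chmod g+rwx ~/` prints the home directory as group-writable, matching the "bad ownership or modes" refusal the report saw in the auth log, while `chmod g+rx ~/` alone passes.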

Launchpad Janitor (janitor) wrote :

[Expired for openssh (Ubuntu) because there has been no activity for 60 days.]

Changed in openssh (Ubuntu):
status: Incomplete → Expired