SSH StrictModes does not work correctly

Bug #954620 reported by Frank
This bug affects 2 people

Affects: openssh (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

When StrictModes is set to yes in /etc/ssh/sshd_config, I am still able to successfully log in to my server when .ssh is set to 0775 and authorized_keys is set to 0664. It seems that StrictModes is not working as it is supposed to.

This is happening on a fresh install of Ubuntu Server 11.10 64-bit.

frank@localhost:~$ lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10

frank@localhost:~$ apt-cache policy openssh-server
openssh-server:
  Installed: 1:5.8p1-7ubuntu1
  Candidate: 1:5.8p1-7ubuntu1
  Version table:
 *** 1:5.8p1-7ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status

security vulnerability: yes → no
visibility: private → public
James Page (james-page)
Changed in openssh (Ubuntu):
importance: Undecided → Medium
Christian Kujau (christiank) wrote :

@Frank: does your home belong to your own per-user group? If so, StrictMode=yes might notice that and still allow login. In my case:

 christian@alice$ ls -ld $HOME
 drwx------ 24 christian christian 20480 Jul 23 03:44 /home/christian

=> Now, setting $HOME to 0720 will still allow login with public keys. But changing the ownership to e.g. ":users" makes StrictMode work.

Note that sshd_config defines "StrictModes" only as "specifies whether sshd(8) should check file modes and ownership of the user's files and home directory before accepting login." - i.e. there's no mention what exactly is "checked". The source may be helpful on that.

Christian Kujau (christiank) wrote :

FWIW, http://bugs.debian.org/119886 deals with a similar issue.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssh (Ubuntu):
status: New → Confirmed
Rodney Beede (business2008+launchpad) wrote :

Debian has a Debian specific patch (user-group-modes.patch) that changes the behavior compared to the upstream version of OpenSSH.

If a user ssh file or directory has a group write bit set and that group has no other members besides the user then sshd now allows the use of the ssh file or directory.

I've confirmed this behavior in Ubuntu 12.04.

Upstream, the change was not accepted for security reasons and because other distros may not have per-user groups like Debian.

See also:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347

https://bugzilla.mindrot.org/show_bug.cgi?id=1060
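
As an added illustration (not code from the bug report, from Debian's patch or from OpenSSH itself), the Python audit below replicates the two rules described in this thread: upstream's StrictModes test (owned by the user or root, not group- or world-writable) and Debian's relaxation, under which a group-writable file is accepted when the owning group has no member besides the user. The rule semantics are taken from the comments above, not from the patch source, and `mode_ok`, `members_of_group` and `audit_user` are names chosen here.

```python
import grp
import os
import pwd
import stat


def members_of_group(gid):
    """Users in a group: explicit members plus anyone whose primary group it is."""
    try:
        g = grp.getgrgid(gid)
    except KeyError:
        return set()
    primary = {p.pw_name for p in pwd.getpwall() if p.pw_gid == gid}
    return set(g.gr_mem) | primary


def mode_ok(mode, owner_uid, user_uid, user_name, group_members, debian_relaxed):
    """True if sshd with StrictModes=yes would accept a file with these attributes.

    Upstream rule: owned by the user (or root) and neither group- nor world-writable.
    With debian_relaxed=True (user-group-modes.patch, as summarised in this bug),
    group write is tolerated when the group contains nobody but the user.
    """
    if owner_uid not in (0, user_uid):
        return False
    if mode & stat.S_IWOTH:
        return False
    if mode & stat.S_IWGRP:
        if not debian_relaxed:
            return False
        return not (set(group_members) - {user_name})
    return True


def audit_user(user_name, debian_relaxed=False):
    """Check $HOME, $HOME/.ssh and authorized_keys the way StrictModes does.

    Returns a list of (path, reason) for every path sshd would reject.
    """
    pw = pwd.getpwnam(user_name)
    home = pw.pw_dir
    paths = (home, os.path.join(home, ".ssh"), os.path.join(home, ".ssh", "authorized_keys"))
    problems = []
    for path in paths:
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            problems.append((path, "missing"))
            continue
        members = members_of_group(st.st_gid)
        if not mode_ok(st.st_mode, st.st_uid, pw.pw_uid, user_name, members, debian_relaxed):
            problems.append((path, "mode %o uid %d gid %d" % (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)))
    return problems
```

Running `audit_user("frank")` with the default (upstream) rule flags the 0775 `.ssh` and 0664 `authorized_keys` from the report; with `debian_relaxed=True` and a private per-user group they pass, which is exactly the behaviour the reporter observed.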

Changed in openssh (Ubuntu):
status: Confirmed → Fix Released