SSH ignoring "StrictModes no"
From: Paidhi Aiji (paidhi_at_mospheira.net)
Date: 08/27/05
Date: Sat, 27 Aug 2005 13:39:48 +0200 To: secureshell@securityfocus.com
Hi everybody,
We have a very strange problem with SSH. It looks like sshd is ignoring
"StrictModes no" and still doing strict permission checking.
Can anyone give me a hint as to what the problem might be?
Background:
We have a machine where partners can transfer files to us. The machine runs an
SSH daemon with very strict settings. We use OpenSSH 3.9p1 with the chroot and
sftp-logging patch. Only PublicKey authentication and SFTP are allowed, and the
user is chroot'ed.
Problem:
As long as the various users' directories (e.g. user XA302) are mode drwxr-sr-x,
everything is fine. But if I change this to drwxrwsr-x, SSH complains
"Authentication refused: bad ownership or modes for directory
/appl/chroot/cp/XA302". We need group write permission on /appl/chroot/cp/...
for our jobs, which do further processing of the transferred files.
So I set "StrictModes no" in sshd_config. The strange thing is that this setup
worked for months, but not anymore since yesterday. And I can't find any
configuration change. SSH was not updated and no Solaris patches have been
installed.
Does anyone have a similar problem or know why SSH might possibly ignore
"StrictModes no"?
Any help would be very much appreciated.
-Markus-
Below is some configuration info:
OS: Solaris 8
SSH-Version:
# ssh -V
OpenSSH_3.9p1-AuthSelect-SecurID-log, OpenSSL 0.9.7d 17 Mar 2004
The sshd_config:
# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port 2222
Protocol 2
ListenAddress 172.22.4.139
ServerKeyBits 1024
StrictModes no
# HostKeys for protocol version 2
HostKey /etc/mmp/ssh_host_rsa_key_mmp
HostKey /etc/mmp/ssh_host_dsa_key_mmp
# Only allow PublicKey authentication
PubkeyAuthentication yes
PasswordAuthentication no
RhostsRSAAuthentication no
RSAAuthentication no
ChallengeResponseAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
#LogLevel INFO
LogLevel VERBOSE
#LogLevel DEBUG3
# PrivilegeSeparation
# Specifies whether sshd separates privileges by creating
# an unprivileged child process to deal with incoming
# network traffic. After successful authentication,
# another process will be created that has the privilege
# of the authenticated user. The goal of privilege
# separation is to prevent privilege escalation by con-
# taining any corruption within the unprivileged
# processes. The default is ``yes''.
UsePrivilegeSeparation yes
# Allow only these groups (primary group)
AllowGroups cms
AllowGroups dcs
AllowGroups nobody
# Allow only these users
#AllowUsers mmp
#AllowUsers TE333
#AllowUsers TE444
PrintMotd no
# override default of no subsystems
Subsystem sftp /usr/local/libexec/sftp-server
# sftp-server logging
SftpLog yes
SftpLogFacility AUTH
SftpLogLevel VERBOSE
# sftp-server umask control
SftpUmask 007
SftpPermitChmod yes
SftpPermitChown yes
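To pin down which path element makes sshd refuse the login, the following added script (not from the post or from OpenSSH itself) emulates the walk stock OpenSSH performs under "StrictModes yes": the authorized_keys file and every directory above it, up to the user's home directory, must be owned by root or by the user and must not be group- or world-writable. It assumes the patched daemon on the machine follows the stock walk, and it parses ls -ld instead of stat(1) so it runs on Solaris 8.

```shell
#!/bin/sh
# path_is_strict PATH USER
# Returns 0 when PATH is owned by root or USER and is neither group- nor
# world-writable; prints the reason and returns 1 otherwise.
path_is_strict() {
    p=$1; u=$2
    line=$(ls -ld "$p" 2>/dev/null) || { echo "cannot list $p"; return 1; }
    set -- $line
    mode=$1; owner=$3
    case "$owner" in
        root|"$u") ;;
        *) echo "owner $owner is neither root nor $u"; return 1 ;;
    esac
    # In "drwxrwsr-x" character 6 is the group write bit and character 9
    # the world write bit; sshd rejects any path where (mode & 022) != 0.
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "mode $mode is group- or world-writable"; return 1
    fi
    return 0
}

# strict_modes_check KEYFILE USER HOMEDIR
# Checks KEYFILE, then each parent directory, stopping after HOMEDIR (or /).
# Prints sshd's wording for the first offending element and returns 1.
strict_modes_check() {
    f=$1; u=$2; home=$3
    reason=$(path_is_strict "$f" "$u") || {
        echo "bad ownership or modes for file $f ($reason)"; return 1; }
    while :; do
        f=$(dirname "$f")
        reason=$(path_is_strict "$f" "$u") || {
            echo "bad ownership or modes for directory $f ($reason)"; return 1; }
        if [ "$f" = "$home" ] || [ "$f" = "/" ] || [ "$f" = "." ]; then
            return 0
        fi
    done
}

# Usage for the setup in the post (constructed; adjust user and paths):
# strict_modes_check /appl/chroot/cp/XA302/.ssh/authorized_keys XA302 \
#     /appl/chroot/cp/XA302
```

If the script accepts the path but sshd still refuses, the refusal is not coming from the stock StrictModes walk, which narrows the search to the patched code or the chroot setup.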