Re: authorized_keys in /tmp/.ssh?



On Wed, Oct 18, 2006 at 02:36:35PM -0400, Clem Taylor wrote:
> [...]
> As part of this change, I need to create root's authorized_keys file
> at boot time. So now I have /root/.ssh/authorized_keys symlinked to
> /tmp/.ssh/authorized_keys.
>
> /tmp is 1777, but /tmp/.ssh is 0700. When I attempt to login using a
> key that is in authorized_keys, I get "sshd: Authentication refused:
> bad ownership or modes for directory /tmp". If I change the
> permissions of /tmp to 1755, then sshd will allow the login, but this
> causes problems for things not running as root that need to write to
> /tmp.

So, add another intermediary directory which is owned by root and 700,
i.e.:

/tmp 1777
/tmp/root 0700
/tmp/root/.ssh 0700

Update your symlinks accordingly.

> It seems that sshd is finding the absolute path of the authorized_keys
> file and then stating the first path entry. I'm not quite sure why it
> is checking the top level directory and not the permissions of the
> directory that contains the authorized_keys.

Because ultimately the top level directory controls who will be able
to access the file, not the symlink or its parent.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
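
The check behind the "bad ownership or modes for directory /tmp" message, sketched in Python as an added example (not part of the original post and not OpenSSH's own code): it resolves symlinks, then checks the file and every directory above it until it reaches the home directory or /. The function name and the command-line handling are assumptions made for this illustration.

```python
import os
import stat


def first_insecure_component(keyfile, home, uid):
    """Return None if the path passes, else (path, reason) for the first failure.

    Approximates a StrictModes-style walk: the symlink is resolved first, so
    the directories checked are those of the *target*, not of the link.
    """
    path = os.path.realpath(keyfile)
    home = os.path.realpath(home)
    kind = "file"
    while True:
        try:
            st = os.stat(path)
        except OSError as exc:
            return path, "cannot stat: %s" % exc.strerror
        # Owner must be root or the account being logged in to.
        if st.st_uid not in (0, uid):
            return path, "%s owned by uid %d" % (kind, st.st_uid)
        # Nobody else may be able to replace or rename this component.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            return path, "%s mode %04o is group/world-writable" % (kind, mode)
        # Stop once the home directory or the filesystem root has passed.
        if kind == "directory" and (path == home or path == os.path.dirname(path)):
            return None
        path, kind = os.path.dirname(path), "directory"


if __name__ == "__main__":
    import pwd
    import sys

    # Assumption: the default key location ~/.ssh/authorized_keys is in use.
    user = sys.argv[1] if len(sys.argv) > 1 else "root"
    pw = pwd.getpwnam(user)
    keyfile = os.path.join(pw.pw_dir, ".ssh", "authorized_keys")
    bad = first_insecure_component(keyfile, pw.pw_dir, pw.pw_uid)
    if bad is None:
        print("OK: %s passes the ownership/mode walk" % keyfile)
    else:
        print("refused: bad ownership or modes for %s (%s)" % bad)
```

Run it against a symlinked authorized_keys before changing a layout: it reports the first component of the resolved path that a strict ownership and mode check would reject.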


