Re: authorized_keys in /tmp/.ssh?
- From: Darren Tucker <dtucker@xxxxxxxxxx>
- Date: Fri, 20 Oct 2006 00:34:15 +1000
Clem Taylor wrote:
I'm working on an embedded Linux system that has a read-only jffs2[...]
root file system. /tmp is a tmpfs file system for files that need to
be writable. Anything that needs writable files is symlinked to /tmp.
It seems that sshd is finding the absolute path of the authorized_keys
file and then stating the first path entry. I'm not quite sure why it
is checking the top level directory and not the permissions of the
directory that contains the authorized_keys.
The check stops at the user's home directory if the real pathname is within that directory, otherwise it checks every parent directory to the root.
Generally, if a directory is group or world writable then the authorized_keys files and/or the .ssh directory could be renamed and recreated by a third party (the check does not consider the sticky bit, as it's rarely set on home directories).
I'd rather avoid having to separate tmpfs filesystems, so is there an
easy way to work around this problem? I'm using OpenSSH_3.9p1 and
OpenSSL 0.9.7e.
set "StrictModes no" in sshd_config? You could also teach the checks (secure_filename in auth.c) about sticky bits on directories.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
- Follow-Ups:
- Re: authorized_keys in /tmp/.ssh?
- From: Clem Taylor
- Re: authorized_keys in /tmp/.ssh?
- References:
- authorized_keys in /tmp/.ssh?
- From: Clem Taylor
- authorized_keys in /tmp/.ssh?
- Prev by Date: Re: Debugging SFTP for openSSH 4.4p1
- Next by Date: Re: problem with publickey authentication
- Previous by thread: Re: authorized_keys in /tmp/.ssh?
- Next by thread: Re: authorized_keys in /tmp/.ssh?
- Index(es):
Relevant Pages
|
