ssh and home directory permissions

sshd will refuse to accept public key authentication if the user's home directory is group-accessible, even if ~/.ssh is set to 700? If the permissions on ~/.ssh are acceptable, why do the permissions on ~ matter?


Solution 1:

I guess the reason is that if your home directory is writable by someone else, then a malicious user can create ~/.ssh, add desired keys and then change permissions on it to 700.

Even if you already have a ~/.ssh, it can simply be renamed to something else and a new one created.

However, on modern systems such a trick is usually not possible due to chown working only for the super-user; this has not always been the case:

In earlier versions of UNIX, all users could run the chown command to change the ownership of a file that they owned to that of any other user on the system. (http://www.diablotin.com/librairie/networking/puis/ch05_07.htm)

Whether chmod behaves one way or another depends on libc compilation options, and for the sake of security OpenSSH server is slightly paranoid.
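
The check discussed above can be reproduced for diagnosis. This is an added example, not part of either answer and not OpenSSH's own code. It assumes the StrictModes rule is that every path component from the key file up to the home directory must be owned by the user or root and must not be group- or world-writable; the function names and the temporary directory tree are constructed for illustration.

```python
import os
import stat
import tempfile


def strictmodes_problems(keyfile, home, uid):
    """List the reasons a StrictModes-style walk would reject keyfile."""
    problems = []
    path = os.path.realpath(keyfile)
    home = os.path.realpath(home)
    is_keyfile = True
    while True:
        st = os.stat(path)
        if is_keyfile and not stat.S_ISREG(st.st_mode):
            problems.append(f"{path}: not a regular file")
        if st.st_uid not in (uid, 0):
            problems.append(f"{path}: owned by uid {st.st_uid}")
        if st.st_mode & 0o022:  # group- or world-writable bit set
            mode = stat.S_IMODE(st.st_mode)
            problems.append(f"{path}: mode {mode:04o} is group/world-writable")
        # Stop at the home directory, or at / for key files stored elsewhere.
        if path == home or path == os.path.dirname(path):
            return problems
        path = os.path.dirname(path)
        is_keyfile = False


def demo():
    """Check a constructed home directory before and after fixing its mode."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "exampleuser")
        ssh_dir = os.path.join(home, ".ssh")
        keyfile = os.path.join(ssh_dir, "authorized_keys")
        os.makedirs(ssh_dir)
        with open(keyfile, "w") as f:
            f.write("# constructed placeholder for a public key line\n")
        os.chmod(keyfile, 0o600)
        os.chmod(ssh_dir, 0o700)
        os.chmod(home, 0o775)  # group-writable home, ~/.ssh still 700
        before = strictmodes_problems(keyfile, home, os.getuid())
        os.chmod(home, 0o755)  # remove group write from the home directory
        after = strictmodes_problems(keyfile, home, os.getuid())
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("home 0775:", before)
    print("home 0755:", after)
```

With the home directory at 0775 the walk reports the home directory itself even though ~/.ssh is 700, and the list is empty once the home directory is 0755.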

Solution 2:

Okay, to fix this you could either go the insecure route and set StrictModes no in your /etc/ssh/sshd_config, as was already mentioned, or you could go the complicated way and store the ssh-keys for all users in a directory accessible to root only. Here are the steps for the latter:

  1. Create a directory to hold the new keys. Here we'll use /usr/share/sshkeys, which might not be the best place, but it is the best I can think of off the top of my head.

    sudo mkdir /usr/share/sshkeys
    
  2. Edit /etc/ssh/sshd_config to include the line

    AuthorizedKeysFile /usr/share/sshkeys/%u
    
  3. Copy the old authorized key file from your user (here called "exampleuser") to the new directory

    sudo mv /home/exampleuser/.ssh/authorized_keys /usr/share/sshkeys/exampleuser
    
  4. (Optional but recommended since exampleuser will expect to be able to add keys the usual way) Link the new keyfile to the location of the old and give the user access to the new key file

    sudo chown exampleuser /usr/share/sshkeys/exampleuser
    sudo chmod 600 /usr/share/sshkeys/exampleuser
    ln -s /usr/share/sshkeys/exampleuser /home/exampleuser/.ssh/authorized_keys
    
  5. Restart the ssh daemon

    sudo service sshd restart